What is our primary use case?
I specify, configure and deploy firewalls in organizations with 500 or fewer employees and 15 or fewer sites. Primarily I choose between Cisco, Sonicwall and Fortigate small and medium sized appliances. Occasionally I deploy virtual appliances in AWS. I prefer to use Fortigate firewalls for several reasons- remote access is simple and the included client works with MacOS Windows and IOS devices. The level of security works well for most clients and the authentication with AD/LDAP makes the solution easier to deploy. I also find that the clients appreciate the lower price point than other vendors.
How has it helped my organization?
We have a standard build. We give the client the laptop, and, especially with the pandemic, we send them home with the laptop or FedEx the laptop already configured, and the user is ready to go.
I don't even need to know the client's password. I can just install the software and create a profile. The client fills the profile in with simple instructions, types in their password instructions, and connects it and they're good. It's really simple.
That's why we have standardized recommending Fortinet. That doesn't mean that I don't support other solutions as well, however, the device that I like the best is the one that's easy to use for me and it's easy to use for the clients. The price point is not bad as well.
What is most valuable?
The ease of setting the solution up is a valuable aspect for us.
The most valuable aspect that differentiates it from other solutions is that the client (the SSL VPN client or the IP sec VPN client, the same clients) is included in the solution. We don't have to pay extra for the software and the clients.
I have had some issues, but no more than others and I don't have to buy an expensive add-on license to do it and it's managed and it's updated automatically. That's the key thing, that the client is included and it updates itself so I don't have to do too much to manage it and it's very transparent to the end-user.
What needs improvement?
The biggest "gotcha" is that if the client purchases what they call the UTM shared bundle, which has unified threat management on both, it's not as easy to manage if you have more than one firewall.
If I wanted a unified console, I have to pay extra. And that's the downfall. That's the only needed improvement that I would say for the Fortinet solution, is that they should have it web-based from the get-go. You should not have to buy an extra bundle or an extra device.
If I have to make an update to a web filter, and I have 12 devices, I've got to do it in 12 places. If I don't want to do that the client can pay for a pretty expensive device or virtual appliance that does that for them. It's like an expensive centralized management tool. That's the big downfall of Fortinet. It doesn't come included, you have to pay for it. Their web-based one, that's sort of just like an inventory manager. It's not really good for distributing roles. With Cisco, you don't have to do anything. The one from Aruba HD has one too. Fortinet should try to be similar to those options.
In the next release, it would be amazing if they could give a better tool for upgrading, so that if I upgrade from an older version to the other, it can read the configuration and processes it for me so that I don't have to rewrite it from scratch. In FortiConverter, they have a tool like this, however, it doesn't work well. It's really more for bringing items in from other vendors, not from one version to the other.
That was my last experience where they operated from version five to six. However, that's really the only big thing. The main thing is to include the FortiManager cloud software like Cisco does. To have one solution. If you paid $150 a year for the support, you might as well get that too so I could manage all the devices at one spot. They do have FortiCloud, however, it's not the same as the way Cisco does it. They are selling another product called FortiManager. FortiManager should be included with the support, and that would make it more of a business solution, rather than a feature request.
For how long have I used the solution?
I would say that I have been using the solution for over 10 years. It's likely been between 10 and 15 years at this point.
What do I think about the stability of the solution?
Fortigate firewalls are very reliable- in the past 15 years I believe only 2 devices in a 100 have failed. The failures were due to harsh environments (dust and water will ruin any electronic device). The input I can give to any technology person or client looking to choose a firewall / threat management device I would highly recommend the stability / reliability of fortigate. Once installed it will do it's job efficiently and effectively for several years.
What do I think about the scalability of the solution?
I will tell a client not to go with Fortinet if they have no firewall or they have a very, very old firewall. If this is from scratch, I'd say let's not go with Fortinet, let's go with Meraki if you have the money. I always say create the budget for it if you have a lot of sites, as Cisco does a better job if you have a lot of sites. If you have two sites, then it's fine to go with Fortinet. It'll scale to that scale. However, if you want to go over a couple of sites, it's not the best option.
How was the initial setup?
The solution's initial setup is straightforward. It's actually gotten better. I got good at doing it from scratch from the command line, or even from the GUI with all the 50 steps to set up stuff. However, now they're wizards and it's much better. It was the thing that probably a lot of people commented on initially, and they just worked hard to fix it. They updated the software from version four to five to six. They did a good job at making it easier.
What was our ROI?
If the client had a lot of downtime or a lot of issues with older equipment, or they did not like the fact that they had to pay every year just to be able to use the device, then the return on investment of spending $900 for a Fortinet 60E per site for a three-year contract will hands-down beat pretty much anybody.
It is definitely set it and forget it. There's very little input. You'll save money on consulting. If you were to call me and you're doing Juniper or you're doing Palo Alto, there's a lot more configuring and it's a lot harder to add stuff and therefore, as a consultant, I make more money, and I'm being serious. Once I set up a Fortinet I really don't have to touch it for years.
Maybe I have to log in to check that I need to do an update, however, in that case, they usually send me an email saying hey, your license key is up and maybe you want to buy a new one. I take the old one out and put a new one in, that's when I get paid again. It's boiled down to that.
What other advice do I have?
I'm not only an authorized reseller. I am a consultant that uses their equipment and recommends them on a routine basis. I am not a Fortinet partner, however.
I use a series of FortiGate products, including the 60, the 90, and the 100. Some of them are E's, some of them are S's; it all depends. However, they have pretty much the same user interface.
If a company is considering the solution, I'd advise that they consider purchasing the FortiManager if they really like the feature set and the way that Fortinet works. For example, a company we work with has these large scale solutions, and they use FortiManager. If you're a very large implementation, definitely look into Fortinet. If you're small, for example, under 20 devices, consider joining Cisco Meraki as it's so much easier. That's what I would tell any client.
FortiManager and FortiGate are really good. If you like the way the GUI works it's more flexible than Cisco. There are more bells and whistles, however, Cisco is going to be the way to do it if you're going to do 50 sites. If you were to do a lot of sites, consider Cisco. If not, you can do Fortinet.
At the end of the day, the solution is very flexible, and if the client has special business partners that want a special type of nailed up VPN or special configuration for the clients, it offers that. The lesson I learned using the solution was to go with the solution that's most flexible for the client and at the same time is as low touch as possible. That's why I've standardized on FortiGate, as it's low touch for me and I'd rather spend time fixing other stuff or troubleshooting the other problems for clients than this particular solution.
You want to spend less time fighting with your remote access solution or your firewall solution and work on other problems. It should not be a difficult thing, and yet, a lot of people struggle with that. Especially today with the pandemic, they have to be able to have access to their stuff and that's crucial. That's the biggest takeaway. Is it easy to manage it, is it easy to connect? If so, it's worth the investment.
I would rate the solution nine out of ten. If they included FortiManager in their offering, I'd give the product a perfect ten.
*Disclosure: I am a real user, and this review is based on my own experience and opinions.