What is our primary use case?
I have deployed several of the following models for customers: 200D, 60E, 60D. This review focuses on the FortiGate 200D.
How has it helped my organization?
The first implementation I performed of a FortiGate 200D was to replace a Juniper SSG-140 in a main corporate office. This implementation provided improved network administration and network performance.
We also received more timely security updates, and it became easier to connect all of the other offices together (via an IPsec VPN mesh).
As additional FortiOS releases have come out, we have obtained more flexibility in device identification and WAN load-balancing, among other things.
What is most valuable?
- The CLI is robust and powerful, enabling rapid, consistent changes via SSH.
- The device identification is very flexible, facilitating the creation of rules to regulate all sorts of devices that might spring up on a network, especially via WiFi.
- The IPsec tunnels are very easily created, and quite interoperable with devices from other vendors.
- WAN load-balancing has improved, but needs some refinement.
- You can set up a different DDNS config for each WAN link.
- It is great to be able to largely use the same OS features across the family of devices.
What needs improvement?
WAN load-balancing could be a lot better at detecting when a link is poor or inconsistent, and not just flat out dead. There are lots of options for routing traffic over a specific path when you have WAN load-balancing enabled, but they are not as clear and consistent as they could be, and most can only be set at the CLI.
Some configuration elements cannot be easily altered once created. For instance, there is no way to rename an interface (say, for a VPN tunnel), unless you create an entirely new one and perform a little gymnastics to switch from one to the other. Or, you export the config, rename the elements in question, then re-import the entire config.
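As an added example (not part of the review), here is a small Python helper for the export, rename, re-import approach described above: it renames a tunnel interface across an exported config, touching only whole quoted occurrences so that similarly prefixed names (such as a phase2 entry) are left intact, and refuses a new name that is already in use. The sample config is constructed here and only models FortiOS config syntax; it is not taken from the reviewer's deployment.

```python
import re

# Constructed sample of an exported FortiOS-style config (not from the review):
# a tunnel interface referenced from phase2, a firewall policy and a static route.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "OfficeB-WAN1"
        set interface "wan1"
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "OfficeB-WAN1-p2"
        set phase1name "OfficeB-WAN1"
    next
end
config firewall policy
    edit 5
        set srcintf "OfficeB-WAN1"
        set dstintf "lan"
    next
end
config router static
    edit 3
        set device "OfficeB-WAN1"
    next
end
"""

def find_interface_refs(config_text, name):
    """Return 1-based line numbers where `name` appears as a whole quoted token."""
    pat = re.compile(r'"' + re.escape(name) + r'"')
    return [i for i, line in enumerate(config_text.splitlines(), 1) if pat.search(line)]

def rename_interface(config_text, old, new):
    """Rename a tunnel interface everywhere it is referenced in an exported config.

    Only whole quoted tokens are replaced, so "OfficeB-WAN1" changes while
    "OfficeB-WAN1-p2" (the phase2 name) is untouched. A ValueError is raised
    if `new` is already in use, since a duplicate name would break the re-import.
    Returns the rewritten text and the number of references that were renamed.
    """
    if find_interface_refs(config_text, new):
        raise ValueError(f"name {new!r} already exists in config")
    refs = find_interface_refs(config_text, old)
    if not refs:
        raise ValueError(f"no references to {old!r} found")
    pat = re.compile(r'"' + re.escape(old) + r'"')
    return pat.sub(f'"{new}"', config_text), len(refs)
```

Diff the returned text against the export before re-importing, so the only changes are the renamed references.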
Creating a meshed VPN connection (Office A with two WAN links connecting to Office B with two WAN links) requires a massive bundle of four IPsec interfaces, with two policies. It would be nice to have a cleaner, simpler config for that functionality, something not very uncommon today.
I have found that if you have a console cable in the device when you reboot it for a disk check, it will boot to the device firmware. This will not happen for a regular reboot.
If you have more than a very basic environment, you quickly have to escalate past the first level of support. The initial level is so-so. The next level up has been stellar for me, and quick to figure out issues and resolve them.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
I've only experienced stability issues a few times. One was with the v5.4.0 and .1 releases. Also, there was an issue during the v5.2.x series where there was an SSD issue that was fixed with later firmware. Overall, the devices have been very stable.
What do I think about the scalability of the solution?
No. Scalability is good, and performance increases are great as you move to higher products.
How are customer service and technical support?
Customer support is okay. They are fairly responsive for level three and higher (one and two) issues, but if your issue is a little complex, you will want to ask them to escalate to a second level tech. They don't always read all the info you provide in the first pass, but overall, they are helpful.
Which solution did I use previously and why did I switch?
I previously favored NetScreen/Juniper SSG solutions, but Juniper stopped supporting the SSG line, and FortiGate provides more value and performance for the dollar.
I've also tested the Sophos solutions, but found them not compelling enough to switch from the FortiGate devices.
How was the initial setup?
The devices are very easy to set up, even if you need to configure VPNs. You could have an HA config up and running within 60-90 minutes, with the latest firmware installed, and a couple of policies and tunnels.
If you do not regularly work with enterprise-class firewalls, you might need to add an hour to the above scenario, but the provided wizards make it pretty easy to address the basic functions.
What about the implementation team?
In-house deployment all the time.
What was our ROI?
In almost every case, I've experienced (or had customers experience) an ROI within 12 months, based on better performance for the same price or increased functionality for the same (or less) price.
What's my experience with pricing, setup cost, and licensing?
Licensing and setup costs are generally pretty clear with Fortinet. If you go with centralized management or their Log Analyzer tool, these carry some additional pricing that you need to look at.
Check out the price matrix, and go with a value-added reseller that understands how to help you size out the equipment. Remember to always look at the performance with the assumption that you will have many of the unified threat management (UTM) features on, not off.
Which other solutions did I evaluate?
Yes, I tested and evaluated solutions from pfSense, Sophos, and Palo Alto.
What other advice do I have?
I highly recommend, and often try to deploy, Fortinet solutions for my office network and for my customers. They run for a long time, they are supported for many OS updates, and they are pretty solid.
Don't upgrade the OS right away when it is released, if a major new version has come out. v5.0 was problematic early, but v5.2 was great. v5.4 was a problem child, but v5.6 had only a minor issue. v6.0 was surprisingly smooth and had only a minor issue. I could have avoided most of these problems if I waited an additional month or so before updating, but I updated because I need to advise customers on what they should be doing.
I've had to interact with support a lot, and overall they've been good (with the caveat mentioned earlier).
Disclosure: I am a real user, and this review is based on my own experience and opinions.