Fortinet FortiOS Reviews

FortiOS is the operating system of the FortiGate firewall. So whether it's an actual device or virtual machine, FortiOS is the actual software running.

FortiOS is dedicated to the next-generation firewalls. You can't really use it for anything else.

Essentially, their IPS and DNS filtering databases are the most useful for us. The industrial protocol database, which is the main one that we use, is great. They do extensive research to make sure that all the CVEs that they include in the IPS database are up to date and they keep it up to date. And that they don't miss any threats.

Their classification inside of that database of the various threats is typically very, very good. It's, for that matter, one of the best we've seen.

The IPS, IDS database with the DNS and industrial database are the three core main features that are the best for us.

We don't really find a lot of issues on it.

If I really have to complain about something, and there's not much, is the free VPN solution is a bit limited. Then again, it is a free solution. That's essentially it. Nothing else on the FortiGate or on the Fortinet OS side is really an issue. That's one of the main reasons why we use them: everything works and works well.

For what we use, there isn't really any missing feature. In fact, we actually want to get rid of some of the features that they have due to the fact that, for the security model that we need to implement, having more features actually opens up potential risk. We actually would like to have a device that is more focused specifically on OT environments the operational technologies.

We would prefer a device that's stripped down, that doesn't have all the other fluff in the more enterprise system. We actually want a feature where we can remove features that are there that we don't use. That is actually a thing that we find. We use it now in an operational technology environment. We use normal IT equipment. However, it's not a normal IT network. It differs significantly from a normal corporate IT environment. In a normal corporate IT environment, you like the fluff, and the additional features, and you can click, click, click, and you're done.

However, all of those features you add to a device open up risk for us. And that is something we do differently in the OT environment in operational technology. We prefer to not have the fluff. We prefer to have only what is needed for the device to do what it needs to do.

For example, imagine an additional feature for some sort of additional VPN technology has been added. However, it's not really needed for the OT environment, and it's not configured on the device, yet there's some sort of security threat in there. Now, all of a sudden, somebody can hack your system, and he's in there, and he's switching the lights on and off the entire city. And you don't know about it due to the fact that the additional fluff that we added to the system, we weren't aware of that issue was on there.

You can enable and disable certain modules in it. However, with disabling, nobody can really tell us if that module is disabled. Is it really disabled? Is it actually unloaded? Is it uninstalling Word from your laptop, or is it just not running Word?

I've been using the solution since 2009, give or take. That's almost 13 years.

We don't have any instability issues.

The solution can scale reasonably well, within the means, of course, of the device itself. You buy the device based on the current network requirements. We typically build in a bit of extra expandability into there to ensure that the device can cope with the additional load on it.

It greatly depends on the unit itself and what the limitations are. However, typically, expanding past that limit it's not complicated. Still, you'll have to procure a new unit. It's very crucial for us at the beginning phase to make sure that we know exactly what the customer's networking requirements are in terms of bandwidth, IPS, IDS, and throughput.

If a VPN needs to come in, we’ll need to consider what is done with the requirements of the VPN. And then, based on that, we'll specify the unit with additional capacity. However, if you go outside of the unit's capacity, you'll have to get a new or bigger unit.

It's actually an OT environment, not an IT environment. The actual user base is relatively small as not many people are allowed to use the operational side of things.

It's not like a normal enterprise network where you have thousands of people connected to it. It's very small. And when I say very small, it's typically ten or maybe 20 users.

If you log a support call, they have support engineers that jump on that support call very quickly to try and sort out your issue. There are absolutely no complaints that we have on their support side.

Positive

If you are a novice person that has never worked with any firewall and don't really understand the concepts, you may find it challenging to set up. However, there are help files, online tutorials, and videos that guide you on any of the topics you have in it.

It really helps you a lot to get to it in order to do the configuration. So it varies. It depends on how you install it. It may be fairly easy for your average user at home or for an average enterprise guy. However, for a process environment, it may be a bit more challenging since there are different approaches that we follow in order to install it. That said, Fortinet itself is not very difficult to use and its knowledge base and help are very extensive.

We only need one person to deploy the solution.

How long deployment takes depends on the customer requirements and what they require for their network that we need to implement. For the actual deployment of the FortiOS and the initial testing, you're looking anything from a day to about four days' worth of work.

That said, your pre-prep, in other words, all your pre-definition of your firewall rules and what security model you need to run and what security level in your Purdue model that you need to implement, can take a good couple of months to do since it's purely based on how you apply the IEC 62442.

It also greatly depends on what the customer needs are. The pre-prep work is actually the most important. The actual configuration is quick. However, the pre-prep work takes quite a while.

It's probably one of the best devices you have for ROI, especially regarding the current security landscape that we are in with the current kinds of security threats and stuff flying around. FortiGate is one of the best solutions regarding your return on investment.

If you look at the way that you'll typically have to try and clean systems, let's say, if you were infected with very bad ransomware, the amount of cost and effort and money that you'll have to spend in order to clean all your systems and get all your IT equipment and everything running in top form condition.

If you don't have a FortiGate unit protecting you, and you compare that to installing a proper FortiGate unit with all the correct modules and stuff like that, your ROI on it is much better than trying to clean everything after an attack. It's definitely well worth your investment.

There are different types of licensing. It depends on what kind of licensing you decide to take, if it's on an annual basis or if it's a three-year basis. It also depends on what modules you have selected in your firewall.

If you have the next business day on-site warranty, and if you have the actual hardware replacement, the normal RMA on devices like Cisco and those devices where the device fails, the company comes out and swaps the device out for you free of charge, that comes at a price.

It greatly depends on what options you take with their warranties and guarantees and stuff. It's very difficult to say what the licensing is until you break down which module you will take.

You need to buy the modules or the add-ons based on your needs. Licensing then will be directly connected to that. It’s like purchasing Windows. You can just buy Windows. However, you won't get Office working necessarily. It's the same with the FortiOS licensing. You buy the OS; then you buy everything you want to run on it.

You can just buy the operating system, the FortiOS. However, it won't give you IPS or any other advanced firewall rules. That will be an additional cost on your licensing.

They are slightly on the pricey side. They are affordable. However, they are not cheap. I’d rate them a two out of five in terms of affordability.

All of the infrastructure is hosted locally on-prem. We can't host it in the cloud due to security reasons.

We’re resellers more than partners. We provide the solution to customers. It's an industrial process environment.

Whether we use the latest deployment or not depends on the customer. However, we prefer to not install the latest version. We typically install two or three versions backward. The reason is, that your latest versions typically have a lot of bugs that are not necessarily known yet. Since this is a process plant, which is not directly connected to the internet, effectively, you go through a Purdue model, which connects to layer three or layer four before they get to the corporate network.

That then will break them out to the internet. The risk model for that is okay to have them not on the latest version. Also, since it is a process environment, literally, it's a process plant; it's an industrial process plant. The performance and uptime is king, not so much anything else. In a normal corporate environment, uptime and security is king. However, in a process environment, you need to keep the plant running 24/7 in order to pay the bills. The way that you look at how you install the product is quite a bit different than normal enterprise IT.

I’d rate the solution ten out of ten.

It is the best solution for users if they start out in a secure environment. They just need to make sure that they partner up with the correct partner that can guide them through the processes of obtaining the correct device and obtaining the correct training for themselves in order to use the device. That said, it's a highly recommended device to use from a perspective of security, usability, and installability.

We primarily use the solution as a firewall operating system.

The built-in SD-WAN is the most valuable aspect of the product.

It is simple to set up. 

The solution has been stable so far. 

It's easy to scale. 

The pricing is excellent. 

SD-WAN configuration could be easier. 

The support could be better.

We'd like to see bandwidth optimization and traffic prioritization capabilities. These are the two things that I'm looking for, especially in SD-WAN.

I've been using the solution for three years. 

It's stable as a product. However, SD-WAN has some issues. The route policies and how you prioritize traffic are the areas of concern for us.

I'd rate the solution seven out of ten in terms of how stable it is. 

The scalability is great. 

We have 1,500 users using the solution. 

We are not very pleased with the support. It could be better. 

Neutral

We are using Fortinet, however, we are exploring Palo Alto.

While the initial setup is not an issue, the SD-WAN configuration is a little complex.

There are three people here who are maintaining the firewalls.

The solution is the cheapest on the market. I'd rate it five out of five in terms of affordability.

I've compared this solution to other vendors. Palo Alto is number one in the world. Then I would go with Check Point. Then my third preference would be Fortinet.

We are end-users.

I'd rate the solution five out of ten. 

We use the solution as a perimeter firewall. 

It's simple to use in terms of inbound and outbound traffic management, traffic shaping, and connectivities, as well as the VPN. Everything is built into it, so it gives us quite a good well-rounded solution.

With assistance, the initial setup is easy.

The solution is stable and reliable. 

I would like to see more statistics in the monitoring part. There is monitoring, there are DSCPs, and everything; however, I would like to have more active monitoring of the traffic.

Sometimes we would like to monitor some threats. For example, where are some bots, and how do we detect these kinds of things. That would be good for us.

I've been using the solution for more than five years. 

We've been happy with the stability. It's been good so far. There are no bugs or glitches. It doesn't crash.

We are not scaling it right now. We bought it sometime back and we didn't need to scale it. We bought a higher end for our use case, which is still sufficient for another few years.

We have 200 or so users of different levels and positions on it.

We do not have plans to increase usage. 

This firewall is quite a capable firewall - even up to 1000 users. Due to that, we didn't find any requirement to expand it or replace it somehow. It has helped us build our software-defined WAN, LAN, et cetera. It is sufficient for us. It gives us Gbps throughput, which is good enough. The firewall itself is 32Gbps capable, which is more than what we need.

We have used support sometimes. That said, mostly we use it via the third party directly. They are helping us with support of any type that we need.

There was something else that was used. However, I don't remember what was that previously.

The initial setup was easy for us as we had assistance. 

For the deployment, one person was involved from the outside, and two people we assisting from our side. In total, three people were involved.

The deployment itself took a few days as we were rebuilding policies as well.

The initial setup was done by the contractor. For that reason, we had no problem implementing this.

The ROI we have witnessed is good. I would rate it five out of five. 

We started with a three-year license and have since renewed it. 

For three years, we paid about 2,800 KD, which is about $9,000.

The product is pretty affordable overall.

We are just customers of the solution. 

We're not using the most recent version. We updated it a few years ago and we are still using that version.

I'd rate the solution ten out of ten. We are really happy with it in general. 

Potential users should plan what they want to do with it before buying something this big and this good. They should know what they want to do first and then act accordingly.

We're using the solution for firewall segmentation, including segmentation of the network, authentication purposes, logins, et cetera.

Compared to other firewalls, segmentation is much easier in FortiGate.

The initial setup is straightforward. 

The support could be better. Their first-level support is often poorly trained. 

We don't have any other requirements in terms of needing new features. 

I've used the solution for ten years. 

The solution is stable. There are no bugs or glitches. It doesn't crash or freeze. 

It's scalable. The model we bought is highly scalable. However, if you buy a device on the low end, it may not be scalable. You need to consider what you need in advance and buy more than you need if you believe you will need to scale. 

Technical support is okay. Compared to Palo Alto, they need to improve a bit. Palo Alto is better. The first-level team isn't very knowledgeable. 

Neutral

I work with Palo Alto, Cisco, Fortinet, et cetera.

The initial setup is very simple and straightforward. It's not overly complex or difficult. You only need one person to implement the solution. 

The deployment will take only one hour, however, the policy web creation based on the user requirements may take time. That is the nature of every firewall. Usually, the deployment takes only one to two hours.

We handled the setup in-house. We didn't need any outside assistance. 

I don't directly deal with licensing. I can't speak to the exact costs.

I'm an end-user. I used to be a partner. 

We're using the latest version of the solution and update regularly.

I'd rate the solution seven out of ten. 

It's a security device. We use it to keep the bad guys away.

A firewall is a security appliance. FortiGate also does email filtering and does data loss prevention.

All networks are security-driven, we get throughputs and security. We feel that the people at Fortinet are easy to deal with from a support standpoint. If they need to jump in and help us, they're very willing to do that. Their email filtering, their data loss prevention, their intrusion prevention, type of products in the newest OSs has been outstanding.

I have been using Fortinet FortiOS for ten years. 

The stability is excellent. 

Scalability is wonderful. Affordability is really good.

Everybody's being protected by the firewall. The firewall device is using the operating system. And so, in that sense, you could say everybody is using it. The people that are actually technically working with the Fortinet devices are a handful, six to eight technicians.

We feel that the people at Fortinet are easy to deal with from a support standpoint. If they need to jump in and help us, they're very willing to do that. Their email filtering, their data loss prevention, their intrusion prevention, type of products in the newest OSs has been outstanding.

We've used other solutions in the past. But we've settled into FortiGate for around 10 years. 

The initial setup was straightforward. It's pretty much just plug and play. It takes hours. 

They're very competitive and easy to work with in terms of pricing. I can't say, that's why we chose them, that's why we've stuck with them. It's a very well-respected name in the industry.

Everybody wants to go to Cisco for different things and everybody loves to hate Cisco. Cisco is a great product for large companies. They're low income, they're low-end products and their support for their low-end products leaves a lot to be desired. That's hence why SonicWall, Extreme Networks, and Fortinet are in business. There are these other smaller companies that are getting involved with the smaller companies, taking market shares away from Cisco because Cisco's support for their product is bad.

The support contracts are usually about $100 - $200 a device. The support contract usually includes software upgrades, hardware maintenance, and hardware break-fix. And they very seldom break.

I am looking at replacing some SonicWalls for a customer. I think SonicWall is its competition. SonicWall is got a good product, but I still believe that FortiGate is the best product for the people that we deal with.

My advice to someone implementing this solution is not to take shortcuts. Shortcuts aren't good. Don't hesitate to use FortiGate's technical support.

Always buy support. Always buy FortiCare. You can buy it for one year, two years, or three years with the initial purchase. We always buy it and sell it to our customers for three years. And the product will last more than three years.

Fortinet competes in the big companies as well. We just don't. Our marketplace is the smaller users two or three, maybe four locations, 150 to 300 endpoints. So we're not dealing in the 10,000s of users trying to get into 100 of servers. We're dealing with tens and fifties and a hundred, trying to get into a few servers.

I would rate it a nine out of ten. It could more scalable for the lower end users. 

I used FortiOS, the Fortinet firewall operating system, to connect two additional sites. I set up IPSec VPNs to connect all three sites. I also configured firewall rules to block certain countries and websites, such as gambling and social media sites like Facebook. Additionally, I implemented firewall rules to protect our web servers from XSS and SQL Injection attacks. Initially, I configured the VPN using IPsec, but when I couldn't find a suitable client for our workstations and desktops, I switched to SSL VPN. Fortinet provides dedicated FortiClient VPN software, which I used for this setup.

At the beginning of this month, we experienced DDoS and SQL injection attacks. The attack originated from a botnet and seemed to be associated with BroadNet. It was coming from a Fortinet device. I had to contact Spectrum to inform them about the botnet attack and provide them with the specific IP addresses to block. This action likely prevented us from being hacked and protected our web servers that were exposed to the public. This incident highlighted the usefulness of FortiOS's threat intelligence features.

The firewall options in FortiOS allow us to open up access to our vendors for EDI and all its features.

Fortinet could integrate something like a YubiKey for 2FA with their SSL VPN clients. Additionally, Fortinet could support WireGuard for our small office locations.

These small offices have two clients that log into our VPN from their workstations. Since all our sites use FortiGate, it would be great if I could set up WireGuard on the Fortinet device. Instead of using IPSec, having WireGuard support for site-to-site VPNs would be wonderful.

I have been using Fortinet FortiOS since February this year.

They handle the support because it's their device. We don't own it; we lease it from Spectrum. So, I can't speak to that for now. However, when we used to own the FortiGate, every time I called Fortinet for support, I would rate their response time at eight out of ten and their problem-solving ability at nine out of ten.

Once they respond, because it takes me a while to navigate the bureaucracy, I call the 800 number. They ask for various information, tokens, and other details. After I explain the problem, they call me back again. Usually, they assign the issue to an engineer, which also takes time. The engineer then calls me and solves the problem. So, I have to deal with a lot of bureaucracy. 

Positive

We had a really old FortiGate there, and when we switched to the newer FortiGate, it was cheaper than the old one.

When we purchase a FortiGate, it comes with FortiOS. Overall, the pricing for the device and related components is better than average. In comparison, FortiGate offers more competitive pricing than Palo Alto and Cisco.

If they could log in, it would be possible only if FortiOS is included. With FortiOS, you can manage all your devices. Let's say you have ten devices and need to manage all of them, including patching FortiOS. FortiCloud helps you with that, and it's nice to have FortiCloud as a bundle with FortiOS. Even if you only have one device, I would still recommend it.

I suggest incorporating AI or machine learning to anticipate threats in the future. For instance, if you configure a new site with your FortiGate, AI could detect any misconfigurations. It would be beneficial for FortiOS, FortiGate, or Fortinet to have an AI feature that alerts you to potential misconfigurations in devices, like an edge router, communicating with others. This AI could also analyze your logs to identify patterns, such as frequent false positives, and recommend reconfiguring the device to minimize unnecessary alerts. 

It's good. In my case, I was the only one dealing with the devices at that time. I would get all kinds of false positives and alerts. Sometimes, if there's a new device, the configuration from the old device to the new device doesn't translate. Maybe on the old device, everything defaults to open, and you must close everything. On the new device, everything might be defaulted to closed, and you have to open up the required ports. So, something like that would be nice, where it's easier to configure and find out if you did something wrong.

Overall, I rate the solution an eight-point five to nine out of ten.

We use Fortinet FortiOS to protect our office, and we have another deployment in production. We have the PCI DSS environment on which we have deployed the Fortinet Firewall.

I am satisfied with Fortinet FortiOS. It's a cool product and has a lot of UTM features. It has application control, web filtering, antivirus, IPS/IDS, DNS filtering, and many things in that firewall. It also has a web application firewall WAF feature. On the feature side, it's a good firewall.

It would be better if AWS instances were available. If I want to upgrade from T2.small to T2.medium, it should be available rather than having a big instance and paying a lot of money for that.

The issue is that we had deployed in AWS Cloud, and we were using a very small instance. Recently we wanted to move in-house and deploy it on the big instance because it was struggling with the RAM. If we use T2.small, we cannot upgrade it to the T2.medium. It has predefined instances in the marketplace with a lot of cost differences.

If I can increase the RAM, I have to choose the T3.large instance. If I'm paying $270 for the small instance, I have to pay more than double the cost for T3.large. It is about $850, and this is not good. So, it would be better if it was cheaper.

I think both AWS and Fortinet should think about that. They should provide it on lower instances as well. If I want to upgrade it from T2.small to T2.medium, it should be available, but it's a problem.

I have been using Fortinet FortiOS since 2019, so more than three years.

Fortinet FortiOS is a stable product.

Fortinet FortiOS is scalable. 

Technical support is good. When I create the ticket, they respond to me, engage the engineer, and support is good. No issue at all.

The initial setup is not too complex; it's simple.

It would be better if it were cheaper. We have the firewall in our office, and the license is expiring in 20 to 25 days. We got a quote for almost 80,000 Pakistani Rupees, which is a little costly.

If I compare Fortinet FortiOS with Cisco Adaptive Security Appliance (ASA), it's a cool product. The deployment of ASA is a little bit complex because it's GUI-based, and ASA also has a graphical user interface. But I still think Fortinet is a good firewall compared to ASA because if you want to use the IPS/IDS feature in the ASA, you have to deploy the management center and integrate it with the firewall, which is a little complex.

I recommend this solution to potential users because it has many features, and it's a stable product.

On a scale from one to ten, I would give Fortinet FortiOS an eight. 

We primarily use the solution for banks, whereby they want to secure their edge network, to filter their web application and block forms, etc. We also are able to integrate AWS using secure channels. It's more robust and they have different modes including nap, flow, and proximity.

You can apply patterns to look for. That can be done for applications also. You can ask for a specific feature to become a pattern.  If you were using Office 360 and had 2 ISPs, automatically using SD-WAN will allow you to switch over to the other link based on the criteria you can set yourself. You don't need to go to the device to manually sort and link it, it does it automatically.

Users can go directly to the cloud from the branch instead of routing to the head office and then the cloud. That will reduce the cost of routing, so you just pay for internet service and you have access to the cloud.

The interface is easy to understand, so when there are threats you get alerts. It's quite intuitive, but if you are ever confused they have instructional videos. For example, if you don't understand a graph there's a link to a video that explains what the graph means. It makes it very user-friendly.

The solution is good, but they have poor marketing in Nigeria. They need to market their product better.

They need to work on their support. Cisco has the best technical support. In comparison, Fortinet's support takes too long. If you are paying for SLAs, you should also get value from your SLAs.

Right now, everybody is moving to the cloud. The solution has already worked on that aspect, and they are embedding security to the cloud. However, security can be more enhanced and as long as they continue to offer more protection I'll be happy.

The solution is very stable.

The solution is very scalable. It allows for API integrations so you can actually integrate into other security solutions.

Technical support could be more qualified and offer a quicker turnaround.

The initial setup is very straightforward, especially if that person understands security.

We integrate solutions on the client's request. Most times I push on Fortinet, as it's a robust system.

You can integrate your endpoint with Fortinet. You can integrate the cloud on-premises. Because the solution is so robust and offers excellent the features we tend to enjoy using FortiOS. Cisco is similar, however, and we do work with them too.  

We are using the on-premises deployment model.

We are an integrator, so we do integrations using Fortinet, Cisco, Sophos, and Palo Alto.

If you're an SMB or a small enterprise, I would recommend Fortinet.

I would advise users to make sure they are getting value for what they are paying for. I can say that Fortinet is not as expensive as the others, but it also gives good value. The main thing is not about the cost, but the value and Fortinet delivers on that front.

I would rate the solution nine out of ten.