The solution has an all-in-one approach. We buy one product and everything our customer needs is included. He doesn't have to pay any additional licenses to get more functionality, so everything is there and if we have to do any adjustments, it's also done very quickly and easily.
An affordable all-in-one solution that's very stable
Pros and Cons
- "The solution is very stable. It has run for years without the need to do anything except add new patches when they are available, which are always a good idea to install."
- "They could work on their documentation. If there's anything about the solution that needs improvement, it's that. For example, documentation already is on a very high level but specifically on the CLI there are tons of features which can be fine-tuned and thousands of commands are very difficult to document. If they could make this easier, it would improve the overall solution."
What is most valuable?
What needs improvement?
The solution can't be improved, but it can be managed more clearly. The solution just needs minor improvements. I'm quite sure Fortinet is already working on this.
They could work on their documentation. If there's anything about the solution that needs improvement, it's that. For example, documentation already is on a very high level but specifically on the CLI, there are tons of features which can be fine-tuned and thousands of commands are very difficult to document. If they could make this easier, it would improve the overall solution.
For how long have I used the solution?
I've been using the solution for 1.5 years.
What do I think about the stability of the solution?
The solution is very stable. It has run for years without the need to do anything except add new patches when they are available, which are always a good idea to install.
Buyer's Guide
Fortinet FortiSIEM
February 2025

Learn what your peers think about Fortinet FortiSIEM. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
838,713 professionals have used our research since 2012.
How was the initial setup?
The initial setup is quite easy.
What's my experience with pricing, setup cost, and licensing?
If we do an overall comparison with other products and also count the additional licenses, which are necessary for other products, then the prices are comparable.
If we just leave it at base prices, for example, Splunk: Splunk is cheaper, but if you also count the price for licenses, reports, and other things - especially the megabytes and gigabytes of the log data that you need - then it comes up to a much higher price than you have to pay for FortiSIEM, which already includes these things in a base version.
What other advice do I have?
I would rate the solution nine out of ten. Our clients have been very happy with the solution.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.

Cybersecurity Engineer at a tech services company with 11-50 employees
Stable machine learning solution that offers the advanced use of AI
Pros and Cons
- "The advanced agents used to collect logs have been most valuable. We have also made use of the advanced intelligence this solution offers."
- "The graphs on the user interface could be improved as we often experience glitches."
What is our primary use case?
We use this solution to collect logs.
What is most valuable?
The advanced agents used to collect logs have been most valuable. We have also made use of the advanced intelligence this solution offers.
What needs improvement?
The graphs on the user interface could be improved as we often experience glitches.
What do I think about the stability of the solution?
This is a stable solution.
How are customer service and support?
The customer service team needs additional experience and knowledge of the solution so the answers they provide are more accurate and helpful.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We use this solution together with McAfee ESM which is a simple and robust solution. Its interface is better than SIEM.
How was the initial setup?
The initial setup was straightforward. The time it takes to complete the setup and deployment depends on the size of the environment and the number of EPS (events per second).
What other advice do I have?
This is a good solution but is fairly new so the support for it is not effective. Their support team does not have the experience to immediately solve issues.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Assistant Engineer at Harel Mallac Technologies Ltd
Easy to use, user-friendly, and reliable
Pros and Cons
- "The solution is easy to use and user-friendly."
- "Fortinet FortiSIEM could improve by having better integration and extensions. This would benefit by allowing us to give more rules."
What is our primary use case?
Fortinet FortiSIEM can be used to detect unusual user and entity behavior on networks.
We currently are in the process of testing the solution.
What is most valuable?
The solution is easy to use and user-friendly.
What needs improvement?
Fortinet FortiSIEM could improve by having better integration and extensions. This would benefit by allowing us to give more rules.
For how long have I used the solution?
I have been using Fortinet FortiSIEM for a few months.
What do I think about the stability of the solution?
I have found Fortinet FortiSIEM to be stable.
What do I think about the scalability of the solution?
Fortinet FortiSIEM is scalable.
How was the initial setup?
The installation is straightforward and can be done in one day.
What about the implementation team?
I am able to do the implementation of the solution.
What's my experience with pricing, setup cost, and licensing?
The solution is available for both perpetual and subscription licenses.
What other advice do I have?
I rate Fortinet FortiSIEM an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cyber Security Analyst at a tech services company with 11-50 employees
Provides valuable CIM-based predefined rules and an efficient automated response feature
Pros and Cons
- "Its automated response feature has benefited our customer communication. Analysts feel more confident in providing timely responses."
- "There could be more AI features included in the product."
What is our primary use case?
We use the product for threat detection.
What needs improvement?
There could be more AI features included in the product.
For how long have I used the solution?
We have been using Fortinet FortiSIEM for more than two years.
What do I think about the stability of the solution?
I rate the platform's stability an eight and a half out of ten.
How are customer service and support?
The technical support services need improvement.
How would you rate customer service and support?
Positive
What other advice do I have?
They have released a new update recently. With the help of AVPN, users can log in from another country directly using CIM-based predefined rules. Its automated response feature has benefited our customer communication. Analysts feel more confident in providing timely responses.
I recommend other users to go with Fortinet FortiSIEM and rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Technical manager at a tech services company with 11-50 employees
User-friendly, reliable, scales well, and has good technical support
Pros and Cons
- "Fortinet FortiSIEM is easy to use."
- "I would like to see more integration with other platforms."
What is our primary use case?
This solution is used to detect irregular user and entity behavior using machine learning.
What is most valuable?
Fortinet FortiSIEM is easy to use.
What needs improvement?
I would like to see more integration with other platforms.
For how long have I used the solution?
We have been providing Fortinet FortiSIEM for one year.
This solution can be deployed both on Cloud, and on-premises.
What do I think about the stability of the solution?
Fortinet FortiSIEM is a stable solution.
What do I think about the scalability of the solution?
It's a scalable product.
How are customer service and support?
Technical support is good enough. They were able to help us.
How was the initial setup?
It is easy to install.
In one day, we were able to install this solution ourselves.
We only need one engineer to maintain this solution.
What's my experience with pricing, setup cost, and licensing?
They have a yearly subscription.
What other advice do I have?
I would rate Fortinet FortiSIEM a ten out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Security Engineer at a tech services company with 1,001-5,000 employees
It's a nice tool for integration and monitoring, but it's difficult to integrate unsupported devices
Pros and Cons
- "FortiSIEM provides a single pane to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high."
- "It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM."
What is our primary use case?
We have nearly 30 analysts currently using FortiSIEM.
What is most valuable?
FortiSIEM provides a single pane to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high.
What needs improvement?
It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM.
For how long have I used the solution?
I've been using FortiSIEM for a year and a half.
What do I think about the stability of the solution?
FortiSIEM is stable. QRadar and FortiSIEM are both fairly stable. There aren't many issues from an admin point of view.
What do I think about the scalability of the solution?
FortiSIEM is scalable.
How are customer service and support?
Fortinet support is great. They're more responsive than IBM.
How was the initial setup?
FortiSIEM is easy to set up. Installing the supervisor component of FortiSIEM took around one hour, but the console installation for QRadar takes almost three to four hours.
What other advice do I have?
I rate FortiSIEM seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a sports company with 51-200 employees
I can write my own parsers for the devices that are not supported. I am unable to perform complex/nested queries.
Pros and Cons
- "The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature."
- "The reporting feature is not very attractive for the upper management and I am not able to perform complex/nested queries."
How has it helped my organization?
It provides extremely fast and flexible querying of logs/events on the network. For example, it's easy to write a quick query for all the "authentication" requests on the network, regardless of where they came from, i.e., during the past days, weeks or months.
What is most valuable?
The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature. It’s impossible to find an application that supports every device/manufacturer that we have. Thus, being able to write my own parsers for device logs, allows for greater scalability.
What needs improvement?
The reporting feature is not very attractive for the upper management and I am not able to perform complex/nested queries. However, it does function well for our day-to-day operations.
What do I think about the stability of the solution?
We did experience some stability issues. The parser engine crashes often, but it does recover without any noticeable impact to the performance or service.
What do I think about the scalability of the solution?
There were no scalability issues; the product scales well for us.
How are customer service and technical support?
Support was very good when owned by AccelOps. I have not opened any recent cases with Fortinet since its buyout.
How was the initial setup?
The setup was pretty complex, but we had great support from AccelOps.
What's my experience with pricing, setup cost, and licensing?
I haven’t looked at the latest offerings or licensing models since Fortinet bought this product. Previously, AccelOps was looking to add other Tableau reporting modules for more complex reporting purposes. This was not attractive to us, due to the high cost of Tableau's licensing. Also, it required licensing for an event forwarding engine to be installed on the servers. The cost was getting high when we looked at licensing for 50-plus servers.
Which other solutions did I evaluate?
We only evaluated this solution and loved the capabilities that it offers. We decided to take a chance and I’m not sorry that we did. Overall, the experience has been very positive.
What other advice do I have?
Make sure you size the solution to the number of devices and servers on the network. Don’t be afraid to add additional workers.
Try to avoid using WMA formats for log retrieval of the busy servers; this is extremely resource-intensive. Price out the event forwarding engine that they offer and add it to your budget.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Security Architect at a retailer with 1,001-5,000 employees
It helps us identify the origin of a DoS attack, where it came from, how long it lasted, how intense it was, etc. and take the appropriate action.
What is most valuable?
The primary thing I use it for is monitoring IPS because we have 12 or 14 Cisco IPS devices, and the Cisco solution for monitoring that many IPS devices is hokey at best, aside from it being expensive. I also use it when we’re trying to track down activity on a particular IP address – I use the query engine to search for things like that.
How has it helped my organization?
We've had some situations where we've either gotten hit with a DoS attack or we've gotten notification that we've been blacklisted because some IP that belongs to us is roaming the internet trying to bogusly log in to SNMP servers. So, we'll take that IP, or wherever the DoS is coming from, and run a query over the last 30 days or so, to see just what the activity on that machine has been, and make various decisions from that. In a couple of cases it's meant shutting down the machines and getting them off the network because they've obviously got some kind of malware on them. In other cases, it's been a matter of determining the exact scope of the DoS - where it came from, how long it lasted, how intense it was, etc.
What needs improvement?
One of the things that I actually opened a ticket about (and they couldn't help me) is that when traffic is leaving our network, it'll only report the source. I would think that if it's examining the packets, it should also be able to give me the destination. It's not possible to tell me whether it reached the destination, but it would be helpful to know where it was headed when it left the network. That field is always empty in the query.
For how long have I used the solution?
I've used it for about a year.
What was my experience with deployment of the solution?
No serious issues. The biggest issue I had with their deployment methodology as a virtual appliance - with the way our VM farms are structured - is that there are only a couple of people that are allowed to bring up OVAs, which is the way they ship the product, so I have to get their time to do any kind of upgrade. That's why I recently queried the helpdesk on what was required to do the upgrade that's available to us (at no cost), and they pointed me to a manual which I haven't had time to download yet. My guess is I'm going to have to deploy a separate OVA.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
We've not had any issues so far.
How are customer service and technical support?
Customer Service:
The only complaint I have is that they wouldn't issue a license until they had the check in their hands, which is not my experience with other vendors. If you issue a PO for something, usually you get a license immediately - in their case they wouldn't until they had actually gotten payment, which was a little frustrating.
Technical Support:
I have tried to open some tickets, and usually they'll respond with a note at the top of the response. It says "if you're responding to this email do it above this line," and I didn't see that the first time I got an email like that, so for weeks they kept sending me emails saying I hadn't responded to their initial contact. To me that was a little bit nit-picky.
Which solution did I use previously and why did I switch?
I inherited a solution that was discontinued by the vendor, and I was charged with finding a replacement.
How was the initial setup?
Once we got the OVA file, and I was able to commandeer some time from the appropriate people here, it wasn’t an issue.
What about the implementation team?
It was in-house. Part of the initial purchase included some on-site time with one of their engineers, so I used that time to do an upgrade while he was here.
What's my experience with pricing, setup cost, and licensing?
The pricing seems fairly standard in terms of the pricing model, so how it compares to other similar products I don’t know. The people I took this to about replacing the other product didn’t seem to blink at the price.
Which other solutions did I evaluate?
We ran a PoC for Accelops for a trial period, so we didn’t look as much into other products.
What other advice do I have?
It would be to get as good an estimate as you can of what EPS you'll need before you get pricing and so forth. We underestimated what we would need, which is what precipitated ordering additional licensing and not being able to get them right that.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.