IT Executive: Operations & Security at Icon Information Systems (Pty) Ltd
The performance is very good, and it is extremely scalable
Pros and Cons
- "To add workers and even collectors is pretty easy."
- "The dashboard needs to improve."
What is our primary use case?
We run a Managed Security Services company and we use it in-house and for some of our clients. The service is a multitenant platform where our clients can log on to view and access various security-related activities and features. In more ways, it becomes like a cloud solution to them. We make use of a secure connection from the clients’ networks using collectors located on their premises back to our centralized SIEM platform.
What is most valuable?
The most valuable feature is the differentiator, which has a combination of not only the SOC which covers the security operations aspect, but it also includes NOC capabilities. FortiSIEM uses PAM (Performance, Availability, and Monitoring) from an NOC perspective. So not only do you natively look at security data as most SIEM solutions do, but you're also looking at the performance and the availability component of those devices. It's easy for us to coordinate if a security incident occurs. You're not only looking at security logs but you're also looking at what could potentially have happened in terms of device performance. So that feature to me already makes it quite a big differentiator in the market, compared to other SIEM tools out there.
What needs improvement?
When they started out after acquiring AccelOps, the user interface wasn't that great. But from version 5.0 they have obviously radically changed the interface, aligning it to the rest of the Forti products from a user experience point of view. This means that there is constant improvement on the interface side of the solution. The other thing that I've noticed is when searching for very old incidents, there is a slight delay. It obviously has to pull that information from the backend database, and the key point to note is that it depends on how you set it up in the backend where factors such as disk types and disk array configs come into play.
For how long have I used the solution?
I have been using this solution for 18 months now.
Buyer's Guide
Fortinet FortiSIEM
November 2024
Learn what your peers think about Fortinet FortiSIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
814,649 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is quite solid and stable.
What do I think about the scalability of the solution?
The scalability component is easy. Adding workers and even collectors is easy, which is how we've deployed it; that makes scalability much easier. We plan to grow our users into the thousands.
How are customer service and support?
I never really used support from Fortinet for the FortiSIEM solution that frequently because I figured most of the stuff out on my own, but that being said, Fortinet support is great.
How was the initial setup?
The initial setup was quite complex. We've had some issues with the first OVF file that we downloaded. We had to customize the installation processes. It was a bit complex in the earlier versions, but the newer versions have greatly improved.
What other advice do I have?
We use an on-premises deployment model from our perspective and a hybrid model from a customer/user perspective.
I will recommend this solution to others out there looking for a SIEM solution. I've already done a few events where we talked about FortiSIEM and its advantages. I do, however, think the main dashboard where you create and design your graphs could do with some improvement. On a scale from 1 to 10, I will rate this solution an 8 to ensure there’s continuous improvement.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Systems Administrator with 501-1,000 employees
Dashboards provide us with the real-time status of our network, including specific alerts and granular monitoring.
Valuable Features
The granular monitoring capabilities. Also, it's very configurable.
Improvements to My Organization
It gives greater visibility via the dashboards into the real-time status of the network. Additionally, it also provides specific alerts and performance monitoring.
Room for Improvement
Some of the out-of-box dashboards could be more useful, as they’re not configured out-of-box. Some other products we’ve used give a lot more information right out of the box. With Accelops, we didn’t get quite enough useful information at the beginning. Ping monitors (STMs) are highly configurable, but it would be nice to have a simpler monitor to go with it, like a simple ping monitor. As it is, we have to go through three different processes and 30 minutes to get the ping monitor up with email notifications. It should have an easier way to configure some of these more common monitors.
Use of Solution
I've used it for two years, but the firm has had the solution in place for longer.
Stability Issues
The product is always stable, but there were a few bugs. During some of the upgrades, fixing one problem revealed another, so we had to go through several patch iterations to find a bug-free version that works for us.
Scalability Issues
None. Far more scalable than is required for us.
Customer Service and Technical Support
Customer Service: Great - we’d give it a 10/10.
Technical Support: 6/10 - as far as the techs go, they are knowledgeable, but when trying to get a hold of a tech or have them call back, they weren’t responsive. It was one of my biggest frustrations with the product, and I started to look elsewhere for another solution at one point. Issues that could have been resolved in 30-60 minutes sometimes took months, but they have improved.
Other Advice
Just do your research – the product does a lot, but it may be more than you’re looking for. Also, be aware that it requires a lot of time to maintain, set up, and configure.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Cyber Security Analyst at a tech services company with 11-50 employees
Provides valuable CIM-based predefined rules and an efficient automated response feature
Pros and Cons
- "Its automated response feature has benefited our customer communication. Analysts feel more confident in providing timely responses."
- "There could be more AI features included in the product."
What is our primary use case?
We use the product for threat detection.
What needs improvement?
There could be more AI features included in the product.
For how long have I used the solution?
We have been using Fortinet FortiSIEM for more than two years.
What do I think about the stability of the solution?
I rate the platform's stability an eight and a half out of ten.
How are customer service and support?
The technical support services need improvement.
How would you rate customer service and support?
Positive
What other advice do I have?
They have released a new update recently. With the help of AVPN, users can log in from another country directly using CIM-based predefined rules. Its automated response feature has benefited our customer communication. Analysts feel more confident in providing timely responses.
I recommend other users to go with Fortinet FortiSIEM and rate the product an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Cybersecurity Engineer at a tech services company with 11-50 employees
Stable machine learning solution that offers the advanced use of AI
Pros and Cons
- "The advanced agents used to collect logs have been most valuable. We have also made use of the advanced intelligence this solution offers."
- "The graphs on the user interface could be improved as we often experience glitches."
What is our primary use case?
We use this solution to collect logs.
What is most valuable?
The advanced agents used to collect logs have been most valuable. We have also made use of the advanced intelligence this solution offers.
What needs improvement?
The graphs on the user interface could be improved as we often experience glitches.
What do I think about the stability of the solution?
This is a stable solution.
How are customer service and support?
The customer service team needs additional experience and knowledge of the solution so the answers they provide are more accurate and helpful.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We use this solution together with McAfee ESM which is a simple and robust solution. Its interface is better than SIEM.
How was the initial setup?
The initial setup was straightforward. The time it takes to complete the setup and deployment depends on the size of the environment and the number of EPS (events per second).
What other advice do I have?
This is a good solution but is fairly new so the support for it is not effective. Their support team does not have the experience to immediately solve issues.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Engineer at a sports company with 51-200 employees
I can write my own parsers for the devices that are not supported. I am unable to perform complex/nested queries.
Pros and Cons
- "The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature."
- "The reporting feature is not very attractive for the upper management and I am not able to perform complex/nested queries."
How has it helped my organization?
It provides extremely fast and flexible querying of logs/events on the network. For example, it’s easy to write a quick query for all the “authentication” requests on the network, regardless of where they came from, i.e., during the past days, weeks or months.
What is most valuable?
The ability to write my own parsers for the devices that are not supported by Fortinet is the most valuable feature. It’s impossible to find an application that supports every device/manufacturer that we have. Thus, being able to write my own parsers for device logs allows for greater scalability.
What needs improvement?
The reporting feature is not very attractive for the upper management and I am not able to perform complex/nested queries. However, it does function well for our day-to-day operations.
What do I think about the stability of the solution?
We did experience some stability issues. The parser engine crashes often, but it does recover without any noticeable impact to the performance or service.
What do I think about the scalability of the solution?
There were no scalability issues; the product scales well for us.
How are customer service and technical support?
Support was very good when owned by AccelOps. I have not opened any recent cases with Fortinet since its buyout.
How was the initial setup?
The setup was pretty complex, but we had great support from AccelOps.
What's my experience with pricing, setup cost, and licensing?
I haven’t looked at the latest offerings or licensing models since Fortinet bought this product. Previously, AccelOps was looking to add other Tableau reporting modules for more complex reporting purposes. This was not attractive to us, due to the high cost of Tableau's licensing. Also, it required licensing for an event forwarding engine to be installed on the servers. The cost was getting high when we looked at licensing for 50-plus servers.
Which other solutions did I evaluate?
We only evaluated this solution and loved the capabilities that it offers. We decided to take a chance and I’m not sorry that we did. Overall, the experience has been very positive.
What other advice do I have?
Make sure you size the solution to the number of devices and servers on the network. Don’t be afraid to add additional workers.
Try to avoid using WMA formats for log retrieval of the busy servers; this is extremely resource-intensive. Price out the event forwarding engine that they offer and add it to your budget.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Engineer at a tech services company with 1,001-5,000 employees
It's a nice tool for integration and monitoring, but it's difficult to integrate unsupported devices
Pros and Cons
- "FortiSIEM provides a single PIN to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high."
- "It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM."
What is our primary use case?
We have nearly 30 analysts currently using FortiSIEM.
What is most valuable?
FortiSIEM provides a single PIN to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high.
What needs improvement?
It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM.
For how long have I used the solution?
I've been using FortiSIEM for a year and a half.
What do I think about the stability of the solution?
FortiSIEM is stable. QRadar and FortiSIEM are both fairly stable. There aren't many issues from an admin point of view.
What do I think about the scalability of the solution?
FortiSIEM is scalable.
How are customer service and support?
Fortinet support is great. They're more responsive than IBM.
How was the initial setup?
FortiSIEM is easy to set up. Installing the supervisor component of FortiSIEM took around one hour, but the console installation for QRadar takes almost three to four hours.
What other advice do I have?
I rate FortiSIEM seven out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer L1 at a media company with 11-50 employees
Easy to understand and the technical support is good, but they need better documentation
Pros and Cons
- "It's a very nice solution to work with."
- "There is no proper guide for integration or configuration."
What is our primary use case?
We are trying to onboard some devices, which we will analyze using Fortinet FortiSIEM.
Once it responds smoothly, we will onboard some clients with requests.
What is most valuable?
It's a very nice solution to work with. It is easy to understand.
What needs improvement?
There is no proper guide for integration or configuration. They need to improve the documentation library.
For how long have I used the solution?
We are using the enterprise version in my organization. I have been using it for 30 to 40 days, but not more than two months.
How are customer service and technical support?
We have contacted technical support. They are good and provide good resolutions.
How was the initial setup?
The initial setup was straightforward.
What other advice do I have?
I will definitely recommend this solution to others. I am still exploring it, as it is new to us. I need more time to analyze it further.
I would rate Fortinet FortiSIEM a seven out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Network Security Architect at a retailer with 1,001-5,000 employees
It helps us identify the origin of a DoS attack, where it came from, how long it lasted, how intense it was, etc. and take the appropriate action.
What is most valuable?
The primary thing I use it for is monitoring IPS because we have 12 or 14 Cisco IPS devices, and the Cisco solution for monitoring that many IPS devices is hokey at best, aside from it being expensive. I also use it when we’re trying to track down activity on a particular IP address – I use the query engine to search for things like that.
How has it helped my organization?
We’ve had some situations where we’ve either gotten hit with a DoS attack or we’ve gotten notification that we’ve been blacklisted because some IP that belongs to us is roaming the internet trying to bogusly log in to SNMP servers. So, we’ll take that IP, or wherever the DoS is coming from, and run a query over the last 30 days or so, to see just what the activity on that machine has been, and make various decisions from that. In a couple of cases it’s meant shutting down the machines and getting them off the network because they’ve obviously got some kind of malware on them. In other cases, it’s been a matter of determining the exact scope of the DoS – where it came from, how long it lasted, how intense it was, etc.
What needs improvement?
One of the things that I actually opened a ticket about (and they couldn’t help me) is that when traffic is leaving our network, it’ll only report the source. I would think that if it’s examining the packets, it should also be able to give me the destination. It’s not possible to tell me whether it reached the destination, but it would be helpful to know where it was headed when it left the network. That field is always empty in the query.
For how long have I used the solution?
I've used it for about a year.
What was my experience with deployment of the solution?
No serious issues. The biggest issue I had was with their deployment methodology as a virtual appliance – with the way our VM farms are structured, there are only a couple of people who are allowed to bring up OVAs, which is the way they ship the product, so I have to get their time to do any kind of upgrade. That’s why I recently queried the helpdesk on what was required to do the upgrade that’s available to us (at no cost), and they pointed me to a manual which I haven’t had time to download yet. My guess is I’m going to have to deploy a separate OVA.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
We've not had any issues so far.
How are customer service and technical support?
Customer Service: The only complaint I have is that they wouldn’t issue a license until they had the check in their hands, which is not my experience with other vendors. If you issue a PO for something, usually you get a license immediately – in their case they wouldn’t until they had actually gotten payment, which was a little frustrating.
Technical Support: I have tried to open some tickets, and usually they’ll respond with a note at the top of the response. It says “if you’re responding to this email do it above this line,” and I didn’t see that the first time I got an email like that, so for weeks they kept sending me emails saying I hadn’t responded to their initial contact. To me that was a little bit nit-picky.
Which solution did I use previously and why did I switch?
I inherited a solution that was discontinued by the vendor, and I was charged with finding a replacement.
How was the initial setup?
Once we got the OVA file, and I was able to commandeer some time from the appropriate people here, it wasn’t an issue.
What about the implementation team?
It was in-house. Part of the initial purchase included some on-site time with one of their engineers, so I used that time to do an upgrade while he was here.
What's my experience with pricing, setup cost, and licensing?
The pricing seems fairly standard in terms of the pricing model, so how it compares to other similar products I don’t know. The people I took this to about replacing the other product didn’t seem to blink at the price.
Which other solutions did I evaluate?
We ran a PoC for Accelops for a trial period, so we didn’t look as much into other products.
What other advice do I have?
My advice would be to get as good an estimate as you can of what EPS you’ll need before you get pricing and so forth. We underestimated what we would need, which is what precipitated ordering additional licensing and not being able to get them right that.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.