What needs improvement with Fortinet FortiOS?

The main challenge with Fortinet FortiOS is integration with third-party solutions. I don't see any other areas for improvement. Nowadays, all products work well for 50-60 percent of needs. We must only fulfill 60-70 percent of client requirements because they don't use 100 percent of product features. Banks and financial sectors might need more security features. I don't work much in banking, but they often use multiple products for different security layers, not just firewalls. They might use various products or APIs for different purposes. In the end, clients use the products that suit their needs. At the moment, I don't see any additional features that need to improve, as it's already performing well, even for small businesses. However, one area that could be improved is the consistency in pricing across different regions. Sometimes, the pricing varies depending on the distributor or region, which can confuse. For instance, online prices may not match what we get from distributors, particularly for subscriptions.

Sometimes, Fortinet FortiOS changes its CLI (command line interface) with new versions, which leads to internal incompatibility. When this happens, you need to update the configuration to match the new format, as the commands aren’t always the same. This can create some confusion and extra work because, unlike other vendors where the CLI commands remain primarily consistent with updates, Fortinet often changes the syntax between versions.

Fortinet could integrate something like a YubiKey for 2FA with their SSL VPN clients. Additionally, Fortinet could support WireGuard for our small office locations. These small offices have two clients that log into our VPN from their workstations. Since all our sites use FortiGate, it would be great if I could set up WireGuard on the Fortinet device. Instead of using IPSec, having WireGuard support for site-to-site VPNs would be wonderful.

A switch should be introduced.

Fortinet FortiOS's integration could be improved. It has extensive integration features, such as collectors for other services and third-party intelligence feeds.

The solution's firmware updates have significant bugs and issues. They affect the network and firewall. This particular area needs improvement. Also, they should include an advanced firewall feature.

I want to see a better integration or a better integration with the endpoint protection or with EDR with the security life cycle. I want to see if that enhances a bit more so I have granular datasets and the user level through to the gateway because that's where most of our threats come from. It's from user activities on the Internet and passes into your files over that gateway. That's where most of our threats would appear and where our exposure to vulnerabilities lies. So if we can tighten that up, we can harden our infrastructure much better.

We haven't had any issues with the solution. It's been pretty good in general. We would like to see the ability to maybe monitor applications that use the SD-WAN. They need to integrate more with the SD-WAN. We would like to see lower pricing. The price is high.

Real-time threat monitoring is not there. The traffic hitting the firewall needs to be improved to have real-time monitoring. Traffic should be more visible and should be available on the dashboard. Even if something is blocked, we should be able to see the traffic. We need a security posture showing the organization's security posture to see the traffic hitting the firewall, the user or entity behavior, et cetera. If there's an abnormality, it should be reported. We need to be able to generate multiple reports and see everything in the logs. Logs are only available for a week; we should have them visible for up to three or six months or even a year. It can be a bit expensive. If you have an emergency and need support immediately, it can be hard to reach them as they don't have a direct number to call.

The UI could be a bit better. The coming generation will not be from the Sierra, and therefore they have a chance to make it much better and more user-friendly. Right now, we have to contend with CLI. We'd like it to be easier. We need the features to be in a UI.

The solution's graphic interface could be a bit more responsive and include notations when changes are made

SD-WAN configuration could be easier. The support could be better. We'd like to see bandwidth optimization and traffic prioritization capabilities. These are the two things that I'm looking for, especially in SD-WAN.

It should be controlled in the local environment as well. Its gateway security is more powerful. However, it should also manage the local DSCP network, so the policies, local LAN policies, and other stuff should be there.

The product needs a feature that allows users to create another site on a VPN.

Fortinet FortiOS need to manage its memory and CPU utilization better. It peaks at times, which sometimes can be challenging. In a feature release, if Fortinet FortiOS could have better cloud functionality would be a benefit.

We don't really find a lot of issues on it. If I really have to complain about something, and there's not much, is the free VPN solution is a bit limited. Then again, it is a free solution. That's essentially it. Nothing else on the FortiGate or on the Fortinet OS side is really an issue. That's one of the main reasons why we use them: everything works and works well. For what we use, there isn't really any missing feature. In fact, we actually want to get rid of some of the features that they have due to the fact that, for the security model that we need to implement, having more features actually opens up potential risk. We actually would like to have a device that is more focused specifically on OT environments the operational technologies. We would prefer a device that's stripped down, that doesn't have all the other fluff in the more enterprise system. We actually want a feature where we can remove features that are there that we don't use. That is actually a thing that we find. We use it now in an operational technology environment. We use normal IT equipment. However, it's not a normal IT network. It differs significantly from a normal corporate IT environment. In a normal corporate IT environment, you like the fluff, and the additional features, and you can click, click, click, and you're done. However, all of those features you add to a device open up risk for us. And that is something we do differently in the OT environment in operational technology. We prefer to not have the fluff. We prefer to have only what is needed for the device to do what it needs to do. For example, imagine an additional feature for some sort of additional VPN technology has been added. However, it's not really needed for the OT environment, and it's not configured on the device, yet there's some sort of security threat in there. Now, all of a sudden, somebody can hack your system, and he's in there, and he's switching the lights on and off the entire city. And you don't know about it due to the fact that the additional fluff that we added to the system, we weren't aware of that issue was on there. You can enable and disable certain modules in it. However, with disabling, nobody can really tell us if that module is disabled. Is it really disabled? Is it actually unloaded? Is it uninstalling Word from your laptop, or is it just not running Word?

I would like to see the features of FortiAnalyzer included in Fortinet FortiOS. Right now, you're required to have an additional license and a different device for features such as processing the log, reporting, and analyzing traffic.

I would like to see fewer bugs. If you use the box with its basic features, the solution is straightforward and stable, but you can run into bugs when using newer features or in more complex use cases. They included a DNS filter as a new feature, and I had issues that required raising a ticket with customer support.

Some features I have found to be hidden and cannot be accessed through the graphical user interface, you can only access them through the command-line interface(CLI). All the features should be accessible through the graphical user interface.

The threat time interval lags a little, especially if there's a heavy load on the firewall.

It would be better if AWS instances were available. If I want to upgrade from T2.small to T2.medium, it should be available rather than having a big instance and paying a lot of money for that. The issue is that we had deployed in AWS Cloud, and we were using a very small instance. Recently we wanted to move in-house and deploy it on the big instance because it was struggling with the RAM. If we use T2.small, we cannot upgrade it to the T2.medium. It has predefined instances in the marketplace with a lot of cost differences. If I can increase the RAM, I have to choose the T3.large instance. If I'm paying $270 for the small instance, I have to pay more than double the cost for T3.large. It is about $850, and this is not good. So, it would be better if it was cheaper. I think both AWS and Fortinet should think about that. They should provide it on lower instances as well. If I want to upgrade it from T2.small to T2.medium, it should be available, but it's a problem.

Fortinet FortiOS can improve the GUI and remove the command line interface. All the functionality should be available from the GUI. Day-to-day management can be tough for IT administrators. Additionally, the reporting is not very good.

Fortinet FortiOS could improve by having better authentication methods with Microsoft or Google Services. In an upcoming release, they could improve the user interface.

There are some features for FortiGate using FortiOS that can only be enabled via a command line. These aren't very advanced features they have been part of FortiOS for quite some time but they still aren't accessible from the graphical user interface. It makes it a little bit harder than it should be for us to manage the solution. That's my main concern with the user interface. Another concern we have is some elements for the user interface, if they're not properly configured, it could lead to hardware and performance degradation. We have had some cases where the entire hardware is at a lockout. This means the CPU is 100% consumed and requires a reboot because of a malfunction with the graphical user interface dashboard widget. This is something that we saw a few years ago. We haven't had any new experience with this same issue. However, I'm not sure if that's because Fortinet fixed them, or because we have mow avoid using those specific regions.

The pricing of the product is too high. They should work to lower it.

There are some issues with the performance. We also had some issues while updating the firmware. The download options can be better. While downloading VPN clients, it is a little bit difficult to get different versions. You need to log on and search. Their support can be better.

They're using a lot of application-specific IC, so that may be causing some performance issues. And whenever a Fortinet adds new features, it can affect performance. I don't handle implementation, so I have to ask my frontline engineers to implement new features, like software-defined WAN service. But I'm not sure these are stable and acceptable because this project is still in progress. FortiOS and all the other firewall products are adding SD-WAN service, and this kind of service needs a lot of resources from the fabrics, the hardware, and the software. Still, I think we have more confidence deploying this service with FortiOS than using the other brands, like Juniper.

FortiOS doesn't work well with all browsers. I think they need to do a better job of making it compatible with the various browsers that are out there. I see weird stuff happen sometimes. It doesn't crash the router bin itself, but it typically takes some time. Sometimes I'll have to reboot the router to get it working with a browser again. This is maybe just a problem with older versions. I can't say anything about the recent versions of the FortiOS, but over the years, I've seen weird stuff. This is mainly just a problem with the browser interface. I've never had a problem with the command line.

The solution could improve the log retention and reports.

The reporting and monitoring could improve, they have a lot of limitations. The monitoring is not easy compared to the other firewall.

Many things are missing from the interface that necessitates using the CLI, so it needs to be improved. When I migrated to FortiGate, there many things that I wanted to do, but couldn't. With FortiOS, you can use the router in two modes. The first mode is the profile mode, which is the starter mode that most use, but you have another mode that is a policy mode and is required before creating your firewall rule. The problem is that when you switch from one mode to the other, all of your firewall rules will be gone. This means that you have to decide if you want to use the policy mode firewall or a profile mode firewall. With policy mode, you can have granular control on the application on the firewall rule because the firewall rule works with the source destination protocol. With the application, you have multiple rules, one by one. As an example, you can have one for Skype or one for OneDrive, etc. On the source, you can add a group, and add people to the group, and they can have access to Skype and OneDrive along with others added. You can granularly control applications on the firewall rule with the policy mode, but you don't have access to the proxy mode rules. There are also issues with the antivirus, IPS, and you are forced to switch back to the profile mode where you have less granular control on the application. I have problems with the IPS stability and the antivirus in Policy Based Mode. If the file is bigger, then the antivirus doesn't check it. In policy Based Mode, There are many issues. (Firmware =< 6.4)

It would be great if they can push the Microsoft updates through Fortinet OS and provide a centralized patch management system. They should also include the data loss prevention (DLP) and data leakage prevention features. They could also add network monitoring more effectively.

The product really has everything that we need as far as features for this type of solution and our use case. It works fine for us. One thing that can be improved is the pricing model. It is currently subscription-based and I think they should probably try to change that.

Fortinet needs to make this solution even more robust. Sometimes when we get a DDoS attack, the cannot withstand it. We can run out of sessions very easily. That said, I suppose if you want more a robust system, then you could purchase higher-end solutions, which are more expensive. Still, I would like to see more protection from even in the low-end version. The pricing needs to be improved. It's quite pricey. In terms of the CLI, if they could make it more intuitive, and more user friendly, it would make the solution better. I like to work on CLI instead of through the GUI. If you are used to it then you wouldn't mind the way it works right now. However, for those that don't, there's just a sizeable learning curve.

The solution's switches are lacking. They need more features added to them to build them out a bit. The switches are very simple if you compare them with other companies like Cisco or Aruba. Those organizations offer their clients much more. Technical support could be better. Some competitors have much more responsive support teams. I know the last version had NAC, network access control, added inside the firewall. It's a process, however. There's still work to do. The next version will be better. Right now, you can't authenticate other devices. You only can authenticate Forti devices and not devices from other companies. This could be the next addition to the solution that will make its performance even better.

Right now, it's very trendy to integrate everything into the cloud. This solution would be more effective if they did more integration in that regard.

The solution needs to adjust its pricing model. With the way they are structured, everything is very disparate and sold separately, and, depending on the solution, it can get quite pricey. The solution could be more intuitive. Especially when customers have access to it, it's not as simple and straightforward as some of the other devices I've taken a look at.

One thing that should be improved in future versions is an issue we have observed and had problems with a few times. When we try to reinstall a backup for FortiOS, you need to do a factory reset manually or you lose access to a device. I have experienced this situation a few times and it seems like something that should not be required and they should resolve.

In terms of what needs improvement, the pricing could be lower. The price is very steep. I would like to see in the next release that any client, even small ones from a home office, can run on any access point, not just the one that can be used with Fortinet. It should have an appliance that can be used to support and manage other access points. All the products should be uniform and easy to find.

Docker Container to have a good integration with kubernetes and more throughput as Cisco FP

Their technical support needs improvement. All products have pluses and minuses. It will depend on a client's use case.

I would like to see a drop in the license fees because it is a rather expensive program.

The policies and the way that they are applied can be improved. It could be more direct, as it is an issue for some people. Generally, policy management could be made better and simpler to deploy. The GUI could be improved to make it more usable, easier to administer, and easier to configure.

For me, it is important to be able to block VPN applications, like Facebook, so I would like to see that included in the next release. With this version, if you want to block or allow a site, you now have to drag all the domains related to this site.

In terms of what needs improvements, the troubleshooting could use improvement. When we work with other products like Cisco ASA, Palo Alto, and Check Point, we see a big difference in the troubleshooting. It's not easy to find a report. In order to overcome the problem, you have to install FortiAnalyzer to help you find the troubleshooting problem. FortiOS has its limitations.

While the product is good and does provide services we need for authenticating and establishing VPN connections, some time ago we had issues with logins. The login event and the performance for this feature were very poor but have improved.

The signature discs, compared to Palo Alto, aren't as good. It takes more time to get the signature updates. The solution should be on the cloud a bit more. There should be a cookie eater.

The solution is good, but they have poor marketing in Nigeria. They need to market their product better. They need to work on their support. Cisco has the best technical support. In comparison, Fortinet's support takes too long. If you are paying for SLAs, you should also get value from your SLAs. Right now, everybody is moving to the cloud. The solution has already worked on that aspect, and they are embedding security to the cloud. However, security can be more enhanced and as long as they continue to offer more protection I'll be happy.

The internet service is not as reliable in East Africa as in other parts of the world, and as such, the bandwidth that is required for updating the Fortinet OS should be reduced. I would like to see smaller and more frequent updates.

Reporting, having only recently migrated to 6.04 there will be some time to see what improvements have been made, with some of the menu changes and inclusions through the versions.

The complexity of the VPNs should be improved. Certain versions of the operating system don't function with our current Fortinet unit. For instance, we've got a 60D FortiGate at our branch offices and the 60D FortiGate doesn't support the latest version of the 40 OS. Because of this, certain Wi-Fi access points that depend on those operating systems don't function so well. So that has room for improvement. I'd like to see that happen.