Sunday, June 24, 2007

Cool web app

Nikon's D40 Marketing Site: "Picturetown"

I fancy myself a bit of a photographer and as such I'm not terribly keen on many of the photos. But I really dig the app, particularly the local time and conditions of "picturetown" in the bottom right. (Despite the fact that the time shows up incorrectly for me?)

Thursday, June 21, 2007

MR5 coming down the pipe

I'm finally chewing through the release notes for MR5 (Release Candidate 3) and must say I'm impressed (as always). For two reasons this time:

1) Some great new functionality
2) Not too much great new functionality (hopefully fewer bugs)

The two things that I'm most excited about are generic USB disk support and this "Central Management Services".

It was ridiculous to do it any other way before (and the poor bastards that bought FortiUSB sticks will feel a bit punked), but now we'll be able to use any USB key for config and firmware backup. Yeah!

The "Central Management Services" sounds very promising: a subscription-based service that will automatically back up your config (with versions) and do firmware upgrades (automatically or on-demand). I sure hope the firmwares that install automagically don't break too much... I wonder how expensive this new "subscription" will be? I see this as great for small companies or satellite offices, but not for larger, more sensitive enterprise installations - so hopefully it'll be pretty damn cheap.

I did notice two gotchas in MR5 changes:
1) If using the new hard disk log uploader function with an Active/Active HA, only the master unit's logs are uploaded.
2) Probably has the same root cause, but with Active/Active HA content archiving and quarantine files only come from the master unit.

Pretty dodgy if you ask me. If I'm trying to keep logs and content archives, I'm probably doing it to meet some policy requirement (maybe even one enforced by law), so I'll want more than half the logs. After all, I prefer to stay in a job and out of jail.

Wednesday, June 20, 2007

Actual Fortinet Throughput... Not so exciting

So this is what we experience through a 500A in transparent mode utilising virtual domains.

We hit 30% CPU usage with a throughput of 12.72 Mb; if we extrapolate linearly (pretty damn optimistic) we fall short of 50 Mb throughput. Not exactly the 120 Mb of AV or the 600 Mb of firewall throughput touted in their product statistics, eh?

Now this may well be our configuration or specific traffic profile (it's about 90% http). We do have AV on and IDP enabled for everything, and IDP has default settings.

So here's the formula:

Default settings + handing our config to support on multiple occasions =
gulf of discrepancy between advertised and actual throughput

That being said, support is always "shocked" to see our performance, but they have yet to show me the "make this thing run slower than molasses in January" switch that I inadvertently turned on.

Tuesday, June 19, 2007

Fortinet Fun

Well I've decided to start a blog related to work. My personal blog, the poor thing, just isn't the place for all this stuff I do by day.

In my first post I guess I'd like to introduce one of my passions... err specialty?

Fortinet Unified Threat Management Devices. I've used them for 7 years from small business to enterprise and I'd have to say I love to hate them.

So here is my review of Fortinet products to date:

For functionality and performance vs. cost, these devices are unmatched. Yet getting support for them is like trying to squeeze blood from a turnip. This problem is exacerbated by Fortinet's exceptionally fast development cycle: they build in tons of great new bits of functionality every few months, along with tons of show-stopping, debilitating bugs. The real kicker is that support fails to return emails, acknowledge bugs, or even fix them. If only someone would build the same product and actually support it, I would be their biggest cheerleader. The general development cycle looks like this:

1) Introduce some killer new functionality... halfway
2) Only add to the existing bug list
3) 10 patches later functionality starts to work, but you're so busy dealing with the new bugs you can't appreciate it.

I give this opinion having worked as a reseller both in the US and now New Zealand over a 7 year period (and I'm an FCNSP for FortiOS v.3). I have implemented a range of their devices:

* the lowly FG-50
* tons of FG-60s (amazing little buggers)
* FG-100s, 200As, and 500As
* also an extended (6 month) test of a Fortilog 100A

Utilising a good chunk of their functionality:
* NAT Routing and Transparent Mode
* Intrusion Detection and Prevention
* Active/Active and Active/Passive HA
* Virtual Domains
* Inline AV
* IPSec VPN Tunnels (w/ NATing, interface mode, etc)
* SSL VPN Tunnels
* Dynamic Routing (OSPF)
* Some Web Filtering
* Played with AD integration
* etc, etc.


So would I recommend someone buy them?... I'd give them a 50/50 only because of their incredible capability and ease of management.

It's only a 50/50 because they don't even come close to performing to their specs (I generally experience throughput with AV and IDP at about half of the advertised "AV" throughput - you might as well ignore the stated "firewall" throughput). Fortinet's support could only be worse if they purposely logged into your boxes and broke them. And they introduce more bugs than they fix in most firmware releases.

So if you're looking for a great new firewall product and you have the stomach of a drunken sailor in Thailand, you might give them a try. Just don't put your job on the line if you plan to push these devices past their basic functionality.

Next I'll get some SNMP graphs to show actual throughput of a 500A (it looks like they'll keel over at around 70 Mb of real traffic - not exactly the 600 Mb throughput they advertise).