Tuesday, June 19, 2007

Fortinet Fun

Well I've decided to start a blog related to work. My personal blog, the poor thing, just isn't the place for all this stuff I do by day.

In my first post I guess I'd like to introduce one of my passions... err specialty?

Fortinet Unified Threat Management Devices. I've used them for 7 years from small business to enterprise and I'd have to say I love to hate them.

So here is my review of Fortinet products to date:

For functionality and performance vs. cost, these devices are unmatched. Yet getting support for them is like trying to squeeze blood from a turnip. This problem is exacerbated by Fortinet's exceptionally fast development cycle: they build in tons of great new bits of functionality every few months along with tons of show-stopping, debilitating bugs. The real kicker is that support fails to return emails, acknowledge bugs, or even fix them. If only someone would build the same product and actually support it, I would be their biggest cheerleader. The general development cycle looks like this:

1) Introduce some killer new functionality... halfway
2) Only add to the existing bug list
3) 10 patches later the functionality starts to work, but you're so busy dealing with the new bugs you can't appreciate it.

I give this opinion having worked as a reseller both in the US and now New Zealand over a 7 year period (and I'm an FCNSP for FortiOS v.3). I have implemented a range of their devices:

* the lowly FG-50
* tons of FG-60s (amazing little buggers)
* FG-100s, 200As, and 500As
* also an extended (6 month) test of a Fortilog 100A

Utilising a good chunk of their functionality:
* NAT Routing and Transparent Mode
* Intrusion Detection and Prevention
* Active/Active and Active/Passive HA
* Virtual Domains
* Inline AV
* IPSec VPN Tunnels (w/ NATing, interface mode, etc)
* SSL VPN Tunnels
* Dynamic Routing (OSPF)
* Some Web Filtering
* Played with AD integration
* etc, etc.
So would I recommend that someone buy them? I'd give them a 50/50, and that only because of their incredible capability and ease of management.

It's only a 50/50 because they don't even come close to performing to their specs (I generally see throughput with AV and IDP at about half of the advertised "AV" throughput; you might as well ignore the stated "firewall" throughput). Fortinet's support could only be worse if they purposely logged into your boxes and broke them. And they introduce more bugs than they fix in most firmware releases.

So if you're looking for a great new firewall product and you have the stomach of a drunken sailor in Thailand, you might give them a try. Just don't put your job on the line if you plan to push these devices past their basic functionality.

Next I'll get some SNMP graphs to show the actual throughput of a 500A (it looks like they keel over at around 70 Mb of real traffic, not exactly the 600 Mb throughput they advertise).

3 comments:

Anonymous said...

Fair play to Fortinet, they've now changed their release structure so that you now get upgrades that are separate from updates that include bug fixes. It's a little late in the day for this and I feel your pain, but they are working on it and so far so good.

Trey Guinn said...

Hum. To be honest I hadn't noticed if Fortinet was trying to stop putting features in the patch releases. This would hit on another issue I have with them - where's the transparency? If you make this type of shift wouldn't it be good to communicate it?

Anonymous said...

Frankly Fortinet are a bunch of cunts.