Fortigate equipment

arwes Member Posts: 633
I've got a conference call scheduled with a Fortinet sales guy tomorrow morning, but I figured I'd check in with you guys to see which of their products you'd recommend for us. We've got a branch office with around 10 employees, and their local internet is a Cox cable modem. We found out recently that they're using their local connection to watch TV shows on Hulu and who knows where else.

We've got about 80 people in our main office, and about 50 external users (all bank employees) that connect to our terminal servers to use our insurance software. We've found that several of those employees are browsing in their terminal server session to circumvent blocks their bank IT departments have put in place. Needless to say, the banks want us to put a stop to it (but not fork over the money, of course...whoever said you had to spend money to make money didn't work for a bank).

As far as bandwidth goes, we've got a 4 Mbit wireless connection in our main office with a Comcast cable modem for a backup connection and VoIP link, and a T1 point to point connecting our main office to our branch office (using a site to site VPN). Any ideas exactly which Fortigate would work for us? Cost is definitely an issue with my CFO lol. I'm thinking the Fortigate 60-C for the branch office, though not sure what we'd need for the main office. Any ideas?
Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation!

Comments

  • ColbyG Member Posts: 1,264
    Not a fan. They have a screwy CLI and they don't seem nearly as robust as a Cisco or Juniper solution.
  • arwes Member Posts: 633
    We don't have Cisco or Juniper money. :p
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • Hypntick Member Posts: 1,451
    arwes wrote: »
    We don't have Cisco or Juniper money. :p

    We use mostly Sonicwall up here. Fairly decent feature set and real easy to use. We do support for the 20-100 user range companies so it fits their budgets just fine.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    What exactly are you looking for in a firewall? Have you looked at open source solutions? pfSense does application layer filtering now (2.0) and you can run Snort, ClamAV and Squid for proxying and a few other things. You can even purchase support:

    pfSense Open Source Firewall Distribution - Home

    http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes
  • demonfurbie Member Posts: 1,819
    Hypntick wrote: »
    We use mostly Sonicwall up here. Fairly decent feature set and real easy to use. We do support for the 20-100 user range companies so it fits their budgets just fine.

    On smaller budgets I always default to SonicWall as well.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • Chivalry1 Member Posts: 569
    You may want to check on this forum topic:

    http://www.techexams.net/forums/off-topic/58632-fortinet-vs-cisco.html

    A lot of good discussion took place about this specific topic. Personally I am a BIG fan of Fortinet technology. They are really easy to configure, have top level protection and you don't leave feeling like you've been robbed. However, if you have the money, of course buy Cisco. As a consultant I have pulled/ripped out so many SonicWall firewalls; it's a shame. Once the customer realizes the limitations of SonicWall technology, they will be calling for an upgrade. Do a Google search on SonicWall and VoIP. Good luck!!
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • Hypntick Member Posts: 1,451
    Chivalry1 wrote: »
    Do a google search on SonicWall and VOIP. Good Luck!!

    Yeah, ran into an issue with that on a site not long ago. They are one of our bigger clients; had the issue been up to me they would have a Cisco. Unfortunately I don't make those choices, I just configure and support the thing.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • Jack2 Member Posts: 153
    At home I have a 60-C firewall, and at work I have 3 Fortigate firewalls, FortiMail and FortiAnalyzer. They will do what you need just fine. I have been able to filter just the Netflix streaming movie queues with the firewalls, and I can see just who was doing it and when...
    WGU Courses Completed at WGU: CPW3, EWB2, WFV1, TEV1, TTV1, AKV1, TNV1| TSV1, LET1, ORC1, MGC1, TPV1, TWA1, CVV1, DHV1, DIV1, DJV1, TXP1, TYP1, CUV1, TXC1, TYC1, CJV1
    Classes Transferred: BAC1, BBC1, LAE1, LAT1, LUT1 ,1LC1, 1MC1, QLT1, IWC1, IWT1, INC1, INT1, SSC1, SST1, CLC1
    WGU Graduate - BSIT 2014
  • Forsaken_GA Member Posts: 4,024
    Fortigates are fine firewalls. They do take a little bit of getting used to on the configuration side, but they're well featured and reliable, so if it's the best your budget can support, it's not a bad choice.
  • arwes Member Posts: 633
    Thanks for all the replies, guys. He's suggested a 200B for our main office and a 60C for the branch office. So, just a hair over $5,000 for the equipment and 1 year of 8x5 support & updates and around $1,500 a year for renewal. Not bad, but we'll have to see if we can get board approval for it.
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • it_consultant Member Posts: 1,903
    Check to see if you can buy a multi-year support / licensing instead of the yearly renewal. I know if you buy the multi-year with Watchguard when the boxes are bought you realize a substantial savings (about 40%) over three years.
  • colemic Member Posts: 1,569
    It seems from your post that you are a vendor to banks. I would tell the banks to start enforcing their Acceptable Use Policy and enforcing consequences, and if this scenario isn't in their policy, it should be.

    JAT.
    Working on: staying alive and staying employed
  • arwes Member Posts: 633
    Actually we're owned by around 50 small to medium sized banks. Essentially when State Farm decided to get into banking, these smaller banks decided they'd get into insurance. So we answer to the banks, and that's who we'll have to ask for the money. And they are very stingy with our company's finances. We think the IT people from the banks will definitely agree with us that it needs to be implemented though, so we should be OK.
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • it_consultant Member Posts: 1,903
    Make sure you buy the right licensing for true multi-WAN also. I was just configuring round robin on a now-out-of-support firewall and I discovered that without the "pro" license I could not weight the two WAN connections differently. I would have used a routing table multi-WAN solution, but the non-"pro" license also does not include the OSPF or BGP license, which is necessary for building a routing table! Not a huge deal, talking a single T1 and 2 bonded T1s. Outbound connections split evenly between those two interfaces is basically OK.
  • mrblackmamba343 Inactive Imported Users Posts: 136
    Forsaken_GA wrote: »
    Fortigates are fine firewalls. They do take a little bit of getting used to on the configuration side, but they're well featured and reliable, so if it's the best your budget can support, it's not a bad choice.

    We plan on purchasing these, but I need a little clarification on something I heard. Is it true that you can only define one source network for site-to-site VPN traffic? With Cisco an access-list can be used to define interesting traffic for multiple networks per VLAN; is that the case with Fortinet?
  • Forsaken_GA Member Posts: 4,024
    mrblackmamba343 wrote: »
    We plan on purchasing these, but I need a little clarification on something I heard. Is it true that you can only define one source network for site-to-site VPN traffic? With Cisco an access-list can be used to define interesting traffic for multiple networks per VLAN; is that the case with Fortinet?

    I don't actually know, I've never done site to site with them. Looking at their VPN configuration guide, it looks like you define a security policy for each subnet to allow it on the tunnel, but multiple security policies can map to the same vpn tunnel.
  • Crucio666 Member Posts: 91
    mrblackmamba343 wrote: »
    We plan on purchasing these, but I need a little clarification on something I heard. Is it true that you can only define one source network for site-to-site VPN traffic? With Cisco an access-list can be used to define interesting traffic for multiple networks per VLAN; is that the case with Fortinet?

    The site-to-site VPN tunnel would use 0.0.0.0 as the source and destination. You can then use the firewall policy to restrict or allow different networks across the site. You should also use IPsec interface mode so you can control backup tunnels through routing and not firewall policies.
  • ipSpace Member Posts: 147
    Hi,

    I work a lot with FortiGates. They are really reliable.
    Here are some links with all the Fortigate Appliances, you can check and see what suits you:

    Fortinet, Inc. : FortiGate Appliances | FortiGate Network Security | FortiGate Platforms
    http://www.fortinet.com/doc/FortinetMatrix.pdf

    I like Cisco too, but for security it is just not the best. Check FSAE and see if you can find the same thing in the ASA; plus, with VDOMs you do not lose any functionality as you do with contexts in the ASA.

    More to say about Fortinet: I really like their firewall, it is really easy to manage, and the CLI is OK when you get used to it.

    My Network & Security Blog with a focus on Fortigate. New post on how to create a fortigate ssl vpn.
  • ipSpace Member Posts: 147
    mrblackmamba343 wrote: »
    We plan on purchasing these, but I need a little clarification on something I heard. Is it true that you can only define one source network for site-to-site VPN traffic? With Cisco an access-list can be used to define interesting traffic for multiple networks per VLAN; is that the case with Fortinet?

    That is not correct. You can create more phase2 policies (like pushing the 192.168.1.0/24 range and the 192.168.190.0/24 range through the VPN) through the same phase1 (same VPN endpoint).

    Whatever you can do on the Cisco you can do on the Fortigate too, on the VPN part I mean.

    My Network & Security Blog with a focus on Fortigate. New post on how to create a fortigate ssl vpn.
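As an added illustration of what Crucio666 and ipSpace describe (not configuration posted by anyone in the thread), here is a FortiOS CLI fragment that carries two local subnets over one interface-mode IPsec tunnel: two phase2 selectors bound to a single phase1, a static route for reachability, and a firewall policy that decides what may cross. The 192.168.1.0/24 and 192.168.190.0/24 ranges come from the reply above; the interface names, the peer address 203.0.113.10, the remote subnet 10.0.0.0/24 and the pre-shared key are constructed placeholders, and the lines beginning with # are annotations, not CLI.

```fortios
# Phase1 in interface mode: one IKE peer, one routable tunnel interface.
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-STRONG-PSK"
    next
end
# One phase2 selector per local subnet, all bound to the same phase1.
config vpn ipsec phase2-interface
    edit "to-branch-lan1"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "to-branch-lan2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set src-subnet 192.168.190.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
# Interface mode: the remote network is reached via a route over the tunnel
# interface, so a backup tunnel is just a second route with a higher distance.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "to-branch"
    next
end
# The firewall policy, not the selectors, controls which hosts and services
# may cross; tighten srcaddr/dstaddr/service to what the branch really needs.
config firewall policy
    edit 0
        set name "lan-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

A matching policy in the reverse direction (srcintf "to-branch", dstintf "internal") is needed for traffic initiated from the branch side.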