Fortigate equipment
I've got a conference call scheduled with a Fortinet sales guy tomorrow morning, but I figured I'd check in with you guys to see which of their products you'd recommend for us. We've got a branch office with around 10 employees, and their local internet is a Cox cable modem. We found out recently that they're using their local connection to watch TV shows on Hulu and who knows where else.
We've got about 80 people in our main office, and about 50 external users (all bank employees) that connect to our terminal servers to use our insurance software. We've found that several of those employees are browsing in their terminal server session to circumvent blocks their bank IT departments have put in place. Needless to say, the banks want us to put a stop to it (but not fork over the money, of course...whoever said you had to spend money to make money didn't work for a bank).
As far as bandwidth goes, we've got a 4 Mbit wireless connection in our main office with a Comcast cable modem for a backup connection and VoIP link, and a T1 point to point connecting our main office to our branch office (using a site to site VPN). Any ideas exactly which Fortigate would work for us? Cost is definitely an issue with my CFO lol. I'm thinking the Fortigate 60-C for the branch office, though not sure what we'd need for the main office. Any ideas?
We've got about 80 people in our main office, and about 50 external users (all bank employees) that connect to our terminal servers to use our insurance software. We've found that several of those employees are browsing in their terminal server session to circumvent blocks their bank IT departments have put in place. Needless to say, the banks want us to put a stop to it (but not fork over the money, of course...whoever said you had to spend money to make money didn't work for a bank).
As far as bandwidth goes, we've got a 4 Mbit wireless connection in our main office with a Comcast cable modem for a backup connection and VoIP link, and a T1 point to point connecting our main office to our branch office (using a site to site VPN). Any ideas exactly which Fortigate would work for us? Cost is definitely an issue with my CFO lol. I'm thinking the Fortigate 60-C for the branch office, though not sure what we'd need for the main office. Any ideas?
[size=-2]Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size]
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size]
Comments
-
ColbyG Member Posts: 1,264Not a fan. They have a screwy CLI and they don't seem nearly as robust as a Cisco or Juniper solution.
-
arwes Member Posts: 633 ■■■□□□□□□□We don't have Cisco or Juniper money.[size=-2]Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size] -
Hypntick Member Posts: 1,451 ■■■■■■□□□□We don't have Cisco or Juniper money.
We use mostly Sonicwall up here. Fairly decent feature set and real easy to use. We do support for the 20-100 user range companies so it fits their budgets just fine.WGU BS:IT Completed June 30th 2012.
WGU MS:ISA Completed October 30th 2013. -
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□What exactly are you looking for in a firewall? Have you looked at open source solutions? PFsense does application layer filtering now (2.0) and you can run snort and clamav , squid for proxying and a few other things. You can even purchase support:
pfSense Open Source Firewall Distribution - Home
http://doc.pfsense.org/index.php/2.0_New_Features_and_Changes -
demonfurbie Member Posts: 1,819 ■■■■■□□□□□We use mostly Sonicwall up here. Fairly decent feature set and real easy to use. We do support for the 20-100 user range companies so it fits their budgets just fine.
on smaller budgets i always default to sonicwall as wellwgu undergrad: done ... woot!!
WGU MS IT Management: done ... double woot :cheers: -
Chivalry1 Member Posts: 569You may want to check on this forum topic:
http://www.techexams.net/forums/off-topic/58632-fortinet-vs-cisco.html
A lot of good discussion took place about this specific topic. Personally I am a BIG fan of Fortinet technology. They are really easy to configure, have top level protection and you don't leave feeling like you've been robbed. However, If you have the money of course buy Cisco. As a consultant I have pulled/ripped out so many sonic walls firewalls; its a shame. Once the customer realize the limitation of sonic wall technology, they will be calling for a upgrade. Do a google search on SonicWall and VOIP. Good Luck!!"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
Hypntick Member Posts: 1,451 ■■■■■■□□□□Do a google search on SonicWall and VOIP. Good Luck!!
Yeah ran into an issue with that on a site not long ago. They are one of our bigger clients, had the issue been up to me they would have a Cisco. Unfortunately I don't make those choices, I just configure and support the thing.WGU BS:IT Completed June 30th 2012.
WGU MS:ISA Completed October 30th 2013. -
Jack2 Member Posts: 153At home I have a 60-c firewall, and at work I have 3 Fortigate Firewalls, Fortimail, Fortianalyzer. They will do what you need just fine. I have been able Filter Just the Netflix streaming movie queues with with the firewalls and I can see just who was doing it and when...WGU Courses Completed at WGU: CPW3, EWB2, WFV1, TEV1, TTV1, AKV1, TNV1| TSV1, LET1, ORC1, MGC1, TPV1, TWA1, CVV1, DHV1, DIV1, DJV1, TXP1, TYP1, CUV1, TXC1, TYC1, CJV1
Classes Transferred: BAC1, BBC1, LAE1, LAT1, LUT1 ,1LC1, 1MC1, QLT1, IWC1, IWT1, INC1, INT1, SSC1, SST1, CLC1
WGU Graduate - BSIT 2014 -
Forsaken_GA Member Posts: 4,024Fortigates are fine firewalls. They do take a little bit of getting used to on the configuration side, but they're well featured and reliable, so if it's the best your budget can support, it's not a bad choice.
-
arwes Member Posts: 633 ■■■□□□□□□□Thanks for all the replies, guys. He's suggested a 200B for our main office and a 60C for the branch office. So, just a hair over $5,000 for the equipment and 1 year of 8x5 support & updates and around $1,500 a year for renewal. Not bad, but we'll have to see if we can get board approval for it.[size=-2]Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size] -
it_consultant Member Posts: 1,903Check to see if you can buy a multi-year support / licensing instead of the yearly renewal. I know if you buy the multi-year with Watchguard when the boxes are bought you realize a substantial savings (about 40%) over three years.
-
colemic Member Posts: 1,569 ■■■■■■■□□□It seems like from your post that you are a vendor to bank -I would tell the banks to start enforcing their Acceptable Use Policy and enforcing consequences and if this scenario isn't in their policy, it should be
JAT.Working on: staying alive and staying employed -
arwes Member Posts: 633 ■■■□□□□□□□Actually we're owned by around 50 small to medium sized banks. Essentially when State Farm decided to get into banking, these smaller banks decided they'd get into insurance. So we answer to the banks, and that's who we'll have to ask for the money. And they are very stingy with our company's finances. We think the IT people from the banks will definitely agree with us that it needs to be implemented though, so we should be OK.[size=-2]Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
Working on: Waiting on the mailman to bring me a diploma
What's left: Graduation![/size] -
it_consultant Member Posts: 1,903Make sure you buy the right licensing for true multi-WAN also. I was just configuring round robin on a now-out-of-support firewall and I discovered that without the "pro" license I could not weight the two WAN connections differently. I would have used a routing table multi-WAN solution but the non "pro" license also does not include the OSPB or BGP license, which is necessary for building a routing table! Not a huge deal, talking a single T1 and 2 bonded T1s. Outbound connections split evenly between those two interfaces is basically OK.
-
mrblackmamba343 Inactive Imported Users Posts: 136Forsaken_GA wrote: »Fortigates are fine firewalls. They do take a little bit of getting used to on the configuration side, but they're well featured and reliable, so if it's the best your budget can support, it's not a bad choice.
We plan on purchasing these but I need a little clarification on something I heard, It is true that you can only define one source network for site-to-site vpn traffic? With cisco an access-list can be used to define interesting traffic for multiple netwoks per vlan, is that the case with fortinet? -
Forsaken_GA Member Posts: 4,024mrblackmamba343 wrote: »We plan on purchasing these but I need a little clarification on something I heard, It is true that you can only define one source network for site-to-site vpn traffic? With cisco an access-list can be used to define interesting traffic for multiple netwoks per vlan, is that the case with fortinet?
I don't actually know, I've never done site to site with them. Looking at their VPN configuration guide, it looks like you define a security policy for each subnet to allow it on the tunnel, but multiple security policies can map to the same vpn tunnel. -
Crucio666 Member Posts: 91 ■■■□□□□□□□mrblackmamba343 wrote: »We plan on purchasing these but I need a little clarification on something I heard, It is true that you can only define one source network for site-to-site vpn traffic? With cisco an access-list can be used to define interesting traffic for multiple netwoks per vlan, is that the case with fortinet?
The site to site vpn tunnel would use 0.0.0.0 as the source and destination. You can then use the firewall policy to restrict or allow different networks across the site. You should also use ipsec interface mode so you can control backup tunnels through routing and not firewall policy's -
ipSpace Member Posts: 147Hi,
I work a lot with FortiGates. They are really reliable.
Here are some links with all the Fortigate Appliances, you can check and see what suits you:
Fortinet, Inc. : FortiGate Appliances | FortiGate Network Security | FortiGate Platforms
http://www.fortinet.com/doc/FortinetMatrix.pdf
I like Cisco too, but for security it is just not the best. Check FSAE and see if you can find the same thing in ASA and plus in VDOMs you do not lose any functionalities as you do with Contexts in ASA.
More to say about fortinet. I really like their Firewall, really easy to manage and + the CLI is ok when you get used to it.
My Network & Security Blog with a focus on Fortigate. New post on how to create a fortigate ssl vpn. -
ipSpace Member Posts: 147mrblackmamba343 wrote: »We plan on purchasing these but I need a little clarification on something I heard, It is true that you can only define one source network for site-to-site vpn traffic? With cisco an access-list can be used to define interesting traffic for multiple netwoks per vlan, is that the case with fortinet?
Whatever you can do on the Cisco you can do on the Fortigate too, on the VPN part i mean.
My Network & Security Blog with a focus on Fortigate. New post on how to create a fortigate ssl vpn.