FortiGate - a good all-in-one firewall with some design weaknesses
April 18, 2017

Johannes Weber | TrustRadius Reviewer
Score 8 out of 10

Overall Satisfaction with Fortinet FortiGate

For customers with 50-200 users, we are using FortiGate as the central firewall. That is, internal users are surfing the Internet (URL filtering, antivirus), servers in the DMZ are reached from the Internet, partners are connected via static site-to-site VPNs, and home office users are able to log into the company network via a VPN with two-factor authentication.
  • Good summary GUI: The basic steps such as adding new policies or users can be done through the GUI. The GUI is fast and has a couple of options. There is a CLI widget on the dashboard which enables the usage of CLI commands through the GUI - nice.
  • Counters and bars for policies and VPNs: Within the GUI you have several counters of packets/bytes/sessions that make it easy to understand whether some policies or VPNs are functional and in use.
  • Built-In two-factor authentication possibility: You can use a two-factor auth via SMS out of the box. You simply need an email-to-SMS provider and you're done.
  • Though the GUI is fast, it lacks many options. In many cases, you can only configure the first 20% of options while the other 80% must be done through the CLI. This won't be a problem for experienced (Cisco) admins but it's a challenge for normal IT workers that are not working with FortiGate every day.
  • Separate security policy for IPv4 and IPv6: This is a really bad design because you need to manage two independent security policies! Other firewall vendors have a single policy which can be used for both Internet protocols.
  • No configuration revisions: There is no store for old configuration snapshots. Don't forget to back up the config manually before doing an upgrade!
  • No dedicated out-of-band management plane: FortiGate can only be managed in-line. You must connect to some data ports. (That is: You don't have the possibility to configure a management-only interface with its own default route.)
  • From my point of view, FortiGate has the best price-performance ratio. The usage of URL filtering and antivirus is a good (and easy) first step in reducing unwanted traffic for your users.
  • Due to the fast routing capabilities, FortiGate can be used as a LAN segmentation router for smaller locations. No need for an extra router.
  • Palo Alto Networks PA-3000 Series
Compared to Palo Alto Networks' firewalls, FortiGate has the better price but the worse security design. FortiGate is an all-in-one appliance with many, many features that are not completely implemented. In contrast, Palo Alto firewalls have the better concept on how to implement policies, security profiles, etc. For example, Palo Alto has only one security policy for IPv4 and IPv6, while you must configure two separate ones on FortiGate.

However, if price plays the biggest role, customers tend to buy FortiGate.
Palo Alto Networks PA-3000 Series, Cisco ASA, Tufin
FortiGate has a good price-performance ratio. That is, you get a good all-in-one appliance for accessing the Internet, while allowing/blocking traffic to your servers, using the VPNs, etc. The firewall can also be used as a fast router with only layer-4 policies (port-based), e.g., for LAN segmentation. However, note that the throughput dramatically decreases when advanced features are enabled.