Everything you need to know about Fortigate before buying it !!
Updated April 02, 2019

Marc-Olivier Turgeon-Ferland | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with Fortinet FortiGate

We use FortiGate mainly for internet gateway and IPS at each of our offices. It offers us IPS, Firewall, VPN and many more features for a competitive price.

We also use Fortigate captive portal with their 2FA (mobile or physical) keys to offer an additional validation before accessing our service backend networks.
  • User authentication inside firewall rules. It is practically seamless and really easy to set up.
  • Management of firewall rules via the GUI.
  • Management of IPS rules via the GUI.
  • Forticlient with SSL VPN causes a lot more problems than it solves. Windows and Mac updates keep breaking the Forticlient and it takes weeks to get updates. Fortigate updates also sometimes break the SSL VPN. Forticlient crashes and the only fix is to restart the computer to restart the VPN driver. We had this problem for 3 years and they still don't have a fix for that. We now use L2TP-IPsec and Cisco-IPsec with Windows and Mac embedded VPN clients because of all that.
  • Memory issues with IPS. We tried all the firmware versions and IPS engines given to us by the Fortinet support and we are still experiencing memory leaks once in a while with the IPS engine. The only provided solution is to restart the IPS engine via CLI.
  • FortiView only works properly if you disable ASIC routing. Their marketing always says that their ASICs are the reason their appliances are better than the competition, but you can't use them if you want reports or to be able to drill down on network usage.
  • Every time they release a new firmware version, it takes 3-6 revisions for it to be free from major bugs. We are still waiting for a 5.6 revision that will not have major bugs within the features we use.
  • Active-Active clusters do not offer much resilience when problems are software based. If for example the IPS engine has a memory leak, it will not automatically fall back on the other Fortigate, even if the primary one reboots.
  • Everything related to virus, spam and intrusion detection (Forticlient, IPS, mail antispam, etc.) needs a lot of tweaking, otherwise you will get a lot of false positives. It is also lacking in the type of actions you can take when those are detected. It is designed more for blocking than anything else.
  • Because we use FortiGate in all our offices and all FortiGates run on the same firmware/OS, it is really easy to setup cross-site configuration or deploy firewall/IPS rules company wide.
  • Fortinet always does things a bit differently than the rest, which sometimes makes it easier to set up but most of the time means that you need to contact support or search online to know what options really do. This can cost a lot of man-hours in the long run.
  • The man-hours needed to fix or work around all the small bugs have to be the most impacting thing to consider before buying FortiGate. If you really use most of the features, you will need to put the time into learning this product. Also, for some reason their support doesn't seem to be trained on a lot of features they have inside the product. I often have to link Fortinet documentation to the support technician for them to even understand which feature I am trying to implement.
I know I am repeating myself, but Fortigate, for the price, is the most complete and customizable product there is. It might not be the best, but we were always able to fix or work around the problems we encountered with the help of their support.
For the money, even with all the bugs, I think it is the application that offers the most features.

If you need a lot of those features and you are ready to put the time into tweaking your FortiGates, I really think it will give you the most value.

If you have the money to buy the best VPN appliance, the best Firewall, the best IPS appliance and the time to set them with each other then FortiGate is not for you. If money is not the main concern and you only need the best, FortiGate is not for you but I really doubt it will be the case for most.

Evaluating FortiGate and Competitors

Yes - It replaced an old Cisco ASA which was well due for replacement at the time. We also wanted to have better firewall rule management and implement VPN. We also had in the roadmap the project of implementing IPS and segmenting the networks, and wanted to future-proof as much as possible for not too much money.
  • Price
  • Product Features
  • Existing Relationship with the Vendor
  • Positive Sales Experience with the Vendor
  • Analyst Reports
For the features it offers, the only thing that could beat Fortigate (at least at the time we evaluated it) was an open-source solution with a support contract, but still Fortigate offers more features for not much more money when you include the hardware cost of the open-source solutions.
If we had to do it again now, we would probably evaluate the more expensive options that were out of the budget at the time. Now though we have so much time and experience on the platform that the alternatives would need to be an order of magnitude better, even with the bigger budget.

FortiGate Support

The first support level is pretty much useless for any complicated problems. They are there to guide you to the correct documentation relating to simple questions and to collect data for the 2nd level and up.

Once you are able to get escalated, those people are pretty knowledgeable and will normally get you at least a workaround. Most of the time they will really try to understand what you want to accomplish and not only apply the solution but also educate you, which is less and less common and a really good thing.

Pros
  • Kept well informed
  • Quick Initial Response

Cons
  • Slow Resolution
  • Less knowledgeable
  • Problems left unsolved
  • Escalation required
  • Need to explain problems multiple times

Yes - Most of the bugs I reported were only occurring in corner cases (Ex. when using 2 features in a certain way at the same time), but still the ones that got fixed took years and didn't matter to us, as we had found workarounds or used another product before then.
Our SE always provides support that goes beyond what is expected.

One time we were diagnosing slowness when doing SMB traffic over L2TP VPN, and even though support was trying to help and not finding the problem, our SE was continually giving us things to try in parallel. In the end it wasn't even the Fortigate that was causing the problem, it was some regkey in Windows.

Integrating FortiGate

Fortigate has easy and powerful integrations with the rest of the Fortinet portfolio, but I think that they really should make the product more open to allow easier third-party integrations. They always push their main solution with little regard to alternatives.

For example with their VPN client, they push their Forticlient so hard that we were not able to get much help from support to set up the L2TP and Cisco-IPsec config. It's in the product, but you have to use the CLI, and the support and documentation are lacking because it's not their recommended solution.
  • Windows and macOS embedded VPN clients
  • FortiManager
  • FortiAnalyzer
  • FortiAuthenticator
Integrating Fortigate with other Fortinet solutions like FortiAnalyzer is for the most part really easy. The only problem I remember having was when trying to use AD users + FortiAuthenticator (2FA) in the Fortigate captive portal. As it was not a supported setup, we had to create a script that syncs AD users to the Fortigate as local users.

For the VPN integration with Windows and macOS embedded client we had to do a lot of trial and error to find the correct settings as this is again not something that is officially supported in their documentation.
  • OpenVPN as a VPN client
  • Clearpass
To my knowledge, OpenVPN is not supported and Fortinet does not plan to support it as a VPN client and this is why we will probably stop using Fortigate as our VPN server.

Clearpass is supported though, but as Fortigate only supports some types of RADIUS messages and not all of them, we can't do everything we would like to.
For example, it is not possible to do machine authentication, as Fortigate does not support changing the group dynamically, which prevents us from using a post-user-auth VLAN to do machine auth and finally send the machine/user to the correct VLAN.
  • File import/export
  • Single Signon
  • API (e.g. SOAP or REST)
  • Javascript widgets
You should probably stick to Fortinet products if you want to use Fortigate, as they are not the best at being vendor agnostic. Sometimes they will use standard protocols and it will be possible to use third-party products, but you will need to figure out mostly by yourself if it's even possible and then how to do it.