Best Firewall for Small and Mid-sized organisation with negligible flaws
January 05, 2022

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Fortinet FortiGate

Being an IT consultant and Software Development Centre (Lab) for our Parent Company, we are very specific and skeptical when we choose a product that will be implemented across many other daughter companies. For FortiGate Firewall, the basic functionality and requirements are met easily, as Fortigate is among the market leaders in NGFW. There are some extra points that inclined us to use [Fortinet] Fortigate as our main Firewall. Fortigate has a very well refined and functional SD-WAN solution when it comes to load balancing for normal Internet traffic, be it web browsing, application traffic, IPSec or SSL VPN traffic. Some of the top NGFWs still lack the basic load balancing feature (to be practical) in small and mid-scale organizations where budget is a constraint in selecting the technologies. Another feature is to have traffic shaping (QoS) or bandwidth allocation to users, applications and subnets with all possible variables in configuration. Explicit Proxy is also a great feature, to be configured on the Firewall itself. SSL VPN configuration on the firewall is also very easy with the help of the wizard.
  • SD-WAN - Load balancing of Internet traffic is a USP of Fortigate and makes it stand tall in the competition. Be it 3 or more Internet links, multiple subnets/segments of users to distribute and bandwidth load balancing for links and users. SLA-based monitoring of Internet links / MPLS links makes it even better to choose the links on the basis of performance (latency, packet loss, jitter etc).
  • SSL VPN configuration - As we all have a WFH force (to some extent or all employees) during Covid-19, it is impossible to plan BCP without having an SSL VPN. In Fortigate, the SSL VPN configuration is very easy with the help of the wizard. The deep CLI-level debugging is also very helpful in troubleshooting. The type of tunnel can be easily configured - Full Tunnel or Split Tunnel for SSL.
  • Explicit Proxy - This is also a great feature to shape and re-route the traffic, configuring the proxy on the Firewall itself. We are using this feature in pilot for now, and planned to roll out in a few weeks looking at the success rate of the POC.
  • Though I think Fortigate is one of the best options for small and mid-sized organisations, there are some areas for improvement. First, the CLI interface is very hard to adapt to, as the commands and directory hierarchy are very different from common syntax and standards.
  • Scalability - this is something that I personally have faced twice in the same organization. Fortigate is not easy on the scalability part; you have to change the hardware box in order to scale the firewall as the organization grows.
  • Fortigate sometimes gets stuck on the GUI, which basically happens due to a disk error. And the only way to mitigate the issue is to reboot the firewall, which is very hard if you have 24x7 production running behind the firewall.
  • HA switchover in certain conditions also has some room for improvement. Basic internet link flapping can cause HA switchover, if not configured wisely and with custom settings. HA switchover also takes more than the normal time, approx 4 minutes sometimes.
  • SD-WAN
  • Internet Traffic Load Balancing
  • QoS (Bandwidth Allocation)
  • SSL VPN
  • Application Based Traffic Shaping
  • SD-WAN: Can't stress it further that we are very happy with this functionality and outcomes in the org. We have multiple WAN and MPLS links, and traffic switching becomes important in order to utilize the best performing line.
  • QoS: We use QoS for almost all internet traffic, be it web browsing by users, the IoT segment, application-based traffic policy, and VIP and normal user-based bandwidth allocation.
  • SSL and IPSec VPN: both features are fully used to their absolute capacity. IPSec tunnels with multiple sister companies across the globe.
As mentioned in the previous sections, Fortigate is best suited for our use cases of SD-WAN, load balancing, SSL VPN, IPSec tunnels, and bandwidth allocation (per IP, per user based). Comparing with Palo Alto NGFW and Cisco ASA, the SD-WAN and link load balancing based on the different performance SLA is not best. Cisco ASA also has complexity in terms of managing the firewall, as configuration of a simple IPSec tunnel and associated policies can be cumbersome and very hard for new admins.

Do you think Fortinet FortiGate delivers good value for the price?

Yes

Are you happy with Fortinet FortiGate's feature set?

Yes

Did Fortinet FortiGate live up to sales and marketing promises?

Yes

Did implementation of Fortinet FortiGate go as expected?

Yes

Would you buy Fortinet FortiGate again?

Yes

For FortiGate Firewall, the basic functionality and requirements are met easily, as Fortigate is among the market leaders in NGFW. There are some extra points that inclined us to use Fortigate as our main Firewall. [Fortinet] Fortigate has a very well refined and functional SD-WAN solution when it comes to load balancing for normal Internet traffic. SD-WAN - Load balancing of Internet traffic is a USP of Fortigate and makes it stand tall in the competition. Be it 3 or more Internet links, multiple subnets/segments of users to distribute and bandwidth load balancing for links and users. SLA-based monitoring of Internet links / MPLS links makes it even better to choose the links on the basis of performance (latency, packet loss, jitter etc). SSL VPN configuration - The deep CLI-level debugging is also very helpful in troubleshooting. The type of tunnel can be easily configured - Full Tunnel or Split Tunnel for SSL. Though I think Fortigate is one of the best options for small and mid-sized organizations, there are some areas for improvement. First, the CLI interface is very hard to adapt to, as the commands and directory hierarchy are very different from common syntax and standards.

FortiGate Feature Ratings

Identification Technologies: 7
Visualization Tools: 8
Content Inspection: 7
Policy-based Controls: 7
Active Directory and LDAP: 8
Firewall Management Console: 7
Reporting and Logging: 8
VPN: 9
High Availability: 6
Stateful Inspection: 8
Proxy Server: 8