Solved

Need help choosing firewall.  Any real-world experience with Fortigate 310b?

Posted on 2009-04-04
755 Views
Last Modified: 2013-11-22
I run a school network with about 400 users, although only 50-100 are active at any one time, with about 250 computers.  10 up / 10 down Internet pipe.  We need to replace our existing (aging) firewall with something that is better at stopping proxies and malware sites.

Additionally, I need a very granular approach to creating firewall rules (we have several categories of users, faculty, staff, students and guests, etc.), which is why I was attracted to the Fortigate 310b.  I also like that I can firewall my network segments with the 310b and scan internal network traffic for IPS/IDS problems.

Furthermore, it needs to be compatible with eDirectory (Novell).

I have read lots and lots about the Fortigate and like what I've read so far.

However, I'd like to know any real-world issues that people are having now (especially with the latest 4.0 firmware).  Any slows?  Does this Fortigate have an Achilles heel?

I know that virus scanning is best limited to 10MB files and lower because of memory limitations on the box.  Just curious if this plays out to any consequence in the real world.

Is there any particular feature of the Fortigate 310b that doesn't work well or that stresses the platform?  SSL decryption, perhaps?

Anyway, as you can see I'm trying to locate someone that has been in the trenches with this Fortigate model and can tell me what they like/don't like about it.

Thanks.
Question by:PhireWall
4 Comments
 
LVL 11

Expert Comment

by:ecsrd
ID: 24066386
We are a school division, and we use the Fortigate 310b.  It is an excellent device for granular control, and there aren't any issues I've come across.  The only issue I have is that the 310b is not capable of 802.1Q trunking as each port is treated as a separate entity (at least with the firmware I'm using).  I cannot speak to interoperability with Novell, however Fortigate sales and support should be able to answer that easily if you call them.

We are a division with 5000 users, a hub and spoke setup on a 40Mbit fibre MPLS interconnect.  I just had a look and our 310b has been up for 306 days without needing a restart - the device is VERY stable.

Hope that answers at least most of your real-world questions.

Author Comment

by:PhireWall
ID: 24068295
Great. Excellent response.  Any comment on the antivirus capability/speed?  That's one of the main liabilities I've read.  It can't easily scan files greater than 10MB, and it must load each file into memory to examine it.  Thus, if several people are downloading files, it could overwhelm the system or stress the memory.

Fortinet counters that most virused files are less than 10MB so that they spread rapidly, and that in the real world they will capture most of the viruses entering the network even with this 10MB limit.  (Desktop/enterprise AV should take care of anything larger that makes it through.)  Makes sense, I suppose, but I'm wondering how it plays out with real users.

Also, I read that "heuristic detection" needs to be turned on in the CLI in order to get very good virus detection.  Was wondering if this slows it down.

I also read that turning on a lot of the UTM features (antivirus, IPS, URL filtering) slows the box down way below the specs of about 160 Mbps for virus detection and 800 Mbps for IDS/IPS.

Are these bogus claims from the competition?  Without running some really hardcore tests on my own, it's hard to evaluate these concerns.  

(If you're successfully running 5000 users on the 310b, I would think it would be overkill for my 400 users, though.)

I realize this amplifies my original request quite a bit, so if this needs to be broken out as a separate question, please let me know.

P.S.  I verified that the 310b does indeed support Novell.
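The trade-off raised above (a per-file scan limit, every file held in memory, and several users downloading at once) can be seen in a small model. The following is an added illustration for this thread, not code from the original posts and not FortiGate's own implementation; the `InlineScanner`, `run_concurrent` names and the scaled-down 16 KiB limit are hypothetical, and the sample "downloads" are constructed here. The EICAR string is the standard, harmless antivirus test signature.

```python
"""Toy model of an inline (proxy-style) antivirus scanner with the two limits
discussed in the thread: a per-file oversize limit and a shared memory budget.

Added illustration only: not FortiGate code, and not how FortiOS implements
AV scanning. Class and function names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# The standard EICAR antivirus test string (a real, harmless test signature).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}


@dataclass(frozen=True)
class Verdict:
    action: str   # "pass", "block" or "pass-unscanned"
    reason: str   # "clean", "virus:<name>", "oversize" or "memory-budget-exhausted"


class InlineScanner:
    """Buffers each file fully in memory and scans it once complete.

    oversize_limit: files larger than this are never scanned; oversize_action
    decides whether they go through unscanned ("pass") or are dropped ("block").
    memory_budget: total bytes the scanner may hold for all in-flight files.
    """

    def __init__(self, oversize_limit: int, oversize_action: str = "pass",
                 memory_budget: int = 64 * 1024) -> None:
        if oversize_action not in ("pass", "block"):
            raise ValueError("oversize_action must be 'pass' or 'block'")
        self.oversize_limit = oversize_limit
        self.oversize_action = oversize_action
        self.memory_budget = memory_budget
        self.buffers: Dict[str, bytearray] = {}
        self.in_use = 0       # bytes currently buffered across all files
        self.peak_in_use = 0  # high-water mark, useful for capacity planning

    def _release(self, fid: str) -> bytearray:
        buf = self.buffers.pop(fid, bytearray())
        self.in_use -= len(buf)
        return buf

    def feed(self, fid: str, chunk: bytes) -> Optional[Verdict]:
        """Append a chunk of file `fid`. Returns a Verdict only when the file is
        rejected early (oversize or out of memory); otherwise None."""
        buf = self.buffers.setdefault(fid, bytearray())
        if len(buf) + len(chunk) > self.oversize_limit:
            self._release(fid)  # an oversize file is never scanned at all
            if self.oversize_action == "pass":
                return Verdict("pass-unscanned", "oversize")
            return Verdict("block", "oversize")
        if self.in_use + len(chunk) > self.memory_budget:
            self._release(fid)  # fail closed rather than swap or crash
            return Verdict("block", "memory-budget-exhausted")
        buf += chunk
        self.in_use += len(chunk)
        self.peak_in_use = max(self.peak_in_use, self.in_use)
        return None

    def finish(self, fid: str) -> Verdict:
        """All chunks received: scan the buffered file and free its memory."""
        buf = bytes(self._release(fid))
        for name, sig in SIGNATURES.items():
            if sig in buf:
                return Verdict("block", "virus:" + name)
        return Verdict("pass", "clean")


def run_concurrent(scanner: InlineScanner, files: Dict[str, bytes],
                   chunk_size: int = 4096) -> Dict[str, Verdict]:
    """Round-robin the files through the scanner to simulate concurrent downloads."""
    pending = {fid: 0 for fid in files}  # fid -> next offset to send
    verdicts: Dict[str, Verdict] = {}
    while pending:
        for fid in list(pending):
            data, off = files[fid], pending[fid]
            if off >= len(data):
                verdicts[fid] = scanner.finish(fid)
                del pending[fid]
                continue
            early = scanner.feed(fid, data[off:off + chunk_size])
            if early is None:
                pending[fid] = off + chunk_size
            else:
                verdicts[fid] = early
                del pending[fid]
    return verdicts


# Constructed sample downloads (scaled down: a 16 KiB limit stands in for 10 MB).
SAMPLE_FILES = {
    "small-virus": b"A" * 100 + EICAR,   # under the limit: caught
    "big-virus": b"A" * 20000 + EICAR,   # over the limit: passed unscanned
    "clean": b"hello" * 1000,
}

if __name__ == "__main__":
    scanner = InlineScanner(oversize_limit=16 * 1024, oversize_action="pass")
    for fid, v in run_concurrent(scanner, SAMPLE_FILES).items():
        print(f"{fid:12s} {v.action:15s} {v.reason}")
    print("peak memory in use:", scanner.peak_in_use)
```

The two points the thread is circling are visible in the output: with the oversize action set to "pass", the large infected file is delivered without ever being inspected (so endpoint AV really does have to be the backstop), and the peak memory figure rises with the number of simultaneous downloads, which is why a shared memory budget, not just a per-file limit, decides whether a box "has a heart attack" during an outbreak.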
LVL 11

Accepted Solution

by: ecsrd (earned 250 total points)
ID: 24068789
I have seen - on the Fortigate 60 - which we use at our spoke locations - that during a virus outbreak (staff and their USB sticks from home...argh), the Fortigate 60s pretty much had heart attacks dealing with the scanning at their level.  However, the 310b didn't actually have any issues, even after I had to turn off the AV at the spoke units and let the 310b handle everything.  It's a pretty robust unit compared to any of their older style equipment.  Like I said, the only thing that (in my mind) wasn't an improvement on their older 300As (which we used to have) is that 802.1Q is no longer supported...

Note: while we have 5000 users on our network, we only have 1800 stations, and those are distributed across 10 sites in our hub and spoke architecture.  The 310b is only servicing inter-site traffic and internet traffic.  That's only about 10-12 thousand concurrent connections.  If you put all of your 400 users behind the 310b directly and it services everything, you'll probably be at about 8-9 thousand concurrent connections, since it will be servicing all traffic.

I can't say I've noticed any slowdowns with IPS/AV/AS enabled.  In fact, I just looked at my logs and the highest CPU and Memory usage on the unit (during our virus outbreak) was only 64%.

Author Closing Comment

by:PhireWall
ID: 31566532
Thanks again.  The 310b looks like a reliable device.  Appreciate your rapid help here.  I'll keep the 802.1Q problem in mind if/when we make our final decision.