Chip Levinson (United States of America)

asked on
Seek Help Finalizing Selection of Fortinet NGFW for Home Office

I have been looking into replacing my Juniper Networks SSG5 firewall that I use in my home and have decided to go with one of the entry level NGFW from Fortinet.  In particular, I am thinking about the FortiGate 40F and the FortiWifi 40F (although I am open to other models).

The SSG5 was purchased about 10 years ago to 1) allow me to separate and isolate my home-based business network from my home personal computers used by family members, and 2) to protect a file server and a web server.  The web server is no longer there, so I no longer get many hits on my network from all over the world.  I still want to have separate home and work zones, however.  The SSG5 is not only old, it is slow.  It only supports 100 Mbps so it is a huge bottleneck to the 400 Mbps I pay for from my ISP.

My usage is very small in comparison to what any of the Fortinet products support. Unless I am mistaken, I should not care about concurrent sessions, new connections per second or firewall latency as I will never come close to stressing the lowest-end model offered. Due to my ISP limitation and small number of endpoints (less than 10), I also doubt I will ever come close to the multi Gbps throughput any of these models offer.

I am leaning towards the 40F vs the 40E because I like the idea of application specific filtering (being able to block WhatsApp, etc). I also want this new unit to last about 10 years so buying current generation products makes sense. I would seriously consider a 30F (or 20F), but do not think they offer those models.

Here are my questions:
1. Should I get wifi version?  I DEFINITELY need wifi in my home and this has been a HUGE challenge for a number of years.  The firewall is located at one end of the house in a server closet in a well insulated room. The wifi signal is always weak outside my office and upstairs. My current solution is to have a Netgear Orbi connected to my ISP modem and a satellite located in the family room. Our wifi performance is spotty, we get a lot of drops and have to frequently reset the Orbi.

I like the idea of having all traffic to my wifi devices pass through my NGFW device for security (right now my wifi sits in front of my SSG5). If I go with a FortiWifi 40F, how can I boost the signals in the rest of the house?  Can I somehow use the two Orbi routers as boosters and not routers (access points) to give me better wifi coverage?  They would be on my home network which I currently have assigned to IP 192.168.3.X.  I would like to be able to take an iPad that is connected to wifi in my office and walk outside my office and go upstairs to any bedroom and never lose my internet connection. Or will the Orbi end up creating its own network so that the iPad must switch from the FortiWifi to the Orbi as I leave the office?  If the Orbis cannot work the way I want, what is a good Wifi booster to use with the FortiWifi?

2) Please confirm that each of the three Gigabit ports on the unit can be programmed into its own zone with its own rules.

3) Does this NGFW protect against ransomware? How important is it to get FortiGate UTM protection (which I think costs $300-$400 a year on these units)?

4. Any suggestion where to buy?  Is it OK to buy from Amazon or should I buy from a firewall dealer?

Thank you!
Bembi (Germany)

Hello,
let me try to answer as far as I can...
1.) WIFI or not...
I would think about where you want to place the device. WIFI access points should be placed at locations where you get the best connectivity to the clients.
A second question is whether you want to provide WIFI for internal and/or external access (external in the sense of a guest WIFI / hotspot).
An internal WIFI device cannot be published as guest / hotspot because it has access to the internal network.

I use both, the WIFI functionality on the routing device for guests, and additional WIFI routers for internal access.
Even I have two of them, one for the office, one for home.

WIFI devices can usually (but not all of them) be used as repeaters, or the newer ones as mesh devices.
Mesh can also use the network as a bridge if you have cables, while pure repeaters also need a reliable WIFI connection between them. They can only repeat what they get.

2.) Firewalls work LAN based. Addressing a single port needs a kind of network segmentation.
I cannot see any hint for that, so I cannot really tell you if it is possible or not.
At least I would expect VLAN as a feature, which is not written anywhere in the specs.
The device has, like similar devices, just an unmanaged switch inside.
I would not expect this, but it is possibly a question you can directly address to Fortinet.

3.) Ransomware is a special kind of virus; the major difference is how it behaves if a system is infected.
But in general, it is a virus like any other virus.
See:
https://www.fortinet.com/solutions/small-business/stop-ransomware-phishing

The UTP covers e-mail antispam as well as web filters. With web filters, you can block URLs, filter web sites by keywords or block special services like file sharing, streaming etc.
There are also features inside to block phishing sites and some other threats, as well as youth protection.
While application control is more port / service based, the web filter is also URL based.

Both make sense if you are not protected in a different way.

The UTP is an additional 80 Euros per year compared to ATP.
But currently there are promo offers for a 3 year UTP bundle which is cheaper than the ATP bundle.

4.) A firewall dealer may give you some more information; nevertheless you can directly contact Fortinet.
In the end they distribute over different channels. The devices are the same, the licenses too, so in the end you can buy wherever you like. Compare prices.

5.) Be aware that a firewall can only identify what passes the device. So any kind of protection mechanism is an add-on, but not a replacement for a virus scanner. The device can block some traffic before it reaches your end device, but cannot protect you against other sources.

Oh, one more comment regarding the devices...
The 40E supports 1 GB external and 600 Mbps with threat protection.
For web surfing, the threat protection value is the one you should take into account.

The 30E has only 150 Mbps, which is less than your connection speed.
So the 40F is the better fit.

> 1. Should I get wifi version?  

No.

If you can and want to invest some money for infrastructure and want to use your FortiGate for 10 years you really should get a 40F (newer hardware --> longer support cycle) or a 60F (depending on number of users and complexity of rules, desired protection level and internet speed)

In your case I would get a non-Wi-Fi firewall and one or more FortiAP access points from Fortinet (the 40F can support up to 5):
a) they can be managed from the FortiGate and each SSID can be treated like a network interface in the firewall policies (think "HOME", "COMPANY", "GUEST" etc. SSIDs, each with their own scanning, policies, traffic shaping, application/port/address blocking etc.)
b) you can swap out for newer APs if the Wi-Fi standards change (Wi-Fi 6, 6E etc.), add more APs if your coverage needs to be extended, and place the APs where you need coverage

You just need a PoE Ethernet connection to the position of each AP.

For Ethernet coverage you may also want to consider one or more FortiSwitches with PoE support for the access points (again, they can be managed from the FortiGate, and a port or VLAN can be treated like a network interface in the firewall policies).

Switches and APs from Fortinet come with a high(er) price, but with good integration and central management on the firewall.

> 2) Please confirm that each of the three Gigabit ports on the unit can be programmed into its own zone with its own rules.

Yes.
The 40F has 3 LAN ports (can be split into individual interfaces, e.g. port1, port2, port3), 1 FortiLink port "A" for a FortiSwitch (can also be used as a general purpose port if no FortiLink is needed) and one WAN port.

> 3) Does this NGFW protect against ransomware? How important is it to get FortiGate UTM protection (which I think costs $300-$400 a year on these units)?

No.
You had better invest in some training to educate the users.
UTM provides antivirus, intrusion protection, application detection, an IP-to-country database (like "block all traffic from country XXX and YYY to my network") and more.

> 4. Any suggestion where to buy?  Is it OK to buy from Amazon or should I buy from a firewall dealer?

Depends on your location. If you can find a decent Fortinet partner near you, they can also help installing and support you if you run into problems.


Let me add a comment as Don addressed some additional points.

1.) All-in-one devices always have the drawback that you cannot change single components. You can only replace the whole device.
The major topic of FortiGate is the firewall, so WIFI is an add-on.
If the technology changes, the built-in functionality may become obsolete and you have to buy another device anyway to follow the technology. Another argument is just the placement. Separate devices you can place where they are needed, rather than having them at the place where your internet connection resides.
Both are arguments against the included WIFI.

The same argument may apply to switches, but it depends on your needs. A specialized switch possibly has much more functionality than the built-in switches. PoE and network segmentation may be examples.
If you need more than 3 (4) ports, you need additional switches anyway.

The argument for an all-in-one device is just the price.

3.) Maybe I was a bit generic with my explanation.
A firewall can protect you against anything that passes the firewall. And as ransomware is a virus like any other virus, the antivirus of the FW can fish it out as far as it passes the firewall (i.e. download) and as far as the virus is covered by the current patterns.
Of course it doesn't protect against the mechanism of ransomware.

A local virus scanner on the machine may even be capable of reacting to the behaviour of ransomware, which a FW never can do.

Also there are other ways to infect a system; phishing is one of them, directly sent by email or even chained to each other (one virus downloads another one).
So a FW can possibly prevent subsequent viruses from being downloaded, either by direct detection or by blacklists, meaning well-known sites or IPs which spread viruses or malware are blocked.
If the FW does not scan emails, they can also pass if directly included in the email, i.e. as attachments. The FW can only detect viruses in emails if the FW acts as an email gateway (which needs the UTP license).

This means antivirus on a firewall is an additional protection, but doesn't replace a virus scanner on the local machine.
Chip Levinson (asker)

Thank you everyone for your continued help! First off, I definitely decided if I buy a Fortinet it will be the 40F. My only hesitancy about the 40F, or any new firewall for that matter, is how difficult (or expensive) will it be for me to get it configured. I am some years removed from helping set up my SSG5.  I have been searching the web and Fortinet's site for videos on how to configure.  For a variety of reasons, I do not wish to hire a local IT pro to come in and do everything.

A. If I start a new thread about Fortigate programming, are any of you able to help me set the new unit up?  

If yes, my plan would be to start by posting a summary of my SSG5 current rules (zone definitions, traffic allowed, traffic blocked, etc) and get feedback on what I should keep and what I should change with the 40F. My firewall settings are 10 years old.  I imagine there may be some new steps I can take to protect my infrastructure.

B. In terms of a FortiAP, does it need to be plugged in directly to the 40F or a 40 switch?  Or can it be plugged into any unmanaged gigabit switch? If needed, I should be able to plug it directly into one of the 4 ports of the 40F (I will never need FortiLink for my home setup).

C. I have three possible PoE Ethernet connections outside of my heavily shielded home office I could use for a FortiAP, all of them are in upstairs bedrooms. The logical location would likely be the master bedroom since it is centrally located and is near the two smart televisions that would use the wifi. Would this single FortiAP eliminate the need for my underwhelming wifi mesh built with two Netgear Orbis?

D. Any advice on the most cost-effective model of FortiAP?  The wifi will be used by family and guests for their cell phones (maximum of 10 people at one time, usually 3), two smart TVs (but very rarely at the same time), an iPad, and maybe 1-2 laptops.  Finally, I may add one or two security cameras that will use Wifi. Is all of this still considered a small number of devices for an AP?  I would like to end up with download speeds of at least 200+ over wifi from my 400 Mbps ISP.  For this type of workload do I need Wifi 6?

Thanks again.

UPDATE: A quick review shows that FortiAP 221E/223E or 23JF will cost $350+ for the hardware. It looks like I am getting close to $1,000+ if I buy Forticare for the two device solution.  I plan to have all wifi devices be in their own zone and to isolate that zone from all work and family computers.  Let's say my work devices (and the Fortinet 40F) are 192.168.1.xxx.  The 40F port 1 would be work and would be plugged into a Dell unmanaged switch for all devices to connect to the zone.  The 40F port 2 would be the "Family zone". It will use 192.168.2.xxx and will be plugged into a separate unmanaged switch for all the personal computers to use.  The 40F port 3 would be the Wifi Zone and will be 192.168.3.xxx.  Rules will block all traffic between the three zones.  

What if I used the Netgear Orbi as the "switch" for the Wifi Zone?  So I would plug the Netgear Orbi into the 40F and have it use NAT with DHCP so Wifi devices look for 10.10.10.x.  Rather than have the Orbi satellite connect to the base via wifi, could I plug it in directly to the base using a PoE ethernet connection? This would eliminate the problem of poor wifi signals coming out of my office. Then I could configure any additional wifi security rules I want for the Wifi Zone - like block WhatsApp. How does that setup sound?
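The three-zone layout the asker sketches above (WORK on port1 / 192.168.1.x, FAMILY on port2 / 192.168.2.x, WIFI on port3 / 192.168.3.x, no traffic between zones) maps directly onto FortiOS zones and policies. The following FortiOS CLI configuration is an added example written for this thread, not configuration posted by any participant or taken from Fortinet documentation. It assumes the 40F's LAN ports have already been split out of the default hardware switch into the individual interfaces port1, port2 and port3 (as the earlier answer says they can be), that the internet-facing port is named "wan", and that the gateway addresses, DHCP range and policy names are the constructed values shown.

```fortios
# Added example (not from the thread): three isolated zones on a FortiGate 40F.
# Assumes port1/port2/port3 are already individual interfaces and the WAN port is "wan".
config system interface
    edit "port1"
        set alias "WORK"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh     # manage the firewall from the work zone only
    next
    edit "port2"
        set alias "FAMILY"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping
    next
    edit "port3"
        set alias "WIFI"
        set ip 192.168.3.1 255.255.255.0
        set allowaccess ping
    next
end

# One zone per port. Policies reference the zone name, so adding a second
# interface to a zone later does not require rewriting the policies.
config system zone
    edit "WORK"
        set intrazone deny
        set interface "port1"
    next
    edit "FAMILY"
        set intrazone deny
        set interface "port2"
    next
    edit "WIFI"
        set intrazone deny
        set interface "port3"
    next
end

# DHCP for the Wi-Fi zone (constructed range); the other zones would be set up the same way.
config system dhcp server
    edit 1
        set interface "port3"
        set default-gateway 192.168.3.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.3.100
                set end-ip 192.168.3.200
            next
        end
    next
end

# Outbound policies only. There is deliberately NO policy whose source and
# destination are two of the LAN zones, so WORK<->FAMILY<->WIFI traffic falls
# through to the implicit deny at the bottom of the policy table.
config firewall policy
    edit 1
        set name "WORK-to-Internet"
        set srcintf "WORK"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "FAMILY-to-Internet"
        set srcintf "FAMILY"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 3
        set name "WIFI-to-Internet"
        set srcintf "WIFI"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

The design point is that isolation comes from the absence of inter-zone policies plus the implicit deny, not from an explicit "block" rule that could be shadowed by a later accept. Application control (the WhatsApp blocking mentioned above) is attached to a policy rather than to a zone: on the WIFI-to-Internet policy that means enabling UTM inspection (`set utm-status enable`) and referencing an application sensor built under `config application list`, which is left out here because it requires the UTM subscription and the specific application signatures the asker chooses to block. If the Orbi is used as a NAT router behind port3 as the asker proposes, the FortiGate sees only the Orbi's single address and cannot apply per-device policy or logging to Wi-Fi clients; plugging the Orbi in as a plain access point (NAT and DHCP disabled) keeps every client visible on 192.168.3.x.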
ASKER CERTIFIED SOLUTION
Bembi (Germany)
Hi, I will close this in the next day or two.  I plan on buying the Fortinet 40F.

Update: I ended up purchasing a SonicWall TZ270 with a 3 year subscription to their Essentials UTM package.  SonicWall offered a discount for a competitive upgrade and it was almost half the cost of the 40F with 3 years of UTM. For my purposes, it looks like the two are fairly comparable in terms of performance.  Both are far superior to my SSG5.  The SonicWall will arrive tomorrow or Wednesday, so I am not going to try to get the SSG5 to work anymore.  Next step is to review the SSG5 configuration and figure out how I want to set up the TZ270.  I will likely start a new thread with specific questions about that.  Thanks again!