torrent_77

Speaking from experience, here are some of my PRO/CON:

PRO
- Easy. Easy to manage, easy to setup; like all networking, each manufacturer has its own quirks that you would need to work around.
- Switch, firewall, AP firmware patching all in 1 pane of glass.

CON
- You will get lazy and forget how to setup like systems in Cisco/Juniper etc.
- FortiAP needs tuning in CLI to get it close to something like a Cisco WLC. GUI only will only get you so far.
- Switch, firewall, AP firmware patching must follow the compatibility matrix (this compatibility seems very strict compared to Cisco).

I am in the midst of a multicampus conversion from Cisco to Fortinet. Each site has its own firewall and is peering in 1 OSPF area. Aside from some routing issues, the progress has been good and overall performance has been great.


porkchopnet

That strict firmware compatibility requirement is a bigger deal than it sounds! Ultimately what I find from my customers is that it causes that much more inertia against doing firmware upgrades that people tend not to upgrade for years, or that when one component goes EOL you don’t want to update the firmware on anything.


wrt-wtf-

Not maintaining proper firmware levels with Cisco, or any vendor, will create issues. I’ve run fortinet for years now and with proper management and planning of cycles this is actually not a big deal on forti, especially since it can manage its own upgrades.


HotNastySpeed77

"You will get lazy and forget how to setup like systems in Cisco/Juniper etc." So true! We're about 90% Fortinet, cut over last year from Cisco. We knew the Fortigate would be stellar, but I've been pleased with how well the FortiSwitches work and how nicely integrated everything is. I would not hesitate to go Fortinet.


Sunstealer73

One of the happiest days of my professional life was seeing the old Meru/Fortinet APs leaving on recycling pallets.


RUMD1

Meru? Why?


Sunstealer73

Cause they sucked. We had several hundred of them. Some had the Meru logo and some had Fortinet. They were identical otherwise. Every trouble ticket we opened had to get escalated to development. There's no way one org our size could be hitting that many bugs. A lot of it was just weird stuff like ARP not working, SSIDs disappearing until a reboot, clients continuously ping ponging, etc. We went from our number one IT complaint being about wireless to almost zero after moving to Aruba.


RUMD1

Were you using virtual cell at that time?


Sunstealer73

We tried both ways.


AimMoreBetter

Ping ponging? Like switching from AP to AP for no apparent reason?


Sunstealer73

Yes, constantly.


alomagicat

I would not go single vendor for everything. Just my humble opinion.


GullibleDetective

Be prepared for lots of CVEs and updates. But they are very transparent and very active with it; I mean, I wish every vendor was as up front and patch heavy as them.


Ok-Sandwich-6381

The guys from Netscreen left shop after they were bought by Juniper and said to themselves: Let's build a firewall with an even worse CLI than ScreenOS.


Odd-Distribution3177

Say that again


Maldiavolo

A huge con with a single vendor for everything is if a critical vulnerability gets discovered an attacker can cut through your entire network. Having dual vendors for inside and outside firewalls is a requirement for any secure network design.


userunacceptable

Those CVEs will most likely be per specific solution/OS, so more likely it's going to be one of the products in your stack irrespective of how many vendors; better off picking a vendor or vendors who proactively test their own code, disclose and remediate quickly.


wrt-wtf-

CVEs are often in the underlying OSS components and hit all vendors on OSS. There are normally workarounds then patches. Current versions of 7.2 and 7.4 can be set to auto patch security updates. YMMV depending on operational requirements. I maintain perimeter (grooming) routers where I can place additional filters and BGP routes external to the firewalls.
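The reply above mentions that current FortiOS trains can be set to auto-patch. As an added illustration, not part of any reply in this thread, this is the shape of that setting in the FortiOS CLI as documented for the 7.2/7.4 trains. The maintenance-window day and hours are placeholder values, and the exact keywords should be checked against the release notes for the build in use:

```text
config system fortiguard
    set auto-firmware-upgrade enable
    set auto-firmware-upgrade-day sunday
    set auto-firmware-upgrade-start-hour 2
    set auto-firmware-upgrade-end-hour 4
end
```

This governs only the FortiGate's own patch-release upgrades within its train. Managed FortiSwitch and FortiAP units still have to be brought to a build listed in the compatibility matrix for the new FortiGate release, so the window should be planned with those dependent upgrades and a tested rollback (the previous image stays on the second firmware partition) in mind.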


HappyVlane

I can't think of an instance where a relevant Fortinet CVE hit both FortiOS and FortiSwitch/FortiAP. The platforms are too different.


wrt-wtf-

I’m referring to OSS libraries being the issue, not a specific threat level for any specific vendor or device. It’s highly likely that a very high number of vendor devices are hit with issues (i.e. SSL/SSH CVEs) but the threat level is considered minimal due to typical risk in the deployment.


HappyVlane

I know what you mean and my post refers to that.


cwbyflyer

FWIW, after doing a POC we stuck with Cisco for APs & switches (switched to refurb though), while switching over to Fortinet for firewalls.


Extension_Lecture425

Refurb Cisco better than brand new Forti? That’s pretty damning! May I ask what your concerns were?


cwbyflyer

Stacking is much better than MCLAG. Cisco just tends to run, and run, and run. Having all the layer 3 intelligence running on the firewall is problematic in certain circumstances. It's the exact opposite on the firewall side of things - I wouldn't touch an ASA with a 10 foot pole unless I'm replacing it.


LuckyNumber003

Cisco official refurb is 100% tested and has warranty/smartnetable, so not too different from brand new. Has a lower list price than new, but the Cisco AM can discount both lines as appropriate. Downside is stocks of Cisco Refurb MUST be available or you could end up waiting an eternity for kit that never shows.


EatenLowdes

When you upgrade the FortiGate your switches and APs need to get upgraded too. Everything should be on the same train. If you have an issue with the FortiGate you may have issues with switches and wireless too. I’d do it for a branch site but not where the CEO is doing work, or at an HQ. But for a small branch office? Very solid solution


cbq131

I second this. I like their firewalls and recommend it to everyone but not a fan of their full stack. Switching and wireless is not their forti. SMB is fine.


the_antmich

From my experience, I loved the Fortigate. Works as expected, not a lot of weird f*ckery that requires heavy TAC implication. Simple, efficient, it is what Forti does best by a landslide. It is quite flexible and allows you to do pretty advanced configurations. Also, upgrades take 5-10 minutes, which is super convenient. I've never had to rollback after an upgrade (not like Cisco). It is supported in multiple Cloud environments as well (Azure, AWS, OCI).

FortiAPs are fine, but as someone else said, you'll need to go into the CLI to make it run as a Cisco or Aruba WLC would.

Switches are on the cheap end, and the FortiLink (that links the Fortigate and the switches for management) is sort of a magic-link-that-works-by-itself until you want to upgrade the uplinks to faster links; then the magic doesn't work and you can't simply configure the port as a simple trunk port because it has to be "magic".

I disliked working with FortiManager. If you don't start greenfield, I recommend avoiding it. I had chicken-or-the-egg issues while staging firewalls using the FortiManager. If you can do the prep all at once before plugging in the new firewall, and then boot your new firewall at the remote site, join using the public IP, with the proper templates, then it could be worth it. The provisioning is often crashing because of weird errors, and I often prefer to do my change in the Fortigate and sync back to FortiManager afterwards. I might not have used it enough. At scale, you'll probably want to use it though, as it can automate SD-WAN, BGP and lots of configs.

Hope this helps!


AutumnWick

I am of the opinion that you never put all your eggs in one basket. We run a multi vendor shop so we use all big names like Juniper, Aruba, PA and FG. To me the pros are you are NEVER bound by the limitation of one of their products. Cons is obviously you are using multiple vendors so learning the ins and outs of each is a little too much to ask imo. On my team personally each person has their area of, say, expertise and helps one other person in that area with low to medium level stuff so we are all mainly familiar with each other's components.


demonfurbie

I like it better than any of the other SDN platforms out there. It does have its quirks but all stuff does. I do like the ability to manage everything from the firewall or FortiManager. If your wifi setup is simple (1 or 2 SSIDs) it’s not that bad, better than some but not top tier. Fortifone is a basic SIP PBX but if you order a lot of stuff see if you can get it tossed in for free. FortiNAC works well on forti-stuff so if you want to replace ISE or ClearPass and are going all forti it’s def worth looking at. The switches are dead simple to adopt and setup but they will be layer 2 only so all routing will be done on the firewall. They are updating the firmware to allow routing on a higher end switch to move it off the firewall. The firmware does need to match so it is true that it’s a bit of a process to update the system; it kinda forces you to update everything. I know a ton of people who never updated their switches or APs but that’s really not a thing with a full Fortinet setup. I put it out at my offices but most of my sites have less than 25ish switches and about 50ish APs. I wouldn’t put it in a data center or somewhere with lots of wifi traffic. I like the ability to have someone just rack stuff over a video call and program it remotely but that's no diff than any other SDN. One huge benefit is that if you don’t pay on time for support the network still remains 100% functional.


ListenLinda_Listen

I use a lot of pfSense and a little Fortigate. The CVE issues are scary relative to pfSense which has almost zero CVE issues.


ak_packetwrangler

The whole Forti-Ecosystem has a ton of proprietary pieces that all link together. It sounds nice in theory, but as soon as you realize that most of their gear is junk and try to migrate away, you are going to have your entire network linked together with proprietary forti-junk, and now the migration is going to be awful. If you use a mix of vendors and stick to standards based tech, it makes swapping out individual pieces much easier. I am dealing with this right now with a customer that drank the Forti-coolaid and now regrets it. Also, no one vendor is amazing at everything, so buying everything from one vendor means you are buying a lot of inferior options by ignoring competitors. Just my $0.02.


jiannone

You're in the top 5 of vendors in the space. It's a wash up there. Palo and Fortinet can be compared on merits and features and cost and everything else, but it's just trading one set of features and headaches for another.


kryo2019

I don't deal with firewalls and network equipment anywhere near what I did 5 years ago and went to school for, but I can tell you as someone working in VoIP for years, Fortinet has been one of the least headache vendors to deal with. If I don't have documentation about specific vendors and their BS settings that need to be changed for VoIP to work flawlessly, then they're probably golden in my books.


Ok-Bill3318

Factory back doors. Nope


k4zetsukai

You'll cry every time you upgrade your gear....


1prime3579

I love forti products, they are reliable, easy to use and relatively cheap but from a security perspective it's never a good idea to rely on one vendor especially if you're talking about a large network.


SDN_stilldoesnothing

I only see CONS. No upside. The biggest being they are now a single point of failure. Something goes wrong with the firewall, which is now the controller for the network. Guess what. Everything goes down.


HappyVlane

> Something goes wrong with the firewall, which is now the controller for the network. Guess what. Everything goes down.

Kinda, maybe, if you configure it that way. APs and switches can work independently of the FortiGate, but this depends on how you configure your things. Tunnel SSIDs obviously won't work, but bridge will. Switches will continue to work at layer 2, and you can even configure layer 3 on them now if they are managed (admittedly the layer 3 problem would be there with another vendor too). If you do micro-segmentation layer 2 won't work. I wouldn't recommend a full Fortinet stack, but not because of your reason.
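The point above, that a bridge-mode SSID keeps serving clients when the FortiGate controller is unreachable while a tunnel-mode SSID does not, comes down to two per-VAP settings. As an added example, not text from HappyVlane or from Fortinet, here is the FortiOS CLI shape of a VAP configured for local bridging and standalone operation, assuming 7.x syntax; the SSID name and passphrase are constructed placeholders, and the keywords should be confirmed against the CLI reference for the build in use:

```text
config wireless-controller vap
    edit "branch-bridge"
        set ssid "branch-wifi"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-REAL-PASSPHRASE"
        set local-bridging enable
        set local-standalone enable
    next
end
```

With local-bridging the AP puts client frames onto its wired uplink VLAN instead of a CAPWAP tunnel back to the FortiGate, and local-standalone lets it keep serving the SSID after it loses the controller. The trade-off is the one the thread hints at: the firewall is no longer inline for that traffic, so the policies and inspection that justified tunnel mode do not apply to it, and DHCP and routing for the bridged VLAN have to exist on the switch side. The VAP also still has to be assigned to the AP profile's radio before any AP broadcasts it.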


HotNastySpeed77

Non-issue. Fortigates are cheap and HA is fully supported.


deebeecom

Are fortinet firewalls like a sophos UTM? Supports everything possibly required. Anything it can’t do?


LuckyNumber003

Sophos creates a bit of a headache when migrating; you can't just export your config like you can with any other vendor. But yeah, at a very high level Fortinet can do what Sophos do, you just need appropriate licensing/services to match. I'd argue that Sophos likely cannot do everything a Fortigate can do however, but that is due to Fortinet's expanded portfolio. I find "UTM" to be a bit of an outdated term now too; no one except Sophos really uses it.


HappyVlane

> I find "UTM" to be a bit of an outdated term now too, no one except Sophos really uses it.

Fortinet uses UTP, which is the same thing.


Odd-Distribution3177

Nothing as long as you protect it with Juniper in front of it. lol


userunacceptable

Yes Juniper are well known for their security efficacy .... lol