Re: Fortigate Experiance / Review




"CCMiami" <nospam@xxxxxxxxxxxxxxx> wrote in message
news:Jr0Jf.64784$bF.7648@xxxxxxxxxxxxx


What has been a problem is the complexity and documentation. This is a
box they expect someone to become an expert on and understand the
concepts, options and there interrelationships. The documentation
requires multiple readings. We have yet to get the VPN working, we are on
our 3rd try - getting VPN up requires configuration of options all over,
there is a "step by step" but it seems somewhat out of date. I should
emphasize we are talking about smart techies trying to do this.

I teach Fortigate courses. I feel the box is a very complex, but very
learnable box. Feedback from my courses is always extremely good. Perhaps
a crash course from a local qualified resource would help you out.

I don't actually read the Fortinet documents very often though. :-)

There are a lot of AV options for specific attacks, most are just set to
record the event. As we don't study virus signatures in detail, we don't
have a good way to know what we should turn on, we hope the defaults are
ok.

You are probably talking about IPS, AV doesn't have such options. You need
to take a pro-active approach with this (and any IPS) to look in the logs,
refer back to the articles on Fortinet's website, and decide what action to
take with each item. The default is fairly permissive, because if it
wasn't, it would break all sorts of your production traffic when you first
drop it in. But it may therefore also let through some stuff you should
care about. However, it's logged. So, look at the logs. Big hint: Change
the column view in the log to reveal the "status" field. That will help you
understand what's happening.

We can't give good marks to the "Forticlient" VPN and Firewall. Every
machine it has been installed on has had stability problems. There is an
option to remove the firewall and just use VPN, but this requires
modifying the install with special software we don't have and have never
used. We are going to try using the MS VPN client.

The Forticlient is really quite excellent compared to most any other IPSec
client install I've tried. You must must must turn off any other firewall
FIRST if you want to use the forticlient firewall. Same for AV. And these
components work really well, far better than any of the Symantec bloatware
or most of the other products I've ever looked at.

That said, all you have to do if you want to stick with the windows firewall
and your favorite centrally managed enterprise AV software, is to do a
custom install instead of a standard install when you put the forticlient
on. Deselect the components you don't want and just leave the VPN component.
It's really very simple to do -- I assume you're trying to build a custom
no-touch install and that's how you've made it difficult. That should be
garden variety msi work but I've never bothered, it's only about 10 or 15
simple clicks for the custom install anyway. Far simpler than installing
MSoffice or something like that. Just doing a vpn client install without
the other bits has been very stable everywhere I've tried it so far, but
YMMV on that one of course.

As for setting up the software VPN, again, the published docs may not be all
that great, but I can alway set up nicely featured software VPNs with
exported profiles in about an hour to meet the client's needs, no problem.
Once you learn it that is. :-)

Bottom line is this may be a good box for a pro, but it has a high
overhead for the small network user. What we don't have is a good way to
compare this with the other firewalls, perhaps they are all complex. I
suspect that once everything is set up it will function well.

I really do feel that they're great boxes but indeed are too complex for the
average IT guy to learn and set up well on their own in isolation. We very,
very often sell a day of time to do the initial deployment and give a crash
course on them to the local resourses, and they usually do well from there.
Often they'll subsequently sign up for one of my courses, but not always.
But those guys usually end up being loyal Fortigate users as they learn
enough to really leverage the power of the box. A year later, they can't
imagine how they got along without them.

-Russ.


.



Relevant Pages

  • Re: HIPAA and firewalls
    ... something I can install and forget for months on end. ... You can setup a Branch Office VPN tunnel in about 10 minutes if you have ... the firewall to firewall VPN tunnels setup and treat the entire thing as ... Setting up the VPN tunnels between offices is the proper way to do it ...
    (comp.security.firewalls)
  • Re: Fortigate Experiance / Review
    ... We spent about an hour with support yesterday to get the VPN working, ... Others have the full install and it is still troublesome. ... I teach Fortigate courses. ... firewall FIRST if you want to use the forticlient firewall. ...
    (comp.security.firewalls)
  • Re: Fortigate Experiance / Review
    ... We spent about an hour with support yesterday to get the VPN working, ... have the full install and it is still troublesome. ... I teach Fortigate courses. ... You must must must turn off any other firewall ...
    (comp.security.firewalls)
  • Re: Linux Firewalls
    ... The same goes for gibraltar. ... this distro features a VPN Server and a VPN Client!! ... It's only a Firewall and has no VPN features ... I think this is a lot easier to install and configure than sweating ...
    (comp.os.linux.security)
  • Re: Service Pack 1 & 2
    ... but enable to install because of service pack 2. ... >> I recently reinstalled Windows XP home on a new hard disk because the ... >> I tried to install service pack 1 but was rejected from doing so. ... > Why you should use a computer firewall.. ...
    (microsoft.public.windowsupdate)