Re: Fortigate Experiance / Review
- From: "CCMiami" <nospam@xxxxxxxxxxxxxxx>
- Date: Fri, 17 Feb 2006 07:27:05 -0500
Thanks Russ,
You don't happen to be or know of a resource in North Virginia, do you?
The cost of this box in human terms is getting out of hand, the idea of
needing to go to courses and such is disapointing.
As for IPS, Looking at the logs to find out I HAVE BEEN attacked seems like
a bad solution. How often do you do this? Again, the human cost is high.
We spent about an hour with support yesterday to get the VPN working, even
he semed to have trouble - note that this is just setting up normal dial-up
users. Frankly, I still don't understand it, the policies seem to be
"backwards".
As for the VPN client, we have not tried custom installs, one of my guys
just installed the VPN part and his machine will then not shut down. Others
have the full install and it is still troublesome. We mostly have IBM
laptops, perhaps it is a specific conflict.
-CC
"Somebody." <somebody.@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:rXbJf.12195$43.9966@xxxxxxxxxxxxxxx!nnrp1.uunet.ca...
"CCMiami" <nospam@xxxxxxxxxxxxxxx> wrote in message
news:Jr0Jf.64784$bF.7648@xxxxxxxxxxxxx
What has been a problem is the complexity and documentation. This is a
box they expect someone to become an expert on and understand the
concepts, options and there interrelationships. The documentation
requires multiple readings. We have yet to get the VPN working, we are
on our 3rd try - getting VPN up requires configuration of options all
over, there is a "step by step" but it seems somewhat out of date. I
should emphasize we are talking about smart techies trying to do this.
I teach Fortigate courses. I feel the box is a very complex, but very
learnable box. Feedback from my courses is always extremely good.
Perhaps a crash course from a local qualified resource would help you out.
I don't actually read the Fortinet documents very often though. :-)
There are a lot of AV options for specific attacks, most are just set to
record the event. As we don't study virus signatures in detail, we don't
have a good way to know what we should turn on, we hope the defaults are
ok.
You are probably talking about IPS, AV doesn't have such options. You
need to take a pro-active approach with this (and any IPS) to look in the
logs, refer back to the articles on Fortinet's website, and decide what
action to take with each item. The default is fairly permissive, because
if it wasn't, it would break all sorts of your production traffic when you
first drop it in. But it may therefore also let through some stuff you
should care about. However, it's logged. So, look at the logs. Big
hint: Change the column view in the log to reveal the "status" field.
That will help you understand what's happening.
We can't give good marks to the "Forticlient" VPN and Firewall. Every
machine it has been installed on has had stability problems. There is an
option to remove the firewall and just use VPN, but this requires
modifying the install with special software we don't have and have never
used. We are going to try using the MS VPN client.
The Forticlient is really quite excellent compared to most any other IPSec
client install I've tried. You must must must turn off any other firewall
FIRST if you want to use the forticlient firewall. Same for AV. And
these components work really well, far better than any of the Symantec
bloatware or most of the other products I've ever looked at.
That said, all you have to do if you want to stick with the windows
firewall and your favorite centrally managed enterprise AV software, is to
do a custom install instead of a standard install when you put the
forticlient on. Deselect the components you don't want and just leave the
VPN component. It's really very simple to do -- I assume you're trying to
build a custom no-touch install and that's how you've made it difficult.
That should be garden variety msi work but I've never bothered, it's only
about 10 or 15 simple clicks for the custom install anyway. Far simpler
than installing MSoffice or something like that. Just doing a vpn client
install without the other bits has been very stable everywhere I've tried
it so far, but YMMV on that one of course.
As for setting up the software VPN, again, the published docs may not be
all that great, but I can alway set up nicely featured software VPNs with
exported profiles in about an hour to meet the client's needs, no problem.
Once you learn it that is. :-)
Bottom line is this may be a good box for a pro, but it has a high
overhead for the small network user. What we don't have is a good way to
compare this with the other firewalls, perhaps they are all complex. I
suspect that once everything is set up it will function well.
I really do feel that they're great boxes but indeed are too complex for
the average IT guy to learn and set up well on their own in isolation. We
very, very often sell a day of time to do the initial deployment and give
a crash course on them to the local resourses, and they usually do well
from there. Often they'll subsequently sign up for one of my courses, but
not always. But those guys usually end up being loyal Fortigate users as
they learn enough to really leverage the power of the box. A year later,
they can't imagine how they got along without them.
-Russ.
.
- Follow-Ups:
- Re: Fortigate Experiance / Review
- From: CCMiami
- Re: Fortigate Experiance / Review
- References:
- Fortigate Experiance / Review
- From: CCMiami
- Re: Fortigate Experiance / Review
- From: Somebody.
- Fortigate Experiance / Review
- Prev by Date: Re: how secure is a linux firewall?
- Next by Date: Kerio and IE
- Previous by thread: Re: Fortigate Experiance / Review
- Next by thread: Re: Fortigate Experiance / Review
- Index(es):
Relevant Pages
|
