New Firewalls: Fortinet FG-100D


We recently started offering our clients a new firewall. In addition to the Cisco ASA 5512 and Cisco ASA 5508-X, we now offer the Fortinet FortiGate FG-100D.

The initial reaction from most of our clients went something along the lines of, “Why would you suggest this no-name product over Cisco?” Truth be told, we had mixed feelings about it here at Selectel, too; however, our experience with these firewalls has shown us that this solution at least deserves a try.

As far as feedback goes, one client sent us the following message: “We’d like to replace our existing firewalls with new FortiGate appliances from Fortinet. Our experience has shown that FortiGate appliances are much more stable and predictable under high loads.”

Fortinet was founded in 2000 in California. It was started by the same individual who founded NetScreen in 2004, which was later bought by Juniper. After the acquisition, the Juniper SRX firewalls started to appear in the Juniper product line. Fortinet now employs over 4500 people all over the world and brings in an annual revenue of over 1.2 billion dollars (2016).

The company’s principal products are its FortiGate firewalls. The higher the FG model number, the higher the performance. According to the manufacturer, a key feature of these firewalls is that every platform is built around dedicated hardware. Traffic is processed in the firewall’s data plane, which is where the hardware ASIC sits; the control plane (the CPU) only serves to configure the ASIC.

In 2017, Gartner, in its typical fashion, placed Fortinet alongside the Enterprise Firewall leaders on the “Magic Quadrant”.

In 2017, FortiGate was certified by the Russian Federal Service for Technical and Export Control (FSTEK), which validates the use of FortiGate firewalls in systems that handle personal data under federal law FZ-152.

Available Model

The FG-100D specifications roughly match those of the Cisco ASA 5508-X, but the FG-100D proves superior in some categories.

The manufacturer claims the firewall has a performance of 2.5 Gbps and can handle up to 2 million simultaneous sessions. Like the Cisco ASA 5508-X, the FG-100D has only one power supply. To create a reliable network infrastructure, the recommended setup is a system of two firewalls in an HA (high availability) configuration.

It’s also suggested that the firewalls be connected not to one PDU, but to different PDUs drawing from separate power feeds.

The FG-100D offers a number of different ports. There are dedicated WAN ports for Internet connections, separate LAN ports for local area networks, and a DMZ port, which is used for connecting switches to servers in corporate installations. There are also two 1000Base-T ports for creating HA configurations.

Setup and Deployment

Unlike the Cisco ASA, where the bulk of the setup, troubleshooting, and maintenance is performed from the Adaptive Security Device Manager software, Fortinet utilizes a sophisticated web interface. There is even an excellent resource available for Fortinet users, the Fortinet Cookbook, which offers detailed tutorials on performing specific tasks. The only drawback is that this resource is currently only available in English, so some international users may have a hard time working everything out.

If you’re new to Fortinet firewalls, there’s a Getting Started section. Most articles on configuring, troubleshooting, and maintaining your firewall are written in easy-to-understand language and have illustrations to help clarify things.

There’s another resource dedicated to High Availability configurations. There you’ll find a description of the initial setup for a firewall cluster.

Further cluster configuration information is available in the documentation in a separate article.

Operating System

Unlike many competitors, Fortinet has kept the version numbering of its firewall firmware simple. There’s even a page that describes the nuances of upgrading from one OS version to another.

The latest version of FortiOS, version 5.6, was released in May 2017. In addition to fixes for some minor issues, users received an enormous number of new capabilities. The manufacturer makes special mention of the improved transparency for tracking sessions within the firewall.

This is a very easy-to-use tool that significantly improves one’s ability to diagnose complex problems affecting both the network and areas pertaining to the complex logic of server applications.

Conclusion

Fortinet firewalls significantly improve the ability to diagnose problems on the network and problems related to application interactions on the server.

We suggest trying the new Fortinet FortiGate FG-100D firewall, which is more stable and predictable under heavy workloads.

Useful Links:
Introduction to Fortinet firewalls
High Availability with FortiGates
Cluster Setup
Nuances of Upgrading Firewall Firmware