- Has anyone got any advice regarding the network performance of these
devices in real world environments? During my testing I noticed they are
using a Realtek 8139 based NIC. I personally have never had any issues
with Realtek 8139 cards in environments ranging from slow to medium/high
bandwidth utilization (40-50Mbps); however, any feedback about how the
Realtek network cards perform in the Fortigate would be greatly
appreciated.

I did a test of Fortinet products and found them to be highly CPU-bound
once you turn on all features. For example (TPS = HTTP transactions per
second):
only firewall turned on: 2000 TPS/70 Mbps
IDS turned on: 1000 TPS/39 Mbps
IDS+IPS turned on: 1000 TPS/39 Mbps
IDS+IPS+A/V turned on: 100 TPS/2 Mbps
IDS+IPS+A/V+VPN tunnels: 50 TPS/1 Mbps

- I noticed that the system has got HA functionality. It appears to be
very similar to the way in which VRRP works. However, it does not state
that it's actually VRRP (licensing issues perhaps). Does anyone have any
feedback as to how good the failover/failback/redundancy features are
on these devices?

It works quite well, for some values of "quite well." See my writeup in
Network World last week:
http://www.networkworld.com/reviews/2005/121905-ssl-ha.html?review=sslvpn
The situation is that the HA is really an availability thing, not a HIGH
availability thing. Fortinet is not sharing all the state information
across the active/active pair, which means that when you have an HA
event, you'll failover to the new device, but many of the transactions
might have to be restarted (such as, for example, requiring users to
re-authenticate). They have an internal load balancer, which looks
slick in the glossy brochures, but once you get to testing it, you'll
see that they are not load-balancing everything. As I remember, only
A/V is really load balanced (which, as you can see by the numbers above,
is the single most significant drag on system performance).

- Any overall opinions or feedback from anyone that has used the device
in any production environments would be fantastic. Also, if anyone knows
of any competing products, I would be very interested to know about
them.

I found that their SSL VPN features were buggy and incomplete. I have
severe reservations about their QA process. In the past, they have
"announced" features (like their 2.8 release) and then have them sit in
beta or 'not generally available' for months at a time. For example,
they told me that their SSL VPN feature (in 3.0) was shipping and ready
to go, but in fact it's only available on specific request to technical
support. In other words, they often say "you can get this on our web
site," but in fact, you have to beg technical support for it.
I don't know what the situation is with their internal software QA and
development process, but from the outside, it has a certain malingering
odor to it that I would be suspicious of.
All that being said, I have talked to folks who have used them for
in-line A/V and are very happy. Since this is the oldest and most
stable feature of the product, if that's your goal, then I'd go for it.
But since you're writing to Focus-IDS (and not Focus-Antivirus), I
would be a bit more suspicious of their capabilities in the IDS+IPS
space, and I would test them much more carefully.

- I am also interested to know what everyone's experiences are in regards
to Fortinet support.

I have only one data point. On 20-November, I sent in a ticket asking
for copies of the 3.0 manuals (only 2.8 is on the web site) and the
newest 3.0 software. On 28-November, I got a response saying that they
would research that, and on 29-November, I got a response telling me how
to download 3.0beta build 89 (although the build that had been shipped
to me was build 111).
jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
[EMAIL PROTECTED] http://www.opus1.com/jms Opus One
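The HA observation above (a pair that fails over but does not share session state, so transactions have to be restarted and users re-authenticate) is easy to reason about with a small model. The following is an added illustration, not Fortinet code and not anything from the thread: two toy firewall nodes, a session table on each, and an optional replication step. Node names, session fields and the five constructed client sessions are all assumptions made here; the point is to show concretely what "sharing state across the pair" has to carry for a failover to be transparent, and how a tester would count the sessions that survive.

```python
"""Toy model of an active/active firewall pair with and without
session-state replication (added example; all names and data constructed)."""
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str             # session/cookie identifier the client presents
    user: str            # identity that authenticated on this session
    authenticated: bool  # whether the user has completed login


@dataclass
class FirewallNode:
    name: str
    sessions: dict = field(default_factory=dict)  # sid -> Session
    alive: bool = True

    def authenticate(self, sid: str, user: str) -> None:
        self.sessions[sid] = Session(sid, user, True)

    def handle(self, sid: str) -> str:
        """'ok' if the session is known and authenticated here,
        otherwise 'reauth' (the client must log in again)."""
        s = self.sessions.get(sid)
        return "ok" if s is not None and s.authenticated else "reauth"


class HAPair:
    def __init__(self, replicate_state: bool):
        self.primary = FirewallNode("fw-a")      # assumed node names
        self.secondary = FirewallNode("fw-b")
        self.replicate_state = replicate_state

    def active(self) -> FirewallNode:
        return self.primary if self.primary.alive else self.secondary

    def login(self, sid: str, user: str) -> None:
        node = self.active()
        node.authenticate(sid, user)
        if self.replicate_state:
            # Stateful HA: the new session is pushed to the peer as well,
            # so the peer can continue it after a failover event.
            peer = self.secondary if node is self.primary else self.primary
            peer.sessions[sid] = Session(sid, user, True)

    def request(self, sid: str) -> str:
        return self.active().handle(sid)

    def fail_primary(self) -> None:
        self.primary.alive = False


def failover_outcome(replicate_state: bool) -> dict:
    """Log in five constructed clients, fail the primary, and count how
    many transactions still succeed versus how many need re-authentication."""
    pair = HAPair(replicate_state)
    clients = [f"sid-{i}" for i in range(5)]      # constructed session ids
    for i, sid in enumerate(clients):
        pair.login(sid, f"user{i}")
    before_ok = sum(pair.request(sid) == "ok" for sid in clients)
    pair.fail_primary()
    after_ok = sum(pair.request(sid) == "ok" for sid in clients)
    return {
        "before_failover_ok": before_ok,
        "after_failover_ok": after_ok,
        "after_failover_reauth": len(clients) - after_ok,
    }


if __name__ == "__main__":
    print("no state sharing :", failover_outcome(False))
    print("state replicated :", failover_outcome(True))
```

Without replication every established session is unknown to the surviving node, which is exactly the "many of the transactions might have to be restarted" behaviour described above; with replication all five continue. When testing a real pair, the same measurement (log in a set of clients, pull the primary, count which sessions still pass without a login prompt) separates "availability" from "high availability" better than the brochure does.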