Joel, what Fortigate model do your numbers refer to? Is it the 3600 that you reviewed?
thanks -----Original Message----- From: Joel M Snyder [mailto:[EMAIL PROTECTED] Sent: Thursday, December 29, 2005 8:18 AM To: [EMAIL PROTECTED]; [email protected] Subject: Re: Fortinet's fortigate 100 devices > - Has anyone got any advice regarding the network performance of these > devices in real world environments. During my testing I noticed they > are using a Realtek 8139 based NIC. I personally have never had any > issues with Realtek 8139 cards in environments ranging from slow to > medium/high bandwidth utilization (40-50Mbps) however any feedback > about how the Realtek network cards perform in the Fortigate would be > greatly appreciated. I did a test of Fortinet products and found them to be highly CPU-bound once you turn on all features. For example (TPS = HTTP transactions per second): only firewall turned on: 2000 TPS/70 Mbps IDS turned on: 1000 TPS/39 Mbps IDS+IPS turned on: 1000 TPS/39 Mbps IDS+IPS+A/V turned on: 100 TPS/2 Mbps IDS+IPS+A/V+VPN tunnels: 50 TPS/1 Mbps > > - I noticed that the system has got HA functionality. It appears to be > very similar to the way in which VRRP works. However it does not state > that its actually VRRP (licensing issues perhaps). Does anyone have > any feedback as to how good the fail over/fail back/ redundancy issues > are on these devices? It works quite well, for some values of "quite well." See my writeup in Network World last week: http://www.networkworld.com/reviews/2005/121905-ssl-ha.html? review=sslvpn The situation is that the HA is really an availability thing, not a HIGH availability thing. Fortinet is not sharing all the state information across the active/active pair, which means that when you have an HA event, you'll failover to the new device, but many of the transactions might have to be restarted (such as, for example, requiring users to re-authenticate). They have an internal load balancer, which looks slick in the glossy brochures, but once you get to testing it, you'll see that they are not load-balancing everything. As I remember, only A/V is really load balanced (which, as you can see by the numbers above, is the single most significant drag on system performance). > - Any overall opinions or feedback from anyone that has used the > device in any production environments would be fantastic. Also if > anyone knows of any competing products I would like be very interested > to know about them. I found that their SSL VPN features were buggy and incomplete. I have severe reservations about their QA process. In the past, they have "announced" features (like their 2.8 release) and then have them sit in beta or 'not generally available' for months at a time. For example, they told me that their SSL VPN feature (in 3.0) was shipping and ready to go, but in fact it's only available on specific request to technical support. In other words, they often say "you can get this on our web site," but in fact, you have to beg technical support for it. I don't know what the situation is with their internal software QA and development process, but from the outside, it has a certain malingering odor to it that I would be suspicious of. All that being said, I have talked to folks who have used them for in-line A/V and are very happy. Since this is the oldest and most stable feature of the product, if that's your goal, then I'd go for it. But since you're writing to Focus-IDS (and not Focus-Antivirus), I would be a bit more suspicious of their capabilities in the IDS+IPS space, and I would test them much more carefully. > > - I am also interested to know how everyones experiences are in > regards to Fortinet support? I have only one data point. On 20-November, I sent in a ticket asking for copies of the 3.0 manuals (only 2.8 is on the web site) and the newest 3.0 software. On 28-November, I got a response saying that they would research that, and on 29-November, I got a response telling me how to download 3.0beta build 89 (although the build that had been shipped to me was build 111). jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX) [EMAIL PROTECTED] http://www.opus1.com/jms Opus One ------------------------------------------------------------ ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_ 040708 to learn more. ------------------------------------------------------------ ------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
