Looking for Forticlient experiences

Question

HiWe're currently comparing Forticlient and Z-scaler for client security. Was hoping to hear some stories from real users/admins.We have around 50.000 users all around the globe and I was wondering:[ul]How's the management platform, is it easy to understand and manage?Has there been any serious bugs or annoyances?Any weaknesses/limitations in the product that we should know about?How long does it take from updating the policy to it reaching the client?Which method do you use to authenticate the clients when they are outside the office? Is there any issues with said method?We have a bunch of local security products already and it would take considerable political efforts before we can replace them. Would you consider the client to be heavy if only using it for Web filtering/Sandbox:ing?Anything else I should be aware of?[/ul]I know these are very generic questions but I am grateful for any input. Thank you! Kind regards,Patrik

SteveG · Accepted Answer

Ah I'm with you. There are a few options within EMS/FC. You can specify an 'on net subnet', and use different filter settings when on prem as opposed to at home. However that's easily bypassed given it's based on IP. FortiClient has the same web filtering capability as the FortiGate firewalls so you can undertake any filtering etc on the client device. The configuration of that stuff is very easy to do via the profile that's applied to the group which the client PC's are in. That group membership can be pulled from AD so there's very little admin required within EMS.

The policy here is we don't restrict web access but everything is logged, we're a progressive company. FC has the ability to send traffic logs to FortiAnalyzer (hence my comment about nice integration with other FN products). With each released of EMS they introduce new features so there may well be stuff you'd benefit from which I don't know about.

epacke wrote:
Hi Steve
How do you handle employees travelling? Don't you enforce web filtering then?

/Patrik

SteveG · Answer

Hi there, we've been using FortiClient and EMS (since it was released). We have a very small estate compared to yours, about 1500 devices, a mix of Linux, MacOS & Windows. Here are my honest answers to your questions, I'm a big Fortinet fan.

How's the management platform, is it easy to understand and manage?

The web interface of EMS is actually great, it's very modern and functional.

Has there been any serious bugs or annoyances?

Yep! Still are, the auto upgrade feature for Mac's only works in about 70% of the updates. The failed upgrades leave the Mac with no FortiClient installed which means re-installing it manually.

Any weaknesses/limitations in the product that we should know about?

Generally speaking FortiClient does not work reliably on MacOS.

Although there is a Linux client it doesn't support any form of VPN connection but I believe that's in the works.

How long does it take from updating the policy to it reaching the client?

Our install is set to a 2 minute FortiClient poll so updates are pushed pretty quickly, if you change a profile that affects hundreds of PC's it does take a little longer to sync them all.

Which method do you use to authenticate the clients when they are outside the office? Is there any issues with said method?

You can enable the "FortiClient telemetry connection key" which is effectively a password required to register FC with EMS. What's nice is if you don't have a PW you can add it to a profile, which get's sync'd, then you can enable the global PW and most FC's will carry on working. One issue we do hit is if someone is WFH and the auto upgrade kicks in, FC will be uninstalled which kills the VPN, which means the new installer isn't pushed to the PC. So the user is stuck with no VPN and no FC installed. It may be there's a way around this in EMS but I've not found it yet!

We have a bunch of local security products already and it would take considerable political efforts before we can replace them. Would you consider the client to be heavy if only using it for Web filtering/Sandbox:ing?

From what I've seen FC is very light weight, things have improved a lot as, again on MacOS, we were seeing high CPU but version 6 seems to have largely fixed this.

In summary, EMS is a joy to use but there still remain so frustrating bugs around the auto upgrade feature. On Windows you can force a remote install but this isn't an option on Mac's without a pre-installed FC so when the client disappears manual intervention is required. If you push installers via GPO etc then I'd expect you to really like EMS. I'd certainly use EMS again given how efficient FC is and how affordable it is compared to other products BUT that's only if I was using Fortigate firewalls as there's some nice integration. I typically find FN support very good, but I always dread raising a ticket for EMS/FC as it's a real struggle to find someone on their support team who understands it well.

Hopefully that helps!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded