Created on 01-19-2016 02:10 AM
I asked this question by submitting a web form on your Web page a couple of weeks ago - and also mailing email@example.com last week, but I got no acknowledgement or response. I posted this on the Fortinet Developer Network yesterday, and was directed here by James Cabe and Kenneth Ish.
Basically, my question is this: When are you going to bring out an SFP-equipped version of the FortiGate 70D/90D, that processes traffic at 3.5Gb/sec, like the copper versions you already have? Currently, to consider deploying 70D/90D equipment at FTTH-equipped premises (which is fast growing to be the norm here in Switzerland and many other European countries), one has to consider installing two boxes (three if redundant WAN fiber connections are required) – one FortiGate, and one media converter. Not only does this add expense and complexity, it’s also yet another piece of equipment to keep track of – and diagnose (out of band, to boot), in the event of problems. Or, one has to buy a rackable FortiGate that's completely inappropriate for the entry level or branch office.
Currently the closest piece of equipment you sell that meets the requirements for a fast, simple way to connect a small business or branch office to an FTTH line is your FortiGate Rugged 60D, and that isn’t even available with a supported mains power supply! It also comes with reduced performance - only 1.5Gbps, instead of the 3.5Gbps that the 70D and 90D are capable of. In addition, the customer has to hack their own DIY PSU together, unless they happen to be a -48v shop already. For most FTTH customers, this won’t be the case – and none of your mainstream entry-level FortiGate 60s, 70s or 90s support SFP WAN links, so hacking a FortiGate Rugged 60D is the best option available, and only then if the reduced performance isn't a deal-breaker. This isn’t a great way to encourage adoption.
There is a whole market you’re missing out on, because of your refusal to support SFP on mainstream entry-level equipment. If I could make a suggestion, it would be this: Produce a version of your FortiGate and FortiWifi 90D with 12 LAN copper ports, 2 DMZ copper ports and shared (2 RJ45 and 2 SFP) WAN ports - and equip it with a full-speed (5.3Mpps / 3.5Gbps throughput) SOC2 chipset, like the mainstream 70D and 90D. Bundle an AC adapter - and keep the design fanless. With just this one product, you will open up a completely new market segment that is ripe for the taking: The deployment of a comprehensive routing, firewall and security appliance for businesses operating on fiber-equipped premises, that does everything in just one little box. The SFP slots should also support bi-directional SFP modules (i.e. 1310nm TX / 1550nm RX and 1550nm TX / 1310nm RX), because many ISPs - including us, by the way - now deploy gigabit fiber internet using one bi-directional single-mode strand, rather than two uni-directional strands - as was commonplace in the past.
James Cabe also stated that the E series (which presumably includes the 60, 70 and 90 models: James did not confirm this) was rolling out, but I did not see any evidence on Google or Fortinet's own product pages about the existence of a FortiGate or FortiWifi 60E, 70E or 90E. Presumably, these products would be based on a new platform (FortiASIC-SoC3?), but I haven't seen any evidence of this in the wild, either.
Created on 01-20-2016 08:12 AM
Hello Oliver -
We definitely appreciate the product feedback, and it has been communicated to Product Management. Your best bet is to work with your local sales and SE team for any specific future needs, but I can say that your general suggestion of low-end SFP-capable devices has been received.
If interested, maybe you'd be open to answer a few things that might help us:
Hope this helps!
Thanks for your reply. Yes, I believe that if you put an SFP-capable device on the market several years ago (I'm guessing 4+), you missed the market. This article should give you a good idea of what is happening here in Switzerland. Across Europe, the story is similar, with around 30.2 million FTTH subscribers, according to this article (which is now almost a year old.) 2014 alone saw a 60% growth in FTTH technology here in Europe, and I personally have a symmetric Gigabit internet connection in my home - something that simply wasn't possible in my area until about 9 months ago.
The obvious upshot of widespread Gigabit availability is that it makes high-speed firewalls like yours far more relevant to the SOHO market than they used to be. You are choosing to exclude yourself from this market by not supporting SFP, which is the prime means of connectivity to FTTH in most modern homes and small offices. Most modems over here have a fiber lead going straight to them - copper is only used in legacy installations, or in the fast-shrinking areas where FTTH is not yet available.
SFP is, frankly, not expensive to build into a device: If Ubiquiti Networks can build SFP and non-SFP versions of their EdgeRouter X for less than $25 difference between the models, when the total unit comes to less than $135 cost, I think that arguing about the expense of a couple of $25 SFP ports in a $750+ firewall is somewhat trivial. After all, the cheapest FortiGate Rugged 60D I could find here in Switzerland was from Boll, and that costs nearly $1895. Please do not tell me that SFP ports are what make it so expensive. :)
What I meant by "bundle an AC adapter" is a reference to your FortiGate Rugged 60D - the only reasonably-performing low-end firewall you sell with SFP ports - which does not come with an AC adapter. Nor does Fortinet offer one: It is strictly up to the customer to hire an electrician to connect it up to a -48v supply, or hack their own power supply together (in the event that they aren't a -48v shop). In other words, a PSU on the FortiGate Rugged 60D is strictly a "do it yourself" project.
Fanless is extremely important for the SOHO market: Use a big heatsink, or excessive ventilation (as with the Rugged 60D). Die shrinks and technology improvements should also be doing the work of increasing performance. You have been working on the SoC3 chipset (quad-core ARM Cortex A9 architecture) for quite some time, if this May 2014 job advert (or this LinkedIn profile) are to be believed. Where is it? The SoC2 came out nearly 40 months ago, and it's more than overdue for replacement.
With regard to mass management requirements, especially with regard to ISPs, I would consider offering a secure means of ISP control over managed devices: Either a mini-smartcard / SIM or SD / mini-SD card capable of holding ISP-generated certificates (either tunneled over SSH, or SSL over TLS). Whatever you choose, it should be easy for an ISP to simply include media in the box with the device, without having to power on the device and upload the certificate (that rules out internal storage!) Such end-user devices should be manageable via a specialised FortiManager device (using the existing JSON API, for example), so that things like firmware updates and configuration changes can be made to many devices at once. Special attention to detail will need to be paid to security, because by definition, the management will be done by the ISP via the WAN port. If you like, I can set up a meeting to discuss concrete requirements in more detail.
As for SFPs, the TP-LINK TL-SM321B (specification here) and Lightwin LSFP-WDM-LA20-UNI (also TX:1310, RX:1550) modules are fairly popular here in Europe. The TP-LINK is recommended by many ISPs and has up to a 10km range, while the Lightwin module is one I personally own and use - it is a little more expensive than the TP-LINK, but it has a 20km range. Both SFP modules transmit at 1310nm and receive at 1550nm, with a single strand of fiber. If you want to be sure of mainstream support in as many FTTH sites as possible, you should support both of these modules.
Created on 01-20-2016 12:06 PM
I would advise you to talk to the local SE for escalation and cite the $$$ your team reckons to bring in with the specific design. If it's viable, our PM team will act accordingly.