
wjens
New Contributor

Replacing 200B active/passive HA cluster

Hi,

I don't know if this is appropriate for this forum, but I need advice on how to spec out a replacement for our 200B active/passive HA cluster. I tried FortiGate support and they pushed me to sales or a reseller, but so far my reseller pushed me back to the product matrix. I was hoping that since I've been running my 200Bs for years that someone would be able to review the stats and let me know what made the most sense for a replacement (200D, 100D, 91E).

I'm considering lower end models because I suspect we overbought when getting the 200Bs.

What stats should I review in my 200Bs and how can I use that to pick a new model?

# get sys perf stat
CPU states: 1% user 5% system 0% nice 94% idle
CPU0 states: 1% user 5% system 0% nice 94% idle
Memory states: 33% used
Average network usage: 10425 kbps in 1 minute, 18602 kbps in 10 minutes, 17156 kbps in 30 minutes
Average sessions: 2470 sessions in 1 minute, 2532 sessions in 10 minutes, 2645 sessions in 30 minutes
Average session setup rate: 14 sessions per second in last 1 minute, 15 sessions per second in last 10 minutes, 17 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 445 days, 15 hours, 57 minutes

3 REPLIES
RickSell
New Contributor

Hi William,

- How much traffic are you pushing through the firewall at peak times?

- How many sessions are running through it?

- How many users are behind it?

- Which services is it running?

 

/Rickard Sellstedt

NSE8 

wjens
New Contributor

MRTG shows 20 Mbps peaks during the day. Some nights offsite backup copies can push that between 60-70 Mbps.

I don't think sessions go over 3000.

There aren't really any users behind it - just our SaaS application and a small email server. It does DMZ/Trust firewall between web server and SQL.

It has most features enabled but there are only policies for Intrusion Protection and Vulnerability Scan. It supports a single site-to-site IPSec VPN and a handful of dialup SSL VPNs (used for admin and development). It also runs HA active/passive.

We do not use AV, Web Filter, Email Filter, Data Leak Prevention or Client Reputation security profiles. 

 

William

DrWolfgangBeneicke1

hi,

heck, even a 60E will do for your environment. And that's not the worst choice. It does even IPS in wirespeed for a GbE line. Your old 200B had 2 drawbacks:

- only 1 GB RAM (thus limiting UTM scanning perf. and features)

- the newer FortiOS versions (v5.4, v5.6) are not supported.

The 60E has 2 GB RAM, a fast CPU-on-chip (SoC3) and convincing performance figures throughout.

Things to consider:

- overprovisioning is not a bad idea. It prolongs the life of your investment and will make your FGT a lot more reliable in comparison to a model 'on the edge'.

- you will have to make the jump to v5.4.4 immediately - there is no v5.2 or v5.0 image for the E series. Then again, v5.4.4 is stable and a real breeze. You'll like it.

- vulnerability scan is discontinued in these FOS versions

- the 60E has 10x GbE ports, a bit less than the 200B; but, only 4 ports on the 200B were accelerated, on the 60E all are.

- do not consider the 50E or 90E - these are CPU based and considerably slower.

- AFAIK there's no 60E model with an internal SSD but that doesn't matter much; log into memory for which you can allocate 2 MB or so and that will give you many days of logging. If you need more, get a FortiAnalyzer (VM).

HTH,

   Ede (forum: ede_pfau)
