Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marouaa
New Contributor

How to choose the Fortigate Model that fit your needs:

Hello all,

I'm working with Fortigate solution for a time. I do network and security configurations. But now, i need to have some informations and skills on how to estimate the Fortigate model that fit client's needs.

 

Usually, clients express their needs by giving me the number of user on the company and functionnalities to be activated on the security device (the UTM).

 

Should i look to the number of concurrent sessions? the firewall throughput ? or the NGFW throuput ?

How to calculate the needed throughput in order to be compared to the Fortigate throughput given in the datasheet ?

 

I have a little old file that i found in the net giving a matrix and depending on number of users ranges and the activated features it gives the estimated fortigate model to be used. But, it is an old one with old models. 

 

Thank you for helping me by giving some ideas!

4 REPLIES 4
gbagita
New Contributor

Hi,

you're true. You should consider all the functionalities and parameters you've mentioned :) At first, you need to know what is the awaiting of the end customer, how his environment is designed, what services he is he running, what are the growth expectations for the next period. There are a lot of differences when between the SMB and a large enterprise customer. Fortinet has some recommendation which type of device to use for which type of customer, but it is just a beginning. Here you can find a product comparison tool https://www.fortinet.com/products/product-compare?cat=ngfw, and here is a documentation for the whole range of Fortinet products https://docs.fortinet.com. You can find there also a most actual documents .

Marouaa

Hello,

 

Thank you for your response . i will take a look on links you mentioned. and i will wait for other ideas or recommandations from other participants here in this forum 

 

Marouaa

lobstercreed

You definitely want to completely ignore the firewall throughput number.  I would always use the Threat Protection (enterprise mix) number to size throughput.  It's pretty close to worst case scenario with all the knobs turned on.  You may also want to consider the SSL Inspection throughput as it is usually an even lower number and if you think you might want to use it (recommended where possible), you need to consider that as well.

 

There are other things to take into account like number of users, but I'm not an expert in that area.  Mostly I would recommend discussing details with your local Fortinet SE (sales engineer) while keeping in mind that his job is to sell.  Usually the engineers are pretty good about giving low-bulls*** answers though.

aagrafi

First, forget about the number of users in your network. There can be networks of 10 users that may need more throughput than networks with 100 users. Also, considering number of sessions, sessions/sec and such metrics are pointless, as nobody can estimate such things in advance.

 

What I'm suggesting is the following:

1. Define your needs first, in terms of what security features and profiles you must deploy in your network and where.

2. Define your data flows per traffic direction: north-south & east-west

3. Define your throughput needs per traffic direction (that's the most difficult)

4. Define other needs, like IPsec/SSL needs, VDOMs, access points, fortiswitches, etc.

5. Define your future needs.

 

In the north-south direction, the actual barrier is usually your Internet speed. This is normally much lower than the threat protection throughput of your firewall. The east-south direction is more difficult to estimate in advance - it depends also in the nature of your network. DCs have normally huge east-west traffic needs.

 

After you have done all this housekeeping, try to estimate your aggregate worst case throughput needs, which is the threat protection throughput, having in mind that the performance numbers provided by Fortinet are referring to non-encrypted needs, while the majority of the traffic nowadays is encrypted. Therefore, the figure that would be closer to the aggregate throughput needs should be SSL inspection throughput. Finally, allow a minimum tolerance of +50% in that figure and you are done.

Labels
Top Kudoed Authors