Hi,
I am looking to get me a smaller Fortigate for my Home Office / Lab Environment. I have a rather beefy Internet uplink (400 mbits), very few users, but lot's of sessions. A lot of traffic will be run through IPS, some traffic of users (web browsing) will run through the full UTM feature set, incl. SSL decryption.
I've been looking at the 50E (or 51E with storage) and thought it might be the right choice, but some of the datasheet's numbers worry me. For example, it says it only has 160 mbit of NGFW throughput. What exactly does this mean? Is this for when I specify users and applications rather than IPs and port numbers?
I am also looking at the 92D as an alternative, but it costs much more and the performance numbers are only a little higher for NGFW and IPS, whereas they are dramatically lower in general firewall throughput (still more than I need).
Which of the two is newer? Which one would you recommend? Do you think a 50E will handle 400 mbit Internet with the profile I detailed above? Any other models I should look at (should be desktop model or at least a model that is not loud, e.g. I could live with a 19 inch rack model if the fans are not louder than those in the 92D).
Ideally I am looking for a model that can handle the 400 mbit with every feature (including NGFW).
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Anyone?
Hi Sascha.
Welcome to the forums.
More information is needed on your home office/lab environment, in terms of bandwidth usable. The numbers published in the various data sheets/product matrix give theoretical max values, under certain conditions. If it's just a handful of people or a dozen or so devices using your Internet connection, you may be better off looking at the lower end model (like the 30E) especially if you're planning to play around with it (in a lab environment).
Just curious are you equating 400 mbits as 400 Mbps?
The product Matrix sheet seems to imply NGFW is IPS and Application Control, but see this thread though. (I am suspecting anti-virus inspection should be in there somewhere.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
cryptochrome wrote:Hi,
I am looking to get me a smaller Fortigate for my Home Office / Lab Environment. I have a rather beefy Internet uplink (400 mbits), very few users, but lot's of sessions. A lot of traffic will be run through IPS, some traffic of users (web browsing) will run through the full UTM feature set, incl. SSL decryption.
I've been looking at the 50E (or 51E with storage) and thought it might be the right choice, but some of the datasheet's numbers worry me. For example, it says it only has 160 mbit of NGFW throughput. What exactly does this mean? Is this for when I specify users and applications rather than IPs and port numbers?
I am also looking at the 92D as an alternative, but it costs much more and the performance numbers are only a little higher for NGFW and IPS, whereas they are dramatically lower in general firewall throughput (still more than I need).
Which of the two is newer? Which one would you recommend? Do you think a 50E will handle 400 mbit Internet with the profile I detailed above? Any other models I should look at (should be desktop model or at least a model that is not loud, e.g. I could live with a 19 inch rack model if the fans are not louder than those in the 92D).
Ideally I am looking for a model that can handle the 400 mbit with every feature (including NGFW).
Thanks!
Neither the 50E or 92D are acceptable for a 400Mbps connection. You need a 100D minimum which is 650Mbps with AV on Flow and full NGFW/UTM features.
Fortinet devices need to be rated for the rated maximum speed at the location. I regularly see people that really shouldn't be in IT putting 60D's at locations with 500Mbps pipes not understanding that they are 'severely' limiting the flow.
I feel your pain, with a 650Mbps connection at my home I ended up running Untangle because it's $49 a year, and the 100D is very expensive to renew each year for a home environment.
Thanks guys, both of you. However, now I have two contradicting statements. One saying I should go even smaller (30E), the other saying I should go even higher (the 100D).
Let me give you some more details:
Yes, I meant 400 mbps when I said 400 mbit. This is a cable (DOCSIS) internet link, meaning it has 400 mbit downstream, but only 25 mbit in the upstream. This link is primarily being used by myself in my lab and office. So if I am maxing out the 400 mbit, then it's usually coming from a single machine doing a large download (or torrenting a new Ubuntu release). So it's not like I am maxing it out constantly, the 400 mbit are only peak usage, and there isn't a larger user group behind it that would do all sorts of different stuff at the same time (stressing the firewall with different load sets).
Thanks Dave for pointing me to that other thread about NGFW throughput. As I understand it, it's App Control and AV, whereas IPS still has its own number in the datasheet. That being said, I could live with a box that is slower when scanning for viruses on HTTP/S, but will otherwise deliver the speed as advertised (in the case of the 50 E that would be a massive 2.5 gbit for firewalling and 800 mbit for IPS).
The Fortigate lineup is confusing. There are too many different models, and sometimes models with a higher model number are actually slower than those with a smaller model number (like the 50E having 2.5 gbit and the 92D only 2.0 gbit).
Looking at Untangle now too. Looks very interesting. Never heard of it before, thanks! :)
Much of the confusion of Fortigate models comes from the age of the lineup. C units are older, D are more recent, and E lineup is the very newest. As new units release their throughput tends to increase to meet the demands of ever faster internet connections.
30E is pretty good if you want to penny pinch. The throughout is very good for a lower cost unit. Wholesale they run $450.00 and that's with the 1 year UTM bundle, and the yearly UTM renewal is only about $110.00. (or so) Take a look at that unit as I think it would probably suit you well - and it out performs the 60D by a significant margin in many areas. But really - the 100D is where you need to be.
Untangle has the benefit of operating at the speed of your NIC's. So if you have 1Gb NICS then that's the speed of the UTM. Which is why I run Untangle at my home - that and it's $49 a year for the full UTM bundle and you can run it on any $99 refurbished PC you find laying around.
Wait... 50MB/s = 400 mbit (or mbps). With that same bandwidth figure you recommended the 100D earlier and now you are going down to the 30E? I am getting more confused here, sorry :)
The 30E is specified with only 150 mbps NGFW. Why would you recommend this much slower unit over the 50E or even the 100D now?
Money is not the issue, really. I could buy the 92D if it would make sense.
My recommendation for the 100D stands. You have a fast connection, you need a 100D.
I only said the 30E because you seemed like you wanted to go on the cheap and weren't worried about throttling your connection a bit on scans/appcontrol. For your connection only the 100D is going to provide a wide open throughput all of the time.
Personally, I wouldn't put too much in theoretical numbers published in the data sheets if they may not apply to your own (or household) unique traffic/bandwidth usage. Thing to keep in mind here is the various app control/AV/IPS signatures on the Fortigate is "countless", and includes things like checking for various server/client/app exploits. You really don't want your Fortigate spending time checking for Linux/ios exploits/viruses in a purely Windows environment. If you craft your firewall policies (NGFW/IPS/UTM signatures) accordingly, you may be able to get away with using a smaller model. But yes, applying full NGFW/UTM features to all traffic on your network will require a more powerful fgt.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave Hall wrote:Personally, I wouldn't put too much in theoretical numbers published in the data sheets if they may not apply to your own (or household) unique traffic/bandwidth usage. Thing to keep in mind here is the various app control/AV/IPS signatures on the Fortigate is "countless", and includes things like checking for various server/client/app exploits. You really don't want your Fortigate spending time checking for Linux/ios exploits/viruses in a purely Windows environment. If you craft your firewall policies (NGFW/IPS/UTM signatures) accordingly, you may be able to get away with using a smaller model. But yes, applying full NGFW/UTM features to all traffic on your network will require a more powerful fgt.
Given the blended threat surface these days, even in homes - you had better put the full NGFW on. For example many home devices including DVR's count as Linux and sometimes iOS or MACOS. I've seen embedded windows in some home devices. Now that Windows 10 will be including BASH, you'd best have Linux protection in place.
IoT smart devices, dvr's, TV's, home appliances, computers, tablets, phones, notebooks, smart-home gear, furnaces, alarm systems - it's virtually impossible to avoid a blended threat surface. We only sell Fortigate's (Gold Reseller) with the assumption we will turn everything on, including CLI of grayware, heuristics, extended IPS, extreme AV database. The threat risk is just too high to risk not these days.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.