Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FredMB
New Contributor

FG-100D for 90 users ?

Hi,

We plan to replace an old Netgear router by a new UTM and our provider made a proposal for a FG-100D. Will this hardware be sufficient regarding the following facts : - We are about 90 users - We use 25 Mbps download (peak at 40Mpbs) and 3 Mbps (upload) on our dedicated symetrical 100Mbps internet line - We mostly consume web apps (Google Apps, ...) - We have 2 VPNS with low traffic (3MBps max) - We plan to use most features of the UTM excepted antispam, in connection with our Active Directory. - There will be 10 FortiAP 221C managed by the FG-100D.

I'm a bit disapointed about the correct sizing because I have different opposing points of view :

On one hand, the official sizing guide indicates it's the correct sizing ((https://competitive.myfor.net.com/product_sizing).

On the other hand, we also have an other proposal for a Sophos SG210 for which an "independant" study saying that SG210 beats Fortinet 100D ((https://www.sophos.com/en...stingreport.pdf?la=en) ) and the official sizing guide indicates it's not a relevant choice for our 90 users (http://www.virtualsecurit...-sizing%20-guide.pdf).

Do you think the 100D will fit our needs for the next years ?

Thank you for our help,

Fred

4 REPLIES 4
Justinb
New Contributor II

40 Mbps is doable by a 100D.  But I'd never recommend it for you.

 

There is no easy answer, because it depends entirely on the browsing habits of your users.

 

You say you are going to use UTM.  All major sites are going to SSL, so you are going to need to implement SSL Deep Inspection to get the most from your UTM.

The most intensive part of the connection to SSL protected sites is the initial setup when the session negotiates the symmetric key that lasts the rest of the session.

 

If your users' browsing habits use a lot of small SSL sessions downloading files (and therefor going through AV), then the 100D isn't going to cut it.

 

40 Mbps is doable by a 100D.  But I'd never recommend it for a client with 90 users.  Because it's good enough for now, but by the end of its life, it is going to be a dog.  You are going to want that full 100Mbps, and probably even to increase it.

 

I'd recommend a 200D

ede_pfau
Esteemed Contributor III

@Justinb: +1!

 

If you look at the data sheets (100D vs. 200D) you will notice that even firewalling throughput on a 100D is rated down from 2.5G for large packets to .2 G for small packets (like HTTPS). This is caused by the lack of a dedicated network processor ASIC (NP) on the 100D.

 

Second difference is the CPU used, an ATOM vs. a Celeron. Session buildup and (some of the) SSL decryption is done via CPU, and here the 100D shows poor figures: "new sessions per second: 22k vs 77k".

And even for UTM, e.g. the AV throughput is x2 higher on the 200D which is 600 Mbps. Deduct a lot from this figure if you plan to use AV, IPS, AppCtrl at the same time.

 

If you can afford it the 200D will suit your current needs today, and may be the better investment over time. Both of which I would disagree on with a 100D.

 

PS as for the comparison to Sophos: from the datasheet, it seems to me it should be compared to a 200D, same CPU, comparable RAM, interfaces etc. Letting it run against a 100D is a bit unfair. Though this is an economical question as well...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
MikePruett
Valued Contributor

definitely go ahead and snag the 200D. It is worth the investment and you won't be kicking yourself in the future.

 

 

Full Disclosure, I have a client running 80-100 users on a 100D. For the most part it handles their load. It hits some high utilization though at peak times. I'm working on convincing them to upgrade the appliance now.

Mike Pruett Fortinet GURU | Fortinet Training Videos
lukral
New Contributor

Hi Fred,

I dealt with the same problem as you last year and was impressed by datasheets of Sophos fws. Fortunatelly I got results from testing SG210 nad SG310 in real environment from friend of mine. The datasheets values were considerably overrated (especially when most of UTM features were enabled). So I decided for FG-100D (200 users), and don't regret until now:-). (It was easiier for me, because I wanted to replace FG-110C). Lubos

 

 

 

Labels
Top Kudoed Authors