wamendoza
New Contributor III

FORTIGATE SIZING

Hi team,

 

I would like your help with the following

I have a company that wants to give a kick to an SSG140, and they ask me for a FortiGate hardware to be able to replace it. I don't see that Fortinet has any sizing tool for these cases, so reviewing the datasheet of this SSG140, it seems that all the 60, 70 and 80 models fit perfectly, but I want your support, I don't want wrong sizing.

 

https://www.juniper.net/documentation/hardware/netscreen-systems/netscreen-systems54/GSG_SSG140.pdf

 

http://www.nha-fl.com/files/SSG140.pdf

2 Solutions
Cajuntank

80F looks to be a very solid fit giving you some room to grow into (SSL inspection throughput shows 715Mbps...so even if all 5 ISPs were delivering you 100Mb and you were utilizing all at the same time, that's only 500Mb max). I would be cognizant that you would need the 81F for local reporting since it will have internal storage, unlike the 80F, which would need an external system for long term storage like FortiAnalyzer.

Again, just confirm on the ability to utilize those "internal" ports for SD-WAN/WAN zone for that branch level hardware.


gfleming

Yes, the 80F works and you can re-purpose the LAN ports as WAN ports, but just be conscious that the total number of usable ports on that box is 10. So you are using half the ports just for WAN connectivity.

Cheers,
Graham

gfleming
Staff

The Fortinet data sheets are very accurate.

Please let us know what your requirements are.

  • how much throughput do you need?
  • what NGFW features do you require?
    • App Ctrl
    • IPS
    • Web Filter
    • Anti Malware
    • SSL Deep Inspection
  • how many users do you have?
  • will you be using IPSec VPN or SSL VPN (either client or site-to-site)?
  • any other features/functionality?
Cheers,
Graham
gfleming

If you are comparing just the specifications for the hardware devices then yes even a FortiGate 60F will work for you. But you have to consider your future needs as well.

 

One thing to note: the 80F has dual PSU if you want that.

 

Also, you will need to order a separate rackmount kit for the 40, 60, 70, 80F firewalls.

Cheers,
Graham
wamendoza
New Contributor III

Hi Graham, how are you

Thanks for your comment

how much throughput do you need?
-They didn't really specify a performance, they focused on just removing Juniper for something more updated... Today they have about 5 internet links of 100 and 50 mbps each


what NGFW features do you require?
-all security features


how many users do you have?
-According to customer information, there are around 200 users


will you be using IPSec VPN or SSL VPN (either client or site-to-site)
-yes, will use vpn ipsec and ssl


any other features/functionality?
-not for the moment

Cajuntank
Contributor II

What is the current and/or expected bandwidth for your Internet? What do you expect to implement in regards to threat protection (AV, Web filter, IPS, File filtering, Deep packet inspection, etc...)?

 

Anything you get, due to the age of your Juniper appliance, will be double if not easily triple the performance on Fortinet's entry level models but everything you do comes at a process cost, so depending on those answers you provide, might change the determination of the model or models to zone in on. So for a simplistic example, if you have a 1Gb shared Internet connection, the 60F would only be able to give you 700Mb of threat protection for example, so probably not the right size appliance...so information like that helps better determine where you might need to focus in on.

wamendoza
New Contributor III

Hi friend

 

Sorry for the late reply

 

What is the current and/or expected bandwidth for your Internet?

A: Today they have 5 links of all 100mbs

 

What do you expect to implement in regards to threat protection (AV, Web filter, IPS, File filtering, Deep packet inspection, etc...)?

 

A: They want to use all the security features that FortiGate offers like av, web filter, ips, app control etc

Cajuntank

"Today they have about 5 internet links of 100 and 50 mbps each"... I guess I am still a little confused then. So just to confirm, you have 5 different ISPs and they are delivering you either 50Mb or 100Mb service each to this 1 firewall? And you have it set where you are load balancing across all 5 different connections? 

 

wamendoza
New Contributor III

Hellooo

 

well, customer told me that he had around 5 ISPs, each internet link was distributed among its providers between 100mb and 50mb of bandwidth, some of these links are a Backup....


 

wamendoza
New Contributor III

well, i don't really have much information on how they currently do load balancing, due to their topology it is possible that they do it within their SSG140, but yes, I can confirm that according to what the client has commented they have 5 ISPs, connected with metroethernet connections

Cajuntank

I'm going to let @gfleming answer this one as with those branch level models, I don't know if the ports defined as WAN ports and Internal ports are just marketing verbiage (i.e. I could use the port for whatever I want even though it says "internal") or truly purposed ports. In the mid-range models like the 100F and above, the verbiage for those ports changes and I know I can use any of those ports for "WAN" purposes, and since you have so many WAN ports and there is also the question of that many ports in a SD-WAN at the branch model I would inquire about, someone more in the product know would need to answer.
