Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
irfanink
New Contributor

How to Suggest Fortigate to customer

I would like to ask how we suggest a Fortigate to a customer. For example, we have 500 users, so how will we check which device is best and what throughput will be better for it?

1 Solution
Iescudero
Contributor II

Hi There!

 

The answer is a little bit tricky, because a single user could generate a lot of sessions and another just a few.

Another case would be if you have a service exposed to the internet, like a website, so you want to use an IPS, or on the other hand you just use the Fortigate like a router to the Internet. That's why the answer depends on several things, not just the number of users.

In my experience with around 500 users I got this status:

CPU states: 77% user 42% system 0% nice 51% idle
CPU0 states: 77% user 42% system 0% nice 51% idle
Memory states: 54% used
Average network usage: 40936 kbps in 1 minute, 44003 kbps in 10 minutes, 37604 kbps in 30 minutes
Average sessions: 28504 sessions in 1 minute, 29806 sessions in 10 minutes, 29434 sessions in 30 minutes
Average session setup rate: 192 sessions per second in last 1 minute, 186 sessions per second in last 10 minutes, 183 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 104 days, 13 hours, 4 minutes

This is from two Fortigate 110C in a HA configuration with IPS, Antivirus, Web Filter, Application Control and a lot of IPSec VPNs, and FortiOS 5.2.10.

The cluster sometimes does not respond very quickly, or the CPU has spikes to 100%, so taking this as an example I am short of resources, but I think a 200 would probably fit for me.

 

The list below just reflects my opinion:

 

500-1000 users = Fortigate 300D

250-500 users = Fortigate 200E

100-250 users = Fortigate 100E

Around 100 users = Fortigate 90E

50-100 users = Fortigate 60E

1-50 Users = Fortigate 50E/Fortigate 30E

 

In my opinion, a Fortigate 200E would be great for 500 users and a few features enabled on it.

 

Hope it helps!


7 REPLIES 7
MikePruett

How fast is the internet connection?

 

Are you breaking your network up into several subnets?

Do those subnets talk with one another?

Do you want UTM functionality on the traffic traversing said subnets?

Mike Pruett Fortinet GURU | Fortinet Training Videos
loic
New Contributor III

https://competitive.myfortinet.com/product_sizing

It's an old tool but gives you an idea of which parameters are important.

Loïc
emnoc
Esteemed Contributor III

That sizing tool is useless imho, and same for the sizing app

 

http://socpuppet.blogspot.com/2015/05/the-fortigate-sizing-app.html

 

 

These are great for a general guess, but "the number of users" is NOT a factor in a Fortigate sizing set. I ran an org on a pair of 2x 200B for over 5 years with no problems. They had way over end-points and had a lot of internal items such as

 

steelhead

web/ftp-proxy

no vpn-ipsec

no ssl-vpn

no ips

etc....

 

 

So it really depends on what you are GOING TO DO!

 

ideals;

 

Do you need IPS

Do you ever plan on explicit Proxy

Do you do or need SSL inspection

Do you run any SLB VIP

Do you need ssl-vpn

Do you need logging ( on disk )

Do you plan on using a FAZ in the near future

etc......

 

 

All of those are more important imho. A firewall, FGT or not, is not like a shoe-size selection where you measure a foot and pick a pair of shoes by the size of the foot. I like to look at it as what you're going to do (dance, job, for a job interview, climbing, walking, if walking on what, etc.)

 

;)

 

Ken

PCNSE 

NSE 

StrongSwan  

NotMine
Contributor II

Selecting a model can be a little tricky. I would suggest reaching out to your local Fortinet or Fortinet Partner representative, they will be able to help you. Just keep in mind that they will not take any chances and will propose a model that will work 200% without creating a bottleneck, so it might be considered to be an overkill for some users.

NSE 7

All opinions/statements written here are my own.

James_G
Contributor III

If you need a quick budget, then work on the worst possible scenario. Take the sum of the bandwidth you want to inspect, i.e. 40 down 10 up is 50, then triple it because we like future proofing. So we have a value of 150mbs we want to size; look at the Fortigate product matrix for the 'threat protection throughput' that assumes everything turned on, and find the product that matches. So in summary a 40mbs FTTC would probably best fit a 100E, a 100mbs leased line then a 200E, etc. If you need to scan East-West traffic in the LAN, then the sizing gets a lot more complicated. Just my 2c.
ChrisRX
New Contributor

Budget is a huge topic to debate when selecting the right firewall. What's the end goal for this network? Also, if this company is growing then I highly recommend you take this into account. I currently have two 600C Fortigates for a company with about 230 employees, and about triple that in devices. They're set up in Active-Active for HA. Now, as I'm sure you're aware, as you move up in each Fortigate model, the more expensive they become; however, the more features you will get, with the main advantage of obtaining some crazy throughput. In my opinion, after working with Fortigates for over 6 years now, I would consider what security features you will need first, then build from there.

 

As a side note, I've run a 200 user office off two 100D firewalls without complaints. However, it was only servicing Internet with web filtering at first. I then downgraded an older Layer 3 HP switch to Layer 2 access, and had the 100D route. Made a huge difference in performance, believe it or not. The ASIC chips in the Fortigates really do a nice job with offloading now; at first there were some weird anomalies, but those bugs were squashed with firmware updates. We saw better throughput to our CoLo to end user without the units exhausting their resource limits. And all with the added benefits of Application, Device, and User discovery to make managing Policies, Users, and Device Groups much simpler.

 

Things I would consider before purchasing.

 

  • SSLVPN for remote users?
  • IPSec tunneling for remote sites?
  • Web Filtering for all users, then applying strict policies for some and not for others?
  • Will you need Active Directory integration?
  • Do you need dedicated DMZ ports for on-site web servers?
  • Web and Internet only, or will Layer 3 Advanced Routing be enabled?
  • FortiMail or other SMTP services?
  • Anti-Virus and IDS\IPS system requirements?
  • Fiber (SFP+) or copper ports, or will you need a mix of the two?
  • WiFi integration? If you go with FortiWiFi, being able to control all your APs from a single point is really nice. Plus, after working with Meraki APs, I'm finding that Fortinet's APs are much easier to manage and deploy.

Hope this helps! Best of luck with whichever device you decide on. Not everyone is a fan of Fortigates, but I am. Once you learn them, it's hard to use other products. Not to mention Fortinet's huge push into their Collective Security Fabric with the more recent firmware updates. I'm personally just about ready to update to 5.6.

-ChrisRX
