Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DSL
New Contributor

How to position right Fortigate model for 3000 network users?

How to position right Fortigate model for 3000 network users?

1 Solution
vdralio
Staff
Staff

Hi @DSL ,

 

This is a complex question and depends in many factors (your topology, environment, the scope of the use, etc).

You can check the FortiGate model's datasheet to see the values for each version and decide for yourself.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

https://www.fortinet.com/de/resources/datasheets

 

Another way is you need to contact your Sales Engineer. They can take in your request  Systems Engineer (SE) that covers your territory.
http://www.fortinet.com/aboutus/locations.html

Alternatively, it can be done through Regional Sales Partner Channel
http://www.fortinet.com/partners/reseller_locator/locator.html

 

Also, you can get in touch with our Professional Service Team, they will help you with the whole process.

https://www.fortinet.com/support/support-services/professional-services

 

Best Regards,

Vasil

 

View solution in original post

7 REPLIES 7
vdralio
Staff
Staff

Hi @DSL ,

 

This is a complex question and depends in many factors (your topology, environment, the scope of the use, etc).

You can check the FortiGate model's datasheet to see the values for each version and decide for yourself.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf

https://www.fortinet.com/de/resources/datasheets

 

Another way is you need to contact your Sales Engineer. They can take in your request  Systems Engineer (SE) that covers your territory.
http://www.fortinet.com/aboutus/locations.html

Alternatively, it can be done through Regional Sales Partner Channel
http://www.fortinet.com/partners/reseller_locator/locator.html

 

Also, you can get in touch with our Professional Service Team, they will help you with the whole process.

https://www.fortinet.com/support/support-services/professional-services

 

Best Regards,

Vasil

 

DSL
New Contributor

Thanks for replied. What values should i look under datasheet? Definitely there is no value stated on number of network users. Is there where to calculate Fortigate model corresponding to number of network users?

DSL
New Contributor

flat network. network users not in accessing any internal servers.

Basically setup is as follow: internet - leased line - NGFW - CONTROLLER - AAA - SW - AP. Objective is to provide internet service with secured & control manner.

Cajuntank
Contributor II

What is the speed of your leased line? What services do you plan to have turned on (i.e... IPS, web filtering, VPN (SSL and/or IPSEC), SSL decryption (deep vs certificate inspection), etc...). All of these services take a toll on processing. That along with your required Internet speed will be the major factors in sizing your appliance. 

DSL
New Contributor

leased line speed 1G. web filtering to enable only. Approximately less 10 VPN IT users - IPSEC

Cajuntank
Contributor II

So for example, looking a the 200F (201F to be precise as the "1" denotes it comes with a hard drive for local storage for logs) as the bare minimum. Having so few VPN users pretty much negates that variable as a factor of having any real impact. If you look on the pdf product matrix @vdralio provided, the Threat Protection Throughput is rated at 3Gb. This 3Gb is rated as the appliance offering a mix of IPS, Application Control, Malware protection, web filtering. You will want to implement these (even though you said just web filtering) to get the most out of your appliance. One major performance aspect that the matrix does not cover is the performance/process hit the appliance will take doing Deep Packet Inspection with SSL as opposed to just certificate inspection. Deep Packet Inspection has the firewall decrypt those HTTPS sessions so that it can peer into that traffic (not just at the certificate level) so it can apply any relevant mitigations against (do I need to block it or not). This can wildly affect performance depending on how much gets decrypted, so I usually go off of the rule of 1/3....i.e... if I'm needing 1Gb of throughput and I'm doing deep packet inspection, my appliance better be rated at 3Gb or better. The 401E, 601E, and 601F would be the firewalls I'd gravitate more toward personally as this would give you some room to grow with ever increasing needs for more Internet bandwidth. You are at 1Gb now, but that might change in a year or two; might as well buffer your firewall some to handle that uptick if it happens as well. The reseller can help further narrow the model down between those, but I feel confident it will come between those I mention (with the disclaimer that based on the information you gave, these are generalities and having a sale engineer investigate further with you will give you and them a clearer picture of your needs).

rajamanickam
Contributor

As per my experience, just understand what is your traffic pattern. % of traffic between your LAN to LAN, LAN to DC/Other branches LAN,  LAN to internet traffic. Because you enable security policies accordingly. Based on that take the datasheet number and consider 50% of that value as a best performance number. The value in datasheet is a half duplex value..

Labels
Top Kudoed Authors