When you look at a Fortigate (FG), you can configure it were all ports are governed as a single switch by the firewall rules, or where each port is a unique interface with full L3 capabilities (recommended and gives you way more flexibility). 

 

So for a DMZ, you only need one firewall.  Port1 is WAN (you can have multiple for WAN link load balancing), Port2 is LAN, Port3 is DMZ, etc, and you can assign specific flow rules and filtering for each.  For instance if rule Port2 to Port1 is for your internal DHCP clients, you can enable Web/App/and Client OS IDS/IPS filtering (something suitable for Mac/Windows clients) and it is NAT'd of course.  You then create another rule for Port3 to Port1 and Port1 to Port3 for a webserver that you want to be isolated in a DMZ.  That way if it is compromised, the attacker cannot probe the machines connected on Port2 unless you have rules setup allowing such traffic (Port3 to Port2) or course.  On those ports you create IDS/IPS rules suitable for Apache or IIS.  The FG is very flexible this way. 

 

You can buy two of the same model, put a layer 2 dumb switch in front of them, link them directly for high availability (HA), and use the switch to tie the ISP incoming connection to the WAN ports on each FG.  When in HA mode, you have a single management IP that you use to manage the pair.  I tend not to do this.  I buy two.  One for production and the other for testing POC.  Makes upgrades much easier and less stressful. 

 

I've used Fortigates for 11 years and have never had one fail (I've also never had a Crypto variant or any virus for that matter make it to my LAN, lots of drive by download attempts, but the FG always blocks the payload sparing me the infection).  Started with the 60 series and we now use the 500D.  If you are in a "downtime is not an option" industry, that may not be a choice you can make, although in that case I would suggest you buy two firewalls for HA and one VM license so you can test firmware updates via the VM.

 

A word about firmware.  Be on the conservative side when it comes to updating.  FG has a very nice section in the new 5.4 FortiOS guide (P.613) regarding best practices.  More people need to read and understand this.

 

http://docs.fortinet.com/d/fortigate-fortios-handbook-the-complete-guide-to-fortios-beta

 

The ONLY bad thing about Fortinet IMHO is that in the past they have tended to release firmware at times that is not as stable or well tested as it should be.  That is NOT to say these are not stable devices (my current one has been up for 175 days), but make sure you wait at least 30 days after a new release and monitor these forums for the people who do blind upgrades and then wonder why they are having problems so you can learn from their experiences.  I'm currently testing the 5.4 release which is a major release for them.  So far so good (much better than the past), but I have yet to put it under load.  Some here indicate issues with it in specific cases.

 

Based on reading these forums, it seems folks with the lower end units tend to have more issues, but that is just a gut based analysis.  Know why you need to upgrade, know the bugs that exist, ALWAYS reboot first and backup your current config (keeping a local copy of your current firmware on hand should you need to downgrade and restore your backup config), and you will have a much easier time with them.

 

I agree with @ede_phau, FortiAnalyzer (FAZ) is your best bet unless you have very specific high detail needs, and buy a VM not the dedicated model.  The VM is much faster if you can put it on a SAN or dedicated server with enough IOPs.  The latest version 5.4 is very good and makes it easy to search for traffic.  It also generates very nice daily reports that you can use for auditing/compliance.  The FG also allows you to dedicate a port as a one arm sniffer to capture PCAP files (if you want to dig deeper using Wireshark) and you can also output syslog to a SEIM such as Splunk if you have it.  We use a FAZ VM64 but we also have Dell SecureWorks monitoring our FG via Syslog output to their Counter Threat Appliance.  Very happy with this setup. (See attached JPG).

 

VPN should not be an issue.  Test both.  IPsec is about 4x faster than SSL VPN.  Fortinet allows Windows and MacOS clients to connect (also Android and iOS) and as mentioned they offer the FortiClient (FC), which can install only VPN components or act as your endpoint Antivirus also.  You can download and mess with it for free here:

 

http://www.fortinet.com/resource_center/product_downloads.html

 

The current 5.4 release is new and there have been some issues (BSODs) for some folks.  Most recent version is supposed to resolve.  There is an ongoing DNS/Kernel Panic issue with FC on Mac OSX 10.11.X.  I'm running FortiClient 5.2.5 on MacOSX 10.11.3 and my only issue is I cannot resolve hostnames without FDQN because the silly client doesn't give you the option to enter search domains like the native L2TP and IPsec MacOS clients do.

 

Like all technology there will be minor frustrations, but overall compared to Cisco or PA, you cannot beat their price and performance.  To get an idea for pricing, you can check out http://www.avfirewalls.com/.

 

I really like the 500D.  It is a solid firewall.  We are supporting 175 people on it with a 100Mbps connection, we just got a 1Gbps connection.  Doing some tests with Google Fiber speedtest I was able to get 850Mbps avg throughput with all filters enabled so pretty happy about that.

First of all, I'm thankful to you, Ede and Seadave, for the prompt and thorough answers. That's the kind of support I hoped to receive from this forum. took some time to study your answers and thinking about the project, I'll try to reply in order to Ede and Seadave advices. Reply to Ede: 1. Budget and security Budget should not be a problem (hopefully), I just jave to justify design with common sense explanations and if there will be advantage by buying some more devices I'll be able to do that. Level of security should be adequate, not paranoid. With "adequate" I mean around 80%, with "paranoid" I mean around 95%. Oviously 100% does not exist. This could be reasonable because in our small company there are few factotum people with many IT tasks and within this small group an even smaller group has network security and administration tasks. If the network design is too much complicated to handle for few people, there will be what I call the "open-hole-mindset", in order to make things work ASAP you open holes in firewall or security to stop the workers complaints. I want to avoid this will all my heart so I will try to simplify things for IT people as much as I can. 2. Inline firewall Bearing point 1 in mind, I think I will accept your advice of using only the FGT UTM (in HA) and not two inline firewall, as I think this will not raise the overall security but instead will lower manageability. 3. Network recorder I could use also FAZ, since it will be integrated with FGT and provide the logging funcionality. I should investigate more if we require to log ALL the metadata traffic (for example with nBox recorder product) or should be enough to log triggered IPS events like FAZ does. 4. App proxy Thank you for spotting me Fortiweb, I took note of that. 5. VPN VPN feature as you explained should be OK. 6. Switches As you explained, I think we'll use switches we are proficient with. 7. Models I think I will need 1Gbps AV so I should look into a mid-range FGT model. Reply to Seadave: 1. DMZ & firewall thank you for the DMZ flow rule example, it was very clearly explained. From your reply I understood that you wouldn't use two inline firewalls, am I right? A question about FGT equipment in FA, if it is managed as a single IP do I need to buy double update licenses or one is enough for both equipments? 2. Firmware I'll follow your advice on waiting before installing firmware and I will explore the possibility of buying a test equipment as you do. 3. FAZ VM I'll study that option. Thank you for the advice. 4. Models I'll investigate which mid-range models better suit our needs. Thank you for sharing your experience. This should be the new block according to Ede and seadave advices: Internal LANs ---> Core Switch ---> 2 UTM FGT in HA managed as single IP and DMZ connected ---> FAZ connected to FGT ---> Switch ---> Router ---> internet Thanks again for your support, please let me know your further thoughts as I appreciate them a lot.

Good. The FAZ (or any other logging device) usually is connected to the LAN somewhere, or via a management VLAN, but not to the DMZ.

 

For 1+ Gbps AV you should be good with a 300D or higher. 400D and 500D only differ in having 0 or 1 internal SSD. Internal storage wouldn't be important if you will be logging to an external device anyway. For selection, see the current FTNT Product Matrix doc at http://www.fortinet.com/sites/default/files/productdatasheets/Fortinet_Product_Matrix.pdf .

 

Unfortunately, for a cluster of 2 you will need 2 full licences, FortiCare plus some UTM / FortiGuard subscription. In old times, Fortinet offered the second licence for 50% but would not discount the hardware. Today, if you buy the hardware, get the bundle (hw plus subscriptions for a couple of years) and negotiate with your FTNT partner. Subscription renewals cannot be much less than listprice.

Just out of curiosity, as I'm going through the same - what did you implement?