Which Devices to use for my small service provider company
Hi, I am brand new here and I'm looking to replace my aging Cisco devices with Fortinet devices. I looked around for the correct forum but I am unsure where I should post my questions and begin a discussion.
I have no (as in Zero) experience in Fortinet products, but I like what I've read and seen while doing some investigation.
I have a whole slew of questions about what to pick for the endpoints in the datacenter and for the client. We're very small and have only a few clients.
What is the right forum for posting a thread to discuss my needs and get suggestions? I don't mind doing this via PM type messages if that's the correct method but I don't even know where to start. I don't know what tags to put on this either.
I am currently looking through the marketing materials, but my experience says those things don't provide the detailed answers I need to evaluate which devices to pick.
You're not totally off here, so this forum is as well suited as any. There are always experienced users out here willing to voice their opinions, and they will find this thread.
Choosing the "right" equipment totally hinges on what is "right" for your business and your customers' needs. So maybe you could line out your "must-haves" and "nice-to-haves" a bit.
Some of my personal views on this:
Fortigates in principle are very performant, or rather, the price/performance ratio is excellent.
FortiOS is flexible enough to fit in into nearly all networks/tasks I've encountered with my customers.
GUI and CLI config is quite easy to learn, and once you've got it going on one FGT you can manage all models.
Hardware is (more or less) the only choice you've got to think about hard; it's not features, nor licensing.
Redundant setup is so easy that there's nearly no excuse not to employ a cluster - failure of a single FGT will almost always cost more in damages than a second FGT.
Managing and provisioning many (20+) FGTs via the separate FortiManager is, eh, a weak chapter in the FTNT empire.
Whereas the central logging&reporting instance (FortiAnalyzer) is a must nowadays; preferably as a VM.
Speaking of VMs, all of the non-FGT appliances make sense as virtual devices; the FGT does not, except for being employed within VM itself (on the hypervisor, or between VM servers). That's because the performance comes from the hardware acceleration via Security Processors (SP, better knows as NP plus CP).
The environment around the FGT UTM is really good, called FortiGuard. Services (botnet blacklists, application signatures, webfilter categories) and subscriptions (AV, IPS, WF) are researched and delivered by FTNT itself and are effective.
Running FGTs without any contract doesn't make much sense OTOH, so calculate investment plus opex.
Depending on the development of your business, the hardware can last for 5-8 years, or become obsolete in 2. But in this case you would have earned the resources to buy higher up gear.
And lastly, support is quite good (support on the forums is 99% user self-help best effort, not like the paid support from FTNT). FortiOS releases are not always stable and thus production-ready, to my demise. You usually have 2 or 3 main releases (with patches) available to choose from. More new features, more risk of hitting bugs.
I apologize for this post becoming a bit longer than I expected. Bottom line (for me): having worked with some other vendors, I'm glad to have taken up Fortinet more than 15 years ago.
Thank you ede for responding and my apologies for taking so long to reply back. I don't mind the length at all. As can be seen, I'm looking for help in two areas. I need device selection assistance and I'll probably need some configuration assistance once I get the devices.
I thank your for the detail of your response. Similarly, I'll put a lot of detail in my post and ask everyone for suggestions, ideas, and general discussion. I'm hoping the length of this post doesn't put to many folks off but I'm trying to answer the questions of what we need. I'll try to organize the post in sections.
Fair warning, this is a long post. Even if you only have a part answer/suggestion to anything below, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
I understand that some feel a reseller is the way to go but my experience is that a reseller usually just wants to push the hardware and be done with it. I have found that I have better luck selecting the reseller if I have a good idea up front of what the device can do. Of course, I'm open to suggestions of good resellers to consider (PMs are fine) and even persons willing to provide assistance on a paid basis (again PMs are fine) but it's important to me to understand what I can and can't do with the hardware. After all, I have to support it.
Who we are/What we do:
I am the owner of a very small business providing remote desktop services for small companies so they don't have to maintain any hardware or software. They simply subscribe to a desktop and I pretty much take care of the rest.
We use VPN tunnels between the customer's locations. The Cisco 2901 at the datacenter end is sufficient for the VPNs and does the NATs well, but it lacks many things that I'd like to have. Particularly, it's currently a single point of failure that I want to address as part of the replacement. I'd like to have two devices, either of which can provide connectivity should the other fail. I already have cross-connected switches inside of that, but I need a good firewall device that can be set up to utilize the datacenter's redundant connection capability ("HSRP/VRRP") and which does the VPN and NATs that we need.
For the customers' end, we utilize Ciscso ASA 5505 devices. These are mostly adequate but need to be refreshed as well. They also have a few limitations from the customer simplicity point of view. Frankly their DNS and DHCP functionality stinks. But the do handle the VPN and the NATs really well.
I understand from above that there are two basic areas. Basic device capabilities and capabilities augmented by subscriptions. I am open to the subscription model as threats evolve and to counter them I'll need the continual updates provided by subscription. Which subscriptions are suggested? I don't believe I'm ready for "Enterprise" level stuff, but I do need good threat protection. One of the areas that concerns me is VoIP. Because the phone system is in-house, we have a lot of ports opened to that device. Because the smart phone app that works with the in-house phone system reaches in from the outside, I can't restrict the incoming source address because the smartphones might be anywhere.
I need to be able to direct one Static IP to the phone system device. The NAT functionality needs to not mess up the VoiP traffic. From the Cisco ASA, I have to turn off the Inspect for the SIP traffic. I need equivalent functionality in the replacement devices.
I need to be able to gather data and information from the devices to see how they are performing. Preferably in the form of graphs. I'm not a Network Engineer by trade but I can do the 80% stuff without issue. What I don't have is time to do the intensive dig-in. I need the devices (or a package that works with the devices) to provide data on what's happening and what has happened. Both from a utilization viewpoint and from a diagnostics viewpoint. And, since I'm looking for UTM/NGFW type devices, I'd like to see good reporting on the threats encountered and what was done. I think I saw FortiAnalyser in the above response
OK, that's the basic features. On to selection:
Device Selection; Datacenter: Each customer has one VPN tunnel per office. Since we're small, that's currently about 15 but I'd like to be able to support about 100. The VPNs tend to be low traffic as they really only carry the print and scan traffic from the customer. The majority of the traffic comes from connections to specific ports reserved for each customer which are then "Routed" to the customers' server. This implies that the replacement device is capable of both the firewall aspect and a routing aspect along with the requisite NAT (P-Nat for CISCO). This device needs to have intrusion protection and the UTM/NGFW features that help protect the customer. I need a pair of them that can operate in a redundant manner.
So any suggestions on which device for the datacenter?
Device Selection; Customer:
Each customer office has one device which maintains a VPN tunnel to the server (for the print and scan traffic). Most of the access to the server is via protected protocols (https, secure rdp connections) and don't actually traverse via the VPN. The device needs to be able to do NAT and basic routing for the small office. It needs to be able to do DNS and DHCP server functionality because the small offices don't have any servers at all, they're just a collection of PC/Tablet units that use the internet. I need to be able to set up DHCP option records for things like timeclocks and VoIP systems and I need to be able to do device reservations (by MAC at a minimum).
So, any suggestions on which device for the customer end?
And, if you reached the end, I thank you. Even if you only have a part answer/suggestion to anything above, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.