MacMaster
New Contributor

Would you go with a 90D or a 100D

I have a client with about 30-40 users. They don't want any UTM, so just plain firewall. They do have IPsec for both client connections (since they had a 60C and SSL was terribly slow) and an IPsec tunnel to a smaller office. 4 pcs of FortiAPs 221C. I think I will run them bridged, if 90D is chosen, so that the tunnel will not become a bottleneck (since as far as my testing goes the CAPWAP specs in the 90D datasheet only refer to tunneling mode).

Money is not as important as speed, so I just want to make the best choice here. I want this unit to be ok for a couple of years. I know they might expand the other office, so there will be more IPsec office to office load, so that needs to be fast. Other than that it's just plain internet/surf/download stuff that is important both over cable and wifi in the LAN.

So basically, how would you think in this situation?

PS. By looking at the specs... if you say go with the 90D, is it even worth going with that, or would the 60D be enough (since there is not much difference in those two models spec-wise)?

7 Solutions
emnoc
Esteemed Contributor III

There are quite a few differences in the models and it's more than just raw sessions and CPU. In your setup do you need switch partitions (multiple switchgroups) or PoE?

If money is NOT an issue, get the FGT100D after looking at the fortimatrix and comparison of the models. You're talking less than 800 USD difference between a FGT90 and 100D but the difference in these 2 chassis from port and available features like just the few above could become a factor.

PCNSE NSE StrongSwan
FatalHalt
Contributor II

In your particular situation - valuing pure speed - I would take the 90d.

Reason being purely around the processing architecture. As others and yourself have noted, the 100d uses a standard Intel CPU, which isn't really optimized, vs the 90d which utilizes the specifically built SoC. You'll get faster throughput, and lower latency.

Dave_Hall
Honored Contributor

I have added the 92D in the comparison mix; between these 3 models, hands down the 90D can't be beat in sheer firewall and IPSec throughput. However, the 90D is lacking in firewall new sessions per second and anti-virus scanning. Both the 92D and 100D outperform the 90D in IPS/anti-virus scanning throughput.

I can't see myself deploying a Fortigate without providing or setting up some sort of IPS/anti-virus protection to the client -- in this regard I'd likely choose the 92D or 100D over the 90D. And if price and annual subscription fee were an issue, I may choose the 92D (depending on how close in price between the two).

That said, real life numbers are more important than theoretical max values -- with 30-40 users on a 100 Mbit connection, I'm sure all 3 models will perform equally in most areas, especially with proper coding/optimizing on the Fortigate config.

My bottom line: while the 90D looks attractive on paper for raw firewall/IPSec throughput, I would scope out just how much daily IPsec tunnel traffic is expected to go through the Fortigate. Unless there are mission-critical apps, there may be little to no difference, load-wise, on the IPsec tunnel connection (on any of the models).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
FatalHalt

MacMaster wrote:
Question, if we are talking 30-40 users, how critical is the new sessions per second. I really don't have a clue how many sessions a regular user that is surfing the net can open per second... I think 4000 should be more than enough, but would be nice to hear how you guys calculate that.

There's no true way to calculate this other than looking at the current firewall/router/whatever is in place and finding what they're doing now. Each time a user's browser has to reach out to a new server to get an image? New session.

That being said - 4000 for your needs should be fine. A typical (or even 'power') user will do nowhere near 100 sessions/sec.

FatalHalt

MacMaster wrote:
Interesting to hear about the torrent thing. I have a client with a 60D and they have problems from time to time. What is the best way to check how many sessions are open on a unit?

Easiest way is to use the CLI and use:

get system performance status

Which will give you a line regarding Average session setup rate/different periods of time.
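The check described in the two answers above (measure the current session setup rate, then compare it with the rated new sessions per second), as an added example that is not part of the original posts. The output layout is assumed from FortiOS 5.x-era releases and varies by version, the sample text is constructed, `warn_fraction` is a hypothetical threshold, and 4000 is the rating quoted in the thread.

```python
import re

# Constructed sample in the layout assumed for `get system performance status`
# (FortiOS 5.x-era; the exact lines differ between releases).
SAMPLE = """\
CPU states: 3% user 1% system 0% nice 96% idle
Memory states: 41% used
Average network usage: 18342 kbps in 1 minute, 12110 kbps in 10 minutes, 9870 kbps in 30 minutes
Average sessions: 2150 sessions in 1 minute, 1984 sessions in 10 minutes, 1875 sessions in 30 minutes
Average session setup rate: 62 sessions per second in last 1 minute, 48 sessions per second in last 10 minutes, 41 sessions per second in last 30 minutes
Uptime: 12 days,  4 hours,  17 minutes
"""

RATE_RE = re.compile(r"(\d+) sessions per second in last (\d+) minutes?")
COUNT_RE = re.compile(r"(\d+) sessions in (\d+) minutes?")


def parse_status(text):
    """Return {'setup_rate': {window_minutes: n}, 'sessions': {window_minutes: n}}."""
    out = {"setup_rate": {}, "sessions": {}}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        key = key.strip().lower()
        if key == "average session setup rate":
            out["setup_rate"] = {int(m): int(n) for n, m in RATE_RE.findall(rest)}
        elif key == "average sessions":
            out["sessions"] = {int(m): int(n) for n, m in COUNT_RE.findall(rest)}
    return out


def headroom(status, rated_new_sessions_per_sec, warn_fraction=0.5):
    """Compare the busiest averaging window with the datasheet rating."""
    rates = status["setup_rate"]
    if not rates:
        raise ValueError("no 'Average session setup rate' line found")
    peak = max(rates.values())
    used = peak / rated_new_sessions_per_sec
    return {"peak_rate": peak, "used_fraction": used, "warn": used >= warn_fraction}


if __name__ == "__main__":
    status = parse_status(SAMPLE)
    print(status)
    # 4000 new sessions/sec is the rating quoted in the thread.
    print(headroom(status, rated_new_sessions_per_sec=4000))
```

The figures are 1, 10 and 30 minute averages, so bursts shorter than a minute are smoothed out; sample the command during the busiest part of the day before comparing against a datasheet rating.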

Dave_Hall
Honored Contributor

MacMaster wrote:

But also, back to the question. With all the info we have collected here now, would you still go with the 100D for this client's demands? Or would you agree that a 90D should be a better choice this time?

If the client is adamant about getting the 100D then let him/her make that decision. There are pros/cons to getting either. While the 90D is faster on firewall/IPsec VPN throughput, the 100D may be the better value in the end should the company shift their stance to being more on network security. Real life values play into this as well, e.g. having a fast IPsec VPN connection is nice but only if the other side of that connection can keep up or sustain that throughput. This is why I suggest getting a demo 90D to play around with -- show your client what that 90D can do. That way you can gauge real values, including the CPU/Memory/network performance.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave_Hall
Honored Contributor

MacMaster wrote:

Interesting to hear about the torrent thing. I have a client with a 60D and they have problems from time to time. What is the best way to check how many sessions are open on a unit?

Total open sessions do not tell the full picture of where/what type of traffic is going through the Fortigate. Unless you have logging/reporting enabled on the Fortigate (or on a FortiAnalyzer), you'll likely need to drill down to the actual sessions for a device, to see what it's up to in real time. Our remote clients prefer an "open firewall rule set", so when they start complaining about slow speeds, we have to log in to their units to see where the traffic is going. Of course, in a closed firewall rule set, we would only open the ports needed.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
17 Replies
MacMaster
New Contributor

Thanks emnoc for the reply.

No, I will not need any switch partitions. The FAPs will get power over PoE, but we have injectors for that.

I understand there is a lot of difference feature wise, but this client really isn't a feature demanding client. They just want pure speed basically.

When looking at these numbers, to me it sounds as if they would get more speed in those areas they do demand if they go with a 90D, or is that wrong?

Firewall Throughput (1518 / 512 / 64 byte UDP packets): 90D: 3.5 / 3.5 / 3.5 Gbps; 100D: 2,500 / 1,000 / 200 Mbps

Firewall Latency (64 byte UDP packets): 90D: 4 μs; 100D: 37 μs

Firewall Throughput (Packets Per Second): 90D: 5.3 Mpps; 100D: 300 Kpps

IPsec VPN Throughput (512 byte packets): 90D: 1 Gbps; 100D: 450 Mbps

The client has a 100Mbit WAN line right now, but I am thinking that the prices are falling and soon they might be on a 500Mbit, and that is when the 3,5Gbps throughput and 1Gbps IPsec will become handy on a 90D.

Or am I thinking wrong here, will they not notice these kinds of numbers? Is it wiser to go with the smallest mid section model 100D instead of taking the biggest low section model 90D when they are so close in price?

emnoc
Esteemed Contributor III

Where did you find those specification numbers (FGT100D)? I didn't think they were that bad; I believe you are looking at FGT100A or C numbers.

Ken

PCNSE NSE StrongSwan
MacMaster
New Contributor

No, this is for the 100D and that is why I am wondering why so many say that it is a great unit. They might be packed with features, but they seem to lack speed.

Here is the link I am reading from:

https://www.fortinet.com/...ets/FortiGate-100D.pdf

rb400

MacMaster wrote:

No, this is for the 100D and that is why I am wondering why so many say that it is a great unit. They might be packed with features, but they seem to lack speed.

Here is the link I am reading from:

https://www.fortinet.com/...ets/FortiGate-100D.pdf

We pondered some of the same issues. We went with the 100D.

*auto-sig* rb400 << FGT (v6.2.x)
PaulM1114
New Contributor III

The 90D uses the new FortiSOC2 ASIC so it's very fast and has integrated NP and CP technologies. I've read that it provides 10x improvement in encryption throughput than traditional architectures.

The 100D uses an Intel processor and offloads acceleration to a CP8.

Paul

MacMaster
New Contributor

Yes, I know all this. That is why I am still puzzled why some still say I should go with the 100D. Is that just old reputation?

For the above specified needs, isn't the 90D better? I know 100D is meant for bigger offices than all the smaller models, but in this case, the 100D seems like a slow big brother when it comes to plain throughput and IPsec!?
