Would you go with a 90D or a 100D

MacMaster · ‎03-24-2015

I have a client with about 30-40 users. They dont want any UTM, so just plain firewall. They do have IPsec for both client connections (since they had a 60C and SSL was terribly slow) and a IPsec tunnel to a smaller office. 4 pcs of FortiAPs 221C. I think I will run them bridged, if 90D is chosen, so that the tunnel will not become a bottle neck (since as far as my testing goes the CAPWAP specs in the 90D datasheet only refers to tunneling mode).

Money is not as important as speed, so I just want to make the best choice here. I want this unit to be ok for a couple of years. I know they might expand the other office, so there will be more IPsec office to office load, so that needs to be fast. Other than that its just plain internet/surf/download stuff that is important both over cable and wifi in the LAN.

So basically, how would you think in this situation?

PS. By looking at the specs... if you say go with the 90D, is it even worth going with that, or would the 60D be enough (since there is not much difference in those two models spec-wise)?

emnoc · ‎03-24-2015

There's quite a few difference in the models and it's more than just raw sessions and cpu. In your setup do you need switch partions ( multiple switchgroups ) or PoE ?

If money is NOT an issue, get the FGT100D after looking at the fortimatrix and comparison of the models. Your talking less than 800 usd difference between a FGT90 and 100D but the difference in these 2 chassis from port and available features like just the few above could become a factor.

PCNSE

NSE

StrongSwan

View solution in original post

FatalHalt · ‎03-25-2015

In your particular situation - valuing pure speed - I would take the 90d.

Reason being purely around the processing architecture. As others and yourself have noted, the 100d uses a standard Intel CPU, which isn't really optimized, vs the 90d which utilizes the specifically built SoC. You'll get faster throughput, and lower latency.

View solution in original post

Dave_Hall · ‎03-25-2015

I have added the 92D in the comparison mix; between these 3 models, hands down the 90D can't be beat in shear firewall and IPSec throughput. However, the 90D is lacking in firewall new sessions per second and anti-virus scanning. Both the 92D and 100D outperforms the 90D in IPS/anti-virus scanning throughput.

I can't see myself deploying a Fortigate without providing or setting up some sort of IPS/anti-virus protection to the client -- in this regard I'd likely choose the 92D or 100D over the 90D. And if price and annual subscription fee were an issue, I may choose the 92D (depending on how close in price between the two).

That said, real life numbers are more important than theoretical max values -- with 30-40 users on a 100 Mbit connection, I'm sure all 3 models will perform equally in most areas, especially with proper coding/optimizing on the Fortigate config.

My bottom line; while the 90D looks attractive on paper for raw firewall/IPSec throughput, I would scope out just how much daily IPsec tunnel traffic is expected to go through the Fortigate. Unless there are mission-critical apps, there may be little to no difference, load-wise, on the IPsec tunnel connection (on any of the models).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

FatalHalt · ‎03-25-2015

MacMaster wrote:
Question, if we are talking 30-40 users, how critical is the new sessions per second. I really dont have a clue how many sessions a regular user that is surfing the net can open per second... I think 4000 should be more than enough, but would be nice to hear how you guys calculate that.

There's no true way to calculate this other than looking at the current firewall/router/whatever is in place and finding what they're doing now. Each time a user's browser has to reach out to a new server to get an image? New session.

That being said - 4000 for your needs should be fine. A typical (or even 'power') user will do nowhere near 100 sessions/sec.

View solution in original post

FatalHalt · ‎03-25-2015

MacMaster wrote:
Interesting to hear about the torrent thing. I have a clint with a 60D and they have problems from time to time. What is the best way to check how many sessions that are open on a unit?

Easiest way is to use the CLi and use:

get system performance status

Which will give you a line regarding Average session setup rate/different periods of time.

View solution in original post

Dave_Hall · ‎03-26-2015

MacMaster wrote:
But also, back to the question. With all the info we have collected here now, would you still go with the 100D for this clients demands? Or would you agree that a 90D should be a better choice this time?

If the client is adamant about getting the 100D then let him/her make that decision. There are pros/cons to getting either. While the 90D is faster on firewall/IPsec VPN throughput, the 100D may be the better value in the end should the company shift their stance to being more on network security. Real life values play into this as well, e.g. having a fast IPsec VPN connection is nice but only if the other side of that connection can keep up or sustain that throughput. This is why I suggest getting a demo 90D to play around with -- show your client what that 90D can do. That way you can gauge real values, including the CPU/Memory/network performance.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

Dave_Hall · ‎03-27-2015

MacMaster wrote:
Interesting to hear about the torrent thing. I have a clint with a 60D and they have problems from time to time. What is the best way to check how many sessions that are open on a unit?

Total open sessions do not tell the full picture of where/what type of traffic going through the Fortigate. Unless you have logging/reporting enabled on the Fortigate (or on a FortiAnalyzer), you'll likely need to drill down to the actual sessions for a device, to see what it's up too in real time. Our remote clients prefer an "open firewall rule set", so when they start complaining about slow speeds, we have to login to their units to see where the traffic is going. Of course, in a closed firewall rule set, we would only open the ports needed.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

MacMaster · ‎03-25-2015

I totally agree with you that as soon as you add some sort of UTM like IPS or AV, the 100D looks very promising.

I dont know what clients you guys have, but my clients are businesses with 5-50 users. We are very Mac oriented (98% are mac users). Other than that, its Linux for server.

Why am I saying this. Well, when it comes to things like this, windows users have a totally different mindset. I am happy I can get my clients to understand the value of having a "real" firewall and managed APs instead of just putting lots of Airport Extremes all over the place. Trust me, there are tons of advertising firms .. (just a example since those companies usually have lots of macs) that have 5 Airport Extremes as their setup. So when it comes to prioritizing AV, IPs and so on, these clients dont want that. They want a firewall to be able to open and close ports, and they might want IPsec for offise connection and between offices. But other than that, they are just not interested.

So that is why I can say for sure, we are talking pure throughput and IPsec right now. In this case, the IPsec is critical, because they have fileservers for both offices, and they need to get hold of those and brows them easily and copy stuff... if that is slow, they will not be happy. So IPsec is critical. BUT, interent surfing is also critical and they will "scream" if it is slow.

Question, if we are talking 30-40 users, how critical is the new sessions per second. I really dont have a clue how many sessions a regular user that is surfing the net can open per second... I think 4000 should be more than enough, but would be nice to hear how you guys calculate that.

Other than this, of course this might change in the feature... especially since there are more and more "viruses" for mac... but for now, they are happy to have FortiClient running as protection for that.

FatalHalt · ‎03-25-2015

MacMaster wrote:
Question, if we are talking 30-40 users, how critical is the new sessions per second. I really dont have a clue how many sessions a regular user that is surfing the net can open per second... I think 4000 should be more than enough, but would be nice to hear how you guys calculate that.

There's no true way to calculate this other than looking at the current firewall/router/whatever is in place and finding what they're doing now. Each time a user's browser has to reach out to a new server to get an image? New session.

That being said - 4000 for your needs should be fine. A typical (or even 'power') user will do nowhere near 100 sessions/sec.

MacMaster · ‎03-25-2015

By the way Dave.

You say: "especially with proper coding/optimizing on the Fortigate config"

you got me interested here... what kind of coding/optimizing do you usually do to optimize speed, just some examples to ease my curiosity :)

Dave_Hall · ‎03-25-2015

Sounds like you already made up your mind, so run with it -- contact your local Fortinet dealer and ask to borrow a demo 90D to play around with.

Regarding coding/optimizing, it's more of a throwback to the old 4.1/4.2 firmware days where you really needed to craft/tailor the UTM options to the traffic. e.g if your company is an all-Apple Mac shop there may be no real need to craft IPS/anti-virus sensors to Windows-based PCs -- you don't want the Fortigate spending any more time then needed scanning for something that's not there. This includes setting up the proxy options/SSL/SSH inspection options and creating separate fw policies (http/https, pop3, ntp, dns, other, etc.) The attached pic shows an example config (original was created for us by another company which I just expanded upon). It's an "open" firewall rule set. (Our in-house Fortigate is configured differently as a "closed" rule set.)

Regarding 4000 new session -- should be enough, though you will want to keep an eye out for people bittorrenting or running p2p software -- it can take just one or two individuals to bring down an entire network; (Saw this first hand from a client site that had one device opened over 5500 sessions.)

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

MacMaster · ‎03-25-2015

Sorry if it sounds like I decided my mind. I absolutely dont have. This is more me telling you argument to see if you can say, "hey no did you think about this". So I am absolutely open for choosing whichever of these two

Interesting to hear about the torrent thing. I have a clint with a 60D and they have problems from time to time. What is the best way to check how many sessions that are open on a unit?

But also, back to the question. With all the info we have collected here now, would you still go with the 100D for this clients demands? Or would you agree that a 90D should be a better choice this time?

PS. thanks for sharing your optimization setup by the way! :)

FatalHalt · ‎03-25-2015

MacMaster wrote:
Interesting to hear about the torrent thing. I have a clint with a 60D and they have problems from time to time. What is the best way to check how many sessions that are open on a unit?

Easiest way is to use the CLi and use:

get system performance status

Which will give you a line regarding Average session setup rate/different periods of time.

Dave_Hall · ‎03-26-2015

MacMaster wrote:
But also, back to the question. With all the info we have collected here now, would you still go with the 100D for this clients demands? Or would you agree that a 90D should be a better choice this time?

If the client is adamant about getting the 100D then let him/her make that decision. There are pros/cons to getting either. While the 90D is faster on firewall/IPsec VPN throughput, the 100D may be the better value in the end should the company shift their stance to being more on network security. Real life values play into this as well, e.g. having a fast IPsec VPN connection is nice but only if the other side of that connection can keep up or sustain that throughput. This is why I suggest getting a demo 90D to play around with -- show your client what that 90D can do. That way you can gauge real values, including the CPU/Memory/network performance.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Dave_Hall · ‎03-27-2015

MacMaster wrote:
Interesting to hear about the torrent thing. I have a clint with a 60D and they have problems from time to time. What is the best way to check how many sessions that are open on a unit?

Total open sessions do not tell the full picture of where/what type of traffic going through the Fortigate. Unless you have logging/reporting enabled on the Fortigate (or on a FortiAnalyzer), you'll likely need to drill down to the actual sessions for a device, to see what it's up too in real time. Our remote clients prefer an "open firewall rule set", so when they start complaining about slow speeds, we have to login to their units to see where the traffic is going. Of course, in a closed firewall rule set, we would only open the ports needed.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C