I have a client with about 30-40 users. They don't want any UTM, so just a plain firewall. They do have IPsec for both client connections (since they had a 60C and SSL was terribly slow) and an IPsec tunnel to a smaller office. 4 FortiAP 221Cs. I think I will run them bridged, if the 90D is chosen, so that the tunnel will not become a bottleneck (since as far as my testing goes the CAPWAP specs in the 90D datasheet only refer to tunneling mode).
Money is not as important as speed, so I just want to make the best choice here. I want this unit to be OK for a couple of years. I know they might expand the other office, so there will be more IPsec office-to-office load, so that needs to be fast. Other than that it's just plain internet/surf/download stuff that is important, both over cable and Wi-Fi in the LAN.
So basically, how would you think in this situation?
PS. By looking at the specs... if you say go with the 90D, is it even worth going with that, or would the 60D be enough (since there is not much difference in those two models spec-wise)?
MacMaster wrote:
Question, if we are talking 30-40 users, how critical is the new sessions per second? I really don't have a clue how many sessions a regular user that is surfing the net can open per second... I think 4000 should be more than enough, but it would be nice to hear how you guys calculate that.
There's no true way to calculate this other than looking at the current firewall/router/whatever is in place and finding what they're doing now. Each time a user's browser has to reach out to a new server to get an image? New session.
That being said - 4000 for your needs should be fine. A typical (or even 'power') user will do nowhere near 100 sessions/sec.
MacMaster wrote:
Interesting to hear about the torrent thing. I have a client with a 60D and they have problems from time to time. What is the best way to check how many sessions are open on a unit?
Easiest way is to use the CLI and run:
get system performance status
which will give you a line with the average session setup rate over different periods of time.
MacMaster wrote: But also, back to the question. With all the info we have collected here now, would you still go with the 100D for this client's demands? Or would you agree that a 90D should be a better choice this time?
If the client is adamant about getting the 100D then let him/her make that decision. There are pros/cons to getting either. While the 90D is faster on firewall/IPsec VPN throughput, the 100D may be the better value in the end should the company shift their stance to being more on network security. Real life values play into this as well, e.g. having a fast IPsec VPN connection is nice but only if the other side of that connection can keep up or sustain that throughput. This is why I suggest getting a demo 90D to play around with -- show your client what that 90D can do. That way you can gauge real values, including the CPU/Memory/network performance.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
MacMaster wrote: Interesting to hear about the torrent thing. I have a client with a 60D and they have problems from time to time. What is the best way to check how many sessions are open on a unit?
Total open sessions do not tell the full picture of where/what type of traffic is going through the Fortigate. Unless you have logging/reporting enabled on the Fortigate (or on a FortiAnalyzer), you'll likely need to drill down to the actual sessions for a device, to see what it's up to in real time. Our remote clients prefer an "open firewall rule set", so when they start complaining about slow speeds, we have to log in to their units to see where the traffic is going. Of course, in a closed firewall rule set, we would only open the ports needed.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
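The two replies above (sizing new sessions per second, and reading the session lines from `get system performance status`) can be turned into a repeatable check. The script below is an added example, not code from the thread or from Fortinet: it parses a constructed sample of the CLI output (modelled on the FortiOS format, with invented numbers), compares the observed setup rate against the 4,000 new sessions/s budget the poster quotes for the 90D, applies the "users x per-user peak" rule of thumb from the thread, and flags a bursty 1-minute vs 30-minute ratio, which is the pattern a single torrenting host produces and the cue to drill into per-host sessions.

```python
import re

# Constructed sample output, modelled on the format FortiOS prints for
# `get system performance status`; the numbers are invented for this example.
SAMPLE_STATUS = """\
CPU states: 3% user 2% system 0% nice 95% idle 0% iowait 0% irq 0% softirq
Memory: 2053892k total, 1029576k used (50.1%), 1024316k free (49.9%)
Average network usage: 41234 / 40112 kbps in 1 minute, 30053 / 29991 kbps in 10 minutes, 22052 / 21052 kbps in 30 minutes
Average sessions: 12471 sessions in 1 minute, 9874 sessions in 10 minutes, 8742 sessions in 30 minutes
Average session setup rate: 312 sessions per second in last 1 minute, 140 sessions per second in last 10 minutes, 95 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 12 days,  4 hours,  36 minutes
"""

_SESSIONS_RE = re.compile(r"(\d+) sessions in (\d+) minutes?")
_SETUP_RE = re.compile(r"(\d+) sessions per second in last (\d+) minutes?")


def parse_performance_status(text):
    """Pull the two session lines out of the CLI dump.

    Returns {"sessions": {1: n, 10: n, 30: n}, "setup_rate": {1: r, 10: r, 30: r}},
    keyed by the averaging window in minutes.
    """
    stats = {"sessions": {}, "setup_rate": {}}
    for line in text.splitlines():
        if line.startswith("Average sessions:"):
            for count, window in _SESSIONS_RE.findall(line):
                stats["sessions"][int(window)] = int(count)
        elif line.startswith("Average session setup rate:"):
            for rate, window in _SETUP_RE.findall(line):
                stats["setup_rate"][int(window)] = int(rate)
    return stats


def planning_rate(users, per_user_peak=100):
    """Rule of thumb from the thread: users x per-user peak new sessions/s.
    100/s per user is the upper bound the reply gives, not a measurement."""
    return users * per_user_peak


def setup_rate_utilisation(stats, budget_new_sessions_per_sec, window=1):
    """Observed new-session rate as a fraction of the model's budget."""
    return stats["setup_rate"][window] / budget_new_sessions_per_sec


def burst_ratio(stats):
    """1-minute vs 30-minute setup rate. A high ratio points at a bursty
    session source (one P2P client looks like this) rather than steady
    browsing, and is the moment to look at per-host sessions."""
    long_term = stats["setup_rate"][30]
    return stats["setup_rate"][1] / long_term if long_term else float("inf")


if __name__ == "__main__":
    s = parse_performance_status(SAMPLE_STATUS)
    # 4,000 new sessions/s is the 90D figure quoted in the thread; it is the
    # budget this script checks against, not something it measures.
    print("observed 1-min setup rate    :", s["setup_rate"][1], "sessions/s")
    print("planning estimate, 40 users  :", planning_rate(40), "sessions/s")
    print("utilisation of 4000/s budget :", round(setup_rate_utilisation(s, 4000), 3))
    print("1-min / 30-min burst ratio   :", round(burst_ratio(s), 2))
```

Paste real output from the unit in place of `SAMPLE_STATUS`; the parser keys only on the two "Average sessions" and "Average session setup rate" lines, so the other lines can vary between firmware versions without breaking it.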
There are quite a few differences between the models and it's more than just raw sessions and CPU. In your setup do you need switch partitions (multiple switch groups) or PoE?
If money is NOT an issue, get the FGT100D after looking at the FortiMatrix and comparison of the models. You're talking less than 800 USD difference between a FGT90 and 100D, but the difference between these 2 chassis in ports and available features, like just the few above, could become a factor.
PCNSE
NSE
StrongSwan
Thanks emnoc for the reply.
No, I will not need any switch partitions. The FAPs will get power over PoE, but we have injectors for that.
I understand there is a lot of difference feature-wise, but this client really isn't a feature-demanding client. They just want pure speed basically.
When looking at these numbers, to me it sounds as if they would get more speed in those areas they do demand if they go with a 90D, or is that wrong?
Firewall Throughput (1518 / 512 / 64 byte UDP packets) 90D: 3.5 / 3.5 / 3.5 Gbps 100D: 2,500 / 1,000 / 200 Mbps
Firewall Latency (64 byte UDP packets) 90D: 4 μs 100D: 37 μs
Firewall Throughput (Packets Per Second) 90D: 5.3 Mpps 100D: 300 Kpps
IPsec VPN Throughput (512 byte packets) 90D: 1 Gbps 100D: 450 Mbps
The client has a 100 Mbit WAN line right now, but I am thinking that the prices are falling and soon they might be on 500 Mbit, and that is when the 3.5 Gbps throughput and 1 Gbps IPsec will come in handy on a 90D.
Or am I thinking wrong here, will they not notice these kind of numbers. Is it wiser to go with the smallest mid section model 100D instead of taking the biggest low section model 90D when they are so close in price?
Where did you find those specification numbers (FGT100D)? I didn't think they were that bad; I believe you are looking at FGT100A or C numbers.
Ken
PCNSE
NSE
StrongSwan
No, this is for the 100D and that is why I am wondering why so many say that it is a great unit. They might be packed with features, but they seem to lack speed.
Here is the link I am reading from:
MacMaster wrote: No, this is for the 100D and that is why I am wondering why so many say that it is a great unit. They might be packed with features, but they seem to lack speed.
Here is the link I am reading from:
https://www.fortinet.com/...ets/FortiGate-100D.pdf
We pondered some of the same issues. We went with the 100D.
*auto-sig* rb400 << FGT (v6.2.x)
I have added the 92D into the comparison mix; between these 3 models, hands down the 90D can't be beat in sheer firewall and IPsec throughput. However, the 90D is lacking in firewall new sessions per second and anti-virus scanning. Both the 92D and 100D outperform the 90D in IPS/anti-virus scanning throughput.
I can't see myself deploying a Fortigate without providing or setting up some sort of IPS/anti-virus protection to the client -- in this regard I'd likely choose the 92D or 100D over the 90D. And if price and annual subscription fee were an issue, I may choose the 92D (depending on how close in price between the two).
That said, real life numbers are more important than theoretical max values -- with 30-40 users on a 100 Mbit connection, I'm sure all 3 models will perform equally in most areas, especially with proper coding/optimizing on the Fortigate config.
My bottom line; while the 90D looks attractive on paper for raw firewall/IPSec throughput, I would scope out just how much daily IPsec tunnel traffic is expected to go through the Fortigate. Unless there are mission-critical apps, there may be little to no difference, load-wise, on the IPsec tunnel connection (on any of the models).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
The 90D uses the new FortiSOC2 ASIC so it's very fast and has integrated NP and CP technologies. I've read that it provides 10x improvement in encryption throughput than traditional architectures.
The 100D uses an Intel processor and offloads acceleration to a CP8.
Paul
Yes, I know all this. That is why I am still puzzled why some still say I should go with the 100D. Is that just old reputation?
For the above specified needs, isn't the 90D better? I know the 100D is meant for bigger offices than all the smaller models, but in this case, the 100D seems like a slow big brother when it comes to plain throughput and IPsec!?
In your particular situation - valuing pure speed - I would take the 90d.
Reason being purely around the processing architecture. As others and yourself have noted, the 100d uses a standard Intel CPU, which isn't really optimized, vs the 90d which utilizes the specifically built SoC. You'll get faster throughput, and lower latency.
Copyright 2024 Fortinet, Inc. All Rights Reserved.