Support Forum
BrianPro
New Contributor

sizing assistance

I was wondering if anyone can offer suggestions on sizing for our environment:
- Strictly a datacenter environment, no end users VPNing into this setup, VPN would be used only for admin purposes at this point.
- 3 segments: 2 DMZ and 1 LAN (each DMZ would have 1 web server, the LAN = the rest of our internal servers (about 15 total, mix of FTP, other web servers)
- ISP connection: 1 WAN @ 100Mbit, current utilization 2Mbit + periodic bursts several times a day to 15-20 Mbit (about 15 minutes or so sustained)
- only interested in applying IPS at this point between segments (no AV, etc)
- 2 web servers in the DMZs are hosted for external customers and are the busy ones for us. Currently we get about 500-1000 sessions concurrent on each and would expect growth of 2-3x over the next year or so due to some larger customers coming on board.
- Would need the firewall to perform as a router (internal traffic would pass through it for backup purposes). Mostly rsync traffic for large database backups
- Backend switch is currently a HP Procurve 1800-24G which is an older managed switch capable of VLANs

When looking at this I'd guess a 110C would be the starting point? The limitation is only having 2 gigabit ports and concerns with routing/backups. We could jump to a 200B, but that seems like overkill (maybe not)... Oh forgot to mention we do see peak spikes on concurrent sessions up to 10K or so beyond normal due to external scanning tools.
billp
Contributor

I'm not a FTNT expert, but here's my personal experience. I run a pair of 111C's in high availability mode. Average total sessions generally run 3k-4k. I run VPN, IPS, AV, webfilter/UTM. No antispam. Internet is 20mbps. I do not have any CPU or memory issues. When I set it up, though, I did have to hone the IPS fairly carefully in order to avoid CPU spikes. That might have been a firmware issue at the time, though. The only oddity that I've seen recently has to do with bandwidth. I can't get more than 15mbps out of a single bandwidth test. If I run the same test external to the firewall, I get the full 20mbps. The results are the same even if I turn off AV, IPS, webfilter, etc. I can get aggregate bandwidth well over 20mbps for all workstations, however. So, this is not a major issue for me at the moment. I would think a 110C would be fine for what you want immediately, but a 200B would definitely give you some horsepower to spare and give you more room to grow. That would be my recommendation.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
emnoc
Esteemed Contributor III

In all fairness both models would do what you want and have growth. Keep in mind a 200B is like a 5gbps firewall and has a module slot. What is your budget and how far on or off are you, w/ your future growth plans? Since you're routing on the backend, and the 1800 is a layer 2 switch for the most part, are you comfortable with the numbers/types of interfaces on a 110? If you later decide to do more, the 200B would be a nice to have and should scale much higher than a 110, but costs slightly more. I personally don't see a 110 as a DC firewall imho. I know some will come online and say otherwise, but the 110C is a backoffice firewall device and was situated by Fortigate to provide an intermediate device between the SMB and Enterprise level.

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

I agree with my PPs, both models are capable of handling your load. But...the 200B is a fine machine, with lots of headroom for future growth, with 4 accelerated GbE ports (which can be important for in-LAN traffic) and 4 other GbE ports for servers, and it is extensible with a HDD. Local storage might benefit you with decent logging - logging into memory may only cover a couple of minutes in history depending on the rate of events. If you earn money with this infrastructure then I'd recommend spending a little more and investing in a 200B. You'll never regret it. At first I even thought 'an 80C might do it' until I caught the 'future growth' keyword. Essentially I see a 110C as a souped-up 80C with a much higher price.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
FortiRack_Eric
New Contributor III

In my opinion, a 100 mb connection always sizes to a 200B. A 200B is the best in price/perf ratio. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
BrianPro
New Contributor

Thanks for the input everyone. The 200B seems like the better choice, since it does have more gigabit ports for backend LAN routing and extra growth since this will have to last 5 years. Budget will allow for it. My only concern if going with the 200B was having a back-up device in case of a failure. I'll have the 24x7 comprehensive in case of failure, but will probably need some type of backup for the 1-2 day time it takes Fortinet to ship a replacement (hopefully they are timely). If I go the 200B route what would be a good short term backup device assuming no services (just firewall), during this emergency period? 60C? (since it has gigabit fwing and 80K connections) 80C? Getting a cold spare 200B is pricey at this time and HA with a 200B would double the cost of this project :( I kind of wish Fortinet would let you A/P units and only pay for services on the Active unit and support only on the passive, but alas it doesn't seem that way.
FortiRack_Eric
New Contributor III

In HA, the second unit costs 1/2 the price for a 200B

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
BrianPro
New Contributor

In HA, the second unit costs 1/2 the price for a 200B
Huh, I'll have to question my VAR then. He mentioned that it was full price. Is there a part number or something that I can mention when I speak with him?
FortiRack_Eric
New Contributor III

I can make you an offer... It's just something every FortiPartner should know and offer to its clients/prospects. The only thing is that they need to be ordered at the same time.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
BrianPro
New Contributor

Ah so that is the catch. Probably why I never knew about the 1/2 price thing. If I add the HA unit *after* initial purchase (say 6 months down the line or whatever), I don't get it at 1/2 price.