We plan to replace an old Netgear router by a new UTM and our provider made a proposal for a FG-100D.
Will this hardware be sufficient regarding the following facts :
- We are about 90 users
- We use 25 Mbps download (peak at 40 Mbps) and 3 Mbps (upload) on our dedicated symmetrical 100 Mbps internet line
- We mostly consume web apps (Google Apps, ...)
- We have 2 VPNs with low traffic (3 MBps max)
- We plan to use most features of the UTM except antispam, in connection with our Active Directory.
- There will be 10 FortiAP 221C managed by the FG-100D.
I'm a bit disappointed about the correct sizing because I have different opposing points of view:
40 Mbps is doable by a 100D. But I'd never recommend it for you.
There is no easy answer, because it depends entirely on the browsing habits of your users.
You say you are going to use UTM. All major sites are going to SSL, so you are going to need to implement SSL Deep Inspection to get the most from your UTM.
The most intensive part of the connection to SSL protected sites is the initial setup when the session negotiates the symmetric key that lasts the rest of the session.
If your users' browsing habits use a lot of small SSL sessions downloading files (and therefore going through AV), then the 100D isn't going to cut it.
40 Mbps is doable by a 100D. But I'd never recommend it for a client with 90 users. Because it's good enough for now, but by the end of its life, it is going to be a dog. You are going to want that full 100Mbps, and probably even to increase it.
If you look at the data sheets (100D vs. 200D) you will notice that even firewalling throughput on a 100D is rated down from 2.5G for large packets to .2 G for small packets (like HTTPS). This is caused by the lack of a dedicated network processor ASIC (NP) on the 100D.
Second difference is the CPU used, an ATOM vs. a Celeron. Session buildup and (some of the) SSL decryption is done via CPU, and here the 100D shows poor figures: "new sessions per second: 22k vs 77k".
And even for UTM, e.g. the AV throughput is x2 higher on the 200D which is 600 Mbps. Deduct a lot from this figure if you plan to use AV, IPS, AppCtrl at the same time.
If you can afford it the 200D will suit your current needs today, and may be the better investment over time. Both of which I would disagree on with a 100D.
PS as for the comparison to Sophos: from the datasheet, it seems to me it should be compared to a 200D, same CPU, comparable RAM, interfaces etc. Letting it run against a 100D is a bit unfair. Though this is an economical question as well...
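The answer above argues from three rated figures (small-packet firewall throughput, new sessions per second, AV throughput) and warns that today's 40 Mbps peak is not the number to size for. The following script is an added illustration, not Fortinet's or the poster's material: it takes the 100D figures quoted in the thread (0.2 Gbps small-packet firewalling, 22k sessions/s, and an AV figure of 300 Mbps derived from "x2 higher on the 200D which is 600 Mbps") and reports how much headroom each dimension leaves for a given offered load. The 2 new sessions per user per second, the 0.5 derate for running AV, IPS and AppCtrl together, and the 100-byte "small packet" size are constructed assumptions, not datasheet values.

```python
from dataclasses import dataclass

BITS_PER_BYTE = 8


@dataclass(frozen=True)
class Appliance:
    """Rated figures as quoted in the thread (Mbps unless stated)."""
    name: str
    fw_small_pkt_mbps: float   # firewall throughput with small (HTTPS-like) packets
    new_sessions_per_s: int    # session setup rate, CPU-bound on the 100D
    av_mbps: float             # antivirus throughput


# 100D figures from the thread: 0.2 Gbps small-packet firewalling and 22k new
# sessions/s. The AV figure is derived from the thread's "x2 higher on the
# 200D which is 600 Mbps", so 300 Mbps is an inference, not a quoted number.
FG_100D = Appliance("FG-100D", fw_small_pkt_mbps=200.0,
                    new_sessions_per_s=22_000, av_mbps=300.0)


def packets_per_second(throughput_mbps: float, avg_packet_bytes: int) -> float:
    """Packets per second implied by a throughput at a given average packet size.

    Shows why small-packet ratings matter: the same Mbps means far more packets
    (and far more per-packet work) when the packets are HTTPS-sized.
    """
    return throughput_mbps * 1_000_000 / (avg_packet_bytes * BITS_PER_BYTE)


def headroom(rated: float, offered: float) -> float:
    """Ratio of rated capacity to offered load; below 1.0 the box is over capacity."""
    if offered <= 0:
        raise ValueError("offered load must be positive")
    return rated / offered


def assess(box: Appliance, offered_mbps: float, users: int,
           sessions_per_user_s: float, utm_derate: float = 0.5) -> dict:
    """Headroom factors for one load scenario.

    utm_derate models the advice to 'deduct a lot' from the AV figure when AV,
    IPS and AppCtrl run at the same time; 0.5 is a constructed assumption.
    """
    new_sessions = users * sessions_per_user_s
    return {
        "small_packet_fw": headroom(box.fw_small_pkt_mbps, offered_mbps),
        "new_sessions": headroom(box.new_sessions_per_s, new_sessions),
        "full_utm": headroom(box.av_mbps * utm_derate, offered_mbps),
    }


def bottleneck(report: dict) -> tuple:
    """The dimension with the least headroom, as (name, factor)."""
    name = min(report, key=report.get)
    return name, report[name]


if __name__ == "__main__":
    # Today's 40 Mbps peak vs. the full 100 Mbps line the thread expects you
    # to want before the appliance reaches end of life.
    print("40 Mbps of 100-byte packets =", packets_per_second(40, 100), "pps")
    for mbps in (40.0, 100.0):
        rep = assess(FG_100D, mbps, users=90, sessions_per_user_s=2.0)
        print(f"{mbps:.0f} Mbps:", {k: round(v, 1) for k, v in rep.items()},
              "bottleneck:", bottleneck(rep))
```

Under these assumptions the limiting dimension is never the session rate but full-UTM throughput, which drops from 3.75x headroom at 40 Mbps to 1.5x at 100 Mbps; that is the "good enough now, a dog later" pattern the answer describes. Swap in your own session rate and derate if you have measurements.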
definitely go ahead and snag the 200D. It is worth the investment and you won't be kicking yourself in the future.
Full Disclosure, I have a client running 80-100 users on a 100D. For the most part it handles their load. It hits some high utilization though at peak times. I'm working on convincing them to upgrade the appliance now.
I dealt with the same problem as you last year and was impressed by datasheets of Sophos fws. Fortunately I got results from testing SG210 and SG310 in real environment from friend of mine. The datasheets values were considerably overrated (especially when most of UTM features were enabled). So I decided for FG-100D (200 users), and don't regret until now:-). (It was easier for me, because I wanted to replace FG-110C). Lubos