- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Which Devices to use for my small service provider...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which Devices to use for my small service provider company
Hi, I am brand new here and I'm looking to replace my aging Cisco devices with Fortinet devices. I looked around for the correct forum but I am unsure where I should post my questions and begin a discussion.
I have no (as in Zero) experience in Fortinet products, but I like what I've read and seen while doing some investigation.
I have a whole slew of questions about what to pick for the endpoints in the datacenter and for the client. We're very small and have only a few clients.
What is the right forum for posting a thread to discuss my needs and get suggestions? I don't mind doing this via PM type messages if that's the correct method but I don't even know where to start. I don't know what tags to put on this either.
I am currently looking through the marketing materials, but my experience says those things don't provide the detailed answers I need to evaluate which devices to pick.
Thanks,
-greg
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums.
You're not totally off here, so this forum is as well suited as any. There are always experienced users out here willing to voice their opinions, and they will find this thread.
Choosing the "right" equipment totally hinges on what is "right" for your business and your customers' needs. So maybe you could line out your "must-haves" and "nice-to-haves" a bit.
Some of my personal views on this:
Fortigates in principle are very performant, or rather, the price/performance ratio is excellent.
FortiOS is flexible enough to fit in into nearly all networks/tasks I've encountered with my customers.
GUI and CLI config is quite easy to learn, and once you've got it going on one FGT you can manage all models.
Hardware is (more or less) the only choice you've got to think about hard; it's not features, nor licensing.
Redundant setup is so easy that there's nearly no excuse not to employ a cluster - failure of a single FGT will almost always cost more in damages than a second FGT.
Managing and provisioning many (20+) FGTs via the separate FortiManager is, eh, a weak chapter in the FTNT empire.
Whereas the central logging&reporting instance (FortiAnalyzer) is a must nowadays; preferably as a VM.
Speaking of VMs, all of the non-FGT appliances make sense as virtual devices; the FGT does not, except for being employed within VM itself (on the hypervisor, or between VM servers). That's because the performance comes from the hardware acceleration via Security Processors (SP, better knows as NP plus CP).
The environment around the FGT UTM is really good, called FortiGuard. Services (botnet blacklists, application signatures, webfilter categories) and subscriptions (AV, IPS, WF) are researched and delivered by FTNT itself and are effective.
Running FGTs without any contract doesn't make much sense OTOH, so calculate investment plus opex.
Depending on the development of your business, the hardware can last for 5-8 years, or become obsolete in 2. But in this case you would have earned the resources to buy higher up gear.
And lastly, support is quite good (support on the forums is 99% user self-help best effort, not like the paid support from FTNT). FortiOS releases are not always stable and thus production-ready, to my demise. You usually have 2 or 3 main releases (with patches) available to choose from. More new features, more risk of hitting bugs.
I apologize for this post becoming a bit longer than I expected. Bottom line (for me): having worked with some other vendors, I'm glad to have taken up Fortinet more than 15 years ago.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you ede for responding and my apologies for taking so long to reply back. I don't mind the length at all. As can be seen, I'm looking for help in two areas. I need device selection assistance and I'll probably need some configuration assistance once I get the devices.
I thank your for the detail of your response. Similarly, I'll put a lot of detail in my post and ask everyone for suggestions, ideas, and general discussion. I'm hoping the length of this post doesn't put to many folks off but I'm trying to answer the questions of what we need. I'll try to organize the post in sections.
Fair warning, this is a long post. Even if you only have a part answer/suggestion to anything below, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
I understand that some feel a reseller is the way to go but my experience is that a reseller usually just wants to push the hardware and be done with it. I have found that I have better luck selecting the reseller if I have a good idea up front of what the device can do. Of course, I'm open to suggestions of good resellers to consider (PMs are fine) and even persons willing to provide assistance on a paid basis (again PMs are fine) but it's important to me to understand what I can and can't do with the hardware. After all, I have to support it.
Who we are/What we do:
I am the owner of a very small business providing remote desktop services for small companies so they don't have to maintain any hardware or software. They simply subscribe to a desktop and I pretty much take care of the rest.
We use VPN tunnels between the customer's locations. The Cisco 2901 at the datacenter end is sufficient for the VPNs and does the NATs well, but it lacks many things that I'd like to have. Particularly, it's currently a single point of failure that I want to address as part of the replacement. I'd like to have two devices, either of which can provide connectivity should the other fail. I already have cross-connected switches inside of that, but I need a good firewall device that can be set up to utilize the datacenter's redundant connection capability ("HSRP/VRRP") and which does the VPN and NATs that we need.
For the customers' end, we utilize Ciscso ASA 5505 devices. These are mostly adequate but need to be refreshed as well. They also have a few limitations from the customer simplicity point of view. Frankly their DNS and DHCP functionality stinks. But the do handle the VPN and the NATs really well.
UTM/NGFW:
I understand from above that there are two basic areas. Basic device capabilities and capabilities augmented by subscriptions. I am open to the subscription model as threats evolve and to counter them I'll need the continual updates provided by subscription. Which subscriptions are suggested? I don't believe I'm ready for "Enterprise" level stuff, but I do need good threat protection. One of the areas that concerns me is VoIP. Because the phone system is in-house, we have a lot of ports opened to that device. Because the smart phone app that works with the in-house phone system reaches in from the outside, I can't restrict the incoming source address because the smartphones might be anywhere.
Routing/NAT:
I need to be able to direct one Static IP to the phone system device. The NAT functionality needs to not mess up the VoiP traffic. From the Cisco ASA, I have to turn off the Inspect for the SIP traffic. I need equivalent functionality in the replacement devices.
Performance Monitoring:
I need to be able to gather data and information from the devices to see how they are performing. Preferably in the form of graphs. I'm not a Network Engineer by trade but I can do the 80% stuff without issue. What I don't have is time to do the intensive dig-in. I need the devices (or a package that works with the devices) to provide data on what's happening and what has happened. Both from a utilization viewpoint and from a diagnostics viewpoint. And, since I'm looking for UTM/NGFW type devices, I'd like to see good reporting on the threats encountered and what was done. I think I saw FortiAnalyser in the above response
OK, that's the basic features. On to selection:
Device Selection; Datacenter: Each customer has one VPN tunnel per office. Since we're small, that's currently about 15 but I'd like to be able to support about 100. The VPNs tend to be low traffic as they really only carry the print and scan traffic from the customer. The majority of the traffic comes from connections to specific ports reserved for each customer which are then "Routed" to the customers' server. This implies that the replacement device is capable of both the firewall aspect and a routing aspect along with the requisite NAT (P-Nat for CISCO). This device needs to have intrusion protection and the UTM/NGFW features that help protect the customer. I need a pair of them that can operate in a redundant manner.
So any suggestions on which device for the datacenter?
Device Selection; Customer:
Each customer office has one device which maintains a VPN tunnel to the server (for the print and scan traffic). Most of the access to the server is via protected protocols (https, secure rdp connections) and don't actually traverse via the VPN. The device needs to be able to do NAT and basic routing for the small office. It needs to be able to do DNS and DHCP server functionality because the small offices don't have any servers at all, they're just a collection of PC/Tablet units that use the internet. I need to be able to set up DHCP option records for things like timeclocks and VoIP systems and I need to be able to do device reservations (by MAC at a minimum).
So, any suggestions on which device for the customer end?
And, if you reached the end, I thank you. Even if you only have a part answer/suggestion to anything above, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
Thanks and looking forward to your responses.
-g
Related Posts
- FortiClient Automatisierung (PAM) 90 Views
- FortiGate GRE Tunnel with Dynamically obtain... 112 Views
- SSL VPN for MAC M1 MAX 508 Views
- Connecting Two SIP Trunks with Different... 269 Views
- How to change the fortigaurd email... 251 Views
Labels
-
FortiGate
6,510 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.