Network Security Focus-IDS

Re: Fortinet's fortigate 100 devices

Subject: Re: Fortinet's fortigate 100 devices
Date: 29 Dec 2005 17:40:44 -0000
Jimmy - 

We ran an internal bake-off between several of the All-in-one appliances last 
year including the FortiGate 3000-series appliance. In the end, for us, the 
FortiGate appliance took the lead in almost every category.  Throughput, 
ease-of-use, configuration, and HA/LB.  The HA was tested on both the copper 
and fiber interfaces and the units failed-over consistently when such 
conditions were created.  The HA process maintains session data across the 
units. We pulled cables in the middle of large downloads and the units not only 
failed over but passed on the session data so that the download continued with 
only a momentary (it was visible) hitch.  FTP sessions were rock solid but 
occasionally an HTTP download would hiccup during the FO.  

There were some weaknesses in the Management Interface as far as AV 
configuration and reporting but from recent reviews I hear that has improved 
dramatically.

FortiGate had some licensing issues with the AV portion of the product last 
year and I have not heard how they resolved all that but since they are still 
selling it with AV I gather it has been.

Support-wise I was impressed.  Even though they knew we were doing this as an 
eval for a customer they were always quick to respond to our questions and 
issues.  Enough so, that when we experienced some problems with the HA testing 
they sent an engineer to our lab to assist in the troubleshooting.  Problem was 
a BIOS mismatch.  Unable to fix it onsite - they shipped overnight another 
PAIR of units they knew to be compatible.  This was support pre-sales!  In the 
end our customer did purchase several FortiGate 3000 appliances and has been 
extremely pleased with the boxes so far.  (some log-forwarding to a SIM has 
made them even happier). 

Caveat:  In the end, all three vendors (FortiGate, Symantec, and ISS) being 
evaluated sent engineers to assist in the initial configuration or 
troubleshooting of their products.  This was more to do with giving them all an 
equal chance to show their product at what they conceived to be "tuned" than 
with any actual problems. 

Note2: The FortiGate included an option for a "Fail-By" capability (hardware 
option) that could bypass the unit(s) if they started failing to inspect 
traffic (due to load or just plain failure).  This is a highly controversial 
option since you likely would NOT want traffic to go uninspected.  However, 
there are conditions where the RISK considerations say to maintain the link no 
matter what.  Hmmm... Not sure if that should ever be true ... but the option 
is there nonetheless.

I have the eval docs on file (not releasable) and can look up any specific 
areas you may have questions on.  

hps 
