IDS mailing list archives
RE: Fortinet's fortigate 100 devices
From: "Jonathan Lebowitsch" <jlebowitsch () pacbell net>
Date: Mon, 2 Jan 2006 14:02:51 -0800
Joel, what Fortigate model do your numbers refer to? Is it the 3600 that you reviewed? thanks -----Original Message----- From: Joel M Snyder [mailto:Joel.Snyder () Opus1 COM] Sent: Thursday, December 29, 2005 8:18 AM To: squid () oranged to; focus-ids () securityfocus com Subject: Re: Fortinet's fortigate 100 devices
- Has anyone got any advice regarding the network
performance of these
devices in real world environments. During my testing I
noticed they
are using a Realtek 8139 based NIC. I personally have
never had any
issues with Realtek 8139 cards in environments ranging
from slow to
medium/high bandwidth utilization (40-50Mbps) however any
feedback
about how the Realtek network cards perform in the
Fortigate would be
greatly appreciated.
I did a test of Fortinet products and found them to be highly CPU-bound once you turn on all features. For example (TPS = HTTP transactions per second): only firewall turned on: 2000 TPS/70 Mbps IDS turned on: 1000 TPS/39 Mbps IDS+IPS turned on: 1000 TPS/39 Mbps IDS+IPS+A/V turned on: 100 TPS/2 Mbps IDS+IPS+A/V+VPN tunnels: 50 TPS/1 Mbps
- I noticed that the system has got HA functionality. It
appears to be
very similar to the way in which VRRP works. However it
does not state
that its actually VRRP (licensing issues perhaps). Does
anyone have
any feedback as to how good the fail over/fail back/
redundancy issues
are on these devices?
It works quite well, for some values of "quite well." See my writeup in Network World last week: http://www.networkworld.com/reviews/2005/121905-ssl-ha.html? review=sslvpn The situation is that the HA is really an availability thing, not a HIGH availability thing. Fortinet is not sharing all the state information across the active/active pair, which means that when you have an HA event, you'll failover to the new device, but many of the transactions might have to be restarted (such as, for example, requiring users to re-authenticate). They have an internal load balancer, which looks slick in the glossy brochures, but once you get to testing it, you'll see that they are not load-balancing everything. As I remember, only A/V is really load balanced (which, as you can see by the numbers above, is the single most significant drag on system performance).
- Any overall opinions or feedback from anyone that has
used the
device in any production environments would be fantastic.
Also if
anyone knows of any competing products I would like be
very interested
to know about them.
I found that their SSL VPN features were buggy and incomplete. I have severe reservations about their QA process. In the past, they have "announced" features (like their 2.8 release) and then have them sit in beta or 'not generally available' for months at a time. For example, they told me that their SSL VPN feature (in 3.0) was shipping and ready to go, but in fact it's only available on specific request to technical support. In other words, they often say "you can get this on our web site," but in fact, you have to beg technical support for it. I don't know what the situation is with their internal software QA and development process, but from the outside, it has a certain malingering odor to it that I would be suspicious of. All that being said, I have talked to folks who have used them for in-line A/V and are very happy. Since this is the oldest and most stable feature of the product, if that's your goal, then I'd go for it. But since you're writing to Focus-IDS (and not Focus-Antivirus), I would be a bit more suspicious of their capabilities in the IDS+IPS space, and I would test them much more carefully.
- I am also interested to know how everyones experiences
are in
regards to Fortinet support?
I have only one data point. On 20-November, I sent in a ticket asking for copies of the 3.0 manuals (only 2.8 is on the web site) and the newest 3.0 software. On 28-November, I got a response saying that they would research that, and on 29-November, I got a response telling me how to download 3.0beta build 89 (although the build that had been shipped to me was build 111). jms -- Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719 Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX) jms () Opus1 COM http://www.opus1.com/jms Opus One ------------------------------------------------------------ ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_ 040708 to learn more. ------------------------------------------------------------ ------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Fortinet's fortigate 100 devices Louis Wang (Jan 02)
- <Possible follow-ups>
- Re: Fortinet's fortigate 100 devices Joel M Snyder (Jan 02)
- RE: Fortinet's fortigate 100 devices Jonathan Lebowitsch (Jan 06)
- Re: Fortinet's fortigate 100 devices hank . schupp (Jan 02)
- RE: Fortinet's fortigate 100 devices Andrew Plato (Jan 02)
- Re: Fortinet's fortigate 100 devices Bob Walder (Jan 05)