Fortinet says it’s all about the security ASICs

As security and networking converge, Fortinet CEO Ken Xie believes the company he co-founded will win this particular $200bn market with its custom application-specific ICs, or ASIC chips. "On day one, 22 years ago, we leveraged ASIC technology to lower computing costs, increase computing power, and also add additional …

  1. Anonymous Coward

    Bollocks (ish)

    I've deployed quite a few Fortinets and other firewalls/routers/packet ticklers. You need to be able to define your policy wrt internets and then you need to be able to deploy and enforce that policy. Everything else is stamp collecting!

    Define your policy: Errr keep the baddies out and my users safe or somethink. OK this needs some work but out of the box you do get a reasonable set of defaults - bugger all with no indication of what to turn on. NAT enabled on all allow rules and other travesties.

    Deploy it: Let's take a simple operation - allow access from the outside to a box on the inside. Oh $DEITY. Define a NAT policy (it isn't called that) in one place and then reference that in firewall rules. There are other methods too from the GUI or CLI that barely hide the underlying OS primitives.

    What about a site to site VPN? That'll be IPSEC only thank you. Curve 25519 support has recently been added which is nice but the GUI is awful to navigate, it's dreadfully clunky. Yes there's a CLI but it is yet another language to learn and I can't be arsed. FFS I already have to speak so many IT wanky languages already - most of them with a rubbish accent.

    Fortinets may have loads of clever shit in the box but the GUI is wank for many of the basics. That goes for pretty much everything "cool" in IT these days. Lots of clever stuff with a crappy interface and half thought out interactivity. Support via whispers and innuendo on Reddit and shitty "forums".

    Despite my whining, I won't go back to IT in the (say) noughties. What we have now is (mostly) rather better by an order of magnitude.

    I do recommend you use the colour coding, even if it is a bit inconsistent. It does help make rule sets readable.

    1. Anonymous Coward

      Bad GUI, are you kidding me? Since 6.0 it's been a breath of fresh air.

      Try an ASA and tell me how you feel after that. Or Cisco SDM, or Cisco APIC, or Cisco Network Assistant, or Cisco Firepower, etc, etc etc.

    2. Smirnov

      Your first sentence fits the following ones very well.

      None of the firewall vendors are saints, but amongst the crop Fortigates get as good as it gets (unless you can or want to pay for PAN). I'm not sure what version of FortiOS you're talking about, because as mentioned by another poster since at least version 6.0 it's been dead easy to use.

      Your rant also suggests that your understanding of network security is stuck in the '90s where simple port blocks were sufficient to be reasonably secure. These days are long gone and your simple SPI firewall is pretty useless against modern attacks which require your firewall to be able to detect and examine encrypted data.

      I just came out of a firewall evaluation with products from different vendors such as Sophos, Watchguard, Juniper and Cisco, and if you think that Fortigates are poor you clearly haven't seen what the others came up with (Sophos XG is slow but feature rich, Juniper's SRX is only good as a VPN endpoint and legacy firewall, and Cisco Firepower is a major clusterfuck). With Fortigate, the only thing you need to be aware of is to not deploy any firmware where the last version digit is lower than 4.

  2. Griffo

    Interesting

    I remember a similar pitch from Alteon. Remember them? Great technology, had a few bugs but was a great packet mangling ASIC.

    Then Nortel bought them. Remember them?

    1. mikus

      Re: Interesting

      Remember? You missed the memo Radware bought the rotting carcass in the Nortel collapse, and used it to make their "next-gen" load-balancers now. Yes my friend, it's aliiiiiive! <cackles to himself>

      I always wondered what jackasses actually buy Radware (that aren't Israeli), and last year I ran into one still running ancient Radware LBs (still required Flash!) and went in on the "next-gen" kit now. I tried to talk some sanity into them that F5 or Citrix might be a more rational option, you know, people actually use and support them, but they couldn't be bothered to look at switching vendors.

      I just laugh inwardly that someone actually bought the last-gen-before rejects as everyone already forgot the stench from the first and second round of life.

  3. Clausewitz 4.0

    NSA

    If you can protect your ASIC from NSA snooping, I bet you have a big market.

    If you cannot, you are just a common x86 folk. Yes, other countries will know if you are fake.

  4. Anonymous Coward

    Much ado about the CEO's personal conflicts of interest

    Oh wait, they skipped over that part, where the CEO was selling the reporter on the benefits of his other company selling accelerators to Fortinet.

    They might even work, but at the cost of dealing with yet another networking giant whose products are stuck in the 90s and early 2000s. Hardware accelerators show up on a decadal cycle, we worked with one out of New Zealand for a content filtering firewall/UTM almost 20 years ago. The kiwis were great guys, the solution was fast enough, lowered both latency and CPU overhead. But it was cheaper a year later just to buy faster hardware and some slightly better NICs. So we did. Most routers will never be used in an environment that justifies staying on the bleeding edge and rolling low volume custom silicon.

    Also, the company needs to streamline more than the ASICs. The GUI is jank, the Fortinet VPN client is basically malware, and the company's support is an embarrassment (took them 6 months to unbrick a machine that choked on a bad VPN client update that one of our vendors had us install for a database project. 10 calls over 6 months for a known bug and it only stopped when one of the vendor's C levels called one of Fortinet's C levels and told them to stop making them look like idiots in front of the vendor's customers.)

    Venom aside, using network hardware with offload capability is still a good idea, just that it will probably be the same stuff that every other network hardware company has been selling to put in servers and switches for years. The sweet spot is always the middle of the high end of the mass market.

  5. Gene Cash Silver badge

    Baffle 'em with bullshit

    There was so much marketing bafflegab, the only comprehensible bit was the 7th paragraph, where the El Reg folks tried to inject some sanity and plain-English explanation.

    If I feel like I'm listening to a '60s Star Trek episode, I'm certainly not going to want their product.

  6. SJP

    Love my FortiGates

    I’ve been taking care of FortiGate firewalls for coming on 15 years and I love them.

    Excellent value and the ASIC based models have been very high bandwidth and super low latency, compared with other vendors at similar price points.

    Unlike other vendors which don’t use any ASIC or FPGA acceleration, enabling deep inspection even of encrypted traffic, for IPS and AV, does not punish us for performance.

    The GUI is excellent now and the stability has been phenomenal for us.
