
Fortinet's latest hyperscale kit packs 2.4Tbit/sec of firewall into a 4U chassis

Nate Amsden Silver badge

impressive but scary

Pretty amazing specs on paper at least. Though the idea of having so much traffic being routed through a complex next generation firewall as a single point of failure (referring to software failure, not hardware) is scary. I've read (from Fortinet fans) that Fortinet has a history of questionable firmware versions that can cause big problems (so find a good version and stick to it is the suggestion). They aren't alone here for sure; Cisco has a really bad reputation for Firepower. Sonicwall has a pretty terrible reputation among network folks as well. I'm sure there are others too. I personally have used Sonicwall for the past decade without much issue, but all my firewalls are basically layer 4. I assume most of the pain with Sonicwall may be the layer 7 stuff. I recall one stupid mistake on Sonicwall's part earlier this year, I think, where they pushed a bad signature update out to their Gen7 firewalls and made them go into a crash/reboot loop. One of my office edge firewalls was hit by that. What was even stranger to me was that this firewall had no layer 7 licensing, so why the hell was it bothering to download a signature update that it didn't have a license to use? Stupid.

Load balancers have a solid history of being able to do Layer 7 well at high speeds, but they too are far less complex than a next generation firewall.

Point being, firewalling at layer 4 is pretty well fleshed out at this point; the systems are simple and reliable probably 98-99% of the time. Layer 7 firewalls and deep packet inspection and SSL inspection seem far less reliable (and such reliability doesn't seem to have improved much in recent years as complexity grows ever greater). Having so much complexity at a single point for massive traffic just scares me (probably anything over, say, 50Gbps).

I'm less concerned about something getting through the firewall (as in the firewall not detecting a threat, since there's no way any firewall can block everything, so some stuff will get through regardless) than I am about the firewall outright crashing, dropping packets for unknown reasons, or otherwise blocking valid traffic because of bug(s).

Maybe I'm wrong though.
