Re: Fortigate Experiance / Review

Thanks Russ,

You don't happen to be or know of a resource in North Virginia, do you?
The cost of this box in human terms is getting out of hand, the idea of
needing to go to courses and such is disapointing.

As for IPS, Looking at the logs to find out I HAVE BEEN attacked seems like
a bad solution. How often do you do this? Again, the human cost is high.

We spent about an hour with support yesterday to get the VPN working, even
he semed to have trouble - note that this is just setting up normal dial-up
users. Frankly, I still don't understand it, the policies seem to be
"backwards".

As for the VPN client, we have not tried custom installs, one of my guys
just installed the VPN part and his machine will then not shut down. Others
have the full install and it is still troublesome. We mostly have IBM
laptops, perhaps it is a specific conflict.

-CC

"Somebody." <somebody.@nospam.russdoucet.com> wrote in message
news:rXbJf.12195$43.9966@nnrp.ca.mci.com!nnrp1.uunet.ca...
>
> "CCMiami" <nospam@modeldriven.org> wrote in message
> news:Jr0Jf.64784$bF.7648@dukeread07...
>>
>>
>> What has been a problem is the complexity and documentation. This is a
>> box they expect someone to become an expert on and understand the
>> concepts, options and there interrelationships. The documentation
>> requires multiple readings. We have yet to get the VPN working, we are
>> on our 3rd try - getting VPN up requires configuration of options all
>> over, there is a "step by step" but it seems somewhat out of date. I
>> should emphasize we are talking about smart techies trying to do this.
>
> I teach Fortigate courses. I feel the box is a very complex, but very
> learnable box. Feedback from my courses is always extremely good.
> Perhaps a crash course from a local qualified resource would help you out.
>
> I don't actually read the Fortinet documents very often though. :-)
>
>> There are a lot of AV options for specific attacks, most are just set to
>> record the event. As we don't study virus signatures in detail, we don't
>> have a good way to know what we should turn on, we hope the defaults are
>> ok.
>
> You are probably talking about IPS, AV doesn't have such options. You
> need to take a pro-active approach with this (and any IPS) to look in the
> logs, refer back to the articles on Fortinet's website, and decide what
> action to take with each item. The default is fairly permissive, because
> if it wasn't, it would break all sorts of your production traffic when you
> first drop it in. But it may therefore also let through some stuff you
> should care about. However, it's logged. So, look at the logs. Big
> hint: Change the column view in the log to reveal the "status" field.
> That will help you understand what's happening.
>
>> We can't give good marks to the "Forticlient" VPN and Firewall. Every
>> machine it has been installed on has had stability problems. There is an
>> option to remove the firewall and just use VPN, but this requires
>> modifying the install with special software we don't have and have never
>> used. We are going to try using the MS VPN client.
>
> The Forticlient is really quite excellent compared to most any other IPSec
> client install I've tried. You must must must turn off any other firewall
> FIRST if you want to use the forticlient firewall. Same for AV. And
> these components work really well, far better than any of the Symantec
> bloatware or most of the other products I've ever looked at.
>
> That said, all you have to do if you want to stick with the windows
> firewall and your favorite centrally managed enterprise AV software, is to
> do a custom install instead of a standard install when you put the
> forticlient on. Deselect the components you don't want and just leave the
> VPN component. It's really very simple to do -- I assume you're trying to
> build a custom no-touch install and that's how you've made it difficult.
> That should be garden variety msi work but I've never bothered, it's only
> about 10 or 15 simple clicks for the custom install anyway. Far simpler
> than installing MSoffice or something like that. Just doing a vpn client
> install without the other bits has been very stable everywhere I've tried
> it so far, but YMMV on that one of course.
>
> As for setting up the software VPN, again, the published docs may not be
> all that great, but I can alway set up nicely featured software VPNs with
> exported profiles in about an hour to meet the client's needs, no problem.
> Once you learn it that is. :-)
>
>> Bottom line is this may be a good box for a pro, but it has a high
>> overhead for the small network user. What we don't have is a good way to
>> compare this with the other firewalls, perhaps they are all complex. I
>> suspect that once everything is set up it will function well.
>
> I really do feel that they're great boxes but indeed are too complex for
> the average IT guy to learn and set up well on their own in isolation. We
> very, very often sell a day of time to do the initial deployment and give
> a crash course on them to the local resourses, and they usually do well
> from there. Often they'll subsequently sign up for one of my courses, but
> not always. But those guys usually end up being loyal Fortigate users as
> they learn enough to really leverage the power of the box. A year later,
> they can't imagine how they got along without them.
>
> -Russ.
>
Received on Mon May 1 00:51:03 2006