We would like to find a Fortigate consultant to review our setup and
help get all the features working. We are in North Virginia / DC Metro.
You may contact us at
user: cc06temp
domain: enterprisecomponent.com
"CCMiami" <nospam@modeldriven.org> wrote in message
news:TijJf.85964$QW2.4504@dukeread08...
> Thanks Russ,
>
> You don't happen to be or know of a resource in North Virginia, do you?
> The cost of this box in human terms is getting out of hand, the idea of
> needing to go to courses and such is disappointing.
>
> As for IPS, looking at the logs to find out I HAVE BEEN attacked seems
> like a bad solution. How often do you do this? Again, the human cost is
> high.
>
> We spent about an hour with support yesterday to get the VPN working, even
> he seemed to have trouble - note that this is just setting up normal
> dial-up users. Frankly, I still don't understand it, the policies seem to
> be "backwards".
>
> As for the VPN client, we have not tried custom installs, one of my guys
> just installed the VPN part and his machine will then not shut down.
> Others have the full install and it is still troublesome. We mostly have
> IBM laptops, perhaps it is a specific conflict.
>
> -CC
>
> "Somebody." <somebody.@nospam.russdoucet.com> wrote in message
> news:rXbJf.12195$43.9966@nnrp.ca.mci.com!nnrp1.uunet.ca...
>>
>> "CCMiami" <nospam@modeldriven.org> wrote in message
>> news:Jr0Jf.64784$bF.7648@dukeread07...
>>>
>>>
>>> What has been a problem is the complexity and documentation. This is a
>>> box they expect someone to become an expert on and understand the
>>> concepts, options and their interrelationships. The documentation
>>> requires multiple readings. We have yet to get the VPN working, we are
>>> on our 3rd try - getting VPN up requires configuration of options all
>>> over, there is a "step by step" but it seems somewhat out of date. I
>>> should emphasize we are talking about smart techies trying to do this.
>>
>> I teach Fortigate courses. I feel the box is a very complex, but very
>> learnable box. Feedback from my courses is always extremely good.
>> Perhaps a crash course from a local qualified resource would help you
>> out.
>>
>> I don't actually read the Fortinet documents very often though. :-)
>>
>>> There are a lot of AV options for specific attacks, most are just set to
>>> record the event. As we don't study virus signatures in detail, we
>>> don't have a good way to know what we should turn on, we hope the
>>> defaults are ok.
>>
>> You are probably talking about IPS; AV doesn't have such options. You
>> need to take a pro-active approach with this (and any IPS) to look in the
>> logs, refer back to the articles on Fortinet's website, and decide what
>> action to take with each item. The default is fairly permissive, because
>> if it wasn't, it would break all sorts of your production traffic when
>> you first drop it in. But it may therefore also let through some stuff
>> you should care about. However, it's logged. So, look at the logs. Big
>> hint: Change the column view in the log to reveal the "status" field.
>> That will help you understand what's happening.
>>
>>> We can't give good marks to the "Forticlient" VPN and Firewall. Every
>>> machine it has been installed on has had stability problems. There is
>>> an option to remove the firewall and just use VPN, but this requires
>>> modifying the install with special software we don't have and have never
>>> used. We are going to try using the MS VPN client.
>>
>> The Forticlient is really quite excellent compared to most any other
>> IPSec client install I've tried. You must must must turn off any other
>> firewall FIRST if you want to use the forticlient firewall. Same for AV.
>> And these components work really well, far better than any of the
>> Symantec bloatware or most of the other products I've ever looked at.
>>
>> That said, all you have to do if you want to stick with the windows
>> firewall and your favorite centrally managed enterprise AV software, is
>> to do a custom install instead of a standard install when you put the
>> forticlient on. Deselect the components you don't want and just leave the
>> VPN component. It's really very simple to do -- I assume you're trying to
>> build a custom no-touch install and that's how you've made it difficult.
>> That should be garden variety msi work but I've never bothered, it's only
>> about 10 or 15 simple clicks for the custom install anyway. Far simpler
>> than installing MSoffice or something like that. Just doing a vpn client
>> install without the other bits has been very stable everywhere I've tried
>> it so far, but YMMV on that one of course.
>>
>> As for setting up the software VPN, again, the published docs may not be
>> all that great, but I can always set up nicely featured software VPNs with
>> exported profiles in about an hour to meet the client's needs, no
>> problem. Once you learn it that is. :-)
>>
>>> Bottom line is this may be a good box for a pro, but it has a high
>>> overhead for the small network user. What we don't have is a good way
>>> to compare this with the other firewalls, perhaps they are all complex.
>>> I suspect that once everything is set up it will function well.
>>
>> I really do feel that they're great boxes but indeed are too complex for
>> the average IT guy to learn and set up well on their own in isolation.
>> We very, very often sell a day of time to do the initial deployment and
>> give a crash course on them to the local resources, and they usually do
>> well from there. Often they'll subsequently sign up for one of my
>> courses, but not always. But those guys usually end up being loyal
>> Fortigate users as they learn enough to really leverage the power of the
>> box. A year later, they can't imagine how they got along without them.
>>
>> -Russ.
>>
>
>
Received on Mon May 1 00:51:09 2006
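Russ's advice in the thread (review the IPS log, expose the status field, then decide an action per signature) as an added triage script. This is not code from the thread or from Fortinet; the key=value log layout, the field names type/status/attack_name and the sample lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed FortiGate-style key=value layout.
SAMPLE_IPS_LOG = """\
2006-05-01 00:10:02 type=ips subtype=signature src=10.0.0.5 dst=192.0.2.10 status=detected attack_name="HTTP.Bad.Request"
2006-05-01 00:11:15 type=ips subtype=signature src=10.0.0.7 dst=192.0.2.10 status=detected attack_name="HTTP.Bad.Request"
2006-05-01 00:12:40 type=ips subtype=signature src=10.0.0.9 dst=192.0.2.20 status=dropped attack_name="SMB.Null.Session"
2006-05-01 00:13:01 type=ips subtype=signature src=10.0.0.5 dst=192.0.2.10 status=detected attack_name="HTTP.Bad.Request"
2006-05-01 00:14:22 type=traffic subtype=allowed src=10.0.0.5 dst=192.0.2.10 status=accept
"""

# key=value pairs; values may be double-quoted (and then may contain spaces)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the key=value fields found in one log line."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def summarize_ips(log_text):
    """Count IPS events per signature and per status field.

    Non-IPS records (e.g. type=traffic) are skipped.
    Returns {attack_name: {status: count}}.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "ips":
            continue
        summary[rec.get("attack_name", "?")][rec.get("status", "?")] += 1
    return {name: dict(by_status) for name, by_status in summary.items()}


def log_only_signatures(summary, min_hits=2):
    """Signatures that were only ever logged (never dropped) and fired at
    least min_hits times: the items to review and assign an explicit action."""
    return sorted(name for name, by_status in summary.items()
                  if "dropped" not in by_status
                  and sum(by_status.values()) >= min_hits)


if __name__ == "__main__":
    summary = summarize_ips(SAMPLE_IPS_LOG)
    for name, by_status in summary.items():
        print(name, by_status)
    print("review:", log_only_signatures(summary))
```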