Wednesday, January 9, 2013

FortiGate 60C: What A Pain

OK, first and foremost, I cannot stand this product. I am NOT a Fortinet fan. I had to work on one today and this product is terrible. Yeah, it might get you internet access. Yeah, there may be some cool things about it. But I can tell you I will never have one of these on my network. It's just not an "enterprise" level solution. It's more like a SOHO solution or a paperweight. Really, more like a paperweight.
I went onsite to do some IP telephony work today at a customer, and one of the things I needed to do was to configure their 60C (I can't even say that brand name. Ugh.) to do DHCP. It took me 10 minutes just to log into the box. I got a frame of the screen of selections, with no links to "System", "Router", "UTM", etc. until a significant amount of time passed. Terrible.
So my goal was to change parameters in an existing DHCP scope. It took 6 minutes and 25 seconds just to make a change in the already existing DHCP scope. Terrible.
Even when I had this DHCP scope enabled and I plugged my laptop in directly to the 60C, it still wouldn't hand out DHCP over the Microsoft DHCP server. And it should have, since the 60C was the first device that should have seen my DHCP request from my laptop (since I was connected directly to it).
Now, with that said, I have been on Fortinet firewalls before that did not present THIS problem. There is no doubt that there was just something wrong with this unit, and I understand that. Although, it seems like every time I have touched one of these Fortinets, something just wouldn't act right on them. My last experience was a VPN. Simple enough to configure, but for some reason it just wouldn't work (and this was with another Fortinet on the other end). When I replaced it with Cisco, everything worked fine.
I understand that everyone's experience is different. But I've been working with firewalls for a long time. This isn't rocket science. To me, Fortinet is at the bottom of the list. Right down there with Linksys.
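The DHCP situation described above is worth a closer look with packets rather than the GUI. With two DHCP servers on one broadcast domain, a client's DISCOVER reaches both, both may send an OFFER, and the client is free to take whichever acceptable OFFER it receives first (RFC 2131); being the first device on the wire does not by itself decide which server wins the lease. The field that tells you who actually answered is option 54, the server identifier. The Python below is an added example, not code from the original post or from Fortinet: it builds a constructed capture (one DISCOVER and two OFFERs; the addresses 192.168.1.1 for the firewall's scope and 192.168.1.10 for the Windows server's scope, the client MAC and the lease times are all made up for the example) and decodes which server offered what. Feeding `decode_offer` the UDP payloads from a real capture on the client segment does the same job.

```python
"""Decode DHCPOFFERs to see which server answered a client's DISCOVER.
Added example, not code from the original post; the capture at the bottom is
constructed in-code (RFC 1918 addresses, made-up client MAC) to model two DHCP
servers sharing one broadcast domain."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 1, 3, 51, 53, 54, 255
BOOTREQUEST, BOOTREPLY, DHCPDISCOVER, DHCPOFFER = 1, 2, 1, 2

def build_dhcp(op: int, xid: int, yiaddr: str, mac: bytes, options: dict) -> bytes:
    """Minimal RFC 2131 message: 236-byte BOOTP header, magic cookie, TLV options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,          # op, htype=Ethernet, hlen, hops, xid, secs, flags (broadcast)
        b"\0" * 4, socket.inet_aton(yiaddr),  # ciaddr, yiaddr (the address being offered)
        b"\0" * 4, b"\0" * 4,                 # siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return header + MAGIC_COOKIE + tlvs + bytes([OPT_END])

def parse_options(data: bytes) -> dict:
    """Parse TLV options up to END, skipping PAD (option overload, 52, is not handled)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        val = data[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option value")
        opts[code] = val
        i += 2 + length
    return opts

@dataclass
class Offer:
    xid: int
    server_id: str              # option 54: the server that is actually answering
    yiaddr: str
    router: Optional[str]
    lease_seconds: Optional[int]

def decode_offer(packet: bytes) -> Optional[Offer]:
    """Return an Offer for a DHCPOFFER, None for any other DHCP message type."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = packet[0], struct.unpack("!I", packet[4:8])[0]
    opts = parse_options(packet[240:])
    if op != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    return Offer(
        xid=xid,
        # An OFFER without a server id is itself suspicious; surface it, don't guess.
        server_id=socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else "unknown",
        yiaddr=socket.inet_ntoa(packet[16:20]),
        router=socket.inet_ntoa(opts[OPT_ROUTER][:4]) if OPT_ROUTER in opts else None,
        lease_seconds=struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
    )

def offers_for(packets: list, xid: int) -> list:
    """OFFERs answering one transaction, in capture order. More than one entry means
    two servers are competing for the client; the first is the one most clients take."""
    found = (decode_offer(p) for p in packets)
    return [o for o in found if o is not None and o.xid == xid]

# Constructed capture: one DISCOVER, then two OFFERs for the same xid. 192.168.1.1
# stands in for the firewall's scope and 192.168.1.10 for a Windows DHCP server's
# scope; the addresses, the MAC and the lease values are assumptions for this example.
CLIENT_MAC, XID = bytes.fromhex("02000000aa01"), 0x3903F326

def sample_offer(server: str, yiaddr: str, lease: int) -> bytes:
    return build_dhcp(BOOTREPLY, XID, yiaddr, CLIENT_MAC, {
        OPT_MSG_TYPE: bytes([DHCPOFFER]), OPT_SERVER_ID: socket.inet_aton(server),
        OPT_SUBNET_MASK: socket.inet_aton("255.255.255.0"),
        OPT_ROUTER: socket.inet_aton("192.168.1.1"), OPT_LEASE: struct.pack("!I", lease)})

SAMPLE_CAPTURE = [
    build_dhcp(BOOTREQUEST, XID, "0.0.0.0", CLIENT_MAC, {OPT_MSG_TYPE: bytes([DHCPDISCOVER])}),
    sample_offer("192.168.1.10", "192.168.1.150", 691200),  # Windows scope answers first
    sample_offer("192.168.1.1", "192.168.1.100", 604800),   # firewall scope answers second
]

if __name__ == "__main__":
    for o in offers_for(SAMPLE_CAPTURE, XID):
        print(f"{o.server_id} offers {o.yiaddr} via {o.router}, lease {o.lease_seconds}s")
```

In the constructed capture the Windows server's OFFER arrives first, so a typical client would lease 192.168.1.150 from it even though the firewall is the directly connected device. The same decoder applied to a real capture also flags a third, unexpected server identifier, which is the classic rogue-DHCP check.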

OK, while I respect other people's opinions on technologies, I'm going to post here an opinion that is 'respected' by most. Not my opinion, or any other regular Joe out there like me. This is Gartner themselves.


  1. Linksys is by Cisco.
    Fortinets are OK; you just need to know how to work them, just like any other firewall.

    1. Unfortunately, I do know about Fortinet. I'm just personally not a fan.

  2. The GUI features can be disabled, etc., based on the account or account group that you logged in with; this may be what caused you the grief. I grew up on PIX/ASA CLI, if you can call it growing up!! :) And now, after several months of working with Fortinet, I have fallen in love.

    The FortiOS CLI is where it is. Just as I had to get used to the ASA back in the day (IOS to PIX differences), this has been no different. I have come to really appreciate the FortiOS that powers these FortiGates. The performance and the capabilities of this UTM blow away the ASA. It is definitely different, but somewhat similar to CatOS in feel. The GUI, IMO, is similar to the ASA ASDM interface. It has its uses, but the CLI is where it's at.

    Hope you open up someday to these devices. I believe after some time you will see the difference and find value in its capabilities.

    IMO they (Fortinet) only have one competitor, and that is PAN.

    1. I found that last sentence about Fortinet's only competitor being Palo Alto pretty amusing (to me). I think if you look at the 2013 Gartner reports, Palo Alto and Check Point are the real industry leaders. I'll just have to politely disagree with you there.
      Yes, even though there are a lot of Cisco posts on here, I think they are behind the times. There just seems to be more out there in the world because of the name. Cisco has certainly made a name for themselves, and rightfully so.
      I have a ton of customers, and I rarely come across Fortinet, unless I'm replacing one.

  3. Fortinets lead the field in low latency. For UTM, Palo Alto is slightly ahead of Fortinet. If you need high SSL throughput, then Check Point wins. All depends on your requirements.

    1. Low latency is great. How about what you get a firewall for though, which is security? Again, look at the Gartner reports.

    2. Someone still believes Gartner?? OMG!
      Where are the real network engineers??
      Don't blame a platform just because you don't know how to use it.
      First learn and then talk!

  4. Fortinet must be doing something right. The New York Stock Exchange dumped Cisco for Fortinet the same year as this post.

    1. I personally would chalk that up to poor management decisions. What I have found is that when people stand up for a not-so-great product, usually the reason is that it is what they know, and they will defend it no matter what the negatives are about that product. Look, I used to be that way about Cisco. However, there comes a time when you have to face the truth.
      Also, I worked at a bank where the management made the technical decisions. They made some of the dumbest decisions I have ever seen, and this was a widely known bank. Just because there is a big-name company using a product doesn't mean they make good decisions. Look at our country, for goodness' sake. The leader of this country, what used to be a great country, makes terrible decisions. But just because I live here doesn't mean I back his decisions. The principles are the same.

  5. Time to update your Gartner report:

    1. Although interesting, it still does not negate my experiences with the product. :)

  6. Hi.

    My 2 cents.

    About the "last" Gartner report, it is important to compare technologies when they play on the same field, and for what the solution will be implemented.

    The last report is about UTM devices, and yes, FORTINET is the absolute leader at this moment. But a UTM device is comprised of several functionalities (like firewall, URL/content filtering, application control, IPS, etc.) designed to work together in the same device.

    The report that you mention above is (I guess) for Firewall ONLY. And YES, Palo Alto and Check Point are the leaders in THIS sector.

    One more thing. Fortinet is focused on small and medium-sized enterprises, and Fortinet is just recently contending to get into the market of large-scale enterprises, and they are doing fine IMO.

    Check Point and Palo Alto are focused on large-scale and carrier-grade enterprises.

    Again, it depends on where or for what the solution will be implemented and which solution is better to cover the customer requirements (you do not use a 6100 appliance or a Crossbeam X80 appliance running Check Point for a branch office comprised of no more than 100 users, right? ;) )

    I think that each brand has nice things and bad things, but the success of a deployment depends on selecting the correct solution considering the requirements of the deployment.

    If you want... no, bad word; instead, if you NEED an all-in-one solution for a medium-size enterprise, Fortinet goes fine.

    If you need brute force for a very, very large customer, go with another.

    It is important to read the entire report carefully, not only look at the quadrant. :)


  7. Instead of following the pay-to-play guys at Gartner maybe you should read about the actual certifications that Fortinet has from ICSA and NSS Labs.

  8. The author of this post is completely biased toward only what he/she knows. Palo is awful compared to Fortinet, and Fortinet beat Check Point on price, which is why so many adopt it now.

    1. Good one. Back to making decisions based on price. Easy to make assertions when you are "unknown".

