How to Suggest Fortigate to customer

Author
irfanink
2017/03/28 00:03:50 (permalink)
0

How to Suggest Fortigate to customer

I would like to ask how we suggest a Fortigate to a customer. For example, we have 500 users, so how do we check which device is best and what throughput will be better for it?
#1
Iescudero
Re: How to Suggest Fortigate to customer 2017/03/28 09:41:41 (permalink) ☄ Helpful by irfanink 2017/03/28 22:13:22
0
Hi There!
 
The answer is a little bit tricky, because a single user could generate a lot of sessions and another just a few.
Another case would be if you have a service exposed to the internet, like a website, so you want to use an IPS, or on the other hand you just use the Fortigate as a router to the Internet. That's why the answer depends on several things, not just the number of users.
 
In my experience with around 500 users I got this status:
 
CPU states: 77% user 42% system 0% nice 51% idle
CPU0 states: 77% user 42% system 0% nice 51% idle
Memory states: 54% used
Average network usage: 40936 kbps in 1 minute, 44003 kbps in 10 minutes, 37604 kbps in 30 minutes
Average sessions: 28504 sessions in 1 minute, 29806 sessions in 10 minutes, 29434 sessions in 30 minutes
Average session setup rate: 192 sessions per second in last 1 minute, 186 sessions per second in last 10 minutes, 183 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 104 days, 13 hours, 4 minutes
 
This is from two Fortigate 110C units in an HA configuration with IPS, Antivirus, Web Filter, Application Control and a lot of IPSec VPNs, and FortiOS 5.2.10.
 
The cluster sometimes does not respond very quickly, or the CPU spikes to 100%, so taking this as an example I am short of resources, but I think a 200 would probably fit for me.
 
The list below just reflects my opinion:
 
500-1000 users = Fortigate 300D
250-500 users = Fortigate 200E
100-250 users = Fortigate 100E
Around 100 users = Fortigate 90E
50-100 Users = Fortigate 60E
1-50 Users = Fortigate 50E/Fortigate 30E
 
In my opinion, a Fortigate 200E would be great for 500 users and a few features enabled on it.
 
Hope it helps!
#2
MikePruett
Re: How to Suggest Fortigate to customer 2017/03/28 13:46:50 (permalink)
0
How fast is the internet connection?
 
Are you breaking your network up into several subnets?
Do those subnets talk with one another?
Do you want UTM functionality on the traffic traversing said subnets?

Mike Pruett
Fortinet GURU
#3
loic
Re: How to Suggest Fortigate to customer 2017/03/29 02:30:47 (permalink)
0
https://competitive.myfortinet.com/product_sizing
It's an old tool but gives you an idea of which parameters are important.
#4
emnoc
Re: How to Suggest Fortigate to customer 2017/03/29 09:20:28 (permalink)
5 (1)
That sizing tool is useless imho, and same for the sizing app.
 
http://socpuppet.blogspot.com/2015/05/the-fortigate-sizing-app.html
 
 
These are great for a general guess, but "the number of users" is NOT a factor in a fortigate sizing set. I ran an org on a pair of 2x 200B for over 5 years with no problems. They had way over end-points and had a lot of internal items such as
 
steelhead
web/ftp-proxy
no vpn-ipsec
no ssl-vpn
no ips
etc....
 
 
So it really depends on what you are GOING TO DO!
 
ideals;
 
Do you need  IPS
Do you ever plan on explicit Proxy
Do you do or need SSL inspection
Do you run any SLB VIP
Do you need ssl-vpn
Do you need logging ( on disk )
Do you plan on using a FAZ in the near future
etc......
 
 
All of those are more important imho. A firewall, fgt or not, is not like a shoe-size selection where you measure a foot and pick a pair of shoes by the size of the foot. I like to look at it as what you're going to do (dance, job, for a job interview, climbing, walking, if walking on what, etc......)
 
;)
 
Ken

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#5
slavko
Re: How to Suggest Fortigate to customer 2017/03/29 12:39:01 (permalink)
0
Selecting a model can be a little tricky. I would suggest reaching out to your local Fortinet or Fortinet Partner representative, they will be able to help you. Just keep in mind that they will not take any chances and will propose a model that will work 200% without creating a bottleneck, so it might be considered to be an overkill for some users.

NSE 4, NSE 5, NSE 7, FortiMail & FortiWeb Specialist
All opinions/statements written here are my own.
#6
James_G
Re: How to Suggest Fortigate to customer 2017/04/14 02:27:46 (permalink)
5 (1)
If you need a quick budget, then work on the worst possible scenario. Take the sum of the bandwidth you want to inspect, i.e. 40 down 10 up is 50, then triple it because we like future proofing.

So we have a value of 150mbs we want to size. Look at the fortigate product matrix for the 'threat protection throughput' that assumes everything turned on, and find the product that matches.

So in summary a 40mbs fttc would probably best fit a 100e, 100mbs leased line then a 200e etc.

If you need to scan East West traffic in the LAN, then the sizing gets a lot more complicated.

Just my 2c.
#7
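An added example, not part of any post in this thread: it parses the "Average ..." lines of the status output pasted in post #2 and applies the triple-for-headroom rule from the post above to the measured peaks rather than to link speed. The function names, the `users=500` input and the choice to take the peak across the three windows are assumptions of this example.

```python
import re

# Lines from the output pasted in post #2 (two Fortigate 110C, around 500
# users), with the line-wrap breaks inside words repaired.
SAMPLE = """\
CPU states: 77% user 42% system 0% nice 51% idle
Memory states: 54% used
Average network usage: 40936 kbps in 1 minute, 44003 kbps in 10 minutes, 37604 kbps in 30 minutes
Average sessions: 28504 sessions in 1 minute, 29806 sessions in 10 minutes, 29434 sessions in 30 minutes
Average session setup rate: 192 sessions per second in last 1 minute, 186 sessions per second in last 10 minutes, 183 sessions per second in last 30 minutes
"""

# Line label in the output -> key used in the result (keys are this example's own).
METRICS = {
    "Average network usage": "kbps",
    "Average sessions": "sessions",
    "Average session setup rate": "setup_rate",
}

def parse_status(text):
    """Return {key: {window_minutes: value}} for the three 'Average' lines."""
    out = {}
    for line in text.splitlines():
        label, _, rest = line.partition(":")
        key = METRICS.get(label.strip())
        if key is None:
            continue  # CPU, memory and other lines are not used for sizing here
        # Each clause reads "<value> <unit words> in [last] <N> minute(s)".
        pairs = re.findall(
            r"(\d+)\s+[a-z ]+?\s+in\s+(?:last\s+)?(\d+)\s+minutes?", rest)
        out[key] = {int(window): int(value) for value, window in pairs}
    return out

def sizing_targets(text, users, headroom=3):
    """Peak of each metric across windows, per user, and scaled by headroom."""
    targets = {}
    for key, windows in parse_status(text).items():
        peak = max(windows.values())
        targets[key] = {"peak": peak,
                        "per_user": round(peak / users, 1),
                        "target": peak * headroom}
    return targets

if __name__ == "__main__":
    for key, t in sizing_targets(SAMPLE, users=500).items():
        print(f"{key:>10}: peak={t['peak']} per_user={t['per_user']} target={t['target']}")
```

The three targets are the figures to compare against the threat protection throughput, concurrent sessions and new sessions per second columns of a product matrix.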
ChrisRX
Re: How to Suggest Fortigate to customer 2017/04/19 08:46:45 (permalink)
0
Budget is a huge topic to debate when selecting the right firewall. What's the end goal for this network? Also, if this company is growing then I highly recommend you take this into account. I currently have two 600C Fortigates for a company with about 230 employees, and about triple that in devices. They're set up in Active-Active for HA. Now, as I'm sure you're aware, as you move up in each Fortigate model, the more expensive they become; however, the more features you will get, with the main advantage of obtaining some crazy throughput. In my opinion, after working with Fortigates for over 6 years now, I would consider what security features you will need first, then build from there.
 
As a side note, I've run a 200 user office off two 100D Firewalls without complaints. However, it was only servicing Internet with web filtering at first. I then downgraded an older Layer 3 HP switch to Layer 2 Access, and had the 100D route. Made a huge difference in performance, believe it or not. The ASIC chips in the Fortigates really do a nice job with offloading now; at first there were some weird anomalies, but those bugs were squashed with firmware updates. We saw better throughput to our CoLo to end user without the units exhausting their resource limits. And all with the added benefits of Application, Device, and User discovery to make managing Policies, Users, and Device Groups much simpler.
 
Things I would consider before purchasing.
 
  1. SSLVPN for Remote users?
  2. IPSec tunneling for remote sites?
  3. Web Filtering for all users, then applying strict policies for some and not for others?
  4. Will you need Active Directory Integration?
  5. Do you need dedicated DMZ ports for on-site web servers?
  6. Web and Internet only, or will Layer 3 Advanced Routing be enabled?
  7. FortiMail or other SMTP services?
  8. Anti-Virus and IDS\IPS system requirements?
  9. Fiber (SFP+) or Copper ports, or will you need a mix of the two?
  10. WiFi Integration? If you go with FortiWiFi, being able to control all your APs from a single point is really nice. Plus, after working with Meraki APs, I'm finding that Fortinet's APs are much easier to manage and deploy.
Hope this helps! Best of luck with whichever device you decide on. Not everyone is a fan of Fortigates, but I am. Once you learn them, it's hard to use other products. Not to mention Fortinet's huge push into their Collective Security Fabric with the more recent Firmware updates. I'm personally just about ready to update to 5.6.
 
-ChrisRX
#8