ESG Lab Report: Fortinet FortiGate
This report presents the results of ESG Lab’s validation testing of Fortinet’s FortiGate midrange next-generation firewall appliances.

Sep 15, 2014

Background


ESG asked 562 IT professionals and managers to identify spending plans for network infrastructure in 2014. Network security was the most cited response, by 52% of respondents, as shown in Figure 1.[1] In the same survey, mid-sized organizations were asked to name their most important IT priorities for 2014 and information security was once again among the most-often cited responses, with 31% of respondents.


Figure 1. Top Spending Plans for Network Infrastructure in 2014


 

Organizations have relied on the traditional firewall as the first line of security for their private networks and intranets for many years. Traditional firewalls can filter traffic based on protocols and the ports they use; stateful packet inspection, which holds packets until enough information is received about their state; and application layer filtering to detect whether an unwanted protocol is attempting to bypass the firewall using an allowed port.


Traditional firewalls come with a number of challenges, from complex configuration and management of different types of filters, to increasingly sophisticated attack vectors that can bypass traditional firewall technology, like fragmentation of packets, obfuscation of traffic flows, use of nonstandard ports, and others. Next-generation firewalls have come to market in an attempt to address the challenges of traditional firewalls.


Secure web gateways have traditionally looked at a subset of organizations’ network traffic (HTTP/HTTPS over ports 80/443, for example) and performed a slightly different function, enabling organizations to monitor and filter both inbound and outbound web traffic. Today, secure web gateway functions are often being merged with firewall functionality.


Next-generation Firewalls and Secure Web Gateways


The term next-generation firewall (NGFW) is applied to many modern firewalls, and can be defined as follows: A device that filters traffic between networks based on traffic types, content, or applications using specific flows. Applications can be port-agile and communicate across different ports depending upon configuration. Granular, application-specific security policies can help next-generation firewalls to potentially detect more malicious activity than traditional firewalls.


In ESG’s opinion, a next-generation firewall should blend the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while providing deeper network traffic inspection to enable granular policy enforcement. For example:


  • Identification and filtering of application traffic–To prevent malware from using Internet-based applications for delivery, often over non-standard ports to evade detection, an NGFW needs to be able to identify and filter traffic based upon specific services and application characteristics, rather than just opening or closing ports. Granular monitoring and control of specific application or service functions is also desirable to permit access by legitimate applications and users.
  • Intrusion detection and prevention–NGFWs should be able to leverage deep packet inspection to assist with detection and prevention of intrusions into a private network. This is often flow-based, where the flow of data through the network is analyzed, instead of the contents of each individual packet, enabling organizations to trade a degree of detection for higher performance.
  • SSL and SSH inspection–NGFWs should be able to decrypt and inspect SSL and SSH encrypted traffic, to validate that the conversation is from an allowed application and in accord with security policies.
  • Identity-based intelligence–To manage authorized applications and traffic based upon users and user groups, NGFWs should integrate with common directory services, like Active Directory and LDAP. Support for strong, multifactor user authentication methods is also desirable.
  • Malware detection and filtering–NGFWs should be able to detect and filter malicious code–regardless of source–based on a variety of attributes. Increasingly, solutions also look at runtime activity via the ability to emulate or execute code in a safe environment (commonly called sandboxing).
  • Comparable throughput and performance–NGFWs, despite the deeper level of multi-function inspection, need to keep pace with increasing network speeds and provide comparable or even superior performance as compared to traditional firewalls.

A secure web gateway (SWG) should provide a combination of baseline capabilities to enable monitoring, filtering, and inspection of web traffic. For example:


  • URL filtering–One of the most basic approaches to securing web traffic is URL filtering, which controls access to sites that are known to be bad–or good–using blacklists and whitelists. Reputation databases can be used to increase the accuracy of blacklisting techniques. Systems should allow organizations to map corporate usage policies to URL filters to ensure that users are not visiting sites or categories of inappropriate sites.
  • Malware detection and filtering–Secure web gateways should be able to detect and filter malware traffic based on signatures, reputation, activity, or behaviors to block malicious applications and sites. The ability to emulate or execute code in a safe environment (commonly called sandboxing) is one way to provide this capability.
  • Identity-based intelligence–To manage authorized web site traffic, including downloads, based upon users and user groups.

The overlap in purpose and functionality of today’s NGFW and SWG devices is clear to ESG Lab, as is the desire of some to consolidate them.


Fortinet FortiGate Next Generation Firewall


The FortiGate next-generation firewall platform is designed for tight integration of diverse security features—firewall, IPS, VPN, application control, antivirus, URL filtering, and advanced threat protection.


Figure 2. The Fortinet FortiGate Midrange Family


This architecture enables inspection of data packets as they traverse the security infrastructure, where they are either blocked or allowed to pass directly to the client inside the network without having to take multiple hops through point security control devices. This can improve an organization’s security posture while simplifying its administrative burden, from the simplest SMB implementation to the most complex multi-network, multi-site enterprise or managed service provider environment. This ESG Lab Validation focused on the midrange line of FortiGate appliances, engineered to serve mid-sized environments that require between 3Gbps and 20Gbps of firewall throughput.


ESG Lab Validation


ESG Lab performed hands-on evaluation and testing of FortiGate at Fortinet’s facilities in Sunnyvale, California. Testing was designed to examine next-generation firewall functionality along with application visibility and control, with a look at intrusion detection and prevention, anti-malware capabilities, and actionable reporting and policy management. Also of interest was the ease of migration from a standalone traditional firewall to a FortiGate consolidated next-generation firewall/secure web gateway.


Getting Started


ESG Lab started with a pre-staged test bed as shown in Figure 3. Designed to emulate key elements of a typical mid-sized organization’s network, the environment consisted of both physical and virtual endpoint machines. These systems were deployed behind a Fortinet FortiGate security platform, which in turn was connected via a WAN link to the Internet.


Figure 3. The ESG Lab Test Bed


ESG Lab Testing


ESG Lab started with a walkthrough of configuring a newly installed FortiGate security system. The walkthrough began with connecting a laptop directly to the FortiGate system using Ethernet. The laptop was automatically assigned an IP address by the DHCP server built into the FortiGate. A standard web browser was used to log in to the FortiGate appliance using its default address. Once logged in, the FortiGate presented the system dashboard, as shown in Figure 4.


Figure 4. The FortiGate Management Dashboard

On the left the dashboard presented a full menu for managing the FortiGate on a daily basis, while in the center, the dashboard presented system status and licensing information. On the right, the dashboard presented resource utilization graphically as a series of gauges, for an at-a-glance overview of the health of the system. At the top right of the interface is a button to invoke the configuration wizard.


The administrator selected the configuration wizard, which walks through a well-defined sequence of steps to collect the primary configuration information and apply the configuration to the system (Figure 5).


Figure 5. The FortiGate Configuration Wizard


The configuration wizard walked the administrator through configuration of global system settings, including integrating the device with FortiGate’s FortiManager centralized security management system. Once the global settings were configured, the next step was to configure the network interfaces for both the internal network and the WAN (Internet) interfaces, and Wi-Fi if installed. FortiGate also supports a backup connection to the Internet over a 3G/4G cell modem.


Following the network configuration, the wizard provided the administrator the opportunity to provide an initial configuration of FortiGate’s security features, including providing a schedule for enabling the WAN interface, as well as configuring virtual server (NAT tunneling) and remote VPN access. During Internet access policy configuration, the wizard provided both outbound and inbound firewall security settings, as well as the settings for the integrated unified threat management system (Figure 6).




Outbound Internet access could be configured to use Network Address Translation (NAT), while inbound Internet access could be configured to both monitor usage and block malicious content. The integrated unified threat management configuration included switches to enable the detection and removal of viruses, IPS, and blocking of spam and malicious content. Secure web gateway functionality was also configured in this step to enable monitoring and blocking of malicious web content as well as the use of specific applications.


Figure 6. The FortiGate Configuration Wizard – Internet Access Policy


Once all steps in the configuration wizard were completed, the administrator was presented with a summary of each configuration item that would be set. The wizard allows users to step backward through the process to rectify any errors. Clicking on the Configure button caused the wizard to apply the configuration to the system.


ESG Lab validated that the wizard-based approach to obtaining and applying the initial configuration was quick and easy to use, and configuring the system to a running state took just a few minutes.


Why This Matters


It’s a fact of life in IT that security system installation and configuration is difficult. The process of researching, purchasing and setting up hardware and software, defining processes, and testing your solution can be time-consuming and complex. As a result, many small and medium-sized organizations struggle with security–including upgrading security products–as they often have few IT staff, most of whom are IT generalists. For the same reason, remote offices in distributed enterprises are often under- or unprotected.


A consolidated appliance-based protection solution such as Fortinet FortiGate can be more affordable, easier to integrate into an environment, and provide faster time-to-value than multiple point solutions. Using a test bed that simulated a typical mid-sized organization’s network environment, ESG Lab validated that FortiGate was subjectively easy to set up and begin using for security, and doesn’t require extensive security expertise out of the box. The initial deployment took less than 5 minutes using the Configuration wizard.




Consolidated Next Generation Firewall and Secure Web Gateway


ESG Lab next examined some of the security services available on the FortiGate midrange platform. The environment was designed to emulate key elements of a mid-sized organization’s network, as illustrated earlier in Figure 3. A FortiGate appliance was deployed between a number of physical and virtual endpoint machines and the Internet. Testing aimed to validate the ability of the FortiGate appliance to provide robust, consolidated network security services acting as both a next-generation firewall and as a secure web gateway.


ESG Lab Testing


ESG Lab began with a look at firewall policies. Policies are where rules are applied to all traffic passing through the firewall. Figure 7 shows policies defined in the test system. Standard firewall options are called out in the upper left, including source and destination, users and groups, schedules, services, and the action to be taken.


Figure 7. Examining Firewall Policies


Extended functions are called out in the lower right, including antivirus, web filtering, application control, IPS, e-mail filtering, data leak prevention, and SSL inspection. Extended functions are defined under the Security Profiles menu, and applied via policies to specific systems, networks, users, or groups.


Using the Application Control security profile, FortiGate can detect and take action against network traffic based on the application generating the traffic, and can granularly allow or deny specific actions within an application. Application control uses Fortinet’s IPS protocol decoders that can analyze network traffic to detect application activity even if the traffic uses non-standard ports or protocols.


First, ESG Lab configured the default application sensor in the system. As seen in Figure 8, activities associated with creating offsite copies of data using the DropBox service were blocked.


Figure 8. Creating an Application Sensor


It’s important to note that each application sensor can contain multiple application elements representing many different applications and activities.


Next, ESG Lab created a firewall policy for the Corp-users group and assigned the default Application Control sensor to it, as shown in Figure 9.


Figure 9. Configuring a Firewall Policy


It’s important to note that users and groups can be imported from user directory services like Active Directory over LDAP, shown in Figure 10.


Figure 10. Importing Users and Groups


Figure 11 shows the completed firewall rule defined for the group corp-users with the default Application Control sensor assigned to it.


Figure 11. Examining the Firewall Rule that was Invoked


Finally, ESG Lab logged in as a corporate user and as soon as the machine attempted to access DropBox, the FortiGate redirected to the Application Blocked replacement message. The user was unable to access or connect to the DropBox service.


Figure 12. User Notification of a Blocked Application


The Applications and Cloud Applications dashboards provide insight into the applications in use on an organization’s network. The Applications dashboard covers locally installed applications, while the Cloud Applications Dashboard focuses–as one would expect–on cloud-based services and applications.


Both dashboards provide basic information about each application–application name, category, risk level, number of sessions, and bytes sent and received.


The Cloud Applications dashboard, shown in Figure 13, shows additional information pertinent to cloud applications, specifically the number of login IDs associated with the application or service and if applicable, the number of files downloaded or videos played. When the user hovers the cursor over the column showing the number of videos, the titles of the videos are displayed.


Figure 13. FortiView–Cloud Application Dashboard


The Cloud Applications dashboard can be viewed by applications or by users. The Applications view, as shown above, lists the programs being used, while the Users view shows information on the individual users of the cloud applications, including username if the FortiGate device was able to view the login event.


Why This Matters


ESG research indicates that information security is a top concern of mid-sized organizations—defined as having from 100 to 999 employees. Thirty-one percent of the IT managers surveyed cited information security initiatives as one of their most important IT priorities for 2014.[2] Faced with numerous IT initiatives, and an increasingly dangerous threat landscape, security analysts and managers are forced to address new security requirements with legacy tools, point products, short-staffed security teams, and manual processes. What’s needed to address these challenges are intelligent, automated, and tightly integrated security management systems leveraging multiple technologies and tools.


ESG Lab validated that Fortinet FortiGate was able to use granular user- and group-based policies to provide next-generation firewall services, including monitoring and control of access to local and cloud-based applications, enabling consistent enforcement across the organization. Consistent enforcement via a consolidated platform can reduce the time, effort, and cost required to maintain a strong security posture.


 


Intrusion Prevention, Antivirus, and Web Filtering


FortiGate includes the ability to consolidate a wide variety of functionality–including antivirus, IPS, web filtering, and SSL inspection of encrypted content. All of these functions are available by simply enabling license keys. ESG looked at the configuration of three of these areas of protection in the FortiGate appliance: IPS, antivirus with cloud-based sandboxing, and web filtering.


FortiGate IPS allows organizations to create multiple IPS sensors, as seen in Figure 14.


Figure 14. Configuring IPS


FortiGate IPS uses two techniques: anomaly- and signature-based. Anomaly-based defense is used when network traffic itself is used to flood a host with far more traffic than it can handle, making the host inaccessible. The most common example is the denial of service (DoS) attack. Signature-based defense is used against known attacks or vulnerability exploits. FortiGate IPS includes more than 7,000 known malicious patterns, and uses experience-based heuristics to detect and stop attacks. Once a policy is defined, it can be applied to any appropriate firewall policy.

Antivirus profiles can be configured and applied to firewall policies as Application Sensors were in the previous section, to define how the traffic within a policy is examined and what action should be taken based on the results.


Figure 15. Antivirus and Send to Cloud or On-premise Sandbox Policies


As seen in Figure 15, the FortiGate antivirus profile allows administrators to select both inspection mode and the action to take on virus detection, and provides the ability to send files to a FortiSandbox advanced threat prevention (ATP) appliance or cloud-based service for deeper analysis.


Figure 16 shows the configuration of a Web Filter Profile on a FortiGate appliance. There are three main components of web filtering in FortiGate: the Web Content Filter, the URL Filter, and the FortiGuard Web Filtering Service. These components are tightly integrated and interact with each other to provide control over what the user can view as well as protection from many content-based threats.


Figure 16. Configuring Web Filtering


The Web Content Filter blocks web pages containing specific words or patterns. URL filtering blocks or exempts web pages from specific sources using URLs and URL patterns. FortiGuard Web Filter is a subscription-based managed web filtering solution. FortiGuard Web Filter enhances the web filtering features offered by FortiGate by sorting billions of web pages into a wide range of categories users can allow or block. The FortiGate unit accesses the nearest FortiGuard Web Filter Service Point to determine the category of a requested web page, and then applies the security policy configured for that user or interface.


Optionally, users can be allowed to override FortiGuard Web Filtering and view blocked web sites. Overrides can be applied to individual users, entire user groups, or all users who share the same web filter profile. Access to FortiGuard overrides is controlled through firewall and directory services user groups.


The Websites dashboard, as shown in Figure 17, lists the top allowed and top blocked websites.


Figure 17. FortiView-Websites Dashboard


Administrators can view information sorted by domain or by FortiGuard categories. Clicking on a FortiGuard category will display a description of the category and several example sites, with content loaded from FortiGuard on demand. Information is also provided about browsing time, threat weight, sources, and bytes sent or received.


Why This Matters


According to ESG research, of the organizations surveyed that had experienced a successful malware attack in the past two years, the overwhelming majority (83%) had experienced multiple breaches. Within this group, 32% suffered between two and five attacks, and another 30% suffered more than ten. Fifty-eight percent of security professionals told ESG that they believe that network-based anti-malware technology should be integrated into next-generation firewalls, making this the most popular response to where network-based anti-malware technology should reside by a wide margin.[3]


This is noteworthy since malware is used to give attackers access to internal systems and the key information stored on them, while further distributing itself across private networks. To be effective against these threats, a modern NGFW should be able to protect against them from multiple angles.


ESG Lab validated that Fortinet FortiGate can enable threat prevention and detection via IPS, antivirus, and FortiSandbox, and add another layer of threat protection with onboard and subscription-based Web filtering, all controlled via integrated, granular policies, running on the same consolidated platform.


 


Migrating to FortiGate with FortiConverter


When an organization upgrades its existing systems with new technology, IT is faced with the challenge of migrating system configurations. For security systems, the requirement to get it right the first time or risk a security breach is crucial and increases the level of difficulty. The challenge is increased by the differences in vendor devices and terminology, changes in technology, and old and redundant information in existing configurations.


Traditionally, organizations transitioning to new technology have relied on manual processes and expensive professional service teams from multiple vendors. Fortinet has created FortiConverter, an automatic multi-vendor configuration conversion tool. With the goal of simplifying migrations and enabling organizations to rapidly and simply transition to FortiGate, FortiConverter can convert configuration information from Cisco, Juniper, Checkpoint, and SonicWALL security devices, with support for additional vendors planned for future versions.


An automated configuration conversion tool, FortiConverter requires minimal input from the administrator, reducing the risk of human error. FortiConverter also has built in error detection and correction to identify unused objects and errors in the source configuration and prevent these errors from appearing in the final FortiGate configuration. FortiConverter is able to convert the largest and most complex security configurations, enabling administrators to rapidly transition to FortiGate.


ESG Lab Testing


ESG Lab participated in a walkthrough of FortiConverter conducted by Fortinet. FortiConverter is a Windows application, and a trial version can be downloaded directly from the Fortinet web site.[4] Once installed and opened, the main window presented a choice of vendors to begin the conversion. In this case, ESG Lab clicked on Juniper to demonstrate the conversion from Juniper to Fortinet.


Figure 18. FortiConverter Inputs


The next screen prompted for key pieces of critical information, indicating the specific model of Juniper security device to be converted. Output directory and output format (FortiGate or FortiManager) were also selected. Next, FortiConverter prompted for the location of the source configuration file.


The following screen enabled the administrator to map network interfaces from the source device to those on the destination FortiGate device. FortiConverter displayed a table listing each of the active interfaces and addresses. Each line in the table provided a pull-down menu to select the appropriate FortiGate interface to be mapped to that specific interface. The final screen listed the network routing table, and provided the administrator with the ability to add, edit, or delete individual entries. Once the routing table was updated appropriately, clicking ‘Next’ started the conversion process.


FortiConverter completed the conversion process in a matter of seconds, and displayed a summary of the conversion. In addition to directly viewing the FortiGate configuration, FortiConverter provided an option to view an HTML-based conversion report, as seen in Figure 19.


Figure 19. FortiConverter Conversion Summary Report

The center column of the conversion report provided the conversion summary organized into logical groups such as interfaces, zones, addresses, routing table, etc. The right hand column provided the entire text-based conversion file. By providing both a human readable, organized, and categorized version of the configuration, as well as the configuration using the actual FortiGate commands, administrators who are unfamiliar with the FortiGate CLI can review the configuration.


In addition to providing a general review of the converted FortiGate configuration, FortiConverter also provides the administrator with tools to fine-tune the configuration. The administrator selected the “Go to Tuning” button to start the fine-tuning process (Figure 20).


Figure 20. FortiConverter Conversion Fine-tuning


The fine-tuning section of FortiConverter provides a detailed log of the conversion process, enabling an administrator to quickly review the conversion to get a detailed understanding of each converted item, as well as to identify any areas for fine-tuning.


One major area for fine-tuning is the NAT table. Administrators can review and modify the SourceNAT (forward) NAT table, as well as the DestinationNAT (reverse) NAT table. FortiConverter displays the NAT table with a clean layout, and provides the ability to sort on any column, enabling the administrator to rapidly organize and review the information.


The most critical section that may require fine-tuning upon conversion is the security policy section. FortiConverter provides detailed tables on all aspects of security policies managed by FortiGate. Selecting a policy–in this case the default policy–displays the complete policy as a table. Simultaneously, a categorized list of managed object types for the policy is displayed.


Selecting a specific object type causes FortiConverter to display a table of all objects of that type. The table can be sorted by any column, making for quick and easy review. All items in the table are directly editable by clicking on them. The far right hand column is a policy reference that links to the lines in the policy that reference the object in question. Selecting a specific policy reference causes FortiConverter to display those specific policy references, enabling administrators to rapidly gain an understanding of complex security policies.


 

Why This Matters


Although IT organizations strive for standardization, particularly for configurations, the rapid pace of technological change forces IT systems to develop organically and rapidly. Modifications are often performed ad hoc without documentation, and, as with all manual processes, errors are often introduced and never noticed. When organizations upgrade to newer and better systems, they are faced with the daunting task of converting configurations to support the latest technological advances. This task is made more challenging by the absolute necessity of avoiding errors or risking security breaches.


Traditionally, IT has resorted to time consuming and error prone manual conversion of system configuration files during technology upgrades, or engaged costly professional services to aid in the process. With either method, the possibility for errors is great, and the risk to the organization is increased.


Fortinet’s FortiConverter is offered as a solution to the challenges faced during network security technology upgrades. ESG Lab validated that FortiConverter, with the input of a few key pieces of information, can automatically ingest configuration files from security devices from Juniper, Cisco, Checkpoint, and SonicWALL. FortiConverter can convert and generate configurations directly for FortiGate security systems. During ESG Lab testing, a new configuration was available within a matter of seconds and, using the FortiConverter tool, the final configuration could be easily understood, and any fine-tuning adjustments could be made.


The speed and automation provided by FortiConverter delivered the ability for administrators to quickly upgrade to the latest technology provided by FortiGate, while simultaneously reducing the potential for errors and minimizing the time and cost involved with the upgrade process. As a result, the costs and associated security risks inherent during an upgrade can be drastically reduced.


 

ESG Lab Validation Highlights


  • Using a test bed that simulated a typical mid-sized organization’s network environment, ESG Lab found Fortinet’s FortiGate appliances offer all of the functionality essential to a consolidated solution. As such, it can be more effective, affordable, and easier to integrate into an environment, providing faster time-to-value than multiple point solutions.
  • A consolidated appliance-based protection solution such as Fortinet FortiGate can be more effective, affordable, and easier to integrate into an environment, providing faster time-to-value than multiple point solutions.
  • FortiGate’s dashboards and reports give organizations a clear understanding of activity and risk, while granular application control and other capabilities enable the definition and enforcement of policies that balance productivity and security.
  • Granular user- and group-based policies provide next generation firewall services, including monitoring and control of access to local and cloud-based applications, enabling consistent enforcement across the organization.
  • Threat prevention and detection via IPS, antivirus and sandboxing add another layer of threat protection together with on board and subscription-based Web filtering, all controlled via integrated, granular policies, running on the same consolidated platform.
  • FortiGate also demonstrated that organizations can deploy multiple functions on the same platform. With next generation firewall functionality working in concert with secure web gateway services exercising granular application control, consolidation of security functions promises fewer devices to manage and less operational overhead.
  • ESG Lab validated that FortiGate was easy to set up and begin using for security, and didn’t require extensive security expertise out of the box. The initial deployment took less than 5 minutes using the Configuration wizard, and moving to FortiGate from legacy platforms is simplified with the FortiConverter migration tool.

Issues to Consider


  • A network-based security strategy should be used to complement an existing endpoint security software/antivirus strategy. While the cost and complexity of deploying and managing endpoint security software continue to rise and its effectiveness against zero-day attacks and polymorphic malware continues to fall, a strategy that includes a network-based solution that can detect advanced threats can improve coverage and reduce risk.
  • The test results/data presented in this document are based on testing in a controlled lab environment. Due to the many variables in each production data center, it is important to perform planning and testing in your own environment to validate viability and efficacy of any solution.


The Bigger Truth


In ESG’s 2014 IT Spending Intentions survey, ESG asked 562 IT professionals and managers to identify spending plans for network infrastructure in 2014, and network security was the most cited response, by 52% of respondents.[5] In the same survey, mid-sized organizations were asked to name their most important IT priorities for 2014 and information security was once again in the top three responses, with 31% of respondents.


Smaller organizations are finding it challenging to address new security requirements with legacy tools, point products, and manual processes. What’s needed to address these challenges are intelligent, automated, and tightly integrated security management systems leveraging multiple technologies and tools.


The FortiGate next-generation firewall platform is designed for tight integration of diverse security features—combining next-generation firewall application control, URL filtering, IPS, antivirus, advanced threat protection, and secure web gateway services under a single platform. This architecture is specifically engineered to improve an organization’s security posture while simplifying its administrative burden.


ESG Lab found the configuration wizard cleanly laid out and easy to follow. Configuration of a new appliance was completed in less than five minutes, including definition of initial security profiles and policies.


Fortinet FortiGate demonstrated flexible, consolidated network security, delivering multiple layers of security functionality on a single appliance. ESG Lab used the management console to configure policies and examine events in detail. Organizations can deploy multiple functions on the same platform, with next-generation firewall and secure web gateway services working in concert in our tests.


FortiConverter enabled ESG Lab to quickly upgrade from a legacy firewall to the latest technology provided by FortiGate, while reducing the time, effort, and potential for errors involved, and with them the risk inherent in any migration.


Products in the firewall space have different strengths, weaknesses, and capabilities for various types of security needs. ESG Lab believes that a next-generation firewall should blend the capabilities of first-generation network firewalls and network intrusion prevention systems (IPS), while providing deeper network traffic inspection to enable granular policy enforcement. Combining those capabilities with the web traffic monitoring, filtering, and inspection of a secure web gateway only makes sense as threats become more pervasive and evasive.


Fortinet’s FortiGate appliances offer the features, capabilities, and integration that can satisfy organizations’ requirements for intelligent, actionable network security with the additional capabilities to consolidate multiple functions onto a single platform. Any business looking for a multi-function next-generation firewall platform to improve its security posture would be smart to give Fortinet FortiGate a serious look.



Appendix

Table 1. ESG Lab Test Bed


ESG Lab Reports


The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to provide a first-hand look at some of the more valuable features/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. This ESG Lab report was sponsored by Fortinet.

 

 




[1] Source: ESG Research Report, 2014 IT Spending Intentions Survey, February 2014.


[2] Source: ESG Research Report, 2014 IT Spending Intentions Survey, February 2014.


[3] Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013.


[5] Source: ESG Research Report, 2014 IT Spending Intentions Survey, February 2014.