Mind you, this was 2 1/2 years ago. I was just hired by the company and they had already been testing the VPN design. The problem had to do with source and destination NATing. All I can remember is we had our Cisco reps set up two PIXes in a row to get the NATing to work the way we wanted. Fortinet had to do the same thing, until they changed their code.
The new ASA routers probably do not have this problem today, or PIX version 7 code might work too. Although we no longer use this VPN design, and in the future I would have designed it a bit differently anyhow. :)
We have bought several fortigates from Fortinet. I have very mixed feelings about them.
The AV file scanning was the only firewall at the time to proxy a file, scan it completely, and pass it on to the user. We wanted this over scanning a stream. Cisco's new ASA could not do this. They could not even get the ASA to work with AV. We at one point had the development engineer on the phone and 3 engineers in the office and could not get it to work.
The firewalls supported a VPN partner network to our company's specs that the Cisco PIX could not do. Fortinet wrote custom code for us just to make this work. That was very nice of them.
Support calls are difficult to deal with at times. Like any small company, YOU will find the bugs first. Or they will ask you to upgrade to the newest OS every time to see if that fixes the problem. This is not acceptable in my line of work. If the bug is not documented and fixed and added to the release notes, I'm not risking an upgrade to code that may have NEW bugs to plague me.
For the recent DST updates, it took Fortinet 3 weeks to tell me what code version supported the new DST changes. This meant we had to upgrade our OS. The upgrade crashed our 1000As as they were built with not enough flash disk to support the new OS. We asked for RMA replacements to find out that they had only 1 in stock. What if I had a disk or power supply failure? Only ONE in stock for RMAs??? We had to RMA 8 boxes to get the larger flash disks for the DST upgrade. It took over a month to accomplish this! In fact I just completed the upgrades this last Monday!
We had 40 of the 60s. They worked well, but if you left them running over 9 months without a reboot, the config would disappear from SAVED memory and on a reboot it only booted to default config mode. This was a problem with the memory; the 60 does not have enough. Though it took me 3 months to get an answer from Fortinet on this problem. It happened 4 times on me in 1.5 years of using them.
The FortiManager was so terrible we powered it down. It was not helpful, it made no sense, and it slowed down my management of 40+ firewalls. Not to mention, support would always suggest I upgrade the FortiGate OS code, but FortiManager code was 3 months behind the firewall code, so it would not support the firewalls durin
I helped sell 100 FortiGates to the California DMV, and got a personal wifi60 from them. The wireless would constantly disconnect my laptop. My SE said this was a known problem. :(
I run a few of the FortiGates in transparent mode to proxy and monitor corporate traffic as well as content-block web sites. This has caused 6 network loops in our network and taken us down 6 times. The support for spanning tree and other technologies to prevent this is terrible.
Dang, why do I keep buying these?