After working in the reseller channel for many years, I've spent a lot of time with many firewall products. It wasn't until I recently joined Fortinet that I had a real opportunity to get to grips with the FortiGate firewall. I was impressed by the wide capabilities of the box, but a few things stuck out as being unique. These are not necessarily the kind of features that a salesman would blurt out during his 30-second elevator pitch, but they are the ones that make living with and using the product on a daily basis a pleasant experience.
Out of box experience
This is a small thing, but first impressions count. My approach is typically to plug the thing in and start bashing away rather than "RTFM", but in this case I learned a couple of useful things from the nicely printed booklet. For a start, there are several options for getting the appliance configured from a cold start. Obviously one can use the serial console or direct LAN attachment, but the appliance can also be configured over a USB connection from a PC or from an Apple iOS device using the FortiExplorer app. Serial access not being a requirement is a bigger plus than one may think; more than once I've been stuck on site with a dead laptop or a duff RS232 cable and needed to jump on a firewall urgently; this would have saved me a lot of headaches!
Policy hit count
One of the challenges that network administrators face is keeping a firewall rule base tidy and representative of business needs. This task is made difficult because many firewall vendors make keeping track of policy activity either difficult or expensive (ever heard the phrase "Yes, we have a separate license for that"?). A terrific little touch in the FortiGate GUI is the hit count displayed against each policy. This allows the administrator to see how many times a particular policy has been matched since the last reboot. This is helpful for a couple of reasons: 1. If there are nagging doubts that a particular rule isn't being matched properly, or at all, you can see its activity at a glance relative to other policies. 2. Tracking very chatty traffic like DNS becomes easier; this feature shows the resources spent tracking outbound queries, resources you'd rather have available for more pressing requirements. The usual caveat applies when using the counter to prune rules: a zero count tells you a rule hasn't matched since the counter was last reset, not that nothing depends on it (think quarterly batch jobs or failover paths), so watch it across a full business cycle before deleting. There is no faffing around to turn this on in the policy or reminding your fellow administrators to enable it; it just works out of the box.
Embedded DNS server
There is ongoing pressure to reduce the amount of kit deployed at branch sites. UTM firewalls such as the FortiGate can come to the rescue, as they consolidate many network functions into one physical appliance. One feature I'd not seen implemented this well before was the inclusion of a full-blown DNS server on the firewall. This reduces WAN traffic and the branch's dependency upon it. It's unlikely that you'd use it in place of a full Active Directory integrated DNS solution, but again it's a nice get-out-of-jail-free tool. Whilst a UTM box that performs DNS server functions isn't necessarily unique, I've never seen it as well and easily implemented as it is on the FortiGate. Configuration is fully integrated into the GUI and doesn't require any messing about with the CLI or arcane config files.
Automatic Geographic tracking on logs
Another nice feature built into the GUI is the mapping of IP addresses to countries and regions. Again, there are sophisticated and expensive ways of doing this with your logs using other products, but the FortiGate gives the network administrator an easy, direct view of where traffic is going to and coming from, exactly where you need it: the standard log view. For example, large volumes of traffic heading to a US address from your European-only organisation would be worth investigating. Furthermore, regular VPN traffic from a Far Eastern IP address block may be indicative of a bigger problem. Bear in mind that the country shown is whatever the appliance's IP-to-region database says about the address at the time; cloud hosting, CDNs and commercial VPN exits routinely land perfectly expected traffic in unexpected countries, so treat the country as a prompt to look closer rather than as a verdict.
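The two checks described above (large transfers to a country the organisation has no business with, and VPN activity from one) can be run over exported logs as well as eyeballed in the GUI. The script below is an added example, not code from the original post or from Fortinet. It assumes FortiGate's key=value log syntax and field names (type, subtype, dstip, dstcountry, srccountry, remip, sentbyte, user); the sample log lines, the ALLOWED_COUNTRIES policy, the GEO_HINTS fallback table and the byte threshold are all constructed for illustration. It goes slightly beyond the text in one respect: an event line that carries no country field is enriched from a lookup table, and an address that cannot be attributed at all is flagged rather than ignored.

```python
"""Flag log entries whose country attribution doesn't fit a European-only
organisation: large transfers to unexpected countries and VPN events from them.

Added example: not code from the original post or from Fortinet. The sample
lines are constructed to approximate FortiGate's key=value log syntax; field
names (type, subtype, dstip, dstcountry, srccountry, remip, sentbyte, user) are
assumed, and the addresses, countries and thresholds are invented.
"""
import re
from collections import Counter

# Hypothetical policy: where a European-only organisation expects traffic to go
# and VPN users to come from. "Reserved" is assumed to be the label the
# appliance gives private (RFC 1918) addresses.
ALLOWED_COUNTRIES = {"United Kingdom", "Germany", "France", "Reserved"}
LARGE_EGRESS_BYTES = 10_000_000  # hypothetical: flag >= 10 MB sent to an unexpected country

# Constructed fallback for lines that carry no country field (the VPN event for
# "alice" below); a real deployment would use the appliance's own lookup.
GEO_HINTS = {"203.0.113.": "Japan"}

# Constructed sample log lines using documentation address ranges only.
SAMPLE_LOGS = """\
date=2023-01-10 time=09:01:05 type=traffic subtype=forward srcip=10.1.1.20 dstip=192.0.2.34 dstport=443 srccountry="Reserved" dstcountry="United Kingdom" sentbyte=1200 rcvdbyte=4800 action=accept
date=2023-01-10 time=09:01:07 type=traffic subtype=forward srcip=10.1.1.21 dstip=198.51.100.7 dstport=443 srccountry="Reserved" dstcountry="United States" sentbyte=52000000 rcvdbyte=1500 action=accept
date=2023-01-10 time=09:02:10 type=traffic subtype=forward srcip=10.1.1.22 dstip=192.0.2.9 dstport=53 srccountry="Reserved" dstcountry="Germany" sentbyte=64 rcvdbyte=120 action=accept
date=2023-01-10 time=09:03:00 type=event subtype=vpn action=tunnel-up remip=203.0.113.45 user="alice"
date=2023-01-10 time=09:05:00 type=event subtype=vpn action=tunnel-up remip=192.0.2.77 srccountry="France" user="bob"
"""

# key=value, where the value is either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict."""
    rec = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    return rec


def country_of(rec, country_field, ip_field):
    """Prefer the country the appliance already wrote; otherwise consult the
    hint table; otherwise report Unknown, which the caller treats as suspicious."""
    if country_field in rec:
        return rec[country_field]
    ip = rec.get(ip_field, "")
    for prefix, country in GEO_HINTS.items():
        if ip.startswith(prefix):
            return country
    return "Unknown"


def analyse(log_text, allowed=ALLOWED_COUNTRIES, large=LARGE_EGRESS_BYTES):
    """Return traffic to unexpected countries, the large transfers among them,
    VPN events from unexpected countries, and bytes sent per destination country."""
    findings = {"unexpected_dst": [], "large_egress": [],
                "vpn_unexpected": [], "bytes_by_country": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") == "traffic":
            country = country_of(rec, "dstcountry", "dstip")
            sent = int(rec.get("sentbyte", 0))
            findings["bytes_by_country"][country] += sent
            if country not in allowed:
                hit = (rec.get("dstip"), country, sent)
                findings["unexpected_dst"].append(hit)
                if sent >= large:
                    findings["large_egress"].append(hit)
        elif rec.get("type") == "event" and rec.get("subtype") == "vpn":
            country = country_of(rec, "srccountry", "remip")
            if country not in allowed:
                findings["vpn_unexpected"].append((rec.get("remip"), country, rec.get("user")))
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    for ip, country, sent in result["large_egress"]:
        print(f"large egress: {sent} bytes to {ip} ({country})")
    for ip, country, user in result["vpn_unexpected"]:
        print(f"VPN from unexpected country: {user} from {ip} ({country})")
    print("bytes sent by destination country:", dict(result["bytes_by_country"]))
```

On the constructed sample this reports the 52 MB transfer to the US address and alice's tunnel from the hinted Far Eastern block, while bob's French tunnel and the UK and German traffic pass. The per-country byte totals are the same figure the GUI's country column lets you build up by eye; here they are available to a script so that the threshold can be tuned against a week of real exports before anyone acts on it.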
More than one firewall in the box
The list of features included as standard on even the entry-level appliances is impressive; as an example, virtual firewall (virtual domain) features are included as standard on all but the tiniest of boxes. This feature can scale to hundreds of logical devices on a single appliance. For most administrators, virtual firewalls are an expensive luxury that requires careful cost/benefit analysis. With the Fortinet solution, however, the administrator has many options at their disposal for how traffic is partitioned within a single appliance. A scenario familiar to many is the provision of guest wireless. It is standard practice to separate this relatively dirty traffic from the line-of-business applications. Often a consumer-grade device is dedicated to this task, but by utilising a virtual domain the separation can be achieved with much better visibility and control, and of course without any additional expenditure. The separation is logical rather than physical, of course: the guest virtual domain shares the appliance's CPU, memory and session capacity with the production one, so it is worth capping the resources the guest domain may consume so that a busy guest network cannot starve line-of-business traffic.
Scratching the surface
There are many scenarios where the above features would be useful. I've barely scratched the surface of what the FortiGate firewall is capable of, and over the coming weeks and months the product will continue to reveal its secrets. I hope to be able to share any tips and tricks I discover with the FortiGate and other Fortinet products on this blog in the near future. If you have any discoveries of your own, I'd love to hear about them in the comments or in the support forum.