With so many viruses, hacker intrusion attempts, peer-to-peer file
sharing network hogs, and other network security issues, an IT
administrator's job of protecting the network can be a daunting task.
Fortunately, with Fortinet's ASIC-powered 1U Fortigate-400 appliance you can
have firewall functionality, Web traffic filtering, VPN, virus and worm
protection, intrusion detection, bandwidth throttling, and much more for a
very reasonable $7,995 price tag. It also supports a "high availability
port" to support redundant configurations, which is ideal for
mission-critical applications. And did we mention that it supports H.323
over NAT to support VoIP applications? The ability to support VoIP is a neat
feature that many firewalls cannot support.
TMC Labs tested the Fortinet-400 and we were very impressed with its
feature-set. The Fortigate-400 can detect and eliminate content-based
threats from e-mail and Web traffic such as viruses, worms, intrusions,
inappropriate Web content, and more in real time -- without degrading
network performance. FortiGate Antivirus Firewalls employ Fortinet's unique
FortiASIC content processing chip. Fortinet claims that their Fortigate
systems are the only systems in the world that are triple-certified by the
ICSA (for antivirus, IPSec, and firewall functionality). Oftentimes an
organization may already have a firewall or VPN setup, so they wouldn't need
or require all of FortiGate's advanced functionality. No problem. The
FortiGate systems can be set to a "stand alone" mode and can be deployed for
antivirus protection and content filtering alone and used in conjunction
with the existing firewall, VPN, and related devices. If you decide later on
to replace all the disparate network systems and use just the FortiGate for
your firewall, VPN, virus protection, and content filtering, it's a very
simple configuration change. For this reason, TMC Labs was impressed with
the level of flexibility of the FortiGate platform.
The FortiGate system can perform quite demanding tasks such as 3DES (Data
Encryption Standard) and AES (Advanced Encryption Standard) encryption
without breaking a sweat. In addition, the FortiGate features four
auto-sensing 10/100 Base-T ports. It also offers flexible
deployment options, allowing administrators to customize the ports and assign
route and NAT mode options to individual interfaces. The FortiGate 400
provides very granular security through multi-zone capabilities, which
allow administrators to segment their network into zones and create
policies between zones. Each security zone may contain several subnets, and
the firewall policy will let you select if you want to apply a rule only to
one network or to a group of networks inside a zone instead of to the entire
zone. In addition, the FortiGate-400 fully supports Remote Access via VPN
using Fortinet's Remote VPN client.
TMC Labs was quite impressed with the ability to perform content
filtering on the FortiGate-400. The content filtering feature is completely
policy-based, so it can be applied to specific users or IP addresses and of
course can be scheduled. Thus, you can block certain material during work
hours, and then relax it during off hours. It supports URL blocking,
keyword/phrase blocking, URL exempt list, and can block Java applets,
cookies, or ActiveX controls. One thing that we found missing
was the ability to use wildcards in the URL block list, such as www.sex*.com,
or *.org. It would be nice if Fortinet provided some sample templates of
keywords to block, as well as a comprehensive list of objectionable sites
to block, which could be imported into the device and updated regularly from
their Web site. This would make this a very cost-effective solution versus
expensive solutions such as Websense, a popular content filtering program
that costs $5,000 per year for 50 users.
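
The scheduled, list-based filtering described above, sketched as an added example (not Fortinet code and not FortiOS behaviour) that also supports the wildcard patterns the review found missing. The exempt host, the work-hours schedule and all function names are assumptions made for illustration.

```python
from datetime import datetime, time
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample policy. The two patterns are the wildcard forms
# quoted in the review; everything else is an assumed placeholder.
BLOCK_PATTERNS = ["www.sex*.com", "*.org"]
EXEMPT_HOSTS = {"www.ietf.org"}
WORK_HOURS = (time(9, 0), time(17, 0))  # assumed: Mon-Fri, 09:00-17:00


def normalize_host(url: str) -> str:
    """Return the host lower-cased, without port or trailing dot, so that
    'WWW.Example.ORG.' cannot slip past a case-sensitive pattern."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def in_schedule(when: datetime) -> bool:
    """True while the blocking schedule is in effect."""
    start, end = WORK_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def decide(url: str, when: datetime) -> str:
    """Return 'block' or 'allow' for one request at a given time."""
    if not in_schedule(when):
        return "allow"   # filtering is relaxed during off hours
    host = normalize_host(url)
    if not host:
        return "block"   # assumed choice: fail closed on unparsable input
    if host in EXEMPT_HOSTS:
        return "allow"   # the exempt list takes precedence over the block list
    # Patterns match the whole host name, so '*.org' does not match
    # 'example.org.evil.com'.
    if any(fnmatchcase(host, pattern) for pattern in BLOCK_PATTERNS):
        return "block"
    return "allow"
```

Matching the normalized host rather than the raw URL string is what keeps case changes, a trailing dot or an explicit port from bypassing a pattern.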
We tested the traffic-shaping, which lets you set the guaranteed and
maximum bandwidth in each policy. As a test, we defined a policy stating
that HTTP traffic cannot exceed 20 KB/s. Immediately, our Web downloads
dropped from 200 KB/s to approximately 19 KB/s. One nice capability is that
you can create schedules for when the traffic-shaping policy is in effect.
Finally, we tested the H.323 over NAT feature by testing the Fortinet
firewall with Quintum's Tenor CMS H.323-compatible gateway. During our
tests, we were only able to get voice in one direction, which indicated a
firewall NAT issue. After a few attempts at reconfiguring the firewall, we
still couldn't resolve the issue. This is not to say the Fortigate-400 does
not support H.323, but it was not as seamless as we would have liked.
- Provides complete network protection functionality through a
combination of network-based antivirus, Web content filtering, firewall, VPN,
and network-based intrusion detection (IDS), and traffic shaping.
- Eliminate viruses and worms from real-time traffic without degrading
- Front panel LCD and keypad ease deployment by setting basic system
parameters without an external console.
- High-availability option supports transparent failover for
- Multi-zone support allows granular network segmentation into zones with
individual security and access control policies.
- Delivers excellent performance and reliability from hardware accelerated, ASIC-based architecture.
- Automatically downloads the latest virus and attack database and can
accept instant "push" updates from the FortiResponse Network.
- Underlying FortiOS is ICSA-certified for Antivirus, Firewall, and IPSec
- Easy to use and deploy -- quick and easy configuration wizard walks
administrators through initial setup with graphical user interface.
- Web-based GUI and content filtering support multiple languages.
TMC Labs was very impressed with the performance of the Fortigate-400,
especially considering what you get for your money. With its plethora of
features, including virus-protection, intrusion detection, policies, and
more, Fortinet's Fortigate-400 sets the benchmark for appliance-based