UNIFIED THREAT MANAGEMENT
REVIEWED BY SANDRA KAY MILLER
Price: Starts at $32,995
The FortiGate 3600A rolls eight homegrown security services--firewall, IPsec and SSL VPNs, IPS, traffic shaping, antivirus, antispam and Web filtering--into one high-availability appliance built for speed.
It's a good choice for publicly facing data centers and managed service providers, with enterprise-class features such as redundant power supplies, dual-core processing, the new FortiASIC Content Processor-6, AMC network adapter expansion slots, two accelerated gigabit SFP ports and eight 10/100/1000 copper gigabit ports.
The 3600A can be deployed as a gateway between the Internet and private network (NAT/route mode), or on a single subnet invisible to the rest of the network (transparent mode). We chose NAT mode in order to include multiple subnets.
Using the quick-start guide, we planned our network configuration and connected to the Web-based manager in minutes. The interface is pleasantly clean and easy to navigate. Thanks to the expandable menu tree, moving through the initial setup was fairly intuitive.
For example, the VPN option expands to provide instant access to IPsec, PPTP, SSL and certificate administration. We created firewall rules, applied policies for content filtering and set up VPN tunnel associations.
Fortigate supports RADIUS, LDAP and Active Directory authentication.
Our only significant frustration was with the client software, which provides endpoint security and IPsec VPN connectivity. It was extremely slow to install and created instabilities in several instances.
Creating customized firewall rules, IPS signatures and adding URLs to the Web filter was straightforward.
Working primarily through the firewall, we quickly assigned numerous policies relating to network settings, logging, traffic shaping and restricting client network access based on policy compliance, such as up-to-date antivirus and IPS signatures.
However, given the extensive hardware support for high throughput (the pair of SFP connectors for optical networks), we were dismayed there was little standard policy control for VoIP. Also, there are only four IM services listed in the IM/P2P policy tab (MSN, Yahoo!, AIM and ICQ); we would have liked to seen more choices, given the explosive growth of IM clients.
We were impressed with the quality of security services on a single appliance, as well as flexibility for deployment and ease of administration. For instance, the IPS is signature- and anomaly-based, and multiple VPN technologies are included. Automatic updates and system backup and restore for multiple security services simplify life for admins and reduce the chance of human error.
Each layer of security functioned effectively when faced with common threats such as syn floods, malware, port scans and spam. Prohibited Skype traffic and potentially hazardous URLs and sites containing blacklisted keywords were blocked.
Logging is outstanding. The 3600A provides three avenues for logging: local, syslog and through the FortiAnalyzer, an additional dedicated appliance for data collection and analysis from multiple FortiGate devices. The exhaustive logging was easily parsed using single-click column filtering.
Using check boxes, we set up custom email alerts for more than a dozen different events, to be sent at defined intervals. The event log is also highly customizable.
Unfortunately, there are few onboard reporting features unless the data is sent to a FortiAnalyzer, which was not included in our testing.
Considering the costs and IT resources for managing individual products, the FortiGate 3600A offers an affordable and manageable enterprise solution.
Testing methodology: We set up a lab with Windows and Linux PCs sending legitimate as well as malicious traffic back and forth through ISG 2000.