Editor’s note: Next-generation firewalls (NGFWs) are becoming an essential tool for organizations taking steps...
to fortify their network security. Our easy-to-digest reviews look at what you can expect from NGFWs. To help you understand what you should look for when assessing a next-gen firewall, click HERE for our NGFW buying overview.
Fortinet's FortiGate line of firewalls spans a number of sizes and categories, much like the other leading vendors in the next-generation firewall (NGFW) space. The FortiGate 3950B is an enterprise-class NGFW platform chassis with numerous expansion slots. It is loaded with the company's custom-built FortiASIC processors that handle application traffic analysis and filtering.
Notable features. The FortiGate 3950B isn't as easy to configure and set up as the Check Point 12610, but it isn't overly difficult. The Web management interface is very intuitive, and it is easy to navigate and configure once the device is up and running. The command-line interface, or CLI, was somewhat clumsy and took some getting used to. The FortiGate appliance has one significant advantage over some other appliances, in that all changes are made in real time, with no need to "commit" changes after making them over time. That can be slow and cumbersome at best, and problematic at worst -- if an administrator forgets to commit changes, for example.
NGFW buying advice and reviews
How to buy: Assessing next-gen firewalls
Palo Alto PA-5060 product review
The FortiGate appliance allows for very simple firewall and VPN rule creation. The VPN configuration options, in particular, are easy to navigate and configure, and the SSL VPN options include both a portal and client.
The FortiGate user authentication and user identification capabilities aren't as easy to configure as they are in other products reviewed. Active Directory authentication and integration is supported, along with other user repositories, but creating policy rules that leverage user IDs and attributes is somewhat difficult. Once configured, the rules we created worked well, however.
The system has much to offer and should be considered when you're evaluating NGFW platforms in large and midsize enterprises.
What makes it special. The 3950B has excellent intrusion prevention system (IPS) capabilities in the platform that are easy to configure. The rules provide an enormous amount of granularity and flexibility in configuration, as well as numerous rule and policy options for detection, blocking and alerting.
During testing, the FortiGate was successful in identifying applications, not recognizing only a few apps. The application-specific rules are also integrated with the main firewall rule base and easy to manage holistically. Simple quality of service, or QoS, is also configurable for these rules, which is nice to have.
Additional capabilities. The 3950B includes features for detecting and limiting denial of service, or DoS, attacks, with particular emphasis on rate-limiting types of rules.
The product also has some interesting options for identifying IP reputation and geography as attributes for policy definition, but these were not extensively tested.
Challenges. During testing, we noted that the 3950B has several issues. First, the logging and reporting felt somewhat "fixed" in terms of options and flexibility, and we could not tailor the output to our needs completely even when using Fortinet's FortiAnalyzer tools.
Also, the system had significant performance loss when numerous application layer features -- for example, intrusion protection,, URL filtering, application monitoring and antimalware -- were enabled (in particular, when SSL inspection was enabled). While we were not specifically testing for performance, the drop was noticeable.
The last word. Fortinet's FortiGate 3950B offers a plethora of features for application inspection, intrusion prevention, application and content inspection, and much more. Its FortiOS platform is likely the broadest in terms of features, much more of a true unified threat management system. Configuration was somewhat complicated, however, and performance impacts were definitely noted when multiple application-level monitoring and filtering options were enabled. Overall though, the system has much to offer and should be considered when you're evaluating NGFW platforms in large and midsize enterprises.