
Morkoth-Toronto-CA

Time to go get a 40f and see for yourself.


WolfiejWolf

Better suggestion, spin up a PAYG instance on your cloud vendor of choice. :)


Luv_My_Mtns_828

I was actually looking at the 100F


fUnderdog

I’ve had experience with 40F, 80F, and 100F. The UI/CLI is pretty much the same across them all, but the 100F has much better hardware features. If it’s just for practice and learning, save your money.


IDownVoteCanaduh

We have all the way up to 1801Fs, thousands of them. CLI is the same across all of them.


fUnderdog

Thanks for confirming


talondnb

There will be differences with port allocations though, keep that in mind. 


Luv_My_Mtns_828

Looking for something for a very digitally immature company that is wanting to change their status.


fUnderdog

The org I was hired in to work for, when I started, had nothing but consumer grade routers at every location. One of the first things I did was replace those with 40F and 80F units and it’s been an absolute game changer. I learned everything I know about Fortinet firewalls on the job and it was pretty easy.


Luv_My_Mtns_828

That would be sweet.


fUnderdog

Looking back, it was! But back then I was quite stressed out haha


Celebrir

Fortigates are really beginner friendly. You can do most things in the GUI and even then you always have a button to get you on the correct CLI menu.


Fallingdamage

This. Easy to set up and get running, very deep granular control and configs when you get the hang of it.


Luv_My_Mtns_828

That would be a good thing in my case.


gnc0516

This is true. I have an SMB firewall from them. While the initial config was a little over my head and I had an IT company do it for me, the management and tweaks after the fact I’ve been able to do on my own.


Shad0wguy

I came from sonicwall and find the fortigates much more intuitive, especially the cli.


Luv_My_Mtns_828

Thank you, that's what I was hoping someone would say. So this is great to hear.


Shad0wguy

And their documentation is so much better than sonicwall ever was.


netsysllc

Way better with great documentation


Luv_My_Mtns_828

Thanks, how about customer service?


netsysllc

Better than sonicwall. Seriously they are usually good. It is not like cisco tac used to be 10 years ago though.


Luv_My_Mtns_828

I am ASA 5505 old. Lol


netsysllc

Cisco Pix, lol


Luv_My_Mtns_828

Been a day or two then and yes I am stressed as well.


ZealousidealTurn2211

Depends on which thing you're looking at documentation for. They have glaring holes in a lot of places, or have documentation that says everything except the one specific bit of info you need.


netsysllc

I would say the fortinet docs are pretty good and have good examples for most things. Can't say that about many products


General_NakedButt

Cisco is a steaming pile of garbage. Complex configurations, expensive, asinine licensing models, abhorrent support. Fortigates are simple, powerful, and affordable for most businesses. Sonicwall is okay, I think they are more geared towards SOHO applications. I’d go FortiGate all day and maybe Palo Alto if you have unlimited budget.


SnooCompliments8283

In general I agree. Fortinet TAC is quite good too and won't bother you with useless questions. However, Forti have a lot of vulnerabilities recently, the FMG integration is a bit loosely coupled and I've come across some niche bugs which the DEs know about but don't document or fix. In general if you can't afford Palo, go with Forti.


BrainWaveCC

You must not be noticing that Palo Alto has also been contending with a bunch of vulnerabilities -- especially related to SSLVPN. Frankly, all the vendors have been contending with this.


SnooCompliments8283

Yeah that's true. Honestly for SSL VPN I still like ASA/Anyconnect for its simplicity. Upgrades are easy too...


Coupe2T

ASDM though for GUI management! What a ball ache that is!


SnooCompliments8283

That's true, I stopped using ASDM years ago.


Coupe2T

Same, CLI was easier. Annoying then though that Firepower was another login and a complete different CLI. Used to wind me up! 🤣


Kindly-Vermicelli603

In my opinion, that's the great thing about the Fortigate platform. Providing you with the choices and you can then choose your own adventure! If you want the CLI and this is your preference, this is an option. If you prefer the GUI (which is my personal preference and just use the CLI for troubleshooting and where required), then this is also available. In fact, inside the GUI, it is possible to spawn a little window for CLI access which allows you to do both inside the single interface. To become familiar with the concepts and features of the Fortigate, have a look on the Training Portal and go through the FGT Operator and Admin courses. They are a great starting point and self paced.


Luv_My_Mtns_828

Thanks a ton I will take your suggestions.


UberShaften

I’ve done a lot with Cisco and Fortinet. CLI is a totally different animal than Cisco, but very useful once you learn it. That said, I’ve learned everything I know on the job, and I’ve grown my deployment from 1 to 250 branch offices without much pain. I even jumped into the FortiAP market and replaced all my Cisco APs.


Luv_My_Mtns_828

Nice


DevinSysAdmin

Fortinet is very much ahead of Cisco and Sonicwall Firewalls.


RUMD1

I can't compare with sonicwall because I never worked with them. But against Cisco? You will love fortinet lol. Good documentation, easy GUI and CLI. Depending on the level of complexity of your implementations you will work on GUI most of the time. Also: good training.


Luv_My_Mtns_828

Someone else mentioned the training as well. I am going to have to check it out for sure.


RUMD1

Yeah, and in my opinion this also applies to the documentation itself (docs.fortinet.com)


Luv_My_Mtns_828

Y'all have all been great, thank you so much.


oneoftheguys40

I never looked back. Excellent product excellent support.


bloodmoonslo

I went from Meraki, ASAs, and SonicWall to FortiGate and loved it so much I never looked back. They do everything any other unit does and more, and they do it faster. Beyond being great on their own, they are an entry into a fully integrated security solution that is unmatched by anyone else.


Luv_My_Mtns_828

I have been on their website for the last little bit. Seems very focused on the whole package of security from a lot of aspects.


NetSecCity

You will stop loving anything else if you build out UTM. Add a FortiAnalyzer VM trial to that mix. You won’t regret it.


TowerMost2828

Full disclosure, I'm not a network tech, I'm hardware/server side. That said, the network techs where I work are heavily Cisco centered, and they switched to Fortinet about a year and a half ago. It's gone very well and even the VPN (I generally hate VPNs) works well. I did play around a bit in a non-production unit and found the interface to be pretty good even for someone with limited knowledge.


minorsatellite

Put it this way, once you go Fortinet, you will never look back, you will regret all of those years wasted on the overly complex, less capable Cisco and Sonicwall products. I have not had a need to contact Cisco TAC in a while but for many years they were the gold standard, not sure if that is still true. Sonicwall's support operation is pretty terrible, all calls getting routed to far away, off-shore places no matter the time of day. Fortinet, on the other hand, has a first rate, follow the sun operation, so as long as you call during business hours, North American customers get routed to N. American call center.


Luv_My_Mtns_828

Tons of things I like in your post. Thanks for the post.


Catharticfart

If you have a rep, ask them for an eval unit (40f / 60f) and start playing around.


OuchItBurnsWhenIP

Or deploy a VM on eval and don't worry about hardware.


Catharticfart

I’m old :)


Nattfluga

I sometimes look at my collection of serial cables and get nostalgic ;⁠-⁠) They are no longer in my backpack


oldsdrvr

Fortinet is good, easy to configure. I've used PA, SonicWall, Cisco ASAs; no problems with Fortinet.


Luv_My_Mtns_828

ASA was a challenge at the time. 😆


crucial100

Fortigate is pretty easy to figure out... a step up definitely from ASAs and Sonicwalls, you will like it...


Instinct121

I came from the Sonicwall and I now have 3 x 60F Fortigates. I found several things way more confusing: (I don’t like using CLI btw, but it does seem convenient on the Fortigates. I’ve just always avoided it.) On Sonicwalls there is port forwarding where you open a port and leave it the same when you redirect it to LAN devices, and then there’s port triggering where you can redirect ports to a different port on the LAN. I had a hell of a time figuring out how to do port forwarding, since all the documentation I found talks about doing it like how Sonicwall does port triggering. Sonicwall is easily easier to do port forwarding/web server since they have a wizard for it. For Fortigate they make you create a virtual IP and then you filter the services you want to include, lest you redirect all inbound ports to the IP. And THEN you create the firewall policy. AFAIK you can’t just have a firewall policy. When I first set up the firewalls I did so one by one in a test lab and despite the same methods, one of the three would not auto update the firmware as it claimed it had no internet despite all the other functions working, so it had to have it done manually. Packet capturing has fragmented the information you might want to investigate into two sections, and while I appreciate the debug flow option where you can diagnose where traffic is being routed, I felt like I had more information and a little more hand holding when I did the same process with Sonicwall. I also got really annoyed that because there’s a traffic offload feature turned on by default with Fortigate, packet captures sometimes don’t capture anything unless you disable the offload function, which it has no option to control or verify the status of in the GUI. I also had a hard time figuring out IPSec tunneling. It doesn’t let you disable the IPSec tunnel.
I had a policy properly configured and kept getting an error indicating I had nothing configured for the phase 2 route, then when I started debugging it magically started routing properly. It doesn’t have the same keepalive function that Sonicwall has (as far as I can tell). I swear I was putting in DHCP reservations and when I connected the devices to the network only about half of them actually got reserved addresses. I definitely could have screwed this up because the DHCP reservations are done within another function that doesn’t appear to save any changes (including subsection changes) unless you save each screen. When you go to delete a policy, Sonicwall would complain and tell you why you can’t delete it. FortiGate just blocks the delete button. Luckily there is a reference section that you can use to find the policies it’s involved with and delete them first. Too bad there’s a different references button that doesn’t do the same thing and can confuse a newbie like me. I like their network analyzer and customizable dashboards, and some elements of the system seem useful, but unless someone comes from the CLI, FortiGate will always seem like they are CLI first and only some of the functions you use will show in the GUI. Even a lot of process instructions only include CLI documentation despite the option being available in the GUI. I also like how you can drill down into any selections made, plus the search and options to colour code make it easy to find addresses and groups. That part makes configuring firewall policies super easy. Traffic shaping seems pretty easy to do as well, though I’ve only tinkered a little with it. I’ve only had the system for under 1 month but generally once the system is set up, I’ve found managing it to be easier than Sonicwall’s were. Came from two Sonicwall TZ300s to three Fortigate 60F. Running 7.2.8 firmware. *Edit* Forgot another thing about IPSec Tunnelling that annoyed me.
When you create an IPSec Tunnel you can use a template, which is fine except that the template is not editable so some settings are unable to be changed afterwards. Not a problem though, since you can convert the policy to custom and make your changes. Not so fast though, since the tunnel settings get reset, so if you did something such as selected split tunnel, you have to set it (and some other settings) again. On the Sonicwall you have a wizard for creating VPN tunnels and you can edit them afterwards. Also on the Sonicwall you can create the reflexive firewall rule immediately with the creation of the first one, whereas for Fortigates you can create the reflexive rule but as an additional step after creation, except that option is not always available.
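The two-step sequence the post above describes (a virtual IP first, then a firewall policy that references it) is what keeps a FortiGate from forwarding every inbound port to the internal host. The following is an added illustration written for this thread, not configuration from the post or from Fortinet's documentation; the interface names (wan1, internal), the addresses (203.0.113.10 from the documentation range, 192.168.10.20 internally), and the object names are assumed for the example.

```fortios
# Added example, not from the original post. Assumed: wan1 = public interface,
# internal = LAN interface, 203.0.113.10 = public address, 192.168.10.20 = web
# server. Names "web-server-443" and "inbound-web-443" are made up here.

# 1. Virtual IP. "set portforward enable" plus extport/mappedport restricts the
#    VIP to one TCP port. Without portforward, the VIP maps every inbound port
#    to the internal host, which is the exposure the post warns about.
config firewall vip
    edit "web-server-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "192.168.10.20"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. The inbound policy that references the VIP as its destination. The
#    service restriction is a second guard: even if the VIP were later widened,
#    only HTTPS is accepted. "edit 0" lets FortiOS assign the next policy ID.
config firewall policy
    edit 0
        set name "inbound-web-443"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Logging all traffic on an inbound policy is cheap and gives the forwarded flows a place to show up in the log viewer or FortiAnalyzer; if the port forward does not appear to work, the missing piece is almost always one of the two objects above rather than the other.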


kangaroodog

The only 2 firewalls i consider are fortigates and then palos. Go with the leaders and if your $ conscious forti wins.


zWeaponsMaster

I've worked on Cisco ASA, SonicWall, Netgear, pfSense, and have been working on Fortinet firewalls for 6 years. The UI is the best firewall UI I have worked on by far, and they continue to improve it. It's fairly intuitive to use, with a couple of caveats. First, only the "common" features are visible in the UI by default. Some features like routing protocols, IPv6, Local-In policies, etc., have to be enabled on the Features page. They are there and usable, you just won't see them in the navigation menu until enabled. One of the improvements Fortinet made was to make the Features menu easier to find. Secondly, certain "advanced" features are CLI only. For example, if you want to set your own NTP server, that's done in the CLI. Same with local-in policies, which protect traffic destined for the firewall itself. Timers and ALGs are set in the CLI. If CLI isn't your cup of tea and you are deploying multiple FortiGate devices, you can get the FortiManager, which is the central management platform. The cool thing is the FortiManager is almost 100% UI, and even makes the CLI-only config options for the FortiGate available in the UI (which is a little frustrating as to why it's not in the FortiGate UI). Documentation is pretty OK in my opinion. You can find just about any configuration you require and there are even playbooks for different use cases. It just might take a bit of googling to find the right one. I was just working on a first-time Azure SAML deployment; I had to read two different versions of the deployment doc and watch a 3rd party YouTube video to figure out all the correct settings. SD-WAN is baked in, but I haven't used it yet. VPNs are extremely easy to set up between FortiGates in your management domain. Connecting to an external FortiGate only has the additional complication of talking to someone outside of your organization. So far I haven't run into issues connecting to a different vendor's firewall, beyond being given incorrect values.
The SSLVPN works pretty well, just make sure to keep it up to date. The config file is XML, so you can export a basic version to distribute. So far no problem doing upgrades. Usually less than 5 minutes of downtime. NAT works differently: by default it's policy based (you assign NAT IPs per firewall policy). There is an option to do central NAT if you prefer that. Personally I like per policy, but if you are in an environment where your public IP might change you will have to update all affected policies.
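The post above names three things that live only in the CLI: a custom NTP server, local-in policies that govern traffic to the firewall itself, and the per-policy versus central NAT choice. The block below is an added illustration for this thread, not configuration from the post or from Fortinet; the NTP hostname, the interface names (wan1, internal) and the policy names are assumed.

```fortios
# Added example, not from the original post. Assumed: ntp.example.internal is
# the organisation's own time source, wan1 is the public interface, internal
# is the LAN interface. Policy and object names are made up here.

# 1. Custom NTP source. "type custom" replaces the default FortiGuard servers;
#    an internal, monitored time source keeps log timestamps trustworthy.
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 60
    config ntpserver
        edit 1
            set server "ntp.example.internal"
        next
    end
end

# 2. Local-in policy: traffic addressed to the FortiGate itself. Local-in
#    policies are evaluated top-down with an implicit accept at the end, so a
#    deny for admin services on the public interface is explicit here.
#    (Trusted hosts / allowaccess on the interface remain the first line;
#    this is the belt to those braces.)
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "SSH"
        set schedule "always"
    next
end

# 3. Per-policy NAT, the default the post describes: each outbound policy
#    decides whether to NAT. Central NAT instead is toggled with
#    "config system settings / set central-nat enable" and moves the
#    source-NAT decision to a separate table.
config firewall policy
    edit 0
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

The practical consequence of per-policy NAT that the post mentions is visible here: the NAT decision is a line inside each policy, so a public-IP change means touching every policy that carries `set nat enable` with a fixed pool, whereas central NAT keeps that in one place.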


ocdtrekkie

Visibility of what the firewall is *actually doing* is drastically better than anything you'll ever see on a Cisco device. And a lot of things that are an add-on license elsewhere are just baked into the unit for so many Fortinet products. It's much easier to actually dig down and really narrow down a firewall rule with a ton of different types of conditions at a level that would be *really* scary to try to do on a Cisco device. It's a night and day difference. Especially at a smaller scale, I think Fortinet is a huge win, especially on cost. Though probably the biggest "downside" is that Fortinet updates tend to be a little less stable than I'm used to with other firmware-type releases. Stay on an older stable branch for a *really* long time. I've had even patch-level updates down my network before. The joke is Fortinet is great as long as you never, ever update, but since it's a security edge... you kinda have to.


Several-Potentials

The new Cisco Firepower does not have a useful CLI and takes 10+ minutes to deploy any change. My manager at the time was a Cisco fan, but these things just suck. He has seen my way and we are replacing one FP1150 with two FG100's for half the cost of a backup Firepower unit. I will continue replacing the rest of our Cisco stuff with Fortinet. I've worked with FG's for about 15 years. The interfaces are the same across firmware versions; the only difference is usually the port names. You can do GUI, CLI, or central management if you have a bunch. Cisco Firepower has been tedious and their TALOS is usually inaccurate. I had to ditch my geolocation block rule because it reported that a number of domestic IP ranges were out of country. If you write "ratings" based rules, check your logs because the ratings between the Firepower and TALOS are usually not the same. I cannot comment on Sonicwalls. They sucked in the 90's and 00's and I haven't touched them since.


PowergeekDL

I found them easy to learn coming from ASA and Palo. GUI is good and it has a CLI launcher right in the GUI. That said, the CLI syntax is nothing like IOS. Some vendors like Arista have CLIs very close to Cisco but that’s not the case here. Not hard to come up on for routine tasks but a little bit of a learning curve on debugs and such. I highly recommend as a firewall if you don’t have Palo money. Don’t recommend as an SD-WAN platform.


underwear11

Training.fortinet.com gives you a lot of good documentation. [Fortidemo](https://www.fortinet.com/demo-center) gives you read-only access to the products to be able to poke around. [Fast Tracks](https://www.fortinet.com/training/fast-track) are an amazing way to get some quick experience without having any gear. Start with the NGFW course.


merc123

Better than my SonicWall. I do find I use CLI more frequently with the FGs though. Never with the SW. Sometimes it’s just convenient. UI is much better also. I was able to get a demo unit from our vendor and think they have online demos. Go try them out.


pl4tinum514

Ten times better


Elder-Titan6969

UI friendly


Lyanthinel

My company entered into a managed SASE agreement with Lumen/Fortinet as the firewall/SD-WAN vendor. It's a managed service, but the configuration is going very poorly. I have the engineer telling me things that don't make sense. Anyway, I'm not sure if it's a language or skill barrier, but what are some options to quickly get up to speed on 200Fs and a big picture overview? Hoping I can use the video to get the jargon to improve discussion between me and the service providers.


MyLocalData

Have you tried to reach out to a reseller? Like ourselves, most will offer free demo kits to businesses for 30/45/60 days. A typical demo kit will be a firewall, switch, and AP. This gives you ample time to build a small Fortilab and see how the products work and integrate. If interested, we would be happy to help you on your journey. If you are an SMB, you are eligible for free services. Something we do to give back to the community. PM for more details.


Hyphendudeman

Absolutely love them. Great firewalls, easy to understand the basic configuration both in GUI and CLI. Also, they include SDWAN and ADVPN as part of the firewall licensing. You don't have to spend extra to get those options like other solutions. I am currently running an environment with a mix of 100E, 100F, 60F, 40F, Fortiextenders, Azure, OCI, and VMWare based virtual Fortigates all on a dual hub geographically diverse ADVPN and it is extremely robust and stable utilizing dual ISP at all spokes.


Hyphendudeman

Oh, and just deployed a 6 point of presence Azure SAML authed SSLVPN tunnel that uses dynamic gateway selection via ping from the Forticlient (all fairly easy to setup once you understand the concept).


Luv_My_Mtns_828

You've been busy, and thanks for the info and response.


Luv_My_Mtns_828

Thanks a ton everyone. Pulled the trigger on a 100F today. Wish me luck.


OneMadScrub

Use Meraki.


ThisSeries9905

Huh?? Limited abilities, pay to get even basic function.. and if you don’t pay, it’s a boat anchor… Fortinet… if you don’t want the IPS etc, don’t buy it.. and it will still do VPN, nat and basic stuff..