Jan 29 2009

Security at the Gate

Fortinet serves up one UTM box that lets you rule them all.

If there is one thing most technology managers find challenging, it’s balancing the need for comprehensive network security against the cost and complexity of the numerous elements that comprise a secure network.

Given the demand for spam filtering, firewalls, intrusion detection, antivirus applications and secure remote connectivity, something typically gets short shrift when resources are limited. One solution? Unified threat management.

A UTM device expands on the features of a good firewall — the use of stateful packet inspection to examine traffic for malicious intent — by integrating the ability to perform:

  • on-the-fly antivirus and phishing protection;
  • spam and web filtering;
  • routing and virtual private network management.

The result is one box that rules all facets of a layered security approach.

UTM devices have become more common, with the major enterprise security players offering products, including Barracuda Networks, Cisco Systems, Juniper Systems and SonicWall.


Fortinet started with a realization: If it was going to ask a security device to do all these things without melting down under the CPU load, it would probably make sense to build a processor specifically for the purpose. FortiGate UTM devices use application-specific integrated circuits to maximize performance and reduce cost.

For the core mission of firewall protection and intrusion prevention, the company’s FortiGate line of UTM devices are highly effective. They feature stateful packet inspection and come preloaded with a large database of attack profiles. Fortinet updates the antivirus and intrusion attack profiles through a subscription service on a push basis, as opposed to the more typical client pull method. Why? Fortinet can then get new attack profiles into the field quickly and make its units responsive to zero-day attacks.

Why It Works for IT

All Fortinet products run the FortiOS, currently in Version 3.0, and all share a common command line and web administration syntax. The FortiOS web administration tool is attractive, simply constructed and consistent in performance. Web administration can be handled through HTTP or HTTPS over either internal or external interfaces. The external web administration comes disabled by default, and the device will accept only the Secure Shell protocol out of the box.

For text-oriented users, the FortiGate devices allow configuration on the command line through the console, SSH or web browser.

Web-filtering services are highly configurable. Users can define URL allow/deny lists by hand, by keyword content blocking or by using the Fortinet subscription web-filtering service to restrict by content category or service type (peer-to-peer file sharing, streaming media or chat, for instance). Exception lists can also be created with Server Message Block authentication or manual lists.

Although FortiGate products performed poorly during industry tests using extremely heavy loads, this should not dissuade you from considering them. The FortiGate devices have very specific rated capacities. During the same industry tests, the devices performed well at their rated capacities. 

The FortiGate 200A is rated for 150 megabit-per-second firewall throughput and 70Mbps VPN throughput. It can support 200 dedicated VPN tunnels and 400,000 concurrent sessions, with the ability to create or tear down 4,000 sessions per second. The firewall can handle 2,000 policy rules.

Even lower-end FortiGate devices support several hundred firewall rules and dozens to hundreds of VPN tunnels.

Inbound/outbound file scanning, limited to 10 megabytes by default, can be increased to 50MB. Be sure to review the default setting during install because larger files will be allowed through without inspection.

The system’s broad-based configurability also exists in its antispam feature. Administrators can manually block by regular expressions, domain allow/deny or by using the subscription spam filter.

Connor Anderson on Fortigate


While the spam filter allows the administrator options in creating blocks, it is probably the weakest feature. In real-world use, the device reduced spam levels by between 40 percent and 55 percent.

Additionally, the web interface has a fairly steep learning curve. This is pretty common, however, in UTM hardware because of the broad feature set and high degree of configurability of these products. Simplicity is not on any UTM menu.

Although the FortiGate appliance functions well as a firewall/VPN solution out of the box — as do devices from the other UTM providers — you will need to sign up for the subscription service to receive attack signature updates and web- and spam-filtering services. But Fortinet’s subscriptions are well priced, which plays a part in the value proposition of their products.

Finally, introducing FortiGate to your security infrastructure will cause some disruption — so be prepared. It requires training, especially in organizations that rely heavily on other brands of switching and security products. Ultimately, the FortiGate UTM line offers best-of-breed performance at affordable prices.