Zone-based model on ASA?

Started by killabee, August 11, 2015, 12:24:57 AM


wintermute000

well fortinet is in the mix too I suppose. I don't know much about them TBH other than everyone telling me they're great bang-for-buck and UTM for mid-market, but if you turn all the features on the throughput goes south somewhere shocking. I've also heard that at the enterprise level some of the features/reliability doesn't stack up to the big boys.

Interestingly, I have dealt with one cloud company before that basically bought entire pallets of Fortinet C-series (The little ones), racked them up 2x per RU and maxed out the contexts = 12 contexts per RU = 12 customer instances, they showed me the math and it was by a significant margin the cheapest way to deploy multi context firewalling even considering RU/power etc. Of course each customer was getting SFA processing grunt but they were using them more like stateful fws than a UTM/NGFW anyway - again, cloud multi-tenancy, firewalling is more about separation/internet PAT/tickbox than NGFW.

Netwörkheäd

Fortinet did not please us when we tested them.


Let's not argue. Let's network!

wintermute000


deanwebb

1. Could not operate well in our environment because we do not have a default route to the Internet. We opened up a permission for it to talk with the outside world, but it couldn't use the proxy server for Internet traffic.

2. The consultant they sent to assist with the testing was affable enough, but technically inept. He gave us some bad info for setting things up and then got confused about it later on and spent a lot of time staring at the screen, trying to figure out what was wrong.

3. Same consultant threw me under the bus when my manager asked what was going on. Blamed the problems on me. When I showed the email that said to set them up the way that they were, my manager was none too pleased with said consultant and his product.

4. If that's the kind of support we can expect from them, we don't want that product in our house.

At least that was better than the McAfee/Intel guy that couldn't figure out how to plug a network cable into a switch port. Seriously. He pushed it almost all the way in and complained that the port was faulty or something. I pushed the cable in just a bit more to get the *tink*, indicating that it was actually all the way in, and it worked fine.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

well sounds like an issue with your SE/partner rather than the actual product.

I've never seen a FW before that used a proxy. Usually the proxy is behind the FW and the FW has access to the default route even if the internal network doesn't and/or is blocked.

packetherder

Have some Fortinets in production. Had a similar pre-sales experience as dean. My hunch is that there's a small cabal of developers who truly know the product but they are well insulated from customers...and sales...and support. I'm really not a big fan of the NGFW concept anymore because of it, honestly.

Fortinet's a decent firewall, if all you're doing is filtering packets, but the NGFW features are buggy.

NetworkGroover

Quote from: deanwebb on August 25, 2015, 09:58:15 AM
1. Could not operate well in our environment because we do not have a default route to the Internet. We opened up a permission for it to talk with the outside world, but it couldn't use the proxy server for Internet traffic.

2. The consultant they sent to assist with the testing was affable enough, but technically inept. He gave us some bad info for setting things up and then got confused about it later on and spent a lot of time staring at the screen, trying to figure out what was wrong.

3. Same consultant threw me under the bus when my manager asked what was going on. Blamed the problems on me. When I showed the email that said to set them up the way that they were, my manager was none too pleased with said consultant and his product.

4. If that's the kind of support we can expect from them, we don't want that product in our house.

At least that was better than the McAfee/Intel guy that couldn't figure out how to plug a network cable into a switch port. Seriously. He pushed it almost all the way in and complained that the port was faulty or something. I pushed the cable in just a bit more to get the *tink*, indicating that it was actually all the way in, and it worked fine.

Wow - that's a pretty crappy experience, Dean.  Seeing this and your reaction is exactly why I take the approach I do because I remember exactly what it was like being in an engineer's shoes and distrusting vendors.  If I don't know - I just say I don't know.  I don't care if I look stupid - I haven't been fired for this approach (yet).  Customers seem to respond to that well as long as you're willing to dig up the info for them or get them in touch with an SME on the particular tech.  I'm not just going to screw up your environment and then blame you for it - what a tool.
Engineer by day, DJ by night, family first always

killabee

And I appreciate your approach, AspiringNetworker :-)

Just to close the book on my issue, we ended up creating a deny rule for each nameif that denied its network from talking to other networks on the same box, then created permit rules to wherever the network needed to go.  Copy and paste saved the day, as usual.  This really made me appreciate true zone-based firewalls, but it is what it is.
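The per-nameif pattern killabee describes (one ACL per interface: deny its own network to every other network on the box, then permit it onward) is exactly the kind of repetitive config that a small generator produces more reliably than copy and paste. The script below is an added example written for this thread, not killabee's config and not Cisco code; the interface names, subnets and the single cross-interface exception are constructed sample values. It emits standard ASA `access-list ... extended` and `access-group` lines, and it puts any explicit cross-interface permits ahead of the blanket denies because ASA ACLs are evaluated first-match.

```python
"""Generate per-nameif ASA ACLs that block inter-interface traffic and then
permit each network onward. Example code written for this thread; interface
names and subnets are constructed, not taken from the original post."""

from ipaddress import IPv4Network

# Constructed sample topology: ASA nameif -> directly connected subnet.
INTERFACES = {
    "inside": IPv4Network("10.1.0.0/24"),
    "dmz":    IPv4Network("10.2.0.0/24"),
    "guest":  IPv4Network("10.3.0.0/24"),
}

# Constructed exceptions: flows that must cross interfaces.
# (src nameif, dst nameif, protocol, destination port)
ALLOWED = [
    ("inside", "dmz", "tcp", 443),  # inside hosts may reach DMZ web servers
]


def net(n):
    """ASA ACLs take 'address mask', not CIDR or wildcard notation."""
    return f"{n.network_address} {n.netmask}"


def acl_for(nameif, interfaces=INTERFACES, allowed=ALLOWED):
    """Return the ACL and access-group lines for one interface, in the order
    the ASA needs them: explicit permits, blanket inter-interface denies,
    then a permit onward so the implicit deny at the end of the ACL does not
    also stop outbound traffic."""
    name = f"{nameif.upper()}_IN"
    own = interfaces[nameif]
    lines = [f"access-list {name} remark generated: isolate {nameif} from other nameifs"]

    # 1. Exceptions first: ASA stops at the first matching ACE.
    for src, dst, proto, port in allowed:
        if src == nameif:
            lines.append(
                f"access-list {name} extended permit {proto} "
                f"{net(own)} {net(interfaces[dst])} eq {port}"
            )

    # 2. Deny this network to every other network terminated on the box.
    for other, subnet in interfaces.items():
        if other != nameif:
            lines.append(f"access-list {name} extended deny ip {net(own)} {net(subnet)}")

    # 3. Permit onward (default route / Internet); without this the ACL's
    #    implicit deny would drop everything not matched above.
    lines.append(f"access-list {name} extended permit ip {net(own)} any")

    # 4. Bind the ACL inbound on the interface.
    lines.append(f"access-group {name} in interface {nameif}")
    return lines


def render_config(interfaces=INTERFACES, allowed=ALLOWED):
    """Full paste-ready block for every interface."""
    out = []
    for nameif in interfaces:
        out.extend(acl_for(nameif, interfaces, allowed))
        out.append("!")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_config())
```

The remark line is optional but makes it obvious in `show run` which ACEs were generated. If a network should not reach the Internet at all, drop the trailing `permit ip ... any` for that interface and let the implicit deny do its job.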

Reggle

Having them in production for a year now I can share my Fortinet experience:

Positive: they're absolutely fantastic for stateful inspection. They have a Network Processing Unit, which is basically an ASIC that is stateful. They show little to no jitter under load, have low latency and have good throughput. IPsec VPN encryption in the hardware goes great as well. So for a 'secure router' it's about the best to get. Voice over VPN with these devices is no problem.

Negative: you may have noticed in the 'positive' part that all those functions depend upon the NPU. The software and CPU suck. The moment you activate anything that requires inspection above layer 4, the CPU will be involved and throughput will plummet completely. I'm talking from 1 Gbps L4 throughput on an interface to about 30 Mbps L7 in some cases. Antivirus, website filtering, IPS, application recognition, ... All useless really. The best way to do website filtering on a Fortinet for me is DNS-based: it will intercept DNS requests and check if the requested domain is allowed. This is not CPU intensive and works reasonably.

Conclusion: it's a Secure Router, not a NGFW. But I'm still a fan because it's exactly what some environments need. It just shouldn't be marketed as NGFW, and perhaps with a beefier CPU for some models it would become a good all-round device.

Disclaimer: I'm probably going to make a blog post based on this comment here.

wintermute000

well that's defo known in the community (i.e. start turning features on and watch the headline throughput plummet) but I didn't quite know it was THAT bad. Care to name the specific model that goes from 1Gb to 30Mb?
I might follow up internally next week with the Security team, because that sounds pretty poor

Reggle

Quote from: wintermute000 on August 29, 2015, 07:20:56 AM
it was THAT bad. Care to name the specific model that goes from 1Gb to 30Mb?
Fortigate-60D. Note that I did not involve their support for this one, it may be less bad with the right knobs.
The features I had turned on were flow-based web filtering, anti-virus and Traffic Shaping. Ironically, Traffic Shaping pushes flows through CPU, decreasing throughput... Although high priority indeed gets a lower latency than the other profiles.