Positive

I primarily use FortiGate Cloud-Native Firewall (FortiGate CNF) as a firewall with general bundles of licenses, including Intrusion Prevention System (IPS) and antivirus. We employ it in medium and enterprise-level businesses, not small businesses.

FortiGate Cloud-Native Firewall (FortiGate CNF) is highly valued for its pricing, which is considered very affordable. The rates and reviews it receives, such as from Gartner, underscore its reliability. Its price policies are flexible, and it is widely favored in the market with significant coverage in security. It holds around 60% of the security market in Ukraine.

The Intrusion Prevention System (IPS) in Fortinet products, including FortiGate Cloud-Native Firewall (FortiGate CNF), is not very strong; we often prefer Cisco IPS instead. AI features are not well developed in Fortinet solutions compared to Check Point.

Unfortunately, FortiGate Cloud-Native Firewall (FortiGate CNF) is not very scalable. For businesses that grow or develop further, only about ten percent can handle the increase.

Customer service for Fortinet is rated at four out of five. This translates to approximately eighty percent satisfaction.

Neutral

I've previously used solutions from Trend Micro, Check Point, and Palo Alto. For email protection tools and general security, I often use Trend Micro and Check Point.

Overall, the initial setup for FortiGate Cloud-Native Firewall (FortiGate CNF) is straightforward and hassle-free. It takes two to four weeks to complete.

FortiGate Cloud-Native Firewall (FortiGate CNF) offers a very flexible price policy, with medium pricing, making it an attractive option for many businesses.

I have evaluated solutions like those from Trend Micro, Check Point, Palo Alto, and Cisco IPS.

Overall, I rate FortiGate Cloud-Native Firewall (FortiGate CNF) around seven out of ten due to its flexible pricing, significant market presence, and ease of deployment.

Positive

We enhance our cloud security strategy through FortiGate Cloud-Native Firewall (FortiGate CNF) by implementing zero trust policies for our cloud infrastructure APIs. This includes the secure communication between our on-site data center and cloud premises.

FortiGate Cloud-Native Firewall (FortiGate CNF) greatly enhances our cloud security strategy with features such as policy creation and management. We implemented IPS and IDS, which contribute significantly to our security. The visibility and exposure to logs provide valuable insights for our InfraSec team, aiding in monitoring and managing communication and policies.

I would be glad if there were free solutions to help manage migrations. Migration can be quite challenging when moving from a different firewall to FortiGate Cloud-Native Firewall. Solutions like FortiConverter are good but are paid, and getting approval to purchase can take some time. It would be great to have something more readily available for engineers.

We have been using FortiGate Cloud-Native Firewall (FortiGate CNF) for around one year.

I would rate the stability of FortiGate Cloud-Native Firewall (FortiGate CNF) as nine out of ten, indicating it is very stable.

As of now, we haven't scaled our cloud network much, and the deployment is working fine. There are plans to launch new projects, and once that's done, we will definitely scale our FortiGate Cloud-Native Firewall as needed. I would rate the scalability as an eight out of ten.

There are some bugs that need to be fixed, and they can take some time to resolve. I would rate the customer service and support an eight out of ten.

Positive

I have worked on Palo Alto and Cisco firewalls before. The organization decided to cut CapEx costs and was looking for vendors offering the same features at a lower cost. We ultimately chose FortiGate Cloud-Native Firewall.

The initial setup involved a smooth deployment with some challenges during the migration process, as we had to manually transfer our rules and policies without FortiConverter.

Our deployment team consisted of three network engineers and two infrastructure managers.

The primary benefit we experienced is the reduction in CapEx costs. FortiGate Cloud-Native Firewall provides the same features that higher-end models offer, but at a much lower cost.

The pricing of FortiGate Cloud-Native Firewall is very good and is not considered expensive compared to other products.

I would rate FortiGate Cloud-Native Firewall (FortiGate CNF) an eight out of ten. While the pricing, features, and stability are good, the presence of bugs and the time it takes to fix them prevent a higher rating.

We use FortiGate firewalls for endpoint protection and communication lines, and we have some Cloud-Native and local appliances for VPN connections or multiple sites.

FortiGate provides features such as Internet connections, monitoring, VPN, WiFi management, and centralized management system with FortiManager. It also offers backup of configurations with FortiCloud. These features help balance security and comfort for customers, ensuring they can operate without too much hassle.

The prices for FortiGate are way too high and are perceived as overpriced.

We have been working with FortiGate for quite a while.

When we install FortiGate firewall, I do not hear back from the clients often, indicating there are usually no issues caused by the appliance.

FortiGate is suitable for medium-sized companies, and we work on a lease basis, administering the machine without selling it outright.

Support is excellent. There is local support through the distributor, which is efficient and provides a friendly relationship.

We tried Check Point, but their solution wasn't up to par until they introduced Quantum Spark. However, adopting it requires policy changes and re-educating technicians, so it is currently on hold.

Setting up FortiGate from end to end, including communication with clients and configuring security policies, takes about three hours.

We use the local distributor for support, and we also manage devices in-house.

The pricing is considered too high and does not justify the value provided by the devices.

We considered Check Point with their new Quantum Spark suite. We didn't proceed due to complexity in transitioning.

We aim to work with products that have local distributors for better responsiveness. I rate FortiGate around eight to eight and a half out of ten since there are usually no technical issues. Still, the pricing is a concern.

We are using two Fortinet firewalls. One is as an office firewall for all users behind it, configured with remote VPN for users working from home. The other firewall is for production use, with our applications behind it, ensuring PCI DSS compliance. It is deployed in AWS Cloud.

FortiGate has provided us with a good experience, making it the best firewall for our needs. It supports centralized logging with its Unified Threat Management features and enhances our infrastructure security effectively.

The Unified Threat Management, URL filtering, application control, antivirus, web filter, DNS control, and intrusion prevention are valuable features. FortiGate's offering of many features in one license is cost-effective.

Currently, whatever features FortiGate provides are sufficient. There are some features we do not use, like DLP and WAF, and there is no specific area that needs improvement.

It's been around five years.

The FortiGate firewall is stable and supports all our requirements for infrastructure security.

For scalability, if the hardware isn't fit or working, the box needs changing. We have around 50 users, and it has been supported well since 2019 without needing changes.

Customer service is good. It's not extraordinary yet not bad either. I would rate them a seven out of ten.

Neutral

I previously used Cisco ASA. Although it was a good firewall, it required many different kinds of licenses and was not as good for UTM features compared to FortiGate.

The initial setup is easier with Fortinet's firewall. It is user-friendly, taking less time than other solutions to deploy.

The cost is good in comparison to Cisco ASA as it offers multiple features with one license, saving both money and time.

FortiGate's cost-effectiveness is noticeable as it provides many features with one license, saving costs compared to Cisco ASA.

Overall, the firewall meets our requirements. I don't have experience with other firewalls like Palo Alto that might provide some better benefits.

I'd rate the solution eight out of ten.

We use the solution to secure firewall security. We always implement FortiGate as a layer 3 router, but with security.

The important part of FortiGate CNF is the UPM. It has a significant impact on the network by providing additional attributes such as a binder filter. This feature is very beneficial. Additionally, it supports ITV for quality and IPv6, making it easy to manage in terms of memory. You can view logs and reports, allowing administrators to monitor and understand what is happening in the network, which adds great value for them.

We sometimes encounter issues with the SSL certificate. Occasionally, we face problems with the certificate, possibly due to a lack of understanding. This often occurs when we deploy the proxy mode with certain components.

200 users are using this solution.

Support is pretty good.

Positive

The solution is difficult to deploy, depending on the environment of the customer and takes two to three hours to complete. Two people can deploy the solution.

FortiGate's price is really good.

Overall, I rate the solution a ten out of ten.

We use the solution for perimeter fiber and to control the external access.

The solution helps to control all the processes and information going on.

I have configured some SD-WAN features, and it's worked pretty well. It manages pretty well, connecting all links to the firewall. It can lower balance and traffic management.

I have been using FortiGate CNF for three years.

We can offer FortiGate customized solutions tailored to small and medium-sized customers, as it can accommodate up to five hundred users.

The initial setup is easy.

There is a good correlation between cost and value because this is ready equipment, and the prices are very low compared to other brands. It will be suited to the customer's needs. The product is cheap.

Before offering a firewall solution, we assess the site, service, and customer requirements. Then, we determine the project scope and the available funds to buy a firewall.

Some customers need a big firewall with high performance and certain specific features that FortiGate might not have. They have good performance, capacity, and scalability, but FortiGate may need adjustments to meet some customers' very high requirements. For example, some carriers prefer another kind of fiber instead of FortiGate because they have customers covered by it.

If you're seeking a Firewall with robust performance at a more affordable price point, I recommend FortiGate.

Overall, I rate the solution an eight out of ten.

The first thing that happens is that any incoming cyber threat is stopped. The fiber channels that are coming into the country—let's say there are five or six main channels providing all communication into the country—the first layer of protection is essentially switched. Before the data enters the fiber, load balancing occurs, allowing the system to disable one input channel and switch to another. If one device fails, the system can reroute the traffic quickly to the appropriate destination.

The first application entrance is the denial of service (DoS) protection. For instance, if China is bombarding the Ministry of Defense of Morocco with traffic, and it's all targeting the same IP address, the DoS protection will recognize this as abnormal traffic and activate the necessary defenses. Each manufacturer has a different strategy to prevent such attacks. For example, in the case of Juniper, instead of outright blocking the IP, they reroute the traffic to a fake IP and server, which sends out dummy data while analyzing the traffic and user behavior. This process also filters out hidden cyber attacks to gather more information.

After the initial screening, the next step involves Deep Packet Inspection (DPI). DPI examines all packets, whether they are encrypted or not, and applies specific rules to them. For example, an operator might decide that all traffic to streaming services like Netflix or Prime Video should go to a particular set of servers within the country.

In the DPI section, we often use a passive split of the fiber. It's not a common technique, but in this case, before the data is sent to the firewall, the fiber is split and dispatched across several servers that will inspect the data. You can have rules applied based on the origin of the traffic—like all traffic coming from a specific country, or all voice over IP traffic being directed to a particular server.

Sometimes, there are requirements from companies like Google, or specific mobile regulations, stating that traffic must be routed according to certain rules. For instance, Google Maps might require that any call coming to a certain company or individual be intercepted by law enforcement. This is usually authorized by a judge, and the telecom operator will do its best to intercept and reroute the traffic to a server that is dedicated to law enforcement in that country.

In such cases, the telecom operator might treat the network as their own intranet, allowing them to intercept traffic while providing a security certificate to the end user. This is related to the "man-in-the-middle" attack, where traffic is intercepted for security reasons, and law enforcement can use this method to intercept calls.

In some countries, this is a highly monitored situation. Traffic, at least the destination and initiation IPs, is monitored, and even if the traffic is encrypted, authorities often want to record it for future use. This is all managed and directed by the firewall, which also provides additional capabilities.

Take an example of NVIDIA. They have a competing SIP solution for firewalls that can handle very high terabyte bandwidth, and they can be programmed to work in conjunction with the firewall. In that case, you have a piece of software running inside FortiGate or Juniper that directs specific traffic to and from NVIDIA's platform, working with the firewall to perform certain tasks. 

If our customers were private companies or banks, I would look at this from a different angle. But as a user at the edge of normal usage, the ones dealing with international traffic, if something goes wrong with a service.

All my criticisms are based on large-scale applications. For example, here is a good use case. Very often, telecom companies consider the Internet they offer to their clients as their own Internet. If you’re a banker, you often take services from major providers like T-Mobile or Verizon.

Basically, if you do that, the bank can offer you your own private network. They can say, "We are providing the firewall as a telecom, and we are providing a VPN specifically for all your customers." In that case, very often, the bank will dedicate firewall resources. They will issue an RFP, and if the firewall they need to buy meets the requirements of their customers, they will sell security as a service.

What I see is that more and more, this is where the telecom operators want to make money because they control the infrastructure. In the past, the infrastructure and the firewall were there to block attacks. Today, the philosophy has changed. It's about how fast you can respond once there is an attack.

Ten or fifteen years ago, the IT manager might have thought, "This is the internet. Nobody is coming inside the bank or inside the network." But today, it's a reality. The question is, how fast can you detect abnormalities?

This is where telecom operators say, "Oh, we are great at that. We have tools that see all the traffic way before it goes to the bank and way after it leaves the bank. We have more information. Now, we can offer IT services to large customers." They are making less and less money with connectivity, but they see IT services as a goldmine for the future.

So, that means the way you manage a server, both Juniper and FortiGate, they are both really well done for remote management.

The ability to launch third-party software is one of the best features because of the variety of software available. For me, it's one of the best ones.

Another valuable aspect is that it's a large platform in terms of development, with a full line of products. This means that once you're educated on one of their products, you understand the full range of their offerings. That's a good side.

The bad side is that they are not really geared for DPI usage in telecom applications. They're great at DPI if you have a bank or a smaller network, but on a large-scale network, the DPI performance is declining. Their DPI performance dies. It acts more like a firewall or router, applying rules with minimal analysis.

For in-depth analysis, the ability to associate with more powerful processors is critical. Today, only two manufacturers produce silicon that are able to deal with fiber-level processing: Intel and NVIDIA. Intel had the best technology but stopped developing new products. NVIDIA, on the other hand, took parallel processing and the ability to handle high levels of information simultaneously, gaining ground in that market.

At the end of the day, it's really about processing power. More and more, firewalls need to be smart, but often, the processors inside are designed to function like traditional firewalls from a long time ago. But with very large volumes, they don't perform as well as they could. We often end up reducing the ability to be smart, which can slow down traffic.

More processing power is needed. Security using firewalls used to be fairly straightforward, but now you technically need to run AI-based intelligence. For example, if you have a denial-of-service attack at the first level, do you block everyone trying to reach an address, or do you maintain a specific user?

And how do you deal with regular users who are already connected? They may be trying to block the service by overloading access. If FortiGate CNF has stronger processors with AI-based capabilities; these issues can be addressed extremely fast. So far, most manufacturers aren't ready for that. They depend on third-party software that is very good but lacks the processing capability inside the device. Or you end up oversizing the device you’re buying because it doesn't perform well. You might need to go from a $100,000 device to a $400,000 device to get the performance you need.

If you had a stronger processor that could do the work, it would be great. This is what many manufacturers, from Juniper to FortiGate, Cisco, and others, are trying to do—they’re designing silicon optimized for firewalls. 

Fortinet is producing its own silicon, which is great, but it’s not doing the entire job. It’s good at handling the packet quickly, but it lacks the processing capability to be truly smart. There is a change coming to the market [telecom], especially with the 5G changeover, which will change the structure of data centers and firewalls worldwide. Today, most of the data goes to a data center.

Another improvement is in terms of security, with companies offering next-level protection in monitoring threats. They have international call centers where all threats are aggregated, allowing them to respond in real-time to cyberattacks. The idea is good, but it needs improvement because it's not yet perfect.

It's a fairly recent product; I've been using it and providing it to our clients for about two years. 

The stability and scalability of the solution are among the best available today. However, what threatens the stability of this platform is its capability to manage large-scale operations efficiently.

If I were an end-user, I’d like to see these platforms offer open access to the software side. Currently, each company has its own set of rules. When developers want to create solutions, they often have to follow FortiGate’s way of doing things, using their specific tools. This means the software must be adjusted for specific hardware, which makes it difficult to transfer developments from one platform, like Juniper, to FortiGate. 

Open-source software would likely make things cheaper and better. The architecture of these tools also needs to be improved in the future.

The people involved in calling for support are usually experienced in this field, especially in telecom companies. They typically follow an internal process to isolate and document problems before contacting external support. When the issue reaches Fortinet or Juniper, it's usually well-documented, making it easier to resolve. In general, the customers are very professional, which helps ensure effective support.

So, once the problem is documented and duplicated, the issue is in good hands. In my experience with public safety agencies in Canada and large customers, users have professionals communicating with professionals. 

However, if users are dealing with customers in regions like Africa, where there might be a lack of training or support, the issues often stem from insufficient training on the specific device. This training needs to be refreshed regularly, and both companies offer that option, though not all customers take advantage of it.

Positive

The deployment process is complex, but it's not the fault of Fortinet because it's a complex industry, and it's very rarely deployed the way it's shown in the book. 

The first thing we do is split the traffic. Before it goes to the firewall, we split it and send addressing traffic to servers that will process this, and at the end, maybe give the data back to the firewall or bypass the firewall completely.

The complexity is that both companies use the best they can, but when something goes wrong, there is still time to resolve the issue. You probably haven't seen that in detail, but for example, in Canada, Rogers, a telecom company, lost the ability to make mobile phone calls for three days for all their users.

The CRTC, which is the equivalent of the FCC in the US, said, "What the hell? How can you lose the ability to firewall communication for a few days?" This was basically because the reaction time from the firewall side was too slow. Some of the automatic protections against external attacks did not work, and when they engaged them manually, it caused more trouble than it solved.

As a result, one-third of the Canadian population didn't have communication. The details weren't fully disclosed, but the job should have been done at the level of the firewall of all the traffic coming into Canada. The firewall software should have reacted. In fact, every time it reacted, it was because of a large network issue. 

"Is it easy to deploy?" The answer is, if you have 400 firewalls, like they do, it's extremely difficult to recycle them if everything goes wrong. When you are at that level, it goes wrong extremely fast, and it's extremely slow to recover.

Before we sell the product, there's a qualification period. We respond to the RFP; then, the customer has two to three months to ask questions and decide who has the best offer.

Then, we have some time to deliver the first model and often demonstrate and validate the technology. This isn't exactly a pilot project, but it's part of the RFP. Then you have the deployment, and usually, it goes from one operator's data center to another.

For example, in Morocco, we have the three main operators as our clients.

We are a value-added reseller. We bought the technology for our own use, but it's oversized, mainly for demonstrating the technology.

We sell a lot of solutions to telecom operators. We are the largest SIM card manufacturer in Canada, and we develop software used by most telecom operators in Western and North Africa.

So, when we look at these products, we usually get specification requirements from the client. They publish an RFP, and we look for the best product to fit the RFP requirements.

Usually, we form a co-solution, meaning both companies respond together, or we are the prime, or sometimes the customers are. We respond together to the RFP because when they are doing an RFP for that type of solution, they don't just want the equipment. They want software installation. If it's an on-site installation, CNF needs telecom engineers. I am certified on the Zscaler platform, and they are also authorized to install inside the data center of the operator. They have to have special accreditation for that.

We do that very often. There is a specific need because most of these platforms will accept third-party software that will run on Juniper platform or on FortiGate. We also carry other products for large telecom operators. So, we bundle the solution together to respond to the RFP. From one country to the other, the use of the equipment can be very different because they have different architectures.

For the operator, it's a solid product because it can be technically upgraded, and both companies provide excellent service and support.

It's extremely good. There aren't many choices on the market, so it offers a better return compared to alternatives. It's also cheaper, especially when compared to some Chinese firewalls, which I would avoid if I were a telecom operator.

I'd rate it around a nine or nine out of ten. It's one of the best in the industry today.  

The choice often depends on the legacy equipment already installed and its upgradeability. Juniper is really good at replacing Cisco devices, as Cisco is losing ground in the telecom operator market. Sometimes, choosing equipment is influenced by the legacy systems already in place.

So, as a customer, I often can't remove all legacy equipment and must work in parallel with it. That's one of the key issues when it comes to integration. If users have a hybrid platform, it can dramatically complicate deployment.

We use the platform for virtualization, malware protection, and VPN client support.

They should offer more affordable renewal options or flexible plans for license upgrades. It would make the product more accessible to a wider range of users.

We have been using FortiGate Cloud-Native Firewall (FortiGate CNF) for the last eight months.

The platform has good stability.

The platform is mostly suitable for enterprise businesses.

The initial setup is complicated. It requires technical experts to set up firewall communications easily. It takes a few days to complete.

It is an expensive platform.

We have been using FortiGate Cloud-Native Firewall for a few years now. It is the most stable and recommended firewall. Users with less technical knowledge can easily manage complex network and security components using it.

I rate it an eight out of ten.