FortiGate with subscription - worth it?

Small network: 20 workstations, 20 IP cameras, 20 other IP devices (printer, laser cutter, iPad, etc). Would you advise keeping the FortiGate-40F router in the network and buying the subscription? Is it worth the money, and is it not a potential new attack vector? Fortinet seems to have a rich CVE history.

Do you have any nosey compliance requirements for any “cyber” insurance, or to tickbox qualify your organisation for bids to other customers, or need to do SSL packet inspection/domain blocking for safeguarding or (insert other jobsworth reason here)?

I find it hard to think of any reason to use a commercial FW vendor for anything except its updated content blocking lists (where such is required) and possibly, producing reports on the same only the first of which was ever read.

And if not, why not pfSense (or just a business focussed router, with in-support software and no direct external web access of course)?

If you feel like you don’t want to configure all that, then maybe, and if not FortiGate, one of the others (though mostly I don’t find them simpler, only different). FortiGate certainly have been winning the CVE high score but that doesn’t mean much for the rest of them automatically. Just keep it up to date.

2 Likes

I think you are on point - it was brought in as the firm was flirting with ‘sensitive’ production. The fact that the whole CCTV is from HikVision hints that it was not continued.
We have a second router - Mikrotik with RouterOS - good piece in my opinion. I’m sure it’s capable of domain blocking, I’ll try to use it and dump FortiGate.
Thank you!

Depends on your threat scenario, compliance/certification, insurance and if you actually use the thing for more than a glorified router.

If you also have their wifi-APs and their client-VPN, then it is probably worth it for ease of administration.

Having touched some other vendors, I am extremely indifferent to Forti.

Some other vendors

Cisco/Meraki - Probably nice when you have 600 locations around the globe with local monkeys doing the hardware installs.

Fortiguard - When the FortiLicense for the FortiGate and FortiAnalyzer and FortiMail are not FortiPaidfor, you can sit your FortiBackside on the FortiCactus…

Sophos - Web interface is s_l_o_w, analysis and logging options are nice though.

Lancom - Very German, in the best and worst manners.

Securepoint - Even more German!

Watchguard - IDK man… WTF?

Checkpoint - You thought Cisco was expensive!

PaloAlto - All the cool kids have a Palo

PFSense - Is fine


I mean, CVE means something was found (and hopefully the sunlight did its thing…).
A product having no CVEs can mean perfect security (doubtful), or obscure enough nobody except attackers touch them.

As much as I like Mikrotik for their Routing and Switching options, they are hard to lock down. For the primary data-mover between Servers, Storage and Backup, sure thing! Price/Performance is unbeaten.
As the single-point-of-failure between my job and the internet, only after a lot of scrutiny!