I don't really have anything against Cisco. I think they have a great product line. I even passed the CCNA and CCNP exams back in 2002. However, about 4 years ago, when I was working for the City of Provo, we were looking for a new firewall and I was tasked to do the research. It was at this time that I was introduced to the Fortinet FortiGate firewall (all-in-one, multi-threat, unified threat management (UTM), or whatever they are calling these devices now).
We ended up purchasing two of these devices for the city and set them up in an active-passive distributed cluster (the firewall is partitioned into two virtual firewalls; one network runs on one unit and the other runs on the secondary unit, but if either device should fail, its traffic switches to the other unit). I have since deployed, and still manage, 5 different sets of clustered FortiGate firewalls for another company, and I feel like I need to share how much I like using these devices. I am not saying they are perfect, but what device is?
Let me just briefly touch on some of the features offered:
IDS/IPS (Could be easier to manage)
Anti-Spam (One of the areas in which these devices could be improved)
High Availability (Active-Active or Active-Passive Clusters)
For full features and specs, visit http://www.fortinet.com.
Now, to be fair, there are a few areas in which the product could be improved. As mentioned above, the IDS/IPS functionality could be a little easier to configure, and the Anti-Spam could have more options. Also, the logging and reporting is all there, but could be improved. However, even discounting the device for these issues, it is still an amazing value.
Coming from a Cisco IOS background, it was difficult at first to get used to the fact that you can configure 90-95% of the firewall through the web interface (not that you have to; there is a CLI). However, the web interface is great, and it makes managing the firewall and training IT staff on its use much easier.
I think that I am most impressed with the High-Availability features. Not so much how well high availability works, though it does work well, as how easy it is to cluster the devices. The configuration is straightforward, can be done through the web interface, and connecting the devices is a breeze.
The IPSec VPN is standards based, and I myself have successfully connected to Cisco, Checkpoint, and SonicWall VPN devices. The SSL VPN is great and runs in both IE and Firefox. They even have clients that allow you to run the SSL VPN on Linux and on Mac OS X.
There are options for authenticating users to determine which web filtering, IDS/IPS, Network AV, etc. (called a Protection Profile) gets applied. This authentication can happen seamlessly with an Active Directory extension, or the user can be required to log in to a web form using RADIUS, LDAP, or local authentication.
If you haven't heard of Fortinet before, check them out. I highly recommend the product. Do you use Cisco? If so, what are some reasons I should give the Cisco PIX or ASA another shot? If not, what do you use and how do you like it? I would love to hear from others on this topic.