Fortinet FortiGate-3810A

An enterprise UTM appliance that’s big on features, performance and expansion potential, but is it good value as well?

Within a profile you can activate virus scanning on HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP, add your own file filters and block email attachments over a certain size. Two options are provided for web filtering, where the first enables you to apply keyword matching plus black and white URL lists. You can also add the usual blocks for Java, ActiveX and cookies from here. The FortiGuard feature provides URL filtering and the eight main categories cover around eighty subcategories. You can block or allow entire categories or select options at the subcategory level and activate logging for each individual entry.

FortiGuard worked well during testing. With the gambling sub-category blocked we Googled for on-line bingo sites and gave up after the appliance blocked us from the first 100 hits. With social networks such a big issue in the workplace we tested this and found access to sites such as Facebook and MySpace could be easily blocked. Finding the right category can be tricky but Fortinet has this covered as you enter a URL on its main web site and it'll tell you what into which category it fits.

Profiles include your Intrusion Prevention System (IPS) settings, where you assign a predefined sensor or create your own. For testing we opted for the default sensor with a filter that covered all targets, operating systems, protocols and applications and merely logged all activity. However, it's easy enough to create custom sensors for selected systems, application and protocols and decide whether to block, allow or log them.

IM and P2P usage needs to be controlled in the workplace and the 3810A has a modest range of facilities for controlling these. For P2P you can choose from five main types, including Bittorent and eDonkey and allow, block or apply rate limits. From the IM and P2P menu option you also get a page of statistics showing logged in IM users, chat sessions and file downloads, whilst for P2P you can see how much network bandwidth is being sucked up.

Initially, we had some problems controlling our clients using Windows Live Messenger. Merely selecting the MSN option in the profile immediately blocked all further logins although we hadn't specifically requested this. After a chat with Fortinet's helpful support it transpired that the appliance is set to automatically block all unknown users for AIM, MSN and so on. With this total block now lifted we could allow our clients to log in but stop them from downloading files or using video.

We tested the P2P controls using one client running a Bittorent download and found that you can't passively monitor this type of activity. With our profile set to pass Bittorent traffic the statistics screen showed zero activity. We could block this traffic but only when we applied rate limits could we see usage figures in the statistics screen. Fortinet advised us that it believes with the profile set to pass Bittorent traffic the appliance won't activate its proxy for this so can't see what's occurring.

For sheer features the FortiGate-3810A has a lot going for it and we found it easy enough to install and deploy in the lab. The use of VDOMs, zones, policies and protection profiles make it extremely versatile but you'll also need to factor in the cost of anti-spam measures and possibly the additional FortiAnalyzer reporting systems.

Verdict

The FortiGate-3810A delivers an impressive range of security features, with port expansion high on the agenda. Fortinet’s VDOM feature is a great idea as you can create multiple virtual appliances each with their own separate security policies. Performance is also a key feature, but for the price the hardware specification could be more up to date and the IM and P2P controls are fairly basic.

Chassis: 2U rack CPU: 2 x 1.8GHz AMD Opteron 265HE Memory: 2GB 400MHz DDR Expansion: 4 x expansion slots Network: 10 x Gigabit Ethernet (8 x copper, 2 x SFP) Power: 2 x 600W hot-plug supplies Management: Web browser

Dave Mitchell

Dave is an IT consultant and freelance journalist specialising in hands-on reviews of computer networking products covering all market sectors from small businesses to enterprises. Founder of Binary Testing Ltd – the UK’s premier independent network testing laboratory - Dave has over 45 years of experience in the IT industry.

Dave has produced many thousands of in-depth business networking product reviews from his lab which have been reproduced globally. Writing for ITPro and its sister title, PC Pro, he covers all areas of business IT infrastructure, including servers, storage, network security, data protection, cloud, infrastructure and services.