Fortigate 60D... what's the catch?


Dreece

Does one actually need a valid license to run this hardware as in it bricks itself like those Meraki things if you don't keep the license renewed?
 

BoredSysadmin

Sophos UTM did stop serving any VPN or anything other than basic firewall services (i.e. NAT/DHCP) after the 3-year subscription expired.
One huge catch with the 60D is performance, or a complete lack of it, with even a single NGFW feature enabled.

IPsec VPN Throughput (512 byte packets): 1 Gbps
Gateway-to-Gateway IPsec VPN Tunnels: 200
Client-to-Gateway IPsec VPN Tunnels: 500
SSL-VPN Throughput: 30 Mbps
Concurrent SSL-VPN Users (Recommended Maximum): 100
IPS Throughput (HTTP / Enterprise Mix): 200 / 41 Mbps
SSL Inspection Throughput: 32 Mbps
Application Control Throughput: 50 Mbps
NGFW Throughput: 23 Mbps
Threat Protection Throughput: 20 Mbps
CAPWAP Throughput: 250 Mbps

I'd much rather run that 4-core DFI w/ pfSense.
 

Dreece

So the 60D is only going to be any good if I don't do anything with it other than basic NAT firewall and, say, openswanvpn?
My need would be very simple: it will just be a gateway, I don't need anything else from it, as I already have a bespoke Linux setup that does pretty much everything else... My aim is just to put the gateway outside of the server so that even if the server comes down, smartphones/tablets can still get internet access across a VPN.

So taking the above into consideration... would the 60D fit the bill?
 

Evan

The 60E is way more powerful, but it's also the current model. They do fine unless you have the IPS checking all traffic, but basic NAT etc. is fast still.
 

MiniKnight

It may be slow, but SSL-VPN throughput of 30 Mbps is much higher than pfSense, which doesn't have SSL-VPN.
 

Dreece

I did some number crunching and I think I'll stick to my custom VMs. The server is rarely powered down anyway; I was just thinking that I could compartmentalise things a little more, but to be fair my current setup has no limits, throughputs are way beyond what I can even use, and given that I keep changing my VPN setup all the time (i.e. jumping from tinc to osvpn to wireguard and whatnot), I think having a brick is just too inflexible for me.
 

Evan

No way I am aware of to see the impact of 1 VM other than, if it's a cluster, move it off to another node and measure the baseline, then move it back to the original node, take away the baseline, and you have a value.

The value of appliance could be easy reboot for the family if something happens when you're away and unable to fix remote.
And the ability to run with a very low power footprint if you only, say, keep one other all-in-one box running and keep the big play clusters to use one when needed.

I move back and forward between appliance and VM in my mind, right now it’s a less featured appliance than I want but I would be willing to invest in a supported product (Fortinet 60E/61E or Meraki MX67/MX68 or Sophos, for example of course) to get the low power and feature I want (young children so some traffic blocking etc based on content)
(All those fully supported commercial solutions are let’s say close enough to $10 per week average cost so not cheap but... well actually given my monthly power bill let’s say I had an old not efficient home environment then if it was running 220 watts say, but going to 10 watts I could save that a month anyway, my stuff is not where that inefficient though)
 

Dreece

Evan said: "The value of appliance could be easy reboot for the family if something happens when you're away and unable to fix remote."
Right on!!! That was indeed the primary motivator before I went off on the energy-saving tangent.

I think what I can do is just keep the 4G wifi thingy the provider gave us handy so teach the missis to plug it into the switch on a particular port and possibly already have the config all done so that private wifi devices get internet access.

I went through a lot of those text messages "hun internets down again" over the years... I've got so many scripts and failsafes in the Linux VM that it really is virtually impossible for it to go down, and the server is rock solid stable; even a power cut doesn't faze the setup with the UPS there, and if power does come back after a long duration the server will fire back up and everything is back to normal.

I definitely became a wise home sysadmin over the years... even wrote a few PHP pages running off websockets to give the missis some 'direct control' of custom functions such as turning the VPN off or adding addresses to bypass the VPN etc.
 