Fortinet 60C Experiences


Patrick

Possibly a longshot, but I'm now trying to figure out the networking side of the colo experience. Likely will have 30-100 Mbps uplink and the two thoughts are:
  1. Get a 24 port switch, use VLANs and work from there
  2. Get a firewall appliance like a Fortinet 60C (or two) then just put a dumb 24 port switch in the infrastructure.

Does anyone have thoughts on this type of setup?
 

nitrobass24

Haven't used the Fortinet, but most of the UTM stuff seems pretty comparable. I had a Zyxel USG1000 for a while and I really liked it.

Also, I think option 1 is a terrible idea...you are asking for someone to mess with you.
 

Patrick

I certainly respect and appreciate your criticism in this area. So think 1 would be OK? Does it make sense to do a HA setup? Guessing no since I have only one switch and power budget is tight.
 

sboesch

> I certainly respect and appreciate your criticism in this area. So think 1 would be OK? Does it make sense to do a HA setup?

I am a believer in HA. Active Active may be overkill. I run Active Passive w/ 2 Juniper SSG-140s, I tested the failover and it was so fast that I could not even tell it happened.
As for the networking portion, I believe that network segregation is imperative and VLANs are the way to go for the isolation subnets, iSCSI, etc. I have been deploying Dell switches throughout my datacenters and offices, I currently have 3 24-port 2624's stacked at my Colo, and they are pretty cheap.
 

nitrobass24

I would start with just the one for now. Doesn't sound like you have much redundancy elsewhere, so I'm not sure doing HA on your perimeter device is worth the extra cost. Especially since you would have to buy double the subscription for the UTM features. Your money is probably better spent on something else.
 

nitrobass24

> I am a believer in HA. Active Active may be overkill. I run Active Passive w/ 2 Juniper SSG-140s, I tested the failover and it was so fast that I could not even tell it happened.
> As for the networking portion, I believe that network segregation is imperative and VLANs are the way to go for the isolation subnets, iSCSI, etc. I have been deploying Dell switches throughout my datacenters and offices, I currently have 3 24-port 2624's stacked at my Colo, and they are pretty cheap.

Just for the record, I was not suggesting to not subnet your resources... but was simply saying that setting up VLANs is not a replacement for a perimeter device. :)
 

Patrick

> I am a believer in HA. Active Active may be overkill. I run Active Passive w/ 2 Juniper SSG-140s, I tested the failover and it was so fast that I could not even tell it happened.
> As for the networking portion, I believe that network segregation is imperative and VLANs are the way to go for the isolation subnets, iSCSI, etc. I have been deploying Dell switches throughout my datacenters and offices, I currently have 3 24-port 2624's stacked at my Colo, and they are pretty cheap.

How much power do the SSG-140's consume? I was looking at the SGX 240 and they are like 61w but 150w maximum (I think you need to add cards though).
 

Patrick

So I was given a "heads-up" that I may not want to buy a 60C. Turns out that the FortiGate 60D was released this week. So new I didn't even get pricing details at their offices today. Looks like a big upgrade over the 60C and makes the 80C look fairly old. The Fortinet guys suggested I buy 2x 100D's. Not sure if I need $3000 of firewall to secure the servers... Even if I consolidate the forums and the main site.
 

sboesch

> How much power do the SSG-140's consume? I was looking at the SGX 240 and they are like 61w but 150w maximum (I think you need to add cards though).

It seems I missed this. I honestly don't know. Power is part of the price at Expedient where my Colo is, so I never took it into consideration.
 

nitrobass24

Again I would start with one. At a colo your need for HA is limited. If there is a service provider issue, your SLA with your colo should handle failover to one of their other providers.
 

Patrick

> Again I would start with one. At a colo your need for HA is limited. If there is a service provider issue, your SLA with your colo should handle failover to one of their other providers.

More worried about what happens if the Fortinet box dies OR if there is an Ethernet port failure or something.

sboesch - 1/4 cabs typically come with 5A. Buying more is not an issue, except that costs go up. I'm a bit concerned/interested to see what the C6100 pulls to figure out how much overhead I have.
 

Mike

How about another uplink as a failover and a dual-NIC box just for that purpose? No real need for a redundant firewall setup at this stage if you ask me. Just thinking out loud.
 

nitrobass24

> More worried about what happens if the Fortinet box dies OR if there is an Ethernet port failure or something.

Missed this.

I see what you mean, especially since LAS is not exactly down the street, but unless you have two network drops will that matter if the box dies?
Honestly on these things, you just don't see port/box failure rates like we used to.
 

Patrick

> Missed this.
>
> I see what you mean, especially since LAS is not exactly down the street, but unless you have two network drops will that matter if the box dies?
> Honestly on these things, you just don't see port/box failure rates like we used to.

Appreciate your insights in this one. The second network drop is something that can be had fairly inexpensively. A lot of the units even have dual WAN ports even in the $500-800 range.