Tuesday, May 20, 2014

Fortinet Fortiwifi 60D review




1) Intro
2) Features
3) Setup
4) Wireless configuration
5) Throughput tests (Wireless/Wired)
6) Closing Notes

Intro: The Fortinet 60D is an enterprise-level office security appliance: a robust, full-featured router/firewall that is somewhat affordable for small to medium businesses, has lots of features, and can tolerate the heavy usage that enterprises require.

Features: The 60D features the following:
1) Layer 7 firewall controls with tons of site blocking presets to help block against P2P, sports, social media, video streaming sites and more as well as custom hostnames and expressions.
2) 7 wired Gigabit LAN ports
3) 2 x 3.5dBi dual band external SMA antennas with 17dBm output power
4) SSIDs with configurable VLANs for each one, providing more security than standard guest networks
5) Dual band 2.4GHz or 5GHz operation with 2 x 2 MIMO connectivity at up to 300Mbps
6) Full VLAN configuration
7) Per port VLAN
8) Full and extremely detailed traffic shaping (QoS) and firewall controls
9) Full client connectivity details and monitoring.
10) Network wide bandwidth monitoring. You can see how much bandwidth all clients in the network are using as well as the WAN interface.
11) Fixed and DHCP client address assignments
12) Cellular 3G/4G failover via the USB port with separate firewall and traffic shaping
13) Fully customizable user/group policies
14) WAN uplink selection based on traffic type
15) And lots more



Setup:
You have to manually add the WAN interface using the policies and assign a static IP to the WAN interface per this guide: http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install-basic/cb_install-nat.html This REALLY should have been specified in the quick start guide. A small business owner who gets this firewall is going to overlook this and have to call up the company. I also had an issue with the WAN interface, so I had to get an RMA on this unit, as the rep said it should not have issues with a cable modem connection and should have automatically obtained the IP address.

1) Power brick was very thoughtfully designed. It has the brick inline like a laptop’s power connector rather than on the plug itself, so you don’t have to block an outlet on your power strip/UPS!
2) Could not configure to our cable modem connection with the first test unit. Had to get an RMA since the rep told me it should not have issues at all.
3) New unit: it is working. Got it quick as well with overnight from CA.



Let's take a look at the really helpful status page that tells us all our status. It also shows CPU usage, memory usage, and disk usage.




Let's take a look at the really helpful Traffic report page that tells us what uses the most traffic on the network:



Wireless Configuration: The 60D has a very different wireless configuration than consumer class routers. Wireless LANs are separated by default and MUST have a separate subnet and IP range. To have the wireless clients communicate with the wired LAN you must create a software switch, and it MUST be configured before any DHCP or other interface policies are created and bound to ANY interfaces, or the software switch option will NOT let you add it. I really don’t think this is a good idea for Fortinet to have it like this. If your network needs change a lot this can be a pain. Companies that change their needs frequently will not like having to undo the interface binds to create the virtual switch.

Also, the WLAN radio is very underpowered at only 17dBm, while the Meraki MX60W was 30dBm and the Amped RTA15 was 27dBm.


Here’s the WLAN config screens:
Radio Settings:

The 60D supports WPA/WPA2 and supports PSK and Enterprise authentication types that can be different for each SSID. Selecting “Enterprise” allows you to use Fortinet Authentication, which allows you to define a username and password rather than a static key, allowing for finer control over your wireless network. User based controls allow you to define limits PER USER so that if, let’s say, they get fired, you just delete their user account and do not have to change the ENTIRE NETWORK’S encryption key.

One thing I do wish the 60D had was simultaneous dual band operation. The operation is either 2.4GHz OR 5GHz and NOT both. However, it runs at 40MHz (5GHz), allowing for higher throughput.

One thing I will note is that it has something called “wireless profiles”, which has pre-done settings for several other Fortinet products. However, in order to adjust some wireless settings you have to configure them in the profile, and they are missing from the main WLAN config screen. This could be messy and hard to keep track of.

Also if you want to set a static IP or alter the DHCP lease times you can NOT edit them using the GUI. It must be edited with the CLI.
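
The two CLI-only points above (the software switch has to exist before anything is bound to its member interfaces, and DHCP lease times and static assignments are not in the GUI) as an added example, not taken from the original review or from Fortinet documentation. It uses FortiOS 5.x-style syntax; the names `lan-sw`, `internal` and `wifi`, the addresses and the MAC are assumed placeholders, and the `#` lines are annotations for the reader.

```fortios
# Added example, not from the original review. Interface names, addresses
# and the MAC address below are constructed placeholders.

# 1) Create the software switch FIRST. "internal" and "wifi" must not yet be
#    referenced by any firewall policy or DHCP server; remove those bindings
#    beforehand if the setup wizard already created them.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "internal" "wifi"
    next
end

# 2) Give the switch interface the LAN gateway address.
config system interface
    edit "lan-sw"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 3) Only now bind DHCP to the switch. Lease time (in seconds) and the
#    static (reserved) assignment are set here rather than in the GUI.
config system dhcp server
    edit 1
        set interface "lan-sw"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set lease-time 86400
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.199
            next
        end
        config reserved-address
            edit 1
                set ip 192.168.10.50
                set mac 00:11:22:33:44:55
            next
        end
    next
end
```

Firewall policies are then written against `lan-sw` rather than its member interfaces, so wired and wireless clients share one policy set and one subnet.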





BUGS:
Found a really odd bug in the Fortinet. It lets you have a different internal IP address than the range you define in the "DHCP settings" area of the setup wizard. Then, when you go to correct it in the web GUI, it won't let you and displays the message "IP address is the same as the others", and it doesn't let you correct it with the CLI until you re-run the wizard, correct it there, and redo the other settings! How did they NOT catch that?!


Support experience:

Had a call scheduled for between 1-2PM Eastern time. Rep called on time at 1:16PM. Rep was nice enough. We had a GoToMeeting session and he took remote control and was able to confirm some settings. One thing he did note was that the wizard did not give a good configuration for one of the interfaces, so he helped me change that. Rep did not really seem to care about the Firefox issue though. Support experience 7.2/10


Firewall Config options:
Policies:

Services:



Traffic Shaping:
You can do traffic shaping to make sure each client has equal bandwidth, and also to make sure certain clients that are more important (important servers, mission critical workstations, etc.) have more bandwidth than other clients. Very useful.



Throughput Tests: (Wireless)
I will be using LAN Speed test for the throughput tests and PRTG to generate the graphs. It also is a comprehensive enterprise level network monitoring software and it can record uptime, transfer rates, errors, etc.

Test environment: (Set 1)

Specs of Building: This is going through about 32 ft through 2 walls, a solid all-wood dresser, and a chimney. The room has plaster walls in some places.

Specs of server (my machine in the same room as the 60D): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client (remote machine in other room): AGNXAndrakon/AMD Phenom 9650/4GB Corsair XMS2 DDR2 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Amped Wireless ACA1 USB WLAN connection: USB3 via a PCI-Express addon card.


5Ghz 802.11mode: Channel 161 -62dBm

LAN speed test: 25 stream 6GB file: 4Mbytes/sec or 32Mbits/sec


2.4 GHz 802.11n mode: Channel 6 -64dBm

LAN speed test: 25 stream 6GB file: 3Mbytes/sec or 24Mbits/sec




Test environment: (Set 2)
Specs of Building Test Run 1: 16Ft away thru a wood door hallway right outside the office where the 60D is located.

Specs of server (my machine in the same room as the 60D): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client: HP2000-412NR/AMD E300/8GB DDR3 RAM/300 GB HDD/AMD RADEON 6310/Windows 7 x64 Home Premium/RalinkRT5390 WLAN

2.4 GHz 802.11n mode: Channel 11 -38dBm



LAN speed test: 25 stream 6GB file: 4Mbytes/sec or 32Mbits/sec




Throughput tests (Wired):

Specs of server (my machine in the same room as the 60D): Intel i5 3570K/16GB Corsair XMS3 DDR3 1600 RAM/Nvidia Geforce 650Ti/Samsung 840 120GB SSD/Windows Server 2012 Standard/Realtek GBE NIC

Specs of client: GrumpyCat/AMD Phenom 9550/4GB DDR2 RAM/500GB SSHD /Nvidia Geforce 8800GT/Windows 8.1 Enterprise 64 bit /NVIDIA nForce Networking Controller








LAN speed test: 25 stream 6GB file: 115Mbytes/sec or 920Mbits/sec






Conclusion: 

The Fortinet 60D Security Appliance is 
Pros:
- High wired performance throughput
- Excellent management software with lots of options
- Very robust security controls and options
- 3G/4G failover via USB dongle

Cons:
- Harder to get WAN connectivity than the Meraki MX60W, which was instant
- Pricey
- Low WLAN performance and throughput and not very powerful transmit
- No USB storage
- Not concurrent dual band WLAN. Must be 5 or 2.4GHz and not both at the same time.
- UI seems to be a bit dated, and clunky at times with Firefox issues.


Rating:  5/10 
Recommended: No