Forti-Savings : How to manage Fortigates

Soon after adopting and purchasing Fortinet FortiGate firewalls of various sizes and performance levels, I calculated that after a few years of ownership, IF you maintain the Support/Subscription on the devices, you can dramatically reduce your cost of ownership by replacing your current firewall appliances with the newer, smaller models, and at the same time benefit from better overall performance.

Here’s what I learned over the years. First, I would like to point out that I always purchased FortiGates in pairs to leverage their High-Availability (HA) capabilities, so in my examples the cost will always be multiplied by two.

If you purchased 2 x FortiGate Model FGT-ABC for a medium-large network, paid $55,000 for each appliance, and optioned it with full Support & UTM subscription services for 1 year, here is what it would cost you to operate over 5 years (not including taxes).

Knowing that 7/24 Service/Support/Replacement costs 25% of the original purchase price per year, and that the FortiGuard (UTM) subscription is an additional 20% of the original purchase price per year, here are two scenarios comparing the cost of “Keeping” vs. the cost of “Updating”:

Scenario (A)

Year 1) Purchase FGT-ABC: $55,000 X 2 = $110,000
Year 2) – Service/Support renewal: 25% of original purchase price = $27,500
– FortiGuard Subscription renewal: 20% of original purchase price = $22,000
Total cost for year 2 renewals: $49,500
Year 3) Exactly the same as Year 2 = $49,500
Year 4) Same as Year 3 = $49,500
Year 5) Same as Year 4 = $49,500
At the end of 5 years, your cost of ownership will be: $308,000 (plus taxes).

Now, let’s consider that at year 3, Fortinet releases a new model FGT-XYZ, costing $25,000 each (with 1 year of Service/Support/FortiGuard), and these new models outperform your current FGT-ABC in every metric of the FortiGate matrix. Would it make more sense to purchase these newer models at year 3? Let’s calculate the cost of ownership (COO).

Scenario (B)

Year 1) Purchase FGT-ABC: $55,000 X 2 = $110,000
Year 2) – Service/Support renewal: 25% of original purchase price = $27,500
– FortiGuard Subscription renewal: 20% of original purchase price = $22,000
Total cost for year 2 renewals: $49,500

Year 3) Purchase FGT-XYZ: $25,000 X 2 = $50,000
Year 4) – Service/Support renewal: 25% of the new purchase price ($50,000) = $12,500
– FortiGuard Subscription renewal: 20% of the new purchase price ($50,000) = $10,000
Total cost for year 4 renewals: $22,500
Year 5) Same as Year 4 = $22,500

At the end of 5 years, your cost of ownership would be: $254,500 (plus taxes).

If we compare the COO of scenario (A) vs. scenario (B), which gives you the very same firewall performance and benefits or better, adopting scenario B at year 3 saves you $53,500. You can further increase your savings by purchasing a multi-year Support/FortiGuard bundle at purchase time, which reduces your cost of ownership again.
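The two scenarios above as a small, parametrized model (an added example, not from the original article): it reproduces the article's $308,000 / $254,500 figures with the article's 25% + 20% renewal assumption, and also goes one step further by computing the break-even price of the replacement model for a given swap year.

```python
# Added example: 5-year cost-of-ownership (COO) model for an HA pair of FortiGates.
SUPPORT_PCT = 25     # yearly 7/24 Service/Support renewal, % of purchase price
FORTIGUARD_PCT = 20  # yearly FortiGuard (UTM) renewal, % of purchase price
HA_PAIR = 2          # appliances are always bought in HA pairs (article's assumption)


def yearly_renewal(pair_price):
    """Support + FortiGuard renewal for one year, in whole dollars."""
    return pair_price * (SUPPORT_PCT + FORTIGUARD_PCT) // 100


def cost_of_ownership(unit_price, years=5, replace_year=None, replace_unit_price=None):
    """Total cost of an HA pair bought in year 1, optionally swapped for a cheaper
    pair in `replace_year` (first year of support/FortiGuard bundled with purchase).
    Renewals are always a percentage of the price of the pair currently deployed."""
    pair_price = unit_price * HA_PAIR
    total = 0
    for year in range(1, years + 1):
        if year == 1:
            cost = pair_price                   # initial purchase, 1 year included
        elif year == replace_year:
            pair_price = replace_unit_price * HA_PAIR
            cost = pair_price                   # new pair, 1 year included
        else:
            cost = yearly_renewal(pair_price)   # renew against the current pair price
        total += cost
    return total


def savings(unit_price, replace_year, replace_unit_price, years=5):
    """Scenario A (keep) minus scenario B (replace); negative means replacing costs more."""
    return (cost_of_ownership(unit_price, years)
            - cost_of_ownership(unit_price, years, replace_year, replace_unit_price))


def breakeven_unit_price(unit_price, replace_year, years=5):
    """Highest per-unit price of the new model at which a swap still breaks even.
    With n years left (swap year included) and renewal rate r, keeping costs
    r * old_pair * n while replacing costs new_pair * (1 + r * (n - 1))."""
    r = (SUPPORT_PCT + FORTIGUARD_PCT) / 100
    n = years - replace_year + 1
    new_pair = r * unit_price * HA_PAIR * n / (1 + r * (n - 1))
    return new_pair / HA_PAIR


if __name__ == "__main__":
    print("Scenario A (keep FGT-ABC for 5 years): $", cost_of_ownership(55000))
    print("Scenario B (FGT-XYZ bought in year 3): $", cost_of_ownership(55000, 5, 3, 25000))
    print("Savings from the year-3 swap:          $", savings(55000, 3, 25000))
    print("Break-even unit price for a year-3 swap: $%.0f" % breakeven_unit_price(55000, 3))
```

Change `replace_year` or `replace_unit_price` to test a year-4 swap or a pricier model; any unit price above the break-even value makes `savings` negative.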

By updating, I don’t mean getting the latest revision of the same model you already own; I mean downsizing to a smaller model which offers equal, or in most cases much better, performance. Fortinet will ALWAYS manufacture products which outperform the previous model, year after year.

IT people are seen as a cost centre, but that doesn’t prevent you from coming up with a few good ideas to save the company money once in a while! Saving a few thousand in a large company is not worth mentioning, but if you save enough to pay for your salary, and it requires little of your time to do it, I’m sure upper management would like to know.

Fortinet Firewalls Pros & Cons:

Pros: i) Fortinet designs and manufactures its own chips (NP, Network Processors) to offload specialized functions from the CPU to the NP chipset. This allows Fortinet to outperform competitors’ firewalls at a similar price point.
ii) Fortinet’s entry level is cheap compared to similar competing firewalls, simply because Fortinet counts on Service & FortiGuard renewals to generate profits. Fortinet also uses cheaper (made in China) parts. Which company doesn’t!?

Cons: i) Fortinet updates its ASIC and NP technology very often, making your investment in FortiGates obsolete in little time. For example, Fortinet might release a new version of its OS that requires your NP to be at the latest version. If your NPs aren’t at the latest version, you can’t upgrade to that OS version. It’s sort of built-in obsolescence by design.
ii) Check Fortinet’s EOL (End of Life) product cycle before purchasing any of their products. Have your reseller explain Fortinet’s product life cycle to you. It can be a bit tricky to understand and is essential to making the proper purchase decision.
iii) Power supplies: if your mission is critical, always purchase a secondary power supply for your FortiGates (when available). Over 95% of FortiGate failures were due to weak/cheap power supplies.
iv) Fortinet’s support has been known to be less than stellar. It is not a secret that if you open a support ticket with Fortinet, you feel like they are pressed to close the ticket ASAP without investing themselves in trying to propose viable solutions. I would recommend contacting your reseller’s support for any issues, simply because THEY have a vested interest in making you happy.

The Fortigate product matrix

Fortinet publishes a document called the FortiGate Matrix which compares the performance of all of its firewalls, and that document will allow you to create various scenarios to see if there are savings to be had by replacing your current firewalls with newer ones. With any FortiGate firewall purchase of $5,000 or more, it’s worth doing the scenario exercise once a year. I recommend doing this cost analysis at least 6 months prior to your Service/FortiGuard subscription expiration dates, giving you enough time to make your decision, get it approved and schedule a firewall swap.

Port density consideration

I originally allocated one Gigabit port to each VLAN within my network, and the more VLANs I had, the more built-in ports I had to acquire on the FortiGate. At a certain point, managing 50+ VLANs this way becomes cost prohibitive. A simple way to avoid paying for a high number of ports is to aggregate ports together and create virtual (VLAN) interfaces within that aggregation. This said, an 8 Gigabit port firewall would be plenty for most needs:

Example:
4 aggregated gigabit ports for internal VLANs
1 aggregated gigabit port for internet (WAN) links
1 gigabit port for out-of-band management (MGMT VLAN)
1 gigabit port for direct management (laptop)
1 gigabit port for HA (if you use it)

Recent mid- to high-end FortiGates offer 10/40/100 GE ports, allowing you to achieve very high throughput between internal VLANs on 1 or 2 aggregated ports. So high port density is no longer a consideration, unless you have a specific reason to allocate one port per network (VLAN).

If you use multiple VDOMs, I cooked up an architecture which will allow you to use as many VDOMs as you wish without running out of physical ports. I will write an article about this a bit later.

Firewall upgrading tip

Changing FortiGate firewalls every few years is not a big deal. Each time I purchased a newer model to replace my existing ones, the reseller imported the configuration into the new firewalls free of charge.

Fortinet used to offer a tool (FortiConverter) to export/import configurations between FortiGate models (and from other sources), but stopped giving it away for free and now only supplies it to resellers. Most of the configuration export/import work has to do with interface IDs/names anyway. If you do many FortiGate export/imports, or want to migrate your configuration from another vendor to a FortiGate, you can purchase this tool from Fortinet for approx. $5,000/year, but if your reseller offers this service for free, you might as well take advantage.

Memory issues

Having used FortiGate products for many years now, I found that one of the most frustrating “bad designs” of every FortiGate is its lack of properly sized memory for the number of features it offers. Upon enabling any statistics/report feature, memory usage skyrockets in such a way that the appliance often falls into protective mode and disables non-critical features, such as the possibility of logging on to the firewall to manage it. If that’s not enough, Fortinet puts glue on the RAM chips to prevent you from upgrading the RAM on their devices, and voids your warranty/coverage if you do. That is a stupid practice.

Fortinet has a tendency to offer features on its firewall first, and then move that feature to its own specialized appliance after a few years. The statistics and reporting functions are now part of the FortiAnalyzer, whose feature set is too rich and too large to be hosted on a FortiGate firewall.

Also, since more and more protocols are being encrypted at the source, applying UTM filters on firewall policies is becoming completely useless, and dropping them saves firewall performance and memory.

Use a SIEM, not a FortiAnalyzer

I have been disappointed with purchasing FortiAnalyzers. Those appliances did not provide me with what I need to properly manage a network, but did provide nice graphics/reports for the C-level crowd.

My recommendation is to spend your money on a SIEM server and send all your logs to it. “Splunk” is a popular software choice when it comes to SIEMs, and if you are agile with its filtering language, you can really extract critical information from your logs. Splunk certainly helped me troubleshoot, find root causes and expose security risks over the years.
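To make the "extract critical information from your logs" point concrete, here is an added example (not from the original article, and not Splunk code) that parses FortiGate traffic logs in their syslog key=value format and runs one simple detection over them: sources whose denied connections hit several distinct destination ports. The log lines are constructed samples, and the device name, addresses and threshold are made up.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate traffic-log lines (syslog key=value format); not real logs.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.20.1.15 srcport=51324 dstip=203.0.113.9 dstport=443 proto=6 action="accept" policyid=12 service="HTTPS"',
    'date=2024-01-15 time=10:01:05 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.20.1.77 srcport=44001 dstip=10.30.0.8 dstport=22 proto=6 action="deny" policyid=0 service="SSH"',
    'date=2024-01-15 time=10:01:06 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.20.1.77 srcport=44002 dstip=10.30.0.8 dstport=445 proto=6 action="deny" policyid=0 service="SMB"',
    'date=2024-01-15 time=10:01:07 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.20.1.77 srcport=44003 dstip=10.30.0.8 dstport=3389 proto=6 action="deny" policyid=0 service="RDP"',
    'date=2024-01-15 time=10:02:40 devname="fw-edge" type="traffic" subtype="forward" '
    'srcip=10.20.1.15 srcport=51330 dstip=10.30.0.8 dstport=23 proto=6 action="deny" policyid=0 service="TELNET"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict; quoted values lose their quotes."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def deny_counts(lines):
    """Denied sessions per source IP: the classic SIEM 'top denied talkers' query."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "traffic" and rec.get("action") == "deny":
            counts[rec["srcip"]] += 1
    return dict(counts)


def denied_port_sweep(lines, min_ports=3):
    """Detection: sources whose denied traffic touched at least `min_ports` distinct
    destination ports (a hypothetical threshold). Returns {srcip: sorted ports}."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "traffic" and rec.get("action") == "deny":
            ports_by_src[rec["srcip"]].add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print("denies per source:", deny_counts(SAMPLE_LOGS))
    for src, ports in denied_port_sweep(SAMPLE_LOGS).items():
        print(f"{src} was denied on {len(ports)} distinct ports: {ports}")
```

The same two queries are one-liners in a SIEM search language; the point of the script is to show what fields a FortiGate line actually carries and how little logic the useful alert needs.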

If you do not want to learn a SIEM language, then I might recommend a cloud-based service like “CrowdStrike’s Falcon”, which offers pre-configured cybersecurity-oriented filters, offers alerts that can make your job less stressful, and is backed by a small army of security specialists and researchers working for that company.

Conclusion

I hope you understand how important it is to stay on top of Fortinet’s new product development, and how upgrading (downsizing) your FortiGates can save you a lot of money. I personally have taken out FortiGate 3200s, which cost a fortune to renew each year, and replaced them with FortiGate 500s, which offered better performance and saved the company enough money to cover most of my salary. Unfortunately, if you work for a company with low morals, your CFO might claim it was his idea in the first place. Just make sure you socialize these money-saving downsizings yourself and don’t let someone else claim the prize.

That was my view.
Cheers and beers.
