Strengths: Superb range of security features, easy to deploy, policies and profiles make it very versatile, excellent local and remote reporting services, top value
Weaknesses: Cooling fans very noisy
Verdict: Don’t be fooled by its size as the FortiGate 111C offers an incredible range of security measures and teams them up with excellent reporting facilities and extreme value
Aimed at SMEs and remote office deployments, Fortinet's FortiGate 111C offers a range of security measures that defies belief. Another benefit is that all features are developed by Fortinet, so it doesn't rely on any third-party services.
The 111C provides eight switched Fast Ethernet LAN ports plus a pair of Gigabit WAN ports, and supports both NAT and transparent modes. It employs the FortiASIC system processor, but the cooling fans are noisy so small offices will want this in a cabinet.
At its foundation, the 111C provides a high-performance SPI firewall along with support for IPsec and SSL VPNs. A standard feature of all FortiGate appliances is their integral wireless controller so you can centrally manage FortiAP devices.
Extra security features include protection against viruses, spyware and malware, plus IPS, web filtering, traffic shaping and application controls. You can also add DLP (data leak prevention), endpoint protection and vulnerability scanning.
Two appliances can be teamed up for high availability, and they can perform WAN optimisation for site-to-site links. The appliance has a removable drive carrier at the rear for an optional 64GB SSD, which is used as a high-speed web cache, log store, archive and quarantine area.
The appliance claims a high IPS throughput of 450Mbps. To test this we hooked it up to the lab's Ixia Optixia XM2 chassis equipped with two Xcellon-Ultra NP blades, and saw throughput settle at nearly 460Mbps.
We used the transparent mode and placed the appliance between the lab's LAN and internet connection. The main web interface is very well designed, making features easy to locate and configure. The LAN ports are normally configured as a single interface with one address for the entire switch, but the Interface mode allows you to assign different subnets to each port. The pairing feature also allows two ports to be bound together so you can apply specific security policies.
The console's dashboard provides a wealth of information about real-time activity, and its use of widgets means it can be easily customised. Widgets include graphs for traffic history, top applications and sessions, SSD usage and system resources.
Firewall policies control traffic and services between selected interfaces and port zones, and each can contain various UTM profiles. For web filtering, Fortinet provides eight main URL categories and nearly 80 subcategories. For each category and subcategory you can opt to log, block, allow, warn or require user authentication. Options are also provided for enforcing web usage quotas, activating the Safe Search feature and scanning HTTPS traffic.
Anti-virus profiles define which protocols you want scanned and if you want infections to be removed or quarantined. DLP sensor profiles are used to look out for file types, file sizes, fingerprints, conditions or expressions such as credit card numbers. Files are fingerprinted by uploading them to the appliance or pointing it at a remote store where it will generate a checksum for each one.
Vulnerability scans use asset definitions based on IP addresses and ranges and can include Windows and Unix authentication details. Scans can be run on demand or to a schedule, and the results viewed from the web console. The FortiGuard anti-spam measures are managed using profiles that define the mail protocols to scan and how to handle spam.
Using Outlook clients, we created rules to move tagged messages to separate local folders and left the appliance scanning live email for three weeks. We recorded only eight false positives and a 99 per cent spam detection success rate.
Application profiles also use sensors for selected apps, and the appliance has nearly 2,000 predefined ones to choose from. Control options are very good, as you can log and monitor app usage, block apps, reset the client connection, or limit bandwidth.
Fortinet's FortiAP wireless devices can be managed easily by the 111C and the web console has a separate section for these. As they come online, the appliance automatically identifies them and applies predefined policies. Rogue AP detection comes as standard and you can even use the appliance to suppress rogue APs. Rogues are listed in the web interface and, with suppression selected, they and any associated clients will be forced off the network.
Extensive logging and reporting features can be used to create quite detailed web reports on areas such as bandwidth, application, web, email and VPN usage. If you want more, the FortiGuard Analysis and Management Service is highly recommended. Multiple appliances at remote offices can be managed centrally via FortiManager.