Built-in AV; excellent management.
Lots of additional tools can make policy generation difficult.
Dual-blade chassis makes it simple to upgrade capacity and have a hard-wired failover link; suitable for any environment.
Fortinet's FortiGate 5020 is built using a powerful chassis containing dual, hot-swappable power supplies as standard, building in redundancy. The chassis can also house two 5001 blades, each of which comes with four copper Gigabit Ethernet ports and four small form-factor pluggable (SFP) ports.
The 5020's backplane provides a continuous connection between both blades for active-active or active-passive failover.
Each blade can be managed individually through its web-based management interface, or you can use the optional FortiManager application. This gives a single, centralized point of management for all FortiGate products, including role-based administration.
We stuck with the excellent web-based management. Firewall rules can be created based on ports, but you can also create logical zones. As these encompass multiple ports, it is easier to define your network, especially as changes will not affect policy.
Rules are simple to create and Fortinet has some additional tools up its sleeve. As well as the firewall, the appliance also comes with Fortinet's own-brand antivirus software as standard, which is automatically updated with the latest signatures.
There is also intrusion prevention, anti-spam via real-time blacklist and keyword filtering, and web filtering via user-entered URLs and keywords.
If this sounds like a lot of work, you can use the optional FortiGuard service, where you can block websites by category. You can create attack profiles, which define how you want to scan traffic, and you can choose to apply traffic shaping to each rule, preventing any one service from hogging too much bandwidth. VPNs are no problem, with encryption accelerated and support for up to 10,000 tunnels.
As far as firewalls go, this is an expensive product, but the port flexibility, dual blades and range of features mean it has enough throughput and security to deal with very large networks.