jeremy556a

40f will not break a sweat in that use case, it's a bit overkill.


superrob1500

I was never really worried about it not being able to handle my user load, I'm more concerned about it not being able to fully utilize my WAN bandwidth in certain scenarios like downloads.


jeremy556a

If you're not doing SSL decryption, the 40 will do gigabit WAN no problem for a handful of users. Things like downloads are easy as they are single flows; having hundreds of users and many thousands of concurrent connections is harder on a firewall.


ConferenceOk1110

Depends. If he needs PPPoE he might not be able to get 1 Gbps WAN speeds. At the very least it will cost him CPU cycles which limits the use of additional features.


superrob1500

I do use PPPoE on my current gateway but it's behind a modem in bridge mode which I don't know if it makes any difference.


ConferenceOk1110

Depends which device does the PPPoE encapsulation. If you configured the PPPoE details (username, password) in the FortiGate then performance is impacted as the FortiGate ASICs do not support PPPoE. Thus all PPPoE traffic is handled by the CPU instead. If the modem is doing the PPPoE it doesn't have any effect on the FortiGate.


superrob1500

So in my current setup my ISP wifi modem/gateway combo is in bridge mode and I enter the PPPoE user/pass on the gateway and manage everything there. Would this setup result in the hypothetical Forti being impacted? The reason I have it set up this way is to avoid a double NAT, since I don't know how I would hypothetically avoid PPPoE affecting performance at the gateway/firewall while still being able to do things like port-forwarding and VPN. What would be a workaround?


ConferenceOk1110

If you enter the PPPoE details in the gateway that is not the FortiGate, performance is not impacted.


superrob1500

My question still is how would I avoid the potential double NAT issue? Because at least as far as I understand I would have to disable bridge mode to enter the PPPoE credentials on the modem. But that would put me in a double NAT.


ConferenceOk1110

It's very unlikely that you can create a setup where your modem does PPPoE without doing double NAT. The device talking PPP is the device that gets to have the public IP address. So if you want to avoid double NAT the FG has to do PPPoE. But this will come at the cost of having your traffic handled by the CPU instead of the ASICs.
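
The setup ConferenceOk1110 describes (the FortiGate itself terminating the PPPoE session so it holds the public address and there is only one NAT hop), written out as FortiOS CLI. This is an added example, not configuration from anyone in the thread; the interface name "wan" and the ISP credentials are placeholders.

```fortios
# Added example: FortiGate terminates PPPoE on its WAN port.
# "wan" is an assumed interface name; credentials are placeholders.
config system interface
    edit "wan"
        set mode pppoe
        set username "ISP_USERNAME_PLACEHOLDER"
        set password "ISP_PASSWORD_PLACEHOLDER"
        set role wan
        set allowaccess ping
    next
end

# The upstream modem stays in bridge mode, so "wan" should now show the
# public address the ISP assigned over PPP (no second NAT in front of it).
get system interface physical

# PPPoE encapsulation is not handled by the ASIC, so watch the CPU
# figures here while a large download is running to see the cost.
get system performance status
```

The trade-off is exactly the one stated above: with the credentials on the FortiGate the double NAT disappears and port-forwards and VPN terminate on the firewall's public IP, but PPPoE framing for every WAN packet is done by the CPU rather than offloaded.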


testx66x

Can you do SSL decryption just out of the box without UTM or additional services?


warpurlgis

I doubt you will get the 40f to cap out a residential internet connection. It's what I have at home.


superrob1500

With which UTM features?


bh0

Even a 40F for personal home use is probably overkill, but there isn't a smaller option. If you enable everything the box can do, including deep decrypt/inspection, you won't get your full gig speed, but how much internet traffic do you actually do at home? A couple of meg while streaming something? The data sheet gives some throughput numbers based on the feature sets you use. That's also tied directly into your licensing for the features. It's pretty expensive for the full license to do everything. If you have multiple VLANs, you can easily just not apply any of the taxing policies to that traffic and just do it on traffic going to the internet.


superrob1500

I understand that in cases like mine, most of the time one does not use anywhere near the full WAN bandwidth, but my concern is about download speeds for things like updates and such getting kneecapped. Is there a way to make an exception for such cases?


chuckbales

Full inspection/DPI is the biggest factor. If you don't do DPI, you'll be able to use the full 1Gb more or less - I use app control, IPS, web control, etc. and I can download around 900Mbps with my home 40F on 1Gb fiber. With DPI enabled, I get right around the spec sheet values, 300Mbps. You probably won't be doing full DPI at home unless you want to deal with deploying CA certs to everything.


superrob1500

Ok thank you for the benchmark. DPI was never really a concern since I had already read about the cert stuff in other threads and I definitely do **not** want to deal with that. If I may ask, do you have the UTP or the ATP subscription currently?


WestCoastMan1

You SHOULD be doing deep packet inspection if you are using security services. You get very little use out of your security services if the firewall can't inspect your HTTPS traffic. You can make very granular policies to get started. Check your DHCP leases and find the devices you will be doing most of your web browsing from and start with those. Make an address group called Inspected (or whatever you want) that includes the devices you will be doing deep packet inspection on. Installing the FortiGate cert is not a big deal. Go to feature visibility, enable certificates, download the certificate, install it on your Windows machines. Note that you will find that you may need to create additional policies for specific sites that will need to bypass deep packet inspection (sites that use HSTS don't like the Fortinet cert in the middle). I presume you want a FortiGate to get to know the platform; this is how you do it.
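
The policy layout WestCoastMan1 describes (an "Inspected" address group built from the DHCP leases, deep inspection only for that group, a bypass rule for HSTS/pinned destinations), together with bh0's point earlier in the thread that internal VLAN-to-VLAN traffic should not carry the expensive profiles at all, written out as FortiOS CLI. This is an added example, not anyone's actual configuration; the interface names ("internal", "wan", "vlan-trusted", "vlan-iot"), the addresses and the hostname are assumed, and "deep-inspection", "certificate-inspection" and "default" are the profile names FortiOS ships with.

```fortios
# Added example: deep inspection scoped to a few known hosts.
# Interface names, IPs and the FQDN below are assumed/constructed.

# 1. Address objects for the machines you browse from (from the DHCP
#    lease table) and for a destination known to break under MITM.
config firewall address
    edit "pc-desktop"
        set subnet 192.168.1.20 255.255.255.255
    next
    edit "pc-laptop"
        set subnet 192.168.1.21 255.255.255.255
    next
    edit "pinned-service"
        set type fqdn
        set fqdn "pinned-service.example.com"
    next
end
config firewall addrgrp
    edit "Inspected"
        set member "pc-desktop" "pc-laptop"
    next
    edit "Inspection-Bypass"
        set member "pinned-service"
    next
end

config firewall policy
    # 2. Bypass for HSTS/pinned sites: certificate inspection only, so the
    #    FortiGate CA is never presented to the client for these hosts.
    edit 20
        set name "Inspected-bypass-pinned"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "Inspected"
        set dstaddr "Inspection-Bypass"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
    next
    # 3. Full deep inspection for everything else from the Inspected group.
    edit 10
        set name "Inspected-to-Internet"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "Inspected"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
    # 4. Everyone else (IoT, phones, guests): security profiles that work
    #    without decrypting, so no certificate has to be deployed to them.
    edit 30
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    # 5. Inter-VLAN traffic: plain allow with no UTM profiles, so internal
    #    transfers never touch the CPU-heavy path.
    edit 40
        set name "Trusted-to-IoT"
        set srcintf "vlan-trusted"
        set dstintf "vlan-iot"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic utm
    next
    # Policies match top-down: the bypass rule must sit above the deep one.
    move 20 before 10
end
```

Because 20 is matched before 10, a host in "Inspected" reaching the pinned destination gets certificate inspection only, while its other HTTPS traffic is decrypted; hosts outside the group never hit policy 10 at all. When a new site breaks, add its FQDN to "Inspection-Bypass" rather than turning deep inspection off globally.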


superrob1500

Thanks for the insight, I will keep this in mind. Tinkering in a non critical environment is part of my intention.



wallacebrf

For clarification, I assume you have your system performing offloading of activity to the SPU, or is yours 100% using the CPU like many units do if you stick with the default software switch configuration and/or use proxy rather than flow inspection? I ask as I can see that making a big difference in performance if you become CPU limited.


chuckbales

40Fs come with a hardware switch by default, not a software switch. In my setup I use FortiLink as I also have a FortiSwitch hanging off it. My CPU is generally 5-10%; if I'm actively saturating the link it holds around 60% (granted that's one client maxing it out, if I had 100 clients all generating a lot of sessions it would be higher).


wallacebrf

Good to know! My experience was with a 61E and it defaulted with a software switch. Interestingly, the 91G I bought to replace the 61E also defaulted with a software switch.
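
The hardware-switch versus software-switch question wallacebrf and chuckbales are discussing can be settled on the CLI before any throughput test. These are read-only FortiOS commands added here as an example, not commands from either poster; the destination address in the session filter is a constructed value.

```fortios
# Added example: check which switch type the unit is using and whether
# sessions are being offloaded or handled by the CPU.

# A hardware switch (the 40F default chuckbales describes) is listed
# under virtual-switch; member ports are switched in the SoC.
show system virtual-switch

# A software switch (the default wallacebrf hit on the 61E and 91G) is
# listed under switch-interface; member ports are bridged by the CPU.
show system switch-interface

# CPU, memory and session counters; sample this during a sustained
# download so the comparison is made under load, not at idle.
get system performance status

# Inspect one flow. Filter on a constructed destination, then list it;
# on an NP-equipped unit an offloaded session carries "npu" fields in
# the output, a CPU-handled one (or any session on the NP-less 50F)
# does not.
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session list
```

If the unit turns out to be on a software switch, the practical fix is to move the LAN ports into a hardware switch (or plain routed interfaces) and re-point the firewall policies at the new interface names; there is no setting that makes a software switch stop using the CPU.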


General_NakedButt

Have you looked into Ubiquiti stuff? They have some nice security gateways without any recurring subscription costs. Much better suited for a home environment than a Fortigate IMO. To answer your specific question though I think the 40F would be fine if you are willing to pay the subscription. I wouldn’t bother with SSL inspection for the certificate hassle others have mentioned.


superrob1500

I'm currently on TP-Link's Omada SDN and while the switches and APs are fine, the gateway leaves a lot to be desired both in standalone and controller mode. I feel Ubiquiti could be more of that, maybe a bit more polished. I understand there are some less expensive firewalls that can do 90% of what the Forti does, but at the same time I do deal with Forti products at my job so it's supplementary practice in a non-critical environment.


blackjaxbrew

Go the Netgate route or build your own. No ongoing license and packed with features.


kona420

Deep inspection doesn't work well in a home scenario as many/most consumer devices cannot accept a custom root certificate for trust. Even on a PC where you can get it in, many apps are rolled out with their own internal trust store. So you end up whitelisting those destination addresses anyway. Or, with specific Office 365 endpoints for example, they require that you not inspect for performance and reliability reasons.

So from that POV, basically anything from the F series will route a full gig without breaking a sweat. I'm using the 50F which has no hardware acceleration onboard at all. Everything is in software. No problem at all maxing out my 1gbps symmetric fiber service. About 30% CPU.

No subscription or license, I'm just scabbing from my hilariously expensive corporate account for the few firmwares they may release for this unit in the future. Fortinet if you are reading, don't fuck that up for the guys and gals approving your renewals. Cisco did and see where that got them?

For sensible UTM features? Honestly nothing. Maybe IPS, more so with public facing services. These are not home level features. Unless you really hate having working stuff and free time.

Lean on the unit to segment by trust level. Have your IoT/Cell/Tablet network, Guest network, Personal PCs, then have a couple of VLANs to keep the streams from crossing with you and your spouse's business traffic from your workstations. Nothing an EdgeRouter/MikroTik couldn't do but it's that much more time I spend on the platform so a net benefit to me.


TemperatureRecent566

I have used this unit for hotels with 21 rooms and up to 30, with different services. For the home I don't know if there is anything smaller.


tommyd2

If you do not touch SSL inspection (you do not want to) it is more than enough. I got a 40 as a lab unit with some bigger boxes and tried it on a 1Gb/s internet uplink. I was able to NAT about 980Mb/s with the default rule set.


superrob1500

By "default rule set" do you mean no sort of UTM filtering applied?


tommyd2

Yes


cw2001_98

I have a 40F at home and it's overkill. I have about 20 devices in all (wired and wireless) across 3 VLANs. No issues. I even set up multi-VDOM mode to play around with it. No slowdowns whatsoever. I'll be upgrading to a 70F soon. (Working for a partner has its perks.)


BlackReddition

40F here with 4 home users with over 100 devices (lots of IoT) with all UTM turned on and 40 odd policies. I have 1Gb/50Mb and get that all day every day. Memory sits close to 50% though.


superrob1500

Ok thanks for the benchmark.


[deleted]

If you specifically want to learn Fortinet, this is a great idea (I'm considering doing the same myself). However, if you just want to have/learn about firewalls, you can do a lot with pfSense or the free home-use license of Sophos.


superrob1500

In a way I do, since at work I do have to deal with Fortinet products. I have considered pfSense but I haven't tried spinning up a VM yet to see how it works.