By Owen Siebert
During my time as a computing security student at the Rochester Institute of Technology, most of my education has been very Cisco-centric. Walking through the labs, all you see are racks full of Cisco networking equipment. As great as it is, I knew there had to be more out there. During my freshman year, I received the opportunity to volunteer at the Rochester Security Summit hosted by the Rochester chapter of the Information Systems Security Association (ISSA). For the simple price of pointing people in the right direction, I received free admission to the conference. The bright-eyed and bushy-tailed freshman I was immediately dropped everything I was assigned to do as a volunteer and instead went and talked to all of the companies there, one of them being Fortinet. I spent a long time talking with their representatives, who eventually informed me of a raffle at the end of the conference for a 90D firewall that we had been discussing. For my love of free things, I immediately ripped a corner off a pamphlet to approximately the size of a business card, and wrote my info on it. Long story short, I won.
Overall, the FortiGate 90D is a pretty standard-looking piece of networking equipment: 14 LAN and 2 WAN ports on the back, a console and some blinking lights (aka the best part) on the front, plus some USB and a management port on the back. Mine, being the Wi-Fi-enabled version, also has a 2.4 GHz radio antenna on either side. Out of the box, it is surprisingly easy to set up for an enterprise-grade product. Much like a generic home router, it comes pre-configured with a 192.168.1.0/24 network setup, a DHCP server automatically configured and enabled, and a default IP of 192.168.1.99. A default administrator account is automatically enabled, with no password for login purposes.
The GUI is extremely impressive for an enterprise networking device. It’s fast, simple and well laid out. After seeing things like Cisco routers and switches that are limited to command line configuration, and Cisco access points with web-based GUIs that look older than I am, and act like it too, it was a nice change of pace.
In terms of routing, the FortiGate 90D has everything one could expect in terms of basic networking, routing, DNS, etc. One noticeable feature is the ability to do packet captures on its interfaces. It will grab groups of up to 4000 packets at a time, which can then be downloaded as a pcap and analyzed with a tool like Wireshark. I have seen rudimentary versions of this in things like pfSense, but have never seen full pcap exports like this before, and I think it’s awesome. There is also the ability to do load balancing across the two WAN interfaces, which I feel is another nice touch. Load balancing can be configured to use several different algorithms, including ones based on volume, sessions, and spillover, as well as source and destination IP addresses. When enabled, this provides nice graphs for monitoring purposes.
For being a security device, the FortiGate 90D is pretty average. There are basic IP-based rules that can be put in place, but nothing particularly special. One neat thing that it does have to make that process simpler is the ability to add profiles to things like addresses or address ranges, so instead of keeping track of IP schemes, they can be given a name to make tracking them easier. Address groups can also be made for blocking rules for everyone in that group, while still allowing individuals in that group to have different permissions. This could prove useful for situations like having a project team that should Fortinet also keeps a list of certain FQDNs and makes them accessible right in the web GUI to make managing and/or limiting traffic out of the network simpler. Ironically, getting to their domain is blocked by default straight out of the box, for some strange reason. The one downside to this “address book” is that all rules created need to have defined entries in it. For instance, if one wanted to make a rule to block all traffic to all of RIT’s network, there would have to be a subnet entry in the address book for 184.108.40.206/16.
The real benefit to using Fortinet is their service. They offer their FortiGuard service, which does things like web filtering, DNS filtering and intrusion prevention based on their top-of-the-line, updated-daily list of evil domains, IPs and subnets. Their web filtering service groups things into several categories like ‘Potentially liable’, which contains things like ‘Hacking’ and ‘Plagiarism’, and ‘Adult Content’, which had a surprising number of subcategories that just said porn in many different ways. There are also different applications under their application control profile, which can just mass block ‘Email’ or ‘Game’ or ‘Botnet’. Overall this just seems like a lot of buzzwords that are just specific enough to get companies to pay for their service. Since my licensing ran out after a year, I no longer have access to their updated lists of things to block, so I no longer have default protection against things that have happened since 2017, so the service is definitely the key part of this product.
Overall this is a fairly cool product, especially one that I received for free. It has decent hardware, with its various gigabit ports, Wi-Fi antenna radios, and Power over Ethernet capabilities. Its software is surprisingly nice to work with, with its modern feel and fast load times over HTTP. The real benefit of this device is its subscription-based services, which come at a price, and not a cheap one at that. For a company that has a competent security team, the benefit might not be there, as other hardware and software options exist which might be less customizable but are more cost-effective. For a company with money to blow, but not as good of a security backing, this product could be for them.