So I wrote the below e-mail for the FortiManager team and tried to have my account representative share my experience with them. It's been a week and still no reply. Does any one know a better option to manage FortiGates, because I'm sick of the FortiManager?
This was the e-mail i sent to Fortinet. Let me know if you guys are having similar issues and came up with a work around.
First off let me start by saying FortiGates are one of the best firewalls I have ever tested or used. The FortiGates checked all the fields I was looking for my company. With that being said the FortiManager is the worst product I have ever been forced to use (the Forticlient and EMS is a close second (due to constant bugs)). A good centralize management tool needs to accomplish three thing. Number one: making changes on the manager needs to be faster than logging into multiple individual firewalls and making the change locally. Number Two: changes made on the local firewall should easily replicate to the manager and allow you to replicate those changes to other firewalls sharing the same policy. Number three: arguable the most important is the manager should be user friendly and simple to use. The FortiManager has manage to fail at all three areas. The only good part of the FortiManager is the built-in FortiAnalyzer feature (a great and simple to use centralize logging and reporting tool).
A brief background about me, I’ve been in the IT field since the early 2000’s. I started working on network devices in 2004. Since then I have work with and tested Cisco ASA’s, SonicWall’s with its GMS, Meraki Security appliance, Microsoft ISA, TMG, UAG, Palo Alto 3020 with Panorama, Check Point’s 5400 along with their management system, F5 Big IP, FortiGate’s with FortiManager, and Barracuda’s NG with its central Control. I’ve also attended Fortinet NSE 4 classes for Fortigate 1 and 2, NSE 5 class for FortiManager 5.2.1, and NSE 6 class for FortiWeb 5.6. I also have a bachelors in computer science with emphasis in information security.
In early 2017 we purchased 25 FortiGates to improve our security posture and redesign communications between the branches (move from MPLS to site to site VPNs). We also purchased a FortiManager VM with a FortiAnalyzer license. The initial deployment of the 25 firewalls was done without using the FortiManager. That should have been the first red flag. There was no real easy way to deploy new firewalls using a FortiManager. So I ended up using other programs to make templets that could push out a base configuration for each of my different firewalls after I entered the WAN and LAN information. At this point I decided I will attend the FortiManager training before I imported the 25 FortiGates into the FortiManager. After attending the class I realize the FortiManager had some limitations but most importantly the design of the product was solely geared to function instead of practicality. For example I can import and push configuration changes and even see the difference and what change the manager is pushing to the firewall but I can’t even take a simple backup of the firewall from the manager.
Other major issues with the design of the FortiManager is there is no way to create a shared policy package that that only affect a few policy on the FortiGates. For example if I have 12 IPv4 policies on Fortigate 1 and 6 IPv4 policies on Fortigate 2 but the only have 2 similar policies (like the HR traffic to the internet and All traffic to the internet) I have 2 options in configuring the policy package or packages in FortiManager (no option is ideal).
Option one: I can make one policy package that combines all the policies on both firewall and any policy that is similar can have both the installation targets (FortiGates) and the unique once and have it individual targets assigned. With this option you have one place to update the shared policies and one step to push it to all your affected FortiGates. The draw back to this is your policy package will get incredibly long (largely depending on how may unique policies you have on the grouped FortiGates). Policy placement also gets confusing because of the length and which firewalls the above and below policies apply to. You cannot make any changes on the local firewalls that is tied to the policy or objects. The reason you cannot make the changes on the local firewall is importing the change to the FortiManager assigned policy package with also delete any policies in that package not assigned to that Fortigate. This will wipe off important unique policies on other firewalls.
The second option: you have is having a second policy package for each Fortigate. This fixes the issue of not being able to make a change locally on the FortiGates and importing the change into the FortiManager. However you will not have the ability to share policies between the policy packages. So if you make a change to a policy in one policy package, you will need to modify each policy package that have a similar package manually. As much as that sucks, it gets worse. You will then need to push each policy package one at a time to each affected firewall. The FortiManager does not allow you to push more than one policy package at a time. With 25 firewalls (2 in HA so I have 23 Policy packages) it takes over 20 minutes to push changes that affect all the firewalls.
Other than the lack of user friendliness the FortiManager seems buggy at times. The reason I’m saying the product is not user friendly is there is almost no way a competent Fortigate administrator can integrate and manage the Fortigate without detailed training in my opinion. Even after attending the FortiManager training a user will still have issues using the product to its full ability. Since we have had the FortiManager I have personally open 18 tickets ranging from configuration issues to bugs in the program. I have to give credit to the Fortinet Tech. They are very knowledgeable and polite. They have help me fix mistakes I’ve made in my configurations and submitted issues to developers that have been found in the code. I have never been left hanging with any issue. They are also quick with sharing their knowledge and expertise with their product. It is an absolute pleasure working with the Fortinet team (from sales to Tech support).
The best part of the FortiManager application is the FortiAnalyzer portion. I love the ability it give us to run reports on all our FortiGates and maintain a centralized database of our logs. The threat analyst (fortiView) feature of the FortiManager for lack of a better work pretty cool. The Analyzer portion has help us playback attacks in the past, stop attack vectors in our Fortigate configurations, and track potential problems on our network. However using the analyzer feature of the FortiManager has caused performance problems with the appliance. This has forced me to open tickets because the FortiManager seems to respond very slowly at times. I was very shocked to hear the Fortinet Tech notify that my performance issue with the FortiManager is due to me using the FortiAnalyzer feature of the appliance. He (actually 2 different techs) then explain to me that it is not recommended to run FortiManager and FortiAnalyzer on the same box. I was very confused since we had Fortinet engineers size our Fortinet deployment. Also, why will you sell a product with a feature that won’t work properly? Add to that why will you charge a customer a fee to use the additional feature (had to buy license to use the analyzer feature) if it not recommended. I of course pointed this out to the techs. I was then told I will need to increase the resources to use the additional features. That of course make more sense so I told him that we can give it as much resources it needs and more. After he did his calculations based on the FortiManager and FortiAnalyzer requirement we increase the memory to 24GB (way more than needed based on his calculations). Since the increase the memory never reaches over 25%. This definitely helped at first. After the last update (5.6.5) the FortiManager once again has become noticeably slow.
Please understand I’m not trying to bash your product. Fortinet makes in my opinion one of the best firewalls on the market. In certain application, hands down the Fortigate is the best firewall. The only issues I have had with the Fortigate is memory leak issues and horrible QA in Firmware releases (the last not limited to the FortiGates). I like your products, but you guys need to do something about your FortiManager. It needs a full redesign. In my opinion Check Point did it right when I comes to seamless integration of a centralize manager for their firewalls. Even Dells manager for their firewalls is leaps and bounds simpler than the FortiManager. I’m to the point that I’m considering making a management solution that updates the firewalls via SSH myself. So is there any way we can get this issues fixed with the product? I would prefer to use the product we paid for instead or making one myself.
No comments:
Post a Comment