We use the solution for perimeter fiber and to control the external access.
External reviews
External reviews are not included in the AWS star rating for the product.
Helps to control all the processes and information going on
What is our primary use case?
How has it helped my organization?
The solution helps to control all the processes and information going on.
What is most valuable?
I have configured some SD-WAN features, and it's worked pretty well. It manages pretty well, connecting all links to the firewall. It can lower balance and traffic management.
For how long have I used the solution?
I have been using FortiGate CNF for three years.
What do I think about the scalability of the solution?
We can offer FortiGate customized solutions tailored to small and medium-sized customers, as it can accommodate up to five hundred users.
How was the initial setup?
The initial setup is easy.
What's my experience with pricing, setup cost, and licensing?
There is a good correlation between cost and value because this is ready equipment, and the prices are very low compared to other brands. It will be suited to the customer's needs. The product is cheap.
What other advice do I have?
Before offering a firewall solution, we assess the site, service, and customer requirements. Then, we determine the project scope and the available funds to buy a firewall.
Some customers need a big firewall with high performance and certain specific features that FortiGate might not have. They have good performance, capacity, and scalability, but FortiGate may need adjustments to meet some customers' very high requirements. For example, some carriers prefer another kind of fiber instead of FortiGate because they have customers covered by it.
If you're seeking a firewall with robust performance at a more affordable price point, I recommend FortiGate.
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Provides load balancing and failover capabilities to ensure high availability and granular visibility into network traffic
What is our primary use case?
The first thing that happens is that any incoming cyber threat is stopped. The fiber channels that are coming into the country—let's say there are five or six main channels providing all communication into the country—the first layer of protection is essentially switched. Before the data enters the fiber, load balancing occurs, allowing the system to disable one input channel and switch to another. If one device fails, the system can reroute the traffic quickly to the appropriate destination.
The first application entrance is the denial of service (DoS) protection. For instance, if China is bombarding the Ministry of Defense of Morocco with traffic, and it's all targeting the same IP address, the DoS protection will recognize this as abnormal traffic and activate the necessary defenses. Each manufacturer has a different strategy to prevent such attacks. For example, in the case of Juniper, instead of outright blocking the IP, they reroute the traffic to a fake IP and server, which sends out dummy data while analyzing the traffic and user behavior. This process also filters out hidden cyber attacks to gather more information.
After the initial screening, the next step involves Deep Packet Inspection (DPI). DPI examines all packets, whether they are encrypted or not, and applies specific rules to them. For example, an operator might decide that all traffic to streaming services like Netflix or Prime Video should go to a particular set of servers within the country.
In the DPI section, we often use a passive split of the fiber. It's not a common technique, but in this case, before the data is sent to the firewall, the fiber is split and dispatched across several servers that will inspect the data. You can have rules applied based on the origin of the traffic—like all traffic coming from a specific country, or all voice over IP traffic being directed to a particular server.
Sometimes, there are requirements from companies like Google, or specific mobile regulations, stating that traffic must be routed according to certain rules. For instance, Google Maps might require that any call coming to a certain company or individual be intercepted by law enforcement. This is usually authorized by a judge, and the telecom operator will do its best to intercept and reroute the traffic to a server that is dedicated to law enforcement in that country.
In such cases, the telecom operator might treat the network as their own intranet, allowing them to intercept traffic while providing a security certificate to the end user. This is related to the "man-in-the-middle" attack, where traffic is intercepted for security reasons, and law enforcement can use this method to intercept calls.
In some countries, this is a highly monitored situation. Traffic, at least the destination and initiation IPs, is monitored, and even if the traffic is encrypted, authorities often want to record it for future use. This is all managed and directed by the firewall, which also provides additional capabilities.
Take an example of NVIDIA. They have a competing SIP solution for firewalls that can handle very high terabyte bandwidth, and they can be programmed to work in conjunction with the firewall. In that case, you have a piece of software running inside FortiGate or Juniper that directs specific traffic to and from NVIDIA's platform, working with the firewall to perform certain tasks.
How has it helped my organization?
If our customers were private companies or banks, I would look at this from a different angle. But as a user at the edge of normal usage, the ones dealing with international traffic, if something goes wrong with a service.
All my criticisms are based on large-scale applications. For example, here is a good use case. Very often, telecom companies consider the Internet they offer to their clients as their own Internet. If you’re a banker, you often take services from major providers like T-Mobile or Verizon.
Basically, if you do that, the bank can offer you your own private network. They can say, "We are providing the firewall as a telecom, and we are providing a VPN specifically for all your customers." In that case, very often, the bank will dedicate firewall resources. They will issue an RFP, and if the firewall they need to buy meets the requirements of their customers, they will sell security as a service.
What I see is that more and more, this is where the telecom operators want to make money because they control the infrastructure. In the past, the infrastructure and the firewall were there to block attacks. Today, the philosophy has changed. It's about how fast you can respond once there is an attack.
Ten or fifteen years ago, the IT manager might have thought, "This is the internet. Nobody is coming inside the bank or inside the network." But today, it's a reality. The question is, how fast can you detect abnormalities?
This is where telecom operators say, "Oh, we are great at that. We have tools that see all the traffic way before it goes to the bank and way after it leaves the bank. We have more information. Now, we can offer IT services to large customers." They are making less and less money with connectivity, but they see IT services as a goldmine for the future.
So, that means the way you manage a server, both Juniper and FortiGate, they are both really well done for remote management.
What is most valuable?
The ability to launch third-party software is one of the best features because of the variety of software available. For me, it's one of the best ones.
Another valuable aspect is that it's a large platform in terms of development, with a full line of products. This means that once you're educated on one of their products, you understand the full range of their offerings. That's a good side.
What needs improvement?
The bad side is that they are not really geared for DPI usage in telecom applications. They're great at DPI if you have a bank or a smaller network, but on a large-scale network, the DPI performance is declining. Their DPI performance dies. It acts more like a firewall or router, applying rules with minimal analysis.
For in-depth analysis, the ability to associate with more powerful processors is critical. Today, only two manufacturers produce silicon that is able to deal with fiber-level processing: Intel and NVIDIA. Intel had the best technology but stopped developing new products. NVIDIA, on the other hand, took parallel processing and the ability to handle high levels of information simultaneously, gaining ground in that market.
At the end of the day, it's really about processing power. More and more, firewalls need to be smart, but often, the processors inside are designed to function like traditional firewalls from a long time ago. But with very large volumes, they don't perform as well as they could. We often end up reducing the ability to be smart, which can slow down traffic.
More processing power is needed. Security using firewalls used to be fairly straightforward, but now you technically need to run AI-based intelligence. For example, if you have a denial-of-service attack at the first level, do you block everyone trying to reach an address, or do you maintain a specific user?
And how do you deal with regular users who are already connected? They may be trying to block the service by overloading access. If FortiGate CNF has stronger processors with AI-based capabilities, these issues can be addressed extremely fast. So far, most manufacturers aren't ready for that. They depend on third-party software that is very good but lacks the processing capability inside the device. Or you end up oversizing the device you’re buying because it doesn't perform well. You might need to go from a $100,000 device to a $400,000 device to get the performance you need.
If you had a stronger processor that could do the work, it would be great. This is what many manufacturers, from Juniper to FortiGate, Cisco, and others, are trying to do—they’re designing silicon optimized for firewalls.
Fortinet is producing its own silicon, which is great, but it’s not doing the entire job. It’s good at handling the packet quickly, but it lacks the processing capability to be truly smart. There is a change coming to the market [telecom], especially with the 5G changeover, which will change the structure of data centers and firewalls worldwide. Today, most of the data goes to a data center.
Another improvement is in terms of security, with companies offering next-level protection in monitoring threats. They have international call centers where all threats are aggregated, allowing them to respond in real-time to cyberattacks. The idea is good, but it needs improvement because it's not yet perfect.
For how long have I used the solution?
It's a fairly recent product; I've been using it and providing it to our clients for about two years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
The stability and scalability of the solution are among the best available today. However, what threatens the stability of this platform is its capability to manage large-scale operations efficiently.
If I were an end-user, I’d like to see these platforms offer open access to the software side. Currently, each company has its own set of rules. When developers want to create solutions, they often have to follow FortiGate’s way of doing things, using their specific tools. This means the software must be adjusted for specific hardware, which makes it difficult to transfer developments from one platform, like Juniper, to FortiGate.
Open-source software would likely make things cheaper and better. The architecture of these tools also needs to be improved in the future.
How are customer service and support?
The people involved in calling for support are usually experienced in this field, especially in telecom companies. They typically follow an internal process to isolate and document problems before contacting external support. When the issue reaches Fortinet or Juniper, it's usually well-documented, making it easier to resolve. In general, the customers are very professional, which helps ensure effective support.
So, once the problem is documented and duplicated, the issue is in good hands. In my experience with public safety agencies in Canada and large customers, users have professionals communicating with professionals.
However, if users are dealing with customers in regions like Africa, where there might be a lack of training or support, the issues often stem from insufficient training on the specific device. This training needs to be refreshed regularly, and both companies offer that option, though not all customers take advantage of it.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
How was the initial setup?
The deployment process is complex, but it's not the fault of Fortinet because it's a complex industry, and it's very rarely deployed the way it's shown in the book.
The first thing we do is split the traffic. Before it goes to the firewall, we split it and send addressing traffic to servers that will process this, and at the end, maybe give the data back to the firewall or bypass the firewall completely.
The complexity is that both companies use the best they can, but when something goes wrong, there is still time to resolve the issue. You probably haven't seen that in detail, but for example, in Canada, Rogers, a telecom company, lost the ability to make mobile phone calls for three days for all their users.
The CRTC, which is the equivalent of the FCC in the US, said, "What the hell? How can you lose the ability to firewall communication for a few days?" This was basically because the reaction time from the firewall side was too slow. Some of the automatic protections against external attacks did not work, and when they engaged them manually, it caused more trouble than it solved.
As a result, one-third of the Canadian population didn't have communication. The details weren't fully disclosed, but the job should have been done at the level of the firewall of all the traffic coming into Canada. The firewall software should have reacted. In fact, every time it reacted, it was because of a large network issue.
"Is it easy to deploy?" The answer is, if you have 400 firewalls, like they do, it's extremely difficult to recycle them if everything goes wrong. When you are at that level, it goes wrong extremely fast, and it's extremely slow to recover.
What about the implementation team?
Before we sell the product, there's a qualification period. We respond to the RFP; then, the customer has two to three months to ask questions and decide who has the best offer.
Then, we have some time to deliver the first model and often demonstrate and validate the technology. This isn't exactly a pilot project, but it's part of the RFP. Then you have the deployment, and usually, it goes from one operator's data center to another.
For example, in Morocco, we have the three main operators as our clients.
We are a value-added reseller. We bought the technology for our own use, but it's oversized, mainly for demonstrating the technology.
We sell a lot of solutions to telecom operators. We are the largest SIM card manufacturer in Canada, and we develop software used by most telecom operators in Western and North Africa.
So, when we look at these products, we usually get specification requirements from the client. They publish an RFP, and we look for the best product to fit the RFP requirements.
Usually, we form a co-solution, meaning both companies respond together, or we are the prime, or sometimes the customers are. We respond together to the RFP because when they are doing an RFP for that type of solution, they don't just want the equipment. They want software installation. If it's an on-site installation, CNF needs telecom engineers. I am certified on the Zscaler platform, and they are also authorized to install inside the data center of the operator. They have to have special accreditation for that.
We do that very often. There is a specific need because most of these platforms will accept third-party software that will run on Juniper platform or on FortiGate. We also carry other products for large telecom operators. So, we bundle the solution together to respond to the RFP. From one country to the other, the use of the equipment can be very different because they have different architectures.
What was our ROI?
For the operator, it's a solid product because it can be technically upgraded, and both companies provide excellent service and support.
It's extremely good. There aren't many choices on the market, so it offers a better return compared to alternatives. It's also cheaper, especially when compared to some Chinese firewalls, which I would avoid if I were a telecom operator.
What other advice do I have?
I'd rate it around a nine or nine out of ten. It's one of the best in the industry today.
The choice often depends on the legacy equipment already installed and its upgradeability. Juniper is really good at replacing Cisco devices, as Cisco is losing ground in the telecom operator market. Sometimes, choosing equipment is influenced by the legacy systems already in place.
So, as a customer, I often can't remove all legacy equipment and must work in parallel with it. That's one of the key issues when it comes to integration. If users have a hybrid platform, it can dramatically complicate deployment.
Stable platform helping users easily manage complex network and security components
What is our primary use case?
We use the platform for virtualization, malware protection, and VPN client support.
What needs improvement?
They should offer more affordable renewal options or flexible plans for license upgrades. It would make the product more accessible to a wider range of users.
For how long have I used the solution?
We have been using FortiGate Cloud-Native Firewall (FortiGate CNF) for the last eight months.
What do I think about the stability of the solution?
The platform has good stability.
What do I think about the scalability of the solution?
The platform is mostly suitable for enterprise businesses.
How was the initial setup?
The initial setup is complicated. It requires technical experts to set up firewall communications easily. It takes a few days to complete.
What's my experience with pricing, setup cost, and licensing?
It is an expensive platform.
What other advice do I have?
We have been using FortiGate Cloud-Native Firewall for a few years now. It is the most stable and recommended firewall. Users with less technical knowledge can easily manage complex network and security components using it.
I rate it an eight out of ten.
Which deployment model are you using for this solution?
Helps with web filtering and DDoS protection but needs improvement in IPS configuration
What is our primary use case?
I primarily use FortiGate for web filtering, IPS, DDoS protection, and IP segment VPN in an enterprise environment.
What is most valuable?
The tool's documentation and online resources availability have been valuable.
What needs improvement?
The solution needs to improve on box clustering and IPS configuration.
For how long have I used the solution?
I have been using FortiGate CNF since 2019.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
FortiGate CNF is scalable.
How are customer service and support?
The solution's tech support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was very easy. Two resources are needed for the deployment. One resource can maintain the product, which is easy.
What was our ROI?
We can get ROI with the tool's use.
What's my experience with pricing, setup cost, and licensing?
The tool's licensing costs are cheap and yearly.
What other advice do I have?
I rate the solution an eight out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Robust cloud-native security features with competitive pricing and strong customer support, making it a highly effective solution for medium and enterprise-level clients
What is our primary use case?
We primarily use it for cybersecurity measures, focusing on detecting cyber incidents and maintaining overall cybersecurity hygiene.
How has it helped my organization?
Currently, it meets customer expectations, and although there have been comments regarding containerization, our clients have not encountered any issues. The cloud deployment ensures smooth operations, and as for integration with monitoring systems, there haven't been any reported problems thus far.
What is most valuable?
The focus is on the comprehensive coverage of threats and the reliability of the chosen solution. Ease of use and familiarity are crucial. In comparison to Palo Alto, it offers competitive pricing, and when measured against Cisco, it stands out as a more cost-effective option. It has successfully demonstrated practical use cases that resonate well with our clients. Additionally, we find their regional support to be robust, which adds to the overall appeal of the solution in the specific operational area we are engaged in.
What needs improvement?
There could be more detailed descriptions regarding version upgrades, particularly in terms of the upgrade process.
For how long have I used the solution?
We have been using it for two years now.
What do I think about the stability of the solution?
I would rate its stability capabilities nine out of ten.
What do I think about the scalability of the solution?
It is highly scalable. Our primary focus is on medium and enterprise-level clients, catering to larger-scale product needs. I would rate it nine out of ten.
How was the initial setup?
The initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
The pricing is competitive. I would rate it four out of ten.
What other advice do I have?
Overall, I would rate it eight out of ten.
Which deployment model are you using for this solution?
A reliable and affordable solution that can be used for firewall, IPS, IDS, UTM, routing, and VPNs
What is our primary use case?
We use FortiGate Cloud-Native Firewall as a firewall. We use the solution for IPS, IDS, UTM, routing, and VPNs.
What is most valuable?
Unlike other products, the FortiGate Cloud-Native Firewall has many features under one appliance. For example, you have only two interfaces with Cisco Meraki for SD-WAN, but with the FortiGate Cloud-Native Firewall, you can have multiple ports in one interface. The solution has some vulnerabilities, but the good thing is that whenever there are any vulnerabilities, you have a new patch within one or two weeks.
They are improving their service and putting in more features. They are also improving the CPU and traffic part. People like the solution because it is reliable. Apart from that, the solution has been among the leaders in the Gartner report for more than four to five years.
What needs improvement?
The solution is not stable in terms of switching.
For how long have I used the solution?
I have been using FortiGate Cloud-Native Firewall (FortiGate CNF) for five to six years.
What do I think about the stability of the solution?
I rate FortiGate Cloud-Native Firewall a nine and a half out of ten for stability.
What do I think about the scalability of the solution?
For one network, I have 11 sites with more than 1,500 users.
How was the initial setup?
If you don't know the device, the solution's initial setup will be complicated. The solution's setup is easy for someone who understands the network, security, and how to do policies.
I rate FortiGate Cloud-Native Firewall a nine out of ten for the ease of its initial setup.
What's my experience with pricing, setup cost, and licensing?
FortiGate Cloud-Native Firewall is not an expensive solution.
What other advice do I have?
Overall, I rate the solution a nine out of ten.
An advanced solution with good monitoring features
What is most valuable?
The solution is very advanced and has good monitoring features.
What needs improvement?
The product is very expensive.
For how long have I used the solution?
I have been working with the solution for two years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
FortiGate CNF's scalability is good. We have around 50-100 users for the product.
How are customer service and support?
FortiGate CNF has good tech support.
How would you rate customer service and support?
Positive
How was the initial setup?
FortiGate CNF is easy to install and takes around one to days to complete. My 10-member team is involved in the installation.
What other advice do I have?
I feel Sophos is better compared to FortiGate CNF since it has a better response. I rate it a nine out of ten.
Provides ATP (Advanced Threat Protection) but room for improvement in pricing
What is most valuable?
ATP (Advanced Threat Protection) next-generation firewall is the most valuable feature.
What needs improvement?
There is room for improvement in terms of support.
For how long have I used the solution?
I have experience with this solution.
What's my experience with pricing, setup cost, and licensing?
The solution is very expensive. I would rate the pricing out of ten, where one is expensive and ten is low price.
What other advice do I have?
Overall, I would rate the product a five out of ten.
Great product
I need a simple and easy-to-use firewall service to protect my application on AWS cloud and meet the compliance requirement. This service just meets my expectation.
Would give 0 stars. Can't get past the sign up phase, terrible experience so far
To sign up, you get passed off to a page where you first have to log into the Fortinet Cloud (and create an account if you don't already have one) which was much more difficult to do than it sounds.
After that, you need to click on a button that will associate the service with your account. However, all it does is bring up my account page with an error message stating "No AWS service associated with account". Isn't that what I'm trying to do?
Did anybody QA this? A frustrating and terrible experience out of the gate.