FortiGate Fortifies Your Traffic Security

The sea of firewall and VPN appliances flooding today's market couldn't discourage Fortinet from introducing its FortiGate 500 Network Protection Gateway--and that's good news.

August 5, 2002


Each FortiGate port houses a separate subnet; the device can route packets directly from one port to another or perform many-to-one NAPT (Network Address Port Translation) between ports. Individual ports can be assigned to unique security zones or can be grouped into a shared security zone. Each security zone gets its own separate policy, which means you can group multiple subnets into a zone and set access rights between zones. If two ports are in the same security zone, you can block traffic from flowing between them.

Access Control

To set up the firewall controls between zones, you first need to define traffic flows. From the GUI, I designated flows between internal and external zones, and Zone 1 and the external zone. You can also indicate if these flows should be routed or sent via NAPT. Traffic between interfaces within the same security zone can be blocked or routed as well. After setting flows, you can create policies for each zone.

Good News

  • Controls access between subnets.
  • Relatively simple to use.
  • Multiport routing capabilities.
  • High availability support.

Bad News

  • Management interface needs redesign.
  • GUI needs to better reflect multiport capabilities.
  • Limited network IDS support.

When entering the policy management interface, you are presented with two drop-down menus, one for the source zone and one for the destination zone. You need to select which zones to use for each before you can edit policies for a flow. Each security zone may contain several subnets, and the firewall policy lets you apply a rule only to one network or to a group of networks inside a zone instead of to the entire zone. My only problem with this is that the management interface still seems geared toward the three-port FortiGate products: once you have multiple security zones, seeing all the interactions and rules between ports is difficult.
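To make the zone model concrete, here is an added example (not Fortinet code, and not the FortiGate's actual policy engine) that models ports owning subnets, ports grouped into zones, administrator-declared flows between zones, and per-flow rules that can be scoped to one subnet of a zone. The topology, zone names and rules are constructed for illustration; same-zone traffic is denied unless the zone is listed as routed, and anything with no flow or no matching rule falls through to deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology: each port owns one subnet and belongs to a zone.
PORT_SUBNET = {"port1": "10.1.0.0/24", "port2": "10.2.0.0/24",
               "port3": "10.3.0.0/24", "port4": "203.0.113.0/24"}
PORT_ZONE = {"port1": "internal", "port2": "internal",
             "port3": "zone1", "port4": "external"}
# Flows the administrator declared; a zone pair not listed has no path at all.
FLOWS = {("internal", "external"), ("zone1", "external")}
# Zones whose ports may talk to each other; all other intra-zone traffic is blocked.
INTRA_ZONE_ROUTED: set = set()

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "accept" or "deny"
    service: str = "any"
    src_net: Optional[str] = None    # None applies the rule to the whole zone

# Ordered rule list; first match wins, and nothing matching is denied.
RULES = [
    Rule("internal", "external", "deny", "http", src_net="10.2.0.0/24"),
    Rule("internal", "external", "accept"),
    Rule("zone1", "external", "accept", "https"),
]

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for port, net in PORT_SUBNET.items():
        if addr in ipaddress.ip_network(net):
            return PORT_ZONE[port]
    return None

def evaluate(src_ip: str, dst_ip: str, service: str) -> str:
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"                                   # not on any port's subnet
    if src == dst:
        return "accept" if src in INTRA_ZONE_ROUTED else "deny"
    if (src, dst) not in FLOWS:
        return "deny"                                   # no flow defined for this pair
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (src, dst) or r.service not in ("any", service):
            continue
        if r.src_net and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r.src_net):
            continue
        return r.action
    return "deny"                                       # implicit default deny
```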

At this point, I set up traffic-shaping controls for guaranteed and maximum bandwidth in each policy by queuing packets, as opposed to manipulating TCP window size. I enabled a policy stating that HTTP traffic cannot exceed 30 KBps, and my Web downloads dropped from 250 KBps to approximately 29 KBps per download. You can also create schedules for when the policy will be in effect.

The antivirus capabilities work well, but I've seen better. FortiGate 500 presents identical configuration options for HTTP, SMTP, POP3 and IMAP for IDS, virus scanning and file blocking. Fortinet uses its own virus definition file and provides updates as new signatures are found. To define antivirus policies on your own, you need to select a flow to monitor--you cannot specify a global policy to monitor all traffic across all zones. At this point, you can choose to scan for viruses or to block files based on any of 12 file extensions. Unfortunately, these are not configurable. The inspection software can look inside compressed files but does not recursively check archives nested inside an archive. To my disappointment, when I changed the extension of an executable to .jpg, the file was transferred without being caught. Fortunately, virus scanning, as opposed to blocking, will catch files regardless of the extension.
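The renamed-executable result above is the classic weakness of extension-based blocking. As an added illustration (not Fortinet's code, and not the appliance's fixed 12-extension list, which is not reproduced here), the following contrasts an extension-only check with one that classifies the file by its leading bytes, which a rename does not change; the blocked-extension set and the sample payloads are constructed.

```python
# Constructed blocked-extension list for the example.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "vbs"}
# Leading-byte signatures of common file types (standard magic values).
SIGNATURES = {
    b"MZ": "dos/windows executable",
    b"\x7fELF": "elf executable",
    b"\xff\xd8\xff": "jpeg image",
    b"PK\x03\x04": "zip archive",
}

def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def extension_blocked(filename: str) -> bool:
    """Extension-only blocking, as exercised in the review: defeated by a rename."""
    return extension_of(filename) in BLOCKED_EXTENSIONS

def sniff_type(data: bytes) -> str:
    """Classify by the first bytes, which renaming the file does not change."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def content_blocked(filename: str, data: bytes) -> bool:
    """Block executables by content, and flag a name that misstates its type."""
    kind = sniff_type(data)
    if kind.endswith("executable"):
        return True
    ext = extension_of(filename)
    if ext in {"jpg", "jpeg"} and kind != "jpeg image":
        return True                 # claims to be a JPEG but is not one
    return False

# Constructed sample payloads: an executable header and a genuine JPEG header.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 60
```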


Vendor Information

Network Protection Gateway, $9,995. Available: August 15. Fortinet, (408) 235-7700; fax (408) 235-7737.
www.fortinet.com

VPN and Content Filtering

The device supports both client/server and site-to-site VPN access. Client/server access is performed with PPTP (Point-to-Point Tunneling Protocol) or IPsec using the Safenet client. Sessions terminate in the internal zone, so you can't have a user connect through a VPN directly into the DMZ or any of the other security zones. The user's access rights follow those of the internal zone. You can add users manually or through a RADIUS server. Site-to-site access is through IPsec, and DES, 3DES, MD5 and SHA1 are all supported. You can use only preshared secret keys. I ran into interoperability problems in our site-to-site tests with Cisco Systems' 3005 Concentrator and Nortel Networks' Contivity. Fortinet claims the beta bugs that caused the problems will be cleared up before the product's release. Content filtering is simple and uses URL blocking enhanced by a rudimentary user-generated banned-word list. URL blocking supports Unicode URLs, and a list of predefined URLs is provided, but you can import other lists or add your own. The script filter will let you choose to block Java applets, ActiveX or cookies. A deal with Secure Computing integrates SmartFilter into the FortiGate 500. Unfortunately, this wasn't announced until after our tests.

The device I examined did not contain a hard drive, so there were no built-in logging capabilities, but Fortinet gives you the option of adding a 20-GB internal hard drive to the appliance for $499. The product would work well as an access control device in smaller networks with multiple subnets to protect. Controlling traffic between subnets with the FortiGate 500 doesn't require much skill, but it can get more confusing as the number of networks increases.

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Send your comments on this article to him at [email protected].
