Can moving to a new next-gen firewall be… easy enough?

As someone who loves to tinker and learn new things, once in a while I like to challenge myself with something that I know will present some interesting problems. The process of resolving those issues is something that makes me a better asset to my customers, as well as a better engineer. Who better to test moving to a whole new firewall than your own family? My household is now wireless for the most part, and with pre-teen kids in the house, I needed something that had next-gen application-layer visibility into network traffic originating not only from traditional devices like computers and tablets, but also from smart TVs and a host of new IoT devices that are popping up in homes here and there (think Amazon’s Echo, Google Home, etc.).

 

I already had a pretty robust enterprise-grade system from one of the major network equipment manufacturers, but the system was at its best when the management and configuration were done via the command line, and the solution was currently less than ideal as far as its next-gen capabilities. I then switched to another very popular enterprise-grade solution and it did what it is supposed to do. However, management of this platform was somewhat cumbersome when you need to fix something quick and simple and your spouse and kids are giving you the evil eye for breaking the Internet at home. This solution was very robust, but I found the management interface to be too saturated with options, almost giving you everything under the sun in your face, but not really focusing on the things you would need to look at the most. Oh yeah, and compiling and committing the configuration on this platform took a little too long for me. Who has the time anymore to look at a little bar that shows you the slow progression of a configuration commit? I was lucky enough to discuss this with my local team from Fortinet, and they challenged me to give their product a fair chance.

 

I was a bit apprehensive because unlike most households, mine has a more “advanced” network than most, with multiple VLANs, dynamic routing protocols, and IPv6 internally and IPv6 from my ISP. I wanted to see if any new device I introduce or move to would easily support this type of environment, and I certainly do not have the time to spend hours troubleshooting any major issues. Re-architecting my network was out of the question. I fired up the newly delivered FortiGate 60E and was pleasantly surprised to see an elegant and easy-to-navigate GUI, without any Flash or Java. I fired up the configuration wizard, which literally walked me through seven or eight steps to configure the WAN interface, the internal networking, and basic SSL VPN configuration. The system came with FOS 5.4.1, and as soon as it was able to obtain a DHCP IP address from my ISP, it contacted Fortinet’s servers to check for an update. The system told me that 5.4.4 was already available and that it was a GA release. So, I wanted to see how easy it would be to upgrade the firmware (5.6 is available as well, but I was going to hold off on that). It was a breeze: the system downloaded the software, asked me to back up the config, and rebooted. The firewall booted back up without any issues and kept humming along. At that point, it was late enough and my network was functional, so it was time to let the firewall bake in and see what I could uncover in the morning.

 

But, that’s a story for next time….