Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
The 111C provides eight switched Fast Ethernet LAN ports plus a pair of Gigabit WAN ports, and supports both NAT and transparent modes. It employs the FortiASIC system processor, but the cooling fans are noisy so small offices will want this in a cabinet.
At its foundation, the 111C provides a high-performance SPI firewall along with support for IPsec and SSL VPNs. A standard feature of all FortiGate appliances is their integral wireless controller so you can centrally manage FortiAP devices.
Extra security features include protection against viruses, spyware and malware, plus IPS, web filtering, traffic shaping and application controls. There's more as you can add DLP (data leak prevention), endpoint protection and vulnerability scanning.
Two appliances can be teamed up for high availability, and they can perform WAN optimisation for site-to-site links. The appliance has a removable drive carrier at the rear for an optional 64GB SSD, which is used as a high-speed web cache, log store, archive and quarantine area.
The appliance claims a high IPS throughput of 450Mbps. To test this we hooked it up to the lab's Ixia Optixia XM2 chassis equipped with two Xcellon-Ultra NP blades, and saw throughput settle at nearly 460Mbps.
We used the transparent mode and placed the appliance between the lab's LAN and internet connection. The main web interface is very well designed, making it easy to locate and configure. The LAN ports are normally configured as a single interface with one address for the entire switch, but the Interface mode allows you to assign different subnets to each port. The pairing feature also allows two ports to be bound together so you can apply specific security policies.
The console's dashboard provides a wealth of information about real-time activity, and its use of widgets means it can be easily customised. Widgets include graphs for traffic history, top applications and sessions, SSD usage and system resources.
Firewall policies control traffic and services between selected interfaces and port zones, and each can contain various UTM profiles. For web filtering, Fortinet provides eight main URL categories and nearly 80 subcategories. For each category and subcategory you can opt to log, block, allow, warn or require user authentication. Options are also provided for enforcing web usage quotas, activating the Safe Search feature and scanning HTTPS traffic.
Anti-virus profiles define which protocols you want scanned and if you want infections to be removed or quarantined. DLP sensor profiles are used to look out for file types, file sizes, fingerprints, conditions or expressions such as credit card numbers. Files are fingerprinted by uploading them to the appliance or pointing it at a remote store where it will generate a checksum for each one.
Vulnerability scans use asset definitions based on IP addresses and ranges and can include Windows and Unix authentication details. Scans can be run on demand or to a schedule, and the results viewed from the web console. The FortiGuard anti-spam measures are managed using profiles that define the mail protocols to scan and how to handle spam.
Using Outlook clients, we created rules to move tagged messages to separate local folders and left the appliance scanning live email for three weeks. We recorded only eight false positives and a 99 per cent spam detection success rate.
Application profiles also use sensors for selected apps, and the appliance has nearly 2,000 predefined ones to choose from. Control options are very good as you can log and monitor usage, block them, reset the client connection, or limit bandwidth.
Fortinet's FortiAP wireless devices can be managed easily by the 111C and the web console has a separate section for these. As they come online, the appliance automatically identifies them and applies predefined policies. Rogue AP detection comes as standard and you can even use the appliance to suppress them. Rogues are listed in the web interface and with suppression selected, they and any associated clients will be forced off the network.
Extensive logging and reporting features can be used to create quite detailed web reports on areas such as bandwidth, application, web, email and VPN usage. If you want more, the FortiGuard Analysis and Management Service is highly recommended. Multiple appliances at remote offices can be managed centrally via FortiManager.
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.