I’ve been tasked with developing a solution for a customer, and I would like to use Fortinet.
Our service delivery model is designed for banks and credit unions - we use DIA and SD-WAN to route branch traffic into our data centers and within the data centers we provide them with access to core banking services. The circuit into our DCs has an aggregate of 1G and the SD-WAN uses a legacy Viptela solution that is hardware limited to about 240 M aggregated. After routing between branches and to/from core banking services, we provide internet access directly from the DCs, with the ingress being the choke point - a shared 1 G and/or 240M SD-WAN.
Being banks, their AUP is pretty rigid and the bandwidth is adequate for them. As a result, I think the 100F in HA will work for the primary DC, with a single 90G in the backup DC (the DCs fail over entirely via BGP).
I feel ok about that hardware selection, with one concern - remote access VPN users. The bank we are developing a solution for has 482 VPN users, and last year, 430 of them logged in at some point. The 100F has a max count of 500 users.
I’ve never worked with a 'Gate that was taxed in this way, and I don’t know what to expect - what’s the impact at or near capacity? I also know this leaves virtually no room for growth in the remote access userbase, but IIRC the next step up is with the 600F, and that’s a much more expensive solution.
WWr/FortinetD?
Thanks in advance for any insights or anecdotal experience.
I’ll tell you that the next step up isn’t all the way up to a 600F. There is a 200F that would be the most logical step up.
You are pushing the limits and the limits are always in a lab environment. That isn’t to say that the 100F can’t handle it, but it doesn’t allow much for growth so I would go for 200F’s in HA.
That depends on what mode of VPN, if you’re talking 500 max users, I’m guessing it’s SSL VPN.
You have to keep in mind, that SSL vpn isn’t offloaded, so the impact to cpu is going to be higher.
If you’re using the FortiGate 100F just for a VPN gateway, you should be able to get away with it, though 482 isn’t leaving a lot of room for growth, even as a standalone gateway I’d go with a 400/401F (200F has the same 500 tunnel limit).
If it’s a shared architecture (internet edge + vpn + other uses) go straight to 400F minimum. Keep in mind the values you see on the datasheet while real, are not tested in combination with other use cases, and you’ll likely find the ceiling to be lower on a multi role FortiGate.
Almost same bank environment. Not as many VPN users but peak covid, we had to upgrade from a 100E to 400E due to CPU maxes from VPN and branch traffic. Sounds like yours is more dispersed since we had everything flowing through the gate for logging. 400E is slightly overkill for us, but we didn’t want to have those very painful issues when the firewall would go into conserve mode on a busy day. Also, if you create any policies with the ssl gateway, that’s only going to add to the workload. I’ve been in a bank environment for 4 years and can say that if you present the added cost as room for growth and acquisitions without added infrastructure cost, they usually sign off pretty quick. Also, the more security profiles you can throw on the traffic, the better when it comes to audits. So, I would want to make sure and have plenty of horsepower to cover that down the road.
You’re right - I was looking at VPN user count primarily as the 100F is adequate for my throughput needs. The 200F has the same user count of 500. I had misread the matrix and missed that the 400/401 is a thing. That might be the way to go.
Thank you so much for the reply - this is the feedback I needed. Your reply and that of u/chapel316 have me reoriented. I’m really glad, because we will be discussing this with the customer on Monday and my initial recommendation, with this input, would have put us in a bad situation. This bank is one of our highest-asset customers and they need a solution that works OOB with no nasty gotchas down the road.
It will be the internet edge device for them, including SSL VPN access to their corporate resources. After reading this and a refreshed view of the product matrix, there’s no reason not to propose the 400/401F in HA as the primary DC, and a single 400F for the backup DC. The primary is a tier 4 DC, so in a perfect world the backup never sees traffic.
I don’t think 500 is a hard limit though, only a recommendation. And since the 400F has a recommendation of 5000 there is probably some wiggle room in between.
Glad I could help. One more tip- don’t strictly rely on the product matrix, each model FortiGate has its own datasheet as well. Not all models are on the matrix.
Just wanted to say this is the right path for you from the data you’ve given.
My experience is relevant; I just put some 400Fs in a hotel with 1000 guests and faster access than you have, and it handles really well. IPsec to my other DCs can push 1Gbps no problem. Sslvpn usage is limited to a much lower user count, but the 400F has a 10G internet, it handles fine. There’s plenty of horsepower here to handle more vpn users I’m sure. If you have the choice, I’d try to get the remote access vpn on ipsec, as the performance will be asic offloaded, rather than cpu bound.
I’m also in the midst right now of proposing the 400F to a credit union internal DC with more than 25 but less than 50 branches and a similar user base (900 total, probably 350 that use vpn). We’re replacing their existing 1000-series that have been idling for 5 years, but nothing else had the 10G port count we needed in 2018 (600E was only 2 ports, we need more than that). Their setup is a little different with 1G MPLS from the telco and not backhauled internet - we distributed internet access in 2019 / 2020 at the same time that MPLS went from 100Mbps to Gigabit. In their banking app data centre, there’s a 1G MPLS link from the same network with a 100F, and dual 1G internet links but that’s edge only for those apps and third party ipsec tunnels.
u/ultimatt has you on the right path here — and is one of the top SEs at Fortinet, so it’s well informed. Thanks once again, Matt!
We have one customer with a 100F acting as an Internet edge, hub for 50+ sites and also an SSLVPN concentrator. Looking at the history, I see about 200 concurrent users as the maximum and it’s doing pretty okay in this role (resource usage: ~10% CPU / 35% MEM). However in the beginning we did have to lighten AV/IPS inspection because of performance issues.
But yes, I would suggest something a bit bigger because if you’re hitting almost 100% of some limit right off the bat, there’s really no room for future growth.
If the customer insists on that because of budget reasons, I would at least want it in black & white from them that they acknowledge this and are fine with it.
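Several replies above size the box on the number of provisioned accounts (482) or on accounts that logged in at some point (430), while the 500-user figure on the datasheet is a concurrent-session limit, and the last poster gets their "about 200 concurrent" number from the event history. The script below is an added example (not from the thread, not Fortinet's own tooling) that derives peak concurrency from SSL VPN tunnel-up/tunnel-down events and reports utilisation against the datasheet limits quoted in the thread. The sample log lines are constructed and only imitate FortiGate's key=value event-log syntax; the exact field names (`action`, `tunneltype`, `tunnelid`) are an assumption, so adjust them to what your own device exports.

```python
"""Peak concurrent SSL VPN users from tunnel-up / tunnel-down events.

Added example for capacity planning. The sample lines below are constructed
and only resemble FortiGate key=value event logs; field names are an
assumption, not taken from a real device or from the thread.
"""
import re
from datetime import datetime

# Concurrent SSL VPN user figures as quoted in the thread (datasheet values).
DATASHEET_LIMITS = {"100F": 500, "200F": 500, "400F": 5000}

# Constructed sample: a short morning window. Note the tie at 08:02:00 and
# the tunnel-down for a tunnel (9999) that started before the log window.
SAMPLE_LOGS = """\
date=2024-03-04 time=07:58:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" tunnelid=1001
date=2024-03-04 time=07:59:40 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" tunnelid=1002
date=2024-03-04 time=08:00:05 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" tunnelid=1003
date=2024-03-04 time=08:02:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="dave" tunnelid=1004
date=2024-03-04 time=08:02:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="bob" tunnelid=1002
date=2024-03-04 time=08:02:30 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="alice" tunnelid=1001
date=2024-03-04 time=08:03:15 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" tunnelid=1005
date=2024-03-04 time=08:30:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="erin" tunnelid=9999
date=2024-03-04 time=09:00:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="carol" tunnelid=1003
"""

# key=value pairs; values may be double-quoted (with escaped quotes) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def parse_events(text):
    """Keep only SSL VPN tunnel-up/down events as (timestamp, action, tunnelid, user)."""
    events = []
    for line in text.splitlines():
        f = parse_line(line)
        if f.get("subtype") != "vpn" or f.get("tunneltype") != "ssl-tunnel":
            continue
        if f.get("action") not in ("tunnel-up", "tunnel-down"):
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["action"], f["tunnelid"], f.get("user", "?")))
    return events


def peak_concurrency(events):
    """Sweep the events in time order; return (peak, time of peak).

    At the same second a tunnel-up is counted before a tunnel-down: the
    conservative choice for sizing, since both tunnels briefly coexist.
    A tunnel-down for an unknown id (session began before the log window)
    is ignored rather than driving the count negative.
    """
    order = {"tunnel-up": 0, "tunnel-down": 1}
    active = set()
    peak, peak_at = 0, None
    for ts, action, tid, _user in sorted(events, key=lambda e: (e[0], order[e[1]])):
        if action == "tunnel-up":
            active.add(tid)
        else:
            active.discard(tid)
        if len(active) > peak:
            peak, peak_at = len(active), ts
    return peak, peak_at


def distinct_users(events):
    """Number of different accounts that brought a tunnel up in the window."""
    return len({user for _ts, action, _tid, user in events if action == "tunnel-up"})


def headroom_report(peak, model, warn_pct=80):
    """Compare a peak concurrent count with the model's datasheet limit."""
    limit = DATASHEET_LIMITS[model]
    util = 100.0 * peak / limit
    return {"model": model, "limit": limit, "peak": peak,
            "utilisation_pct": round(util, 1), "warn": util >= warn_pct}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    peak, when = peak_concurrency(evs)
    print(f"peak concurrent SSL VPN users: {peak} at {when}")
    print(f"distinct users seen: {distinct_users(evs)}")
    for model in DATASHEET_LIMITS:
        print(headroom_report(peak, model))
    # The thread's figure of 430 active accounts, treated as a worst case
    # where all of them are on at once:
    print(headroom_report(430, "100F"))
```

Feed it a day or a month of exported SSL VPN event logs and the peak figure, not the account count, is what to put against the 500 on the datasheet; the 80% warning threshold is an arbitrary planning margin, and as the thread points out the datasheet number itself was not measured with AV/IPS and branch routing running on the same box.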