Fortinet offers a range of what it calls 'anti-virus firewalls' for all markets, from the home user to the large enterprise and carrier-class service provider.
We tested version 2.36 of the code on the top-of-the-range FG3600, which is rated at 4Gbits/sec throughput across six separate gigabit interfaces. The next release (2.50) will be out by the time you read this, and adds a number of new features.
In fact, 'anti-virus firewall' is a somewhat modest description of what this product has to offer. Besides the obvious firewall and anti-virus functionality, it includes a VPN, intrusion detection, content filtering and traffic management. Its ASIC-based design is unique for such a multi-faceted appliance. The FG3600 has hot-swappable dual redundant fans and power supplies. It can also be paired with another FG3600 to fail over in high-availability mode.
The firewall offers stateful inspection, routing (RIP), bridging (for transparency), network address translation and an IPsec VPN. Of particular interest is an H.323 NAT traversal feature that enables voice- and video-over-IP to work transparently in NAT environments.
The anti-virus is based on Fortinet's own ICSA-certified engine, which scans all HTTP, SMTP, POP3, and IMAP traffic for viruses, worms and Trojans in real time. Version 2.50 will add FTP scanning.
The network-based intrusion-detection engine currently has a customizable database of more than 1,300 attack signatures. Version 2.50 will add intrusion prevention for denial-of-service signatures.
Content filtering can block Java applets, cookies and ActiveX content as well as URLs. It can be customized to block by keyword/phrase search. The version tested does no content filtering (other than anti-virus) on email, but version 2.50 will tackle spam in all email traffic. Traffic management provides policy-based traffic shaping, bandwidth guarantees and limits, and prioritization.
No version has a user limit - the only limitations are those of concurrent session capability and throughput. This is a major benefit in the anti-virus market, where most competitors charge per seat or user. The price of the unit covers all of the six functions within the box and allows you to have unlimited users behind it.
Flexibility is good because you can run it in transparent mode (with no changes on the client side), as a router or with NAT.
Fiber interfaces are not GBIC-based, so the NICs are not changeable. (According to Fortinet, versions with GBIC interfaces will be released in the near future.)
Fortinet's approach of running all six major functions on the same ASIC leads to tight integration and good performance.