Sr. Network Engineer Ash Bekele weighs in on what makes a great next-generation firewall (NGFW).
As a network and security engineer who has worked in the field for more than 10 years, I have had plenty of opportunities to work with a variety of vendor equipment and solutions. Specific to the NGFW space, I have deployed, migrated and operated Cisco ASAs, Check Points and FortiGates. Each NGFW has its own unique feel and feature sets. Setting aside comparison of NGFW capital expenditures for a moment, I’ll share my experience from deployment and operational perspectives.
One of the most important qualities I look for in an NGFW solution is for it to offer powerful and cutting-edge business protection features while at the same time presenting these complex features in a simple and accessible format. What good are powerful features if you can’t access and leverage them easily!?
From an operational perspective, when administering an NGFW and spending my entire days interacting with it, I expect the solution to present me the knobs to turn visibly and to help me find them with the fewest clicks. A well-designed NGFW product is integrated with its own components, and FortiGate’s web-based interface is the most intuitively organized GUI I have come across so far.
As an administrator, I prefer not to have to go to one web interface to add routes, a different interface to affect shell settings and yet another interface to activate policies from. For a solution that offers the abundance of features that it does, you’d think it might feel overwhelming and cluttered. That is absolutely not the case. The hierarchy of features is well-maintained, and the command line stanza structure is easy to follow. The GUI even provides the option to customize or hide features that are determined irrelevant to the running of the business.
In new deployments and migrations, the last thing I want is too much time-consuming manual tinkering that introduces risk when there doesn’t need to be. For example, migration of an existing NGFW solution should be as simple as cloning, exporting or importing configurations with as little manual process as possible. I appreciate it when vendors build in the tools to accomplish this. With its management platform FortiManager, Fortinet gives you these tools. This dispenses with the necessity to write or scour the web in search of third-party scripts or API tools that work only when a specific set of conditions is met and are not officially supported by the vendor.