Within a profile you can activate virus scanning on HTTP, FTP, IMAP, POP3, SMTP, IM and NNTP, add your own file filters and block email attachments over a certain size. Two options are provided for web filtering, where the first enables you to apply keyword matching plus black and white URL lists. You can also add the usual blocks for Java, ActiveX and cookies from here. The FortiGuard feature provides URL filtering and the eight main categories cover around eighty subcategories. You can block or allow entire categories or select options at the subcategory level and activate logging for each individual entry.
FortiGuard worked well during testing. With the gambling sub-category blocked we Googled for on-line bingo sites and gave up after the appliance blocked us from the first 100 hits. With social networks such a big issue in the workplace we tested this and found access to sites such as Facebook and MySpace could be easily blocked. Finding the right category can be tricky but Fortinet has this covered as you enter a URL on its main web site and it'll tell you what into which category it fits.
Profiles include your Intrusion Prevention System (IPS) settings, where you assign a predefined sensor or create your own. For testing we opted for the default sensor with a filter that covered all targets, operating systems, protocols and applications and merely logged all activity. However, it's easy enough to create custom sensors for selected systems, application and protocols and decide whether to block, allow or log them.
IM and P2P usage needs to be controlled in the workplace and the 3810A has a modest range of facilities for controlling these. For P2P you can choose from five main types, including Bittorent and eDonkey and allow, block or apply rate limits. From the IM and P2P menu option you also get a page of statistics showing logged in IM users, chat sessions and file downloads, whilst for P2P you can see how much network bandwidth is being sucked up.
Initially, we had some problems controlling our clients using Windows Live Messenger. Merely selecting the MSN option in the profile immediately blocked all further logins although we hadn't specifically requested this. After a chat with Fortinet's helpful support it transpired that the appliance is set to automatically block all unknown users for AIM, MSN and so on. With this total block now lifted we could allow our clients to log in but stop them from downloading files or using video.
We tested the P2P controls using one client running a Bittorent download and found that you can't passively monitor this type of activity. With our profile set to pass Bittorent traffic the statistics screen showed zero activity. We could block this traffic but only when we applied rate limits could we see usage figures in the statistics screen. Fortinet advised us that it believes with the profile set to pass Bittorent traffic the appliance won't activate its proxy for this so can't see what's occurring.
For sheer features the FortiGate-3810A has a lot going for it and we found it easy enough to install and deploy in the lab. The use of VDOMs, zones, policies and protection profiles make it extremely versatile but you'll also need to factor in the cost of anti-spam measures and possibly the additional FortiAnalyzer reporting systems.
Verdict
The FortiGate-3810A delivers an impressive range of security features, with port expansion high on the agenda. Fortinet’s VDOM feature is a great idea as you can create multiple virtual appliances each with their own separate security policies. Performance is also a key feature, but for the price the hardware specification could be more up to date and the IM and P2P controls are fairly basic.
Chassis: 2U rack CPU: 2 x 1.8GHz AMD Opteron 265HE Memory: 2GB 400MHz DDR Expansion: 4 x expansion slots Network: 10 x Gigabit Ethernet (8 x copper, 2 x SFP) Power: 2 x 600W hot-plug supplies Management: Web browser
