I am trying to secure my home internet. Hence looking at Fortinet FortiGate 40F/60F UTP. Do these go on sale?
Also what other alternatives are available at similar price point?
Fortinet FortiGate 40F/60F UTP for Home Use
apple2016 on 31/10/2022 - 11:34
Last edited 31/10/2022 - 11:43 by 1 other user
Last edited 31/10/2022 - 11:43 by 1 other user
Comments
I prefer a one box solution. Not looking for a software based. I would still need a dedicated harware to run this.
They also make hardware appliances https://shop.opnsense.com/product-categorie/hardware-applian…
What exactly do you need feature wise? FortiGates are overkill for home internet, but you must have a feature set in mind? Difficult to suggest alternatives if we don't know what you are looking for…
Yes just having a look at them.
The primary need is UTP - Webfiltering , malware, anti spam , IOT protection etc.
added bonus would be access point controller , vpn, dual wan etc.
No they don't go on sale.
It's rare to find someone actually putting a price on enterprise gear.
You generally get a quote from a MSP and depending on the size of the order, how good your relationship is with them, the purpose (lab or cold standby), etc. they will give you a quote, you either tell them to sharpen their pencils or you accept it.Difficult to answer without knowing, what are you trying to protect or your requirements as there are countless ways to do things at different price points. But if it's a household network with a few home users. These are just thoughts that come to mind:
A lot of those are enterprise features that help when you are looking to add layers of control for a large environment. Unless of course, you want something to be able to tinker and play with as an area of interest/hobby. If that is the case then by all means get whatever you want.
Keep in mind, almost all web content is delivered over SSL, so unless you terminate your SSL session on your appliance and inspect it before passing it on to your endpoints, you're only going to be able to check on URL names that give a limited amount of protection (From a web filtering, malware, antispam perspective.). To do this you will also need to get all your end devices to trust your firewall to decrypt before passing the traffic to you.
In terms of protection and simplicity, Im assuming you have already addressed your client's connecting and implemented strong controls in that area before locking at permitter security. This would include:
a. Limiting/restricting admin access
b. Using hardened operating systems and browsers.
c. Have cloud backups in place for your data
d. Well-balanced antivirus software to give your client some protection
e. Everyone in the household has been trained on good and bad things to do on the internet to avoid getting compromised.- For IOT, put your simple devices in an isolated VLANS(s) or Portgroup so nothing can get to them from your network and prevent them from accessing the rest of your network/devices, and the only path out is to the service that it is connecting to. A switch/port-based firewall can go a long way in this space and is cheap and cheerful
I am specifically looking at firewalls that have ssl deep packet inspection so that it can intercept https traffic. I dont think end devices should be affected by this.
I do not want to put all IOT in a seperate VLAN as this would mean they can only be accessed via cloud based platforms, but I would prefer direct local access where possible. Also its one of the reasons I am looking for a reasonably good firewall.
The devices that form the network are :
Windows Laptops/Desktop
Macbook pro, Ipads, apple tv
TV, PS5, Media player, Washing machine, Dishwasher
Air con / Air purifiers / heaters
smart lights / switches
smart locks.
I do not want to put all IOT in a seperate VLAN as this would mean they can only be accessed via cloud based platforms, but I would prefer direct local access where possible.
I do the exact opposite of your comment - all IOT on VLAN with no egress on said VLAN and I very comfortably can access the interfaces with a simple firewall policy (granted it is usually off. Most IOT is set-and-forget).
Using a bridge or controller (I use Home Assistant), it has access to that locked down VLAN clients with all static addressing.
Source Fortinet 60E user ;)
Deep packet inspection is tedious as you need to install a trusted certificate on all clients - really not fun and even impossible on some clients.
I do the exact opposite of your comment - all IOT on VLAN with no egress on said VLAN and I very comfortably can access the interfaces with a simple >firewall policy (granted it is usually off. Most IOT is set-and-forget).
This - 100%
SSL Deep inspection of packets will not work if you do not have your firewall certificates installed and trusted by each end device where you are doing SSL. Your end devices will complain and not accept traffic passing through "unless" you trust your firewall certificates on each end user device where you are doing SSL inspection. This is because the payload would have been modified by your firewall as part of the SSL inspection. This is by design and the way you want it to work but will give you overhead to manage your end devices.
For IOT, You can access a different VLAN (from your local network) if you have an interface in that VLAN or can route into it. As "String Name" has mentioned a simple firewall policy from your management device/network to your IOT VLAN should give you local access across routed VLANs.
For the list of devices, I would personally start thinking about what you need before deciding on a solution as there are many ways to do things with varying costs and complexity. As a suggestion and this is an example and by no means a representation of what you want
Requirement 1
I have devices which i use to manage my network:
Windows Laptop/Desktop/MacbookManaged devices need to be able to access and manage all local devices and access the internet.
Managed devices need to be SSL deep inspected.Requirement 2
I have smart devices which i use to consume internet content and do nothing else.
AppleTV, TV, PS5
Internet consumption devices need to be SSL deep inspectedRequirement 3
I have (IOT) devices that need access to the internet or need to be accessed by a managed device.
IOT devices should not have access to any other part of the local network
IOT devices should not be able to see their neighbors in the same network segment.Thanks for the details on SSL DPI. I will have a closer look at this before making any decisions.
Your not going to get enterprise grade hardware for home use, certainly not unless you find a second hand device somewhere.
Unless your running a home based business? in which case you could get one but even then I would go a managed solution with the Firewall hosted in a Datacentre as this will save on space and power costs and give you more bandwidth for filtering as most Datacentres have 10GBPS ports available.
Plus multiple upstream providers.
Plus the cost for a managed solution will be something like $50 a month depending on requirements.
Maybe slightly higher then that I would need to know more requirements.
How did you go with this in the end?
I picked up a secondhand fortigate 100d. No av scanner / threat protection yet as fortinet would not renew license for secondhand devices!
Depending on the brand of smart devices, I would have them on the same network, as the Google devices as an example are all designed to work together and share data otherwise it defeats the purpose a bit.
Why FortiGate in particular? Take a look at https://opnsense.org/