Fortinet has managed to become one of the top industry leaders in security infrastructure in a relatively short amount of time.
In many cases they have managed to displace other traditional security vendors such as Cisco, Juniper, Checkpoint etc by offering more cost effective and flexible solutions.
For example, in the company that I work we were extensively using Cisco ASA firewalls in many parts of the network which are now gradually being replaced by Fortigate firewalls.
- FortiGate 30E: Value for Money option for home networks, small office or even SMB networks.
- Fortigate 50E: A “middle-ground” appliance between 30E – 60E.
- Fortigate 60E: The most powerful from the three. Best option for Small to Medium Size business. UPDATE: Here is the newer and better Fortigate 60F with great specs and features.
One of the characteristics of Fortinet in the hardware firewall market is that they have launched more than 40 different models of firewalls with varying specs and features to cover the whole range of industry needs.
Being a “security focused” company, their business model is just that: To cover every security need of companies, from SMBs up to larger Enterprises and Service Providers.
In this article I will compare and describe three popular entry-level Fortigate models, the 30E, 50E/51E and 60E/60F/61E. (NOTE: The only difference between 50E vs 51E and 60E vs 61E is that the 51E and 61E models include also an internal SSD disk drive for log storage).
The models above are compact fanless devices mainly used in branch office networks of large enterprises or in small to mid-size businesses (with up to around 50-60 users or more depending on traffic usage).
Before going any further, let’s first see a quick comparison table between the 4 models. I have included the most important specs in my opinion that a professional should look at when selecting a hardware firewall model.
Last update on 2021-02-25 at 18:06 / Affiliate links / Images from Amazon Product Advertising API
Notes on Throughput
- Firewall Throughput = Raw firewall throughput (without any extra protections).
- IPS Throughput = Measured when IPS protection is enabled.
- NGFW Throughput = Measured when IPS and Application Control are enabled.
- Threat Protection Throughput = Measured when All protections are enabled. (Firewall, IPS, Application Control, Malware Protection).
Many people want to select a firewall model based on the number of users in the network. However, this is not a good approach because in some cases the traffic usage might just be email and web browsing and in some other cases the traffic might be heavier like streaming, downloading large files etc.
It is generally better to select a model based on the traffic bandwidth usage, the WAN link speed and what security features you will have enabled on the device.
I would suggest to take the lowest throughput rating on the datasheet (see also Table above) and use that as a soft rule of thumb.
For example, assume you have a small office network with around 50-70 Mbps WAN link (or ISP Internet link). This means that Full-Duplex bandwidth would be 100-140 Mbps. For that scenario, the 30E or 50E would be a great option.
On the other hand, if you have a 100Mbps WAN link (200 Mbps full-duplex), then you should be looking at the 60E model in order to accommodate full Threat Protection throughput.
EDIT: The newest Fortigate 60F model can support 1Gbps Internet speed with full Next Generation Firewall (NGFW) features enabled.
Fortigate Subscription Security Licenses
All Fortigate firewalls run on the same FortiOS operating system which controls all security and networking features of the firewall devices.
Moreover, if you want to un-lock the real security benefits of Fortinet Next Generation Firewalls (NGFW) with advanced protections (which work at Application Layer 7), you will need to buy a recurring FortiGuard subscription license (optional).
The FortiGuard subscription license gives you access to AI-driven security intelligence services such as App Control, Intrusion Prevention (IPS), Malware Protection, Antivirus, Web Filtering etc.
The above license subscription comes in various flavours and time-length (1-year, 3-year, 5-year).
Moreover, there are four bundle categories of subscriptions (360 Protection, Enterprise Protection, UTM, Threat Protection) providing different levels of protection features as shown in the Table below:
All license options above are available for purchasing with all Fortigate models that we will discuss in this article. The above subscriptions are optional though.
If you don’t buy a subscription license you can still use the Fortigate box as a pure firewall device for network protection up to Layer 4 (including VPN for site-to-site and remote access, NAT, firewall policies etc).
However, keep also in mind that the subscription license gives you also FortiCare support service which offers firmware updates, patches, hardware support etc in addition to other support features.
Let’s now discuss briefly each FortiGate appliance below:
Fortigate 30E Brief Review
Last update on 2021-02-25 at 18:06 / Affiliate links / Images from Amazon Product Advertising API
This is the smallest model manufactured by Fortinet and comes in two flavours, the Fortigate 30E and the FortiWiFi 30E. They are exactly the same in terms of features and performance with the only exception of WiFi support (dual band) on the latter model.
As a hardware appliance, it is a powerful Desktop-size firewall with one WAN port for connecting to the ISP (or other ethernet WAN connection) and 4xLAN ports (these are switch ports) for connecting to internal network hosts. Of course, you can connect the LAN ports to a switch for accommodating more internal hosts if needed.
You can either use this appliance as normal hardware firewall (i.e doing NAT, TCP ports restriction, traffic policy controls, VPN for remote access etc) without buying any recurring FortiGuard license.
Many people prefer the option above (i.e use the appliance as pure hardware firewall as an SD-WAN device without any license).
This means that you can even connect it to a high-speed Internet connection line (even close to gigabit speeds) and utilize fully the 950 Mbps firewall throughput which is the raw firewall performance of FG-30E when it works only as a firewall device.
However, as mentioned above, the real security benefits come when you buy a subscription to the FortiGuard services.
Even if the 30E is the smallest model of Fortinet, it can provide all NGFW advanced security features of larger models when subscribed to FortiGuard services.
These advanced protection features include web filtering, antivirus, malware protection, Intrusion Prevention, Anti-spam and much more.
However, the more “advanced” features and inspection controls you enable, the less becomes the performance/throughput of the device.
If you want a robust and solid hardware firewall for a small office or small business (for around 10-20 users approximately and around 50Mbps WAN link) then the FortiGate 30E is a great option.
You can even use it initially as a powerful SD-WAN router/firewall (for network protection, VPNs, NAT, firewall policies etc) without buying a security subscription and then expand further your security posture with a FortiGuard license as needed.
Overall, the FG 30E will give you a lot for your money. This little device offers Enterprise level security in a small and economical appliance.
Fortigate 50E/51E Brief Review
Last update on 2021-02-25 at 14:36 / Affiliate links / Images from Amazon Product Advertising API
This model is right in the middle (in terms of performance) of the devices we are comparing in this article.
Unlike the previous 30E model, the 50E contains 2 WAN ports (for ISP redundancy, load balancing etc) and also 5 LAN switch ports.
Moreover, starting with this model, customers can also select a device with an internal SSD storage disk for log retention. The FG 51E contains an internal 32GB SSD drive for log storage. This is very useful for troubleshooting purposes.
NOTE: For log retention you can also install an external open-source syslog server and collect logs on that one instead of relying on the internal SSD drive for storage (you can configure the firewall to send syslog logs to the external server).
Fortinet officially recommends the 50E model in use cases of UTM (Unified Threat Management) deployments in Small Offices or as secure SD-WAN in Enterprise Branch networks.
In my opinion, the 50E/51E would also be ideal in stand-alone SMB networks with approximately 15-25 users and Internet speed connections of around 50-70Mbps.
In the above scenario, the FG 50E performance would be sufficient even if all Threat Protection features are enabled.
Fortigate 60E/60F/61E Brief Review
Last update on 2021-02-25 at 17:36 / Affiliate links / Images from Amazon Product Advertising API
The Fortigate 60E/60F/61E model is one of the most popular devices in the Entry-level category.
Just like the 51E, in this appliance we have also an internal SSD disk drive (128GB) on the 61E model. The drive size is definitely much larger than the 51E so you will be able to keep logs for a much longer duration compared to the 51E device (although an external syslog server would be a better option in my opinion).
Looking at the physical interfaces of this model (2 WAN, 1 DMZ, 7 LAN ports) you immediately understand that the FG 60E/60F/61E can easily be used in mid-size businesses with the capability to implement WAN redundancy and also create a DMZ zone for connecting public servers such as a Web Server for the company, an Email server etc.
Another hardware characteristic of this model is that it is powered by a SoC3 SPU (Security Processing Unit). This processing unit supports firewall acceleration and enhanced performance which reduces the firewall latency by a lot. NOTE: The new FG 60F is powered by a SOC4 RISC-based CPU.
Mid-size networks with around 30-50 users and an Internet/WAN circuit of around 100Mbps can utilize a 60E model with all Threat Protection features enabled. Moreover, if you purchase the 60F you can even reach 1Gbps internet speeds with NGFW features.
Many people select the 60E device even for smaller business networks in order to be able to expand in the future and also for having performance expansion room for enabling many advanced security features.
In my opinion, if you have the budget I would definitely recommend the FortiGate 60E/60F/61E over all the other models in this article. It is a future-proof appliance with lots of “horse-power” for supporting mid-size business networks.
FortiGate 30E Vs 50E
These two models are pretty similar with the 50E having a little higher performance throughput and also better physical interfaces.
If you want to protect a smallish network with around 10-20 users and close to 50 Mbps WAN circuit on a budget, the 30E is ideal. Moreover, many power users purchase the 30E even for their home network for robust protection and performance.
If you want to protect a small business network with some room for expansion (around 15-25 users and 50-70 Mbps link) then go for the 50E which is somewhat more powerful.
I wouldn’t suggest to buy the 51E just for the log storage. Just install a free external syslog server and you will be good to go with regards to logging.
FortiGate 30E Vs 60E/60F
If you have such a dilemma to select between 30E and 60E, the choice is obvious in my opinion.
If you can spend some extra money, I would definitely recommend the 60F over the 30E. The former is much better in all aspects, especially the hardware performance as described in the review sections above.
However, if you are a very small office network with very few users and low performance requirements, the 30E will be the best option with regards to cost.
Regarding software features, both 30E and 60E can unitize the same advanced security features provided there is a paid subscription license.
FortiGate 50E Vs 60E/60F
The price difference between 50E and 60E is not significant in my opinion to change my mind between these two models.
I would definitely recommend the 60F here instead of the 50E. Remember that the 60E uses a SoC3 SPU chipset (or the SOC4 on the 60F) which offloads a lot of firewall functionality on the special-purpose ASIC chip thus improving the hardware significantly. The 50E relies on a regular CPU instead of a dedicated SoC chipset.
All I can say is that Fortinet has managed to manufacture some impressive hardware firewall devices covering the whole range of the market needs.
If you are looking to buy an excellent entry-level firewall appliance for your office/business or even home network, the three models discussed above (30E, 50E, 60E/60F) would be great choices that will serve you well in terms of both security protection and performance.