Where Fortinet Is Messing Up

As a network engineer / security consultant I see many different types of technologies. My daily focus is operating Fortinet hardware, which lets me see where Fortinet is really dropping the ball with regard to their technology and software. This page isn't a knock on Fortinet or their business model; instead, it should be viewed as a recommendation from an end user who experiences daily troubles with these items. This page will be updated on a regular basis as more of these items come to mind. Take note: if an item is posted here, it means I have submitted the feature request or change request to Fortinet for implementation. These recommendations may or may not be considered by Fortinet, since I don't work for them directly and I don't sell a lot of hardware by their standards (I am a service guy; I get called in when another vendor fails on a deployment).


Fortinet is a company that was created by engineers and to this day is run by engineers. That is awesome because it means they have technical people up top who are able to design superior products. Unfortunately, it is also a bad thing, because engineers don't think like marketers. I was really excited when I saw that Holly Rollo was hired on as CMO. Holly was the Vice President of Corporate Marketing at FireEye, where she did a wonderful job, which led her to come to Fortinet back in September of 2015. Unfortunately, she seems to have left (as of March 22, 2016?). This is a total bummer, as I had high hopes for her. Hopefully Fortinet will be able to conquer this hurdle, as I feel that marketing is the main thing keeping Fortinet from seeing the growth they most likely want. Marketing will also help slow the competition.

Application Control:

EDIT 1-26-2017: This application control section may have to be removed soon. The 5.6 beta version that just came out enables NGFW-style policy creation (basically the same type of policy creation as on a PAN device). Needless to say, I am pretty stoked. If you are still running 5.4.x or older, though, please read below!

Application control is one of the main selling points of UTM and next-generation firewalls. Fortinet applies the UTM (Unified Threat Management) approach to application control, which is fine and dandy, but it leaves a lot to be desired when it comes to actually applying policy on the firewall. This is the one area where I think Palo Alto has a significantly superior product. When creating a policy on a Palo Alto Networks device you have application as a policy parameter. This means you are able to say "I want this source to talk to this destination over any port as long as it is Skype" or whatever application you choose.

On a Fortinet device you have to create a separate application sensor that allows, traffic-shapes, or blocks the application, and then apply that sensor to the policy. This is cumbersome and doesn't let you get as granular as you would want in your policy set. After all, who is going to create 900 application sensors, one for each source- and destination-specific policy? Sure, you can create a sensor that gets applied to multiple policies, but again, that doesn't give you the per-policy granularity that I prefer.
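As an added example (written for this page, not taken from the original post or from Fortinet's documentation), here is what that two-step workflow looks like in the FortiOS 5.4 CLI: the sensor is one object, the policy is another, and only a name reference ties them together. The object names, interface names and policy ID are assumed, and the numeric application ID is a placeholder to be replaced with the signature ID from the firewall's application list.

```fortios
# Step 1: the application sensor is its own object, defined outside any policy.
config application list
    edit "app-sensor-block-skype"
        set comment "Blocks one application, monitors everything else"
        config entries
            edit 1
                # placeholder: replace 0 with the numeric signature ID of the
                # application to block (see the application signature list)
                set application 0
                set action block
            next
            edit 2
                # catch-all entry with no application or category set:
                # everything not matched above is allowed and logged
                set action pass
            next
        end
    next
end

# Step 2: the policy still matches on address and service only; the
# application decision lives in the sensor it references by name.
config firewall policy
    edit 10
        set name "lan-to-wan-no-skype"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set application-list "app-sensor-block-skype"
        # app control needs an SSL/SSH inspection profile on the policy;
        # certificate-inspection only sees the SNI and certificate, so
        # payload-based signatures inside TLS require deep-inspection
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

A second policy that needs a different application decision for the same source and destination needs a second sensor, which is exactly the per-policy object sprawl described above.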

I understand that, given the way FortiOS processes a packet, enabling application control in the same manner as Palo Alto Networks and other vendors would most likely require a major recode or overhaul. I personally think that if Fortinet wants to successfully fight off Palo Alto (who is growing 100%+ year over year), they will need to consider this, as security experts see it as a major area for improvement.