This is one that we have been working on for some time. We are adding Fortinet and other traditional firewall vendors to our review stable. The Fortinet FortiGate FG-40F is an “F” SKU, but it is still listed as a current-generation model. Since we know these are immensely popular, we wanted to use our high-end Keysight CyPerf tool and run it through security testing. Let us just say, we have a decidedly more refined suite versus when we did the Ubiquiti UCG-Fiber Review.
Get ready because we are about to do what is probably the first real review of a Fortinet product online in a long time, getting all the way down to the silicon. If you want to purchase one of these, here is an Amazon affiliate link.
Fortinet FortiGate FG-40F Hardware Overview
The Fortinet FG-40F is a small white box that measures about 1.5 x 8.5 x 6.3in or 38.5 x 216 x 160mm.
First off, we get the logo and model number.
Then we get power and perhaps most interestingly a HA LED.
Then we get indicators for the ports link and activity. A controversial view I have, and this borders on a religious debate, is that I prefer status indicators for ports next to the ports themselves, or on both sides of the chassis. With silent boxes, if you are looking at them from the port side, it is hard to tell if they are on because the status LEDs are on the opposite side. It is also something I notice on many of the NVIDIA GB10 systems. Feel free to disagree on this one, but while testing a set of these, I had to switch sides to even figure out if it was on.
On the side, we get a lock port.
There is also a big vent.
On the other side, we get a lot more venting.
On the top, it says Fortinet.
On the bottom, we get rubber feet and more venting along with labeling.
The back of the unit is the real show.
First, we get a grounding point and a reset button. Then we get a 12V DC power input. Fortinet does something great here (others like SonicWall do too) and has a locking connector to ensure that the power does not unexpectedly come loose.
Next to that, there is a USB port as well as a console port. The console port is fairly standard, and we used a cheap $10 USB adapter to connect it (Amazon affiliate link). I wish this had a USB Type-C port and an internal serial-to-USB function. That would add cost, but it would prevent people from using cheap USB adapters with questionable supply chains.
Next, we have our five 1GbE ports. There is a WAN port and a FortiLink port to connect Fortinet switches to. We will show you one of the management screens for the FortiLink in our management section.
There are three additional ports you can use for LAN connectivity or other purposes.
Next, let us get inside the gateway to see how it works.
I can’t wait for y’all to do more firewall reviews. Talk ’bout an opaque industry.
Any chance you will review the Watchguard Firebox M-Series (M270, M290) ?
We’ve got a few hundred of these deployed. They’re far from perfect, but you don’t have millions of hours of experience on them. You’re right. I’ve never seen a review like this and excellent work
Please test the IPsec performance vs other products (enterprise or not) in this price range! Forti does it all in the ASIC and IPsec performance is insane, even on a small box like this. I’d like to see if any other vendors can compare. Just a note that it is particular on what algos it will accelerate, but AES256/SHA256 should not be an issue at all.
HeloPatrik, excellent work. Could you please test the firmware on the PA-440 firewall?
Thank you, and I wish you many pleasant days ahead.
How about flow setup rate, under different conditions? Flow setup (of permitted flows) is also a very basic attack (generally against an Internet-connected device). Most devices can deny at a decent rate, but setup is another matter.
A 5 page ad for Fortigate.
As someone that manages a fleet of 50+ Fortigates, there are serious issues with these models and the firmware, but none of that seems to be mentioned here. Coincidence, I’m sure.
Wonder if HPE will ever release an update to the SRX branch devices, the SRX300 line is 10 years old now, been looking at fortinet now because at least the hardware is current, even PA needs a refresh too at that level
I don’t see this as a Fortigate ad. I’ve never seen anything like the license discussion in an ad. Greybeard IT must be like an old highly quantized llama2 with that bad of comprehension. lolz @ the low IQ bots
These are 2G devices so they’re on the way out on Forti anyway.
Hehe… never thought I’d see a review on the sites I frequent for Fortinet hardware I’ve deployed; big thanks for this guys.
I can say the 40F is one hell of a step up from the 30E; it was a joke at 1GB RAM. You had to run limited geoip or ips rule sets IIRC, but that was 2020ish; right around the beginning of IT security apocalypse.
I agree that these routers (fortigate) aren’t perfect. But for piece of mind they can provide if you’ve done your diligence in designing your networks; as long as the client is willing to pay the license costs, i sure sleep better at night knowing there’s a team of engineers working on the CVE’s & fixes. Also that i can pick up the phone and have them help of I’m stumped. Big plus in my books.
@Greybeard IT I don’t have a doubt that this chinese spyware has a lot of issues. ^^
Please tell us more about licensing costs, ongoing or one-shot ? How much? Can they be bought directly?
Great idea, firewall / router tests! I would love to see vs. Sophos XGS comparison when all security features are on.
This right here is the mainstream appeal of STH. Anyone working IT with 20-200 end users can use real, hard, data like this to guide and inform decisions, report to management, or check the recommendations from a VAR. I will continue to read STH and watch the YouTube channel as long as reviews like this are being made!
Updated: 2026-03-31
Published: 2026-02-06
Description
An improper neutralization of special elements used in an sql command (‘sql injection’) vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CWE 1 Total
Learn more
CWE-89: Execute unauthorized code or commands
CVSS 1 Total
Learn more
Score Severity Version Vector String
9.1 CRITICAL 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Product Status
Learn more
Vendor
Fortinet
Product
FortiClientEMS
Versions 1 Total
Default Status: unaffected
affected
affected at 7.4.4
References 1 Total
fortiguard.fortinet.com: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
One of many ongoing issues with FortiNET environs.
Next time, at least check CISA for advisories prior to giving such an unmerited glittering review, right now.
There is also significant history. I am not going to list all 10+ known issues…I have already already compiled a comprehensive report on these issues and it is available on demand
Looking at a new firewall cluster to set-up later this year, and Fortinet is a probable candidate. So I’m very glad I could read your review. I would have liked if the “HA” feature would have been reviewed or even just described.
Y’all are freakn’ out over Fortinet has CVEs. Every Linux distro just had a big ugly one. There’s going to be so many soon. CVEs get found and reported when someone is looking. It’s way worse to have a small vendor firewall and no CVEs.
I like that STH is at least doing the hardware teardown and providing something new and useful in the space. They’re doing what they do for servers.
I have hundreds of these deployed across the EU in smaller sites, along with their 60F brothers for larger locations. While these boxes certainly have some minor issues, I like their cost/performance point and remote management features. Licensing is troublesome, and license renewals are painful, but that is the Forti business case: cheap up front, get paid during renewal, although licensing is not Oracle-level abusive. Enterprise-level discounts are significant btw.
Someone mentioned CVEs, but I see this as a plus when it comes to Forti’s transparency and their speed in fixing them.
Watchguard (inherited 100+ installed units) has proven to be cheaper but much more troublesome, to the point that we’re ripping them out for Forti’s.
Fortinet, the Swiss cheese of firewalls.
Some of these comments are hilarious. The one guy posting a a CVE about FortiClientEMS apparently thinking it’s a firewall is just classic. I’ve worked for a large MSSP for over 24 years and we deploy Check Point, Cisco, Fortinet, Juniper, and Palo firewalls. Fortinet is by far the easiest to deal with. They are very upfront about everything, provide advance noticed concerning CVEs and remediation. Some of the vendors I mentioned almost never mention CVEs in patch release notes unless they’ve made the news cycle. I’ve got firewalls from each of those listed in my home lab, but only the FortiGate is connected to the Internet and in production.
Some notes for the folks asking about the licensing.
These firewalls are meant for business use; the licensing is best done via business write-offs. It’s an annual license, with many levels of care; think similar to anti-virus licenses, just with a different set of protection tools (network level versus endpoint level).
Something I’m not sure if anyone’s mentioned having worked with Fortinet support – I’ve used it a fair amount, and it’s an INCREDIBLE safety net in the event your IT guy gets hit by a bus (for example). They can provide remote support for type devices so long as they are actively licensed; just be aware that they have two license ranges: 8×5 support (no evenings or weekends), and 24×7 support.
They also do 24hr cross-ship on defective units, depending on the level of unit (enterprise cloud units likely have shorter).
Just like any highly recognized brand, they’re going to have security flaws. Fortinet is pretty good about informing off these, as well as remediation techniques, just make sure you set up these notifications within your Fortinet support portal.
Dr_b_: SRX 400 series have been “paper released”. It will come in a 420,440,460 and 480 editions 4x SFP+ ports on 460 and 480 if my memory does not play games with me.
Anyway, SSL decrypt should also be considered when enterprise grade NGFW solutions is validated, aswell as possible SASE integrations and also thirdparty compliance/integration
I use one of these at home and some 100f’s at work. I got mine used with no license, because that’s way cheaper and still has many features that beat consumer crap. They’re down to like $50-100 now IIRC. I would suggest pointing out a few things about the ports on page 1 for this 40f. The A / fortilink port can be reassigned to be just another lan port, giving you 4 lan ports. The usb however can’t do the cheapo-nas function that many consumer routers use. The power connector is the same spec as the other brand of firewall, IIRC sonicwall, to the point that you can save a few bucks buying theirs as a replacement if you got one of these used without an adapter. The underside of the 40f has a place where on a related model, m.2 storage would go, but that’s also not for nas use.
The 40f has a couple fewer license-free features than the 60f IIRC, sorry that I don’t remember which ones. Of course if you keep it licensed, that’s fine. But unlicensed ones are very cheap on ebay, for 40f and 60f. Do keep in mind the rating comparison chart, which indicates the 40f may have insufficient performance for some purposes, and of course it’s gigabit only at this tier. I wouldn’t use their built in SSL vpn anyway, I’d run a separate server with some other type and port forward. And some of the performance-hogging filters / features are licensed, so I don’t use them. You can still define your own filters which can pull from public lists, for certain purposes. So you could definitely do dns filtering like people do with pihole / adguard. I also enjoy being able to define domain names (using the .internal tld) for local use in the same device that defines what those devices can do.
If your wan and any segmented parts of your network don’t need to be mutually accessible at more than a gigabit, e.g. iot and guest devices don’t need multi-gig and your wan connection is not multi-gig, then you can use vlans and switches to let your lan devices access each other and a nas device or server faster than that, with only the other segments being limited.