Fortinet FortiGate FG-60F Review A Bigger Gateway Firewall

Fortinet FortiGate FG-60F Performance and Security Testing

For this, we are using our high-end Keysight CyPerf testing machine, with our STH traffic profiles that you have seen in a number of STH reviews so far. The machine itself is able to generate over 2Tbps of traffic, and we use it mostly now for our L4-7 network testing since we have the multi-XGS2 chassis and line card setup for L1-3 and switches. One of the cool parts about our setup, if you have seen previous reviews, is that the traffic hitting the gateway devices and firewalls being tested looks like real traffic. To be clear, we have a setup designed for really high-end 400Gbps and 800Gbps gear, so running it to test a 1Gbps gateway is more than just a bit of overkill.

Now that we are running many more tests, and our automation is getting better, we are going to swap to STH comparison charts rather than the CyPerf screenshots we showed in previous reviews. Let us know about the format. First is just the base throughput we got from the device.

Base Firewall Throughput

Fortinet FortiGate FG 60F STH CyPerf Max Throughput

As a plain stateful firewall on the STH gateway mix profile, the FG-60F leads the FG-40F by 29%-35%. This shows the throughput ceiling, since the security features are not in the path. Frankly, for plain 1GbE NAT-and-forward duty, either unit is more gateway than most sites at this tier need.

Next, we turned on various security features and then observed the packet rates through the firewalls with those features turned on to see the impact of them.

Packets Per Second

Fortinet FortiGate FG 60F STH CyPerf PPS

Throughput is packet rate times packet size, so the packet-per-second view is worth a look. At the base firewall stage, the FG-60F leads by 41%. Packet rate falls off as the heavier content-inspection features come on, tracking the throughput curve. Here is the throughput look:

Throughput Through the Security Feature Ladder

Fortinet FortiGate FG 60F STH CyPerf Security Ladder

The ladder is where the two units separate. On the plumbing-bound stages, the FG-60F leads by 49% for IPS and by 38% for the NGFW profile (IPS plus Application Control). Flow-mode Antivirus and Threat Protection, which layers AV on the NGFW stack, tell the same story: the two units are within a few percent of each other, so it seems like you get a sizable performance gain moving up the stack until flow-mode Antivirus enters the path. Both units land on essentially the same content-scan ceiling, so if the deployment leans on AV or full Threat Protection, the two are much closer than the base firewall numbers suggest.

Next, we wanted to see how many of our STH CyPerf attack profile attacks are being blocked by the firewalls at different levels. Note, there are some we are not testing with the profile, so 0% is an expected result. If we saw a different number, that would be bad.

Attack Profile and Security Efficacy

Fortinet FortiGate FG 60F STH CyPerf Max Throughput Attack Block Rate

With the full UTM stack, the FG-60F blocks 100% of strike attempts (the FG-40F blocks 100%). The lighter stages block less by design: IPS on its own stops 45% of the in-scope strikes, and the profiles with no content-inspection engine (base firewall, Application Control, DNS Filter) sit at zero, which is exactly what they are supposed to do. Security efficacy tracks the FortiGuard signature set, so it is close between the two units at any given configuration level.

Taking another view, we also wanted to see what the gateway could handle as a connection rate while doing this testing.

Connection Rate and Concurrent Sessions

Fortinet FortiGate FG 60F STH CyPerf Connection Rate

Two notes on reading these two charts. First, the light stages are driven by the CyPerf application-mix profile, so the connection-rate and concurrent numbers there reflect the offered load as much as the device. Second, during the heavy content-inspection stages, the concurrent-session count climbs as throughput falls, because a slower data path keeps more sessions open at once. A longer bar there indicates queueing, not necessarily extra capacity.

What we netted out is that the FG-60F is roughly 29% faster than the FG-40F on raw firewall throughput, and the two converge once flow-mode Antivirus is in the path. This was just something interesting to see, especially after we took apart the devices to see how they work. Again, part of the reason we are doing the current-gen F series is that we want to use it as a process pipe cleaner for future reviews. We have a huge number of data points we are collecting with CyPerf, so getting that into something that is easy to digest is harder than one might think.

Fortinet FortiGate FG-60F Power Consumption and Noise

Fortinet has a 12V power adapter that can use different socket adapters. This allows one SKU to be used across different countries.

Fortinet FortiGate 60F Power Supply 1

Something nice was that the power consumption was low. At idle, we were around 5.6W.

Fortinet FortiGate 60F Power Consumption Idle 1

Simply connecting a port got us to 6.0W.

Fortinet FortiGate 60F GE RJ45 Power Consumption 1

Typical is usually rated at something like 10.2W, and maximum is 12.5W. That allows the entire setup to be passively cooled and thus operate silently.

Final Words

Fortinet has been in the news lately for some vulnerabilities. Frankly, there are so many Fortinet devices out there that they make big headline-grabbing news when they are published. I want our reviews to focus more on the hardware, then show some performance views as we do with server and storage gear. This is a box I have wanted to test for our own use for some time, so it was neat to be able to do it. I would also likely buy higher in the stack if we were to deploy Fortinet, and I say this because we have the FG-30G tested.

Fortinet FortiGate 60F Rear Angled 2

To me, I actually really like the idea of getting the FG-60F over the FG-40F just to have more port options and more throughput. Just because there are way more ports does not mean the device can achieve 2x or 3x the performance. Realistically, it is tens of percent more performance, which is good given the similarity of the underlying silicon.

Where to Buy

You can purchase this on Amazon (affiliate link), but make sure you are purchasing the license and term bundle that you need if you decide to purchase an FG-60F.

1 COMMENT

  1. Speaking of updates, FortiGates can’t be directly updated to every version – you have to go in their required sequence. The ideal use case for the 60F might be, in addition to the extra ports, the ability to do a couple more things unlicensed than the 40F does. If you maintain a license, it matters less, of course. But then if you’re buying new, maybe you’ll be considering the G series anyway. And for other purposes you might jump directly to a used 100F or something depending on what you want. BTW the connector these and the SonicWalls use is a known standard which I’ve forgotten, but while YMMV I have found it to be cross compatible. Saves cost if you’re buying used ones and running unlicensed.
