Fortinet sells to the PHBs, and that is what their salespeople, at least where I live, focus on. Buzzwords, scare tactics, Gartner reports, power play. In a meeting they will throw the entire playbook at you. And if they notice you are technically sophisticated, and not biting the hook, they become aggressive, arrogant, and insulting, not even wanting to defend the products any longer or enlighten the potential customer. How do I know this? One of my worst sales meetings in 34 years of experience was with them, end of last year.
Met a sales guy from Oracle some 20 years ago behaving like that. Unfortunately for him I am the boss and we've only used open source database products ever since.
Already asked on the video that started this: Is there a chance to do one on Meraki? Maybe a Unifi/Meraki comparison? Not a "Meraki Bad" video, an honest comparison (or a "Meraki Bad", if that's what you believe, of course).
I was pondering Fortinet this summer just for testing, but by November and December I got hints of security issues and I'm kinda glad I'm not playing with them for home/dev/test. I chatted with some sec vendor over lunch last month and made mention of Fortinet's issues and they agreed things aren't looking great security-wise with them. They have been removing and replacing Fortinet gear.
Oh...I totally forgot. Probably the biggest red flag for Fortinet is that they are partnering with CrowdStrike. I'm guessing they have similar developer cultures of "never test, let the interns handle it all" or something.
I'm installing a network in my home, it's a lot less fun doing it without trained colleagues and also not getting paid. I also didn't realise just how expensive all the gear I've been installing for years is.
Lawrence, so many thanks for answering my questions. I just got an NSE 4 and I was wondering why a simple 61E costs around $300 if you get pfSense for less than that and, like you said, it's better.
So, serious question then...do you have a brand you would recommend for firewall/switches? (not Unifi, as I'm thinking of a much larger network than one would typically use Unifi)
We do Cisco & Arista but Juniper is not bad either. The UniFi firewalls have become much better since version 9 and UniFi is used a lot in some bigger environments.
@@LAWRENCESYSTEMS This is the funny part. I often hear that Ubiquiti isn’t ’serious’ enough or too many functions are only accessible in the web interface. They’ll then propose Fortinet or Juniper. I used to describe UniFi as ‘Enterprise Lite’, but it’s seriously not now. Add in licence-free software, no lock-ins and technology that makes it relatively simple for any normal system administrator to manage them effectively, then they’ve become compelling. We used to sell Meraki if you had budget, Ubiquiti if you didn’t. Whilst the margins on Meraki are still fantastic and we can easily pitch them, we rarely do now.
No disrespect because I like your content but, you will not find a Unifi firewall in an enterprise network but you will find PAN and FGTs. Cisco and Checkpoint are certainly below both PAN and FGTs in independent security testing and have been getting replaced by PAN and FGTs. I saw mention of the SSL vulnerability, all firewalls that use the common libraries will have it as well. Fortinet is moving away from SSL VPN and recommends IPSec or better yet ZTNA. While we can talk about vendor vulnerabilities they pale in comparison to how most organizations don’t even use the features of the firewalls and if they do they are not decrypting traffic. That should be the discussion.
@@LAWRENCESYSTEMS Unifi is not used in bigger environments unless you mean their access points, but that's not really a Unifi network. I love Unifi and I use it myself on my home net, but it is far from what Cisco is.
I worked for a decently sized MSP in the USA that was heavy Meraki (over 600+ sites). I recently moved to New Zealand (family reasons) and took a job with a different MSP. NZ is HEAVY Forti. Almost everyone uses Forti. I miss the management and patching in Meraki. Forti leaves sooo much to be desired.
I wonder why Meraki has had very few vulnerabilities over the years. Good code practices combined with a heavily locked down product that has ONLY a cloud mgmt plane?
And Fortinet is by far the most incompetent product, like in any category, by far. I work for an MSSP, and one of our clients has Fortinet everything. FortiSIEM, FortiSOAR, FortiGate, FortiEDR, etc. The whole deal! And guess what? We all hate it because it's terrible to use, training materials are actually just marketing bull, and the products themselves are over hyped and genuinely just laughable when it comes to real gear like Cisco with Firepower, Splunk, etc. It's just funny how this one client that uses Fortinet is always close to being hacked because of how bad their network solution is. We conducted analysis and audits for them and it's all set to be secure, but yet here we are.
The problem is that people are already voting with their dollars. All other similar enterprise solutions have double to triple the cost. As weak as the implementation is compared to other companies like Palo Alto, most organizations (especially the non-profit ones) do not have the funds to sustain the cost or the know-how to choose other solutions that are more robust but need more internal expertise. Unfortunately it's a value-for-money issue.
Secure by default should be the uhhh default. Making it so that something can be secured is very different from just making a secure product. End users have better things to do than to read through all of your documentation just to make sure they configured it according to your best practices. If it is important enough to be a best practice it should just be the default too. It frustrates me when people don't do that in the name of things like backwards compatibility. Like the fact that you have to go into your firewall to allow this super old standard that is no longer considered secure should be an indicator that you should look into either updating the config on the other device if it supports it or upgrading the device entirely to a newer model.
I'm just really disappointed because I've used them in the past and I'd love to recommend them in my current environment because I love the functionality and flexibility of the platform. I really hope they get their shit together in the near future and I can get rid of these damn Merakis.
Thanks, wasn't aware of that. Considered buying used on eBay for a home office setup. Thankfully the news of hard coded credentials, admin accounts w/o passwords, lack of MFA, etc. turned up just in time before I acquired e-waste too.
I am a former QA and it literally sickens me how little companies give a shit about QAing, and still make billions. That's a larger societal problem at that point
I’m pretty sure some industrial ICS/OT network devices are just Fortinet products in fancy chassis. I don’t know if that means they have all the same flaws, but considering the OT stuff is usually 10x the cost of normal enterprise gear, I wouldn’t want to be the one to find out. 😂
Palo Alto for me is the best. Worked with PA, Checkpoints since those old Nokia boxes, SonicWall, Cisco ASA, Meraki, FortiGates... PS: Checkpoint updates are a nightmare....
The problem is not Fortinet, or the other very expensive firewalls of the world; firewalls should be open source, period. This ensures that thousands of people are looking at the code. All the other ones will never have the same scrutiny.
I admin ~23 FortiGates and never had a serious issue. Fantastic pieces of equipment in our experience. Their support was quick to provide fixes in the 2-3 times a specific issue arose.
Together with several colleagues, I am admin of several hundred FortiGate firewalls. The products are really good and I haven't had any major problems so far. The most annoying were the SSLVPN vulnerabilities last year ... And every manufacturer has already been hit ... Cisco / PAN / SonicWall / pfSense etc. As long as you don't publish Admin MGMT on the Internet, you are generally on the safe side.
Actually, I was considering jumping from UDMs to Fortinet because we're wanting some more control.... But I guess i'll just wait for Unifi's product to mature. lol
Fortinet look to be just as competent as TP-Link, how the likes of Gartner continue to rate them as the top firewall of 2025, only the accountants will know!
I mean, can you purchase your position in that idiotic quadrant? No responsible tech person gives a sht about the Gartner magic quadrant crap. It may have been fancy 20 years ago, but means nothing in 2025. But self-important dcks (CEO, CISO, CTO) want to look well-informed when they bring up these Gartner clowns.
Fortinet are open and transparent, and actively test their own equipment. A large percentage of the vulnerabilities they discover themselves. I wish other vendors were so open and active! Yes, I am looking at the other big players... you know, the ones that are enterprise level equipment, aka Palo Alto, Checkpoint and Cisco for example.
I don't understand the haters who say anything against this channel. I find this guy actually quite smart.. he has found and is using in anger the YouTube algorithm to make more money, aka throw s**t on something/someone in a fully uninformed way :) I bow to his intelligence. Anyway, I admit I'm a Fortinet employee so maybe biased (eheheh), but I find all these Forti-hating comments quite funny :D I think I read only one or two that could come from (tech) decision-making people, which is quite obvious.
I’ve used a lot of Fortinet devices and generally I’ve had no issues, thankfully. Performance is incredible. However, the security issues have been alarming over the past year. This is not uncommon though; as with any tech, the more a specific technology gets adopted (Fortinet has seen a big increase in the past few years), the more people also try and find holes in the device. So it’s swings and roundabouts, not good at all, but I'm not surprised.
Exactly! Fortinet is the GO TO firewall to get for SMB, and even large businesses, because their stuff is really neat and fast. I do love them, but I also hate that they maintain 3-4 or even 5 firmware lines per device. This is what is killing their QA. If being exposed forces them to get their sh*t together and produce better stuff, all the best for us after. I will never go back to pfSense, WatchGuard or SonicWall. And I will not take a second mortgage to buy Palo or CheckPoint. Anything else (HP/Aruba, Dell, pfSense, etc.) is just crap.
You probably won't be surprised, but a lot of colleges are really strong on Forti products, it's hard seeing this and not saying anything. The bias is very strong for these things.
Even Fortinet TAC are complaining about crazy stuff going on with the developers. It's frustrating for everyone when seemingly small changes have huge impact.
Cisco Firepower. But you need two firewalls, one internal and one external. We use Cisco Firepower internally and pfsense externally for some clients that can't afford multiple firewalls.
I don't think it's any worse than other vendors and there have been severe issues on others as well. Fortinet does have a large presence in the security landscape and issues will get large news coverage, which sometimes is justified as a kick in the butt. Some of the flaws are just facepalming, stuff that static analysis could have picked out, like hardcoded passwords/certificates etc. Part of these issues are from dealing with old code, code from acquisitions, the push to implement new features from product managers and the integrations it needs to keep with their other products in the security fabric etc. etc. Have they been working hard on pushing out old code and are they committed to resolving issues? Yes, for sure, but I would not want to be part of their dev team. We are not done with issues yet; some of the patches are just that, patches, but the underlying code is still flawed. It's not only CVEs though; sometimes an update fundamentally breaks even the most obvious of functionality. It really has made me wonder why some updates even made it through QA. Don't get me started on mature vs feature, because this has meant very little. I would personally have liked to see them ditch the current method of firmware releases as blobs and rather have the ability to install and update the components where needed. If only we had systems and methods in place that have done that for many years =D The best thing Fortinet could do is cut the product stack in half by selling off all their non-core items and focus on the key components, hold off on new features and get a grip on their QA. However, all focus is on AI AI AI all the AI, everything MUST AI !! Less humans, more AI, less knowledge needed, more AI. It must also be said that it's upon partners and customers to also implement proper security practices. If you decide to put your management interface open from the internet with default accounts, a weak password and no MFA, it's a matter of time before someone gets in.
That hasn't been any different for many years and holds true for any product. Stuff like virtual patching can help to mitigate improper usage, but it starts with a proper mindset on how to implement security products and what opening up services actually could have an impact upon. The number of times I have to repeat that story...pff
Ah, nice. Another case of the company I work for "upgrading" to the worst possible thing. They literally just rolled out Fortinet Proxy. I assume because it was the cheapest option.
Ah well, that's what happens when you keep adding new products to the list instead of investing in improving the existing ones, or just rushing out new features on the core product without caring about code quality and proper QA.
Huh, have you looked at Cisco ASAs? They all have their flaws. Also, not a reseller. Just an overworked system administrator. It's easier said than done to just rip and replace.
We are an MSP and as a technician I hate products which stop working when a license expires. Every customer we have that has a Fortinet, Watchguard, Sophos or whatever will be replaced once the license is about to expire. pfSense isn't the holy grail, but their appliances like the old 7100 have been running at customers since they came out and never asked for a license or had other stupid limitations which aren't hardware related. If that changes at some point, they will be replaced with some other product that doesn't require a license.
To be extremely blunt, Fortinet has had SHIT security since day one. The company I'm at years ago started swapping out Checkpoint appliances for Fortinets and it was a predictable disaster.
Ahem, CVE-2024-20148 (Cisco), CVE-2023-24104 (Ubiquiti), CWE-94, CWE-79, CWE-77 ALL classified under pfSense. If the security world was perfect then nobody would have a job. Is any vendor perfect? Nope. If any security engineer focuses on one device such as a firewall for security alone he should go back to grade 1. It's called a security architecture for a reason.
Honestly, if you have a product that ceases to function properly without a support license, you've already gone too far down a path that incentivizes you having product issues that can only be fixed when you've got an active support license. ;) If anyone has a good guide for reflashing their hardware, though, lmk! Got nothing bad to say about the silicon, just the firmware/software that is achingly bad.
I don't get the point of this video when every vendor out there has security issues and their own bad security. If the point is to point out the obvious, well then, no shit?
As I said in the video, it's not about security issues from complexity, it's about having security issues caused by ignoring modern secure development practices.
@@LAWRENCESYSTEMS Then don't just highlight Fortinet. You could have added or even mentioned that other vendors have also used the same development practices. Cisco has used hardcoded credentials. Palo Alto has had more recent (2024) CVEs with its own SSL VPN implementation. As of FGT 7.6, Fortinet no longer recommends SSL VPN, probably because SSL VPN isn't actually a standard, but instead recommends use of IPSec or ZTNA. Just the title of the video itself singles out Fortinet as the main baddies of insecure development practices, when this is an industry wide issue. Speaking of bad practices, network engineers are equally at fault when they are exposing management interfaces to the Internet when they should be using local in policies. If you wanted to highlight bad security in development, you could have easily covered companies like TP-Link that the government has actually talked about banning because of those practices. TP-Link doesn't just sell consumer devices but are trying to move into the prosumer/SMB market with their Omada line.
I may be making a huge mistake, but we have run a fortigate for years now. Now that it is EOL, I am working on transposing all our rules over to an EFG.
End of the day a firewall isn't that expensive unless you need a lot of them; for a small company it's a lesson learned and move on if it's giving you lots of grief.
Nothing is perfect but Fortinet isn't even putting a best effort to minimize attack vectors. This is silly stuff that Fortinet shouldn't even be letting happen. PERIOD, full stop!
I love your channel Tom, but your continuous bashing on Fortinet is getting long in the tooth. And since you always say that you DON'T KNOW the product, why do this? I don't see you going after Palo Alto, Sophos, Checkpoint, Cisco, WatchGuard, SonicWall, Juniper, etc. Stick to your guns with pfSense and Unifi's DMP; that will be better for your credibility in the networking and security department. Unless you have considerable knowledge of Fortinet's products and how their ecosystem works, stop using CVEs and click-bait video titles to get views on what were good informational videos in the past but are now just all show and no go. And while here, why don't you also go after Microsoft and Windows and all the security issues they have that are WAY worse than anything Fortinet faces. Edit: And I have a question for all of you Fortinet haters that all seem to know everything about Fortinet's products: What will you recommend instead? What will you say at your CyberSecurity audit, that you are moving from Fortinet to pfSense? Let's see how long and hard they will laugh at you while they pack their stuff and void your CyberSecurity insurance..
@@PvtAnonymous Sadly I am not a FortiEmployee. Just a regular network admin that has seen a lot more than 99% of people commenting here about Fortinet being bad because they had one or two bad experiences. You must be one of them!
All software has bugs, but Fortinet has a proven history of making the same basic mistakes over and over again. It's one thing if it was a one-off mistake, it's another thing when you consistently make the same mistakes for decades, especially when you're meant to be an expert in security. There's clearly some systemic issue at Fortinet that we are not aware of.
Fortinet is used by a lot of government agencies because of where the components and software are made (Canada)... Fortinet makes a ton of different products and some are hot trash compared to the other ones. I'd say Fortinet firewalls are just as good or better than the Cisco product line. Palo Alto is starting to be adopted a lot, but Fortinet does have some high end products which work pretty well.
I inherited a network based on fortinet in a crazy overbuilt HA/Failover setup (they're a machine shop, wtf?) and when the SSL-VPN bug came out we discovered Fortinet would not be patching our devices as it was EOL/EOS just a few weeks prior. For simplicity we went with a new fortigate (smaller unit, non redundant because HA really isn't a need for the business) but I do regret that choice. When warranty runs out I'll probably be pushing for a netgate or similar pfsense solution. The biggest advantage I see with a lot of open source products is that when security flaws are found, they usually are just fixed and acknowledged. No egos, no brand salvaging BS, just "yup, that's a big problem but we are addressing it." It's a level of accountability you don't see from publicly traded companies that care about stock value more than anything else.
Wow, you Ubiquiti fanboys use a product with horrible security and horrible support, but you’re critical of Fortinet for vulnerabilities from FIVE YEARS AGO? As an IT admin, I don’t use FortiManager, and SSL VPNs are for amateurs anyway so I don’t use those either. I wouldn’t say Tom is lying, but he’s sure close.
He's been critical of Fortinet since long before he recommended Ubiquiti's gateways for small business; that's only with the newly released update. The Fortinet vulnerability that just hit the news with 500,000 leaked VPN passwords was a vulnerability from 2022 that they never patched until recently. They need to get better at following best practices and fixing their issues.
As I said in the video, it's not about security issues from complexity, it's about having security issues caused by ignoring modern secure development practices. I provided plenty of evidence in those links. Are you saying the CWE type does not matter and OWASP is wrong?
I work with Fortinet, Palo Alto, and pfSense firewalls. None are perfect, but Fortinet is consistently the one that I have to emergency patch the most often; it's not even close.
NGL we had an emergency window set up to patch a Fortigate due to a zero day and the zero day got exploited actually on day zero. First time I've ever had that happen. Didn't even make it to business close for our window.
Because Fortinet is the only one who releases patches actively and reacts fast as they are under the scrutiny of many security experts. All the others are not on the radar, but have all flaws that have not been disclosed yet.
@@Traumatree bullshit, Checkpoint and Juniper have very low to nonexistent cves and they’re under the same scrutiny
We have a mix of firewalls as well, but FortiGates are the majority of ours (about 160 deployments) and it always feels like there is some major exploit or zero day patch. Some of it is a bad rap, but they definitely need to spend more time polishing their patches before they roll them out.
@@Gearbhall bit confused here, was this zero day exploit in the management plane?
if yes then i assume it was internal, and how did the internal intruder get into the segregated off management plane to exploit the zero day
Above implying your customer has bigger security issues than anything to do with fortinet :)
Tom, knowing what not to say to keep Fortinet Lawyers in check. That's how it's done. Great to the point content as usual. Thank you!
Is it that bad? They had a backdoor. It's not an “Oops”.
The answer is Yes, they are that bad.
hey even higher end firewalls like Juniper had backdoors for the agencies and whatnot
@@marcogenovesi8570 That doesn’t make it Ok.
@@keyboard_g Yeah but it's annoying as hell to hear some dude shit on one brand while shilling for PFSense and Ubiquiti so hard when they themselves have plenty of their own issues and vulnerabilities yet I don't remember ever hearing Lawrence talk about cve-2024-46538 last year
@@keyboard_g if everybody is bad then no one is. Or in other words it's not a useful descriptor anymore
@@marcogenovesi8570 I mean Juniper's backdoor was instated by the US government, but yes it's not good to have backdoors on principle as they will be found and exploited.
As a manager of a company that uses Fortinet, we are absolutely dumping their product at the end of our licensed period. The fact that there are too many stupid blunders that are absolutely avoidable with simple code-review processes is unacceptable to me.
What are you going to use in future?
They do code reviews. And have secure coding practices. They have been thoroughly tested by both black-box and white-box audits. Sure, they have vulnerabilities (and bugs). But who doesn't? Just have a look at MITRE stats and you'll see how many vulnerabilities are released. Fortinet at least discloses all their vulnerabilities. Even the internally-discovered ones. That's why you have to patch them. Because it's a good thing that you do. You don't want to have to?
Ask Fortinet to upgrade it for you (they can). Or ask any Security Service company (probably much cheaper for such a simple task).
You want auto-upgrade?
Oh, wait. You can (and it's now enabled by default on small appliances not centrally managed).
@@Mahikuku definitely not the words of a competent security professional. stop defending them. no other security vendor has anywhere near as many vulns as Fortinet. sure you can compare the number to Apache or Adobe or whatever, and yes they are bad and frustrating, but those aren't security companies which have the sole purpose of protecting your network! if your defense/protection system is itself letting the bad guys in, is it really a security system? why people defend these guys completely boggles my mind..
My first thought: a programmer that hardcodes user credentials should not be on the team, it is asking for problems. Low Level did a deep dive into what Fortinet does not check and it is not good.
The senior architect shares a large share of the responsibility since they have not instituted and enforced coding practices.
@@cidercreekranch they probably didn’t even have an architect (joke)
Indeed, it's a bit of a red flag when your company's focus is security... they are supposed to be "experts" in it. "Don't roll your own cryptography" in programming is a very strong recommendation because so many minute details can have major ramifications. Fortinet are big in the SMB space where there isn't a large IT department (assuming there is one at all) to even keep on top of patching; said companies are practically outsourcing their network security to them. I've read some of these issues over the years and would not like to toss a fellow coder under the bus, but some are bordering on negligence.
It’s supposed to protect my network. If it can’t protect its own login from basic attacks, how can I trust it to protect my network?
If these companies concentrated their efforts on efficiency and security like they do complex licensing, pay gateways, function gateways, their devices would be impervious to hackers.
What I really don't like about Fortinet is why can't I use my f**king YubiKey with it? It's 2025.
MFA is the worst part
YubiKey supports TOTP; does Fortinet have TOTP for 2FA, or are they still pushing their FortiToken?
Still pushing their stupid ass FortiTokens, or you can get mailbox-polluting email auth codes.
@@GrishTech it's all FortiTokens still with no alternative so far
@@UTVPOWERSPORTS SAML/SSO. Yes, we have options for MFA in FortiGates.
Forti ways to get in to that Net.
😂
SonicWall, FortiGate, and others have been suffering in the QA department for the past few years. The key is, no matter what product you use, just use good security practices: don't leave defaults for anything; set admin passwords to a 14-character minimum with MFA; turn on logging for any management access or change; disable management over WAN interfaces and lock things down so that only certain management interfaces can get in. I'm not a coder, so I have to rely on these vendors to do their jobs. MSPs, make sure you have good errors and omissions insurance! haha!
that's what you get when you outsource critical work to the cheapest SWEs possible.
100%
Any firewall regardless of brand is only as secure as your own security practices are.
Fortinet sells to the PHBs, and that is what their salespeople, at least where I live, focus on. Buzzwords, scare tactics, Gartner reports, power play. In a meeting they will throw the entire playbook at you. And if they notice you are technically sophisticated, and not biting the hook, they become aggressive, arrogant, and insulting, not even wanting to defend the products any longer or enlighten the potential customer. How do I know this? One of my worst sales meetings in 34 years of experience was with them, end of last year.
What does PHB mean in this context?
@@ricsip Pointy-haired Boss, a reference to Dilbert's manager in the cartoon strip of the same name.
Met a sales guy from Oracle some 20 years ago behaving like that. Unfortunately for him I am the boss and we're only using open source database products ever since.
Already asked on the video that started this: Is there a chance to do one on Meraki? Maybe a UniFi/Meraki compare? Not a "Meraki Bad" video - an honest compare (or a Meraki Bad, if that's what you believe, of course)
Great video and valid points. However, UniFi is nowhere near an alternative to Fortinet as you mentioned in one of the comments.
That's a laugh
Cisco Firepower. You're welcome. 75% of the market for good reason.
Fortinet's software QA has been trash for a while now. Devs do all sorts of stupid stuff over there.
I was pondering Fortinet this Summer just for testing but by November and December I got hints of security issues and kinda glad I'm not playing with them for home/dev/test. I chatted with some sec vendor over lunch last month and made mention of Fortinet's issues and they agreed things aren't looking great security wise with them. They have been removing and replacing Fortinet gear.
When a company literally develops a customizable feature designed to control device behavior WHEN it fails, you should be worried (conserve mode).
Oh...I totally forgot. Probably the biggest red flag for Fortinet is that they are partnering with CrowdStrike. I'm guessing they have similar developer cultures of "never test, let the interns handle it all" or something.
Always grateful for the information and quality of your videos!
Say anything to get that first comment amirite
I'm installing a network in my home, it's a lot less fun doing it without trained colleagues and also not getting paid. I also didn't realise just how expensive all the gear I've been installing for years is.
Lawrence, so many thanks for answering my questions. I just got an NSE 4 and I was wondering why a simple 61E costs around $300 if you get pfSense for less than that and, like you said, it's better.
So glad I didn't go through with Fortinet
It's a pattern at this point. At least when other vendors have issues it's not monthly… but Fortinet feels weekly.
So, serious question then...do you have a brand you would recommend for firewall/switches? (not Unifi, as I'm thinking of a much larger network than one would typically use Unifi)
We do Cisco & Arista but Juniper is not bad either. The UniFi firewalls have become much better since version 9 and UniFi is used a lot in some bigger environments.
@@LAWRENCESYSTEMS This is the funny part. I often hear that Ubiquiti isn't 'serious' enough or too many functions are only accessible in the web interface. They'll then propose Fortinet or Juniper.
I used to describe UniFi as ‘Enterprise Lite’, but it’s seriously not now. Add in licence free software, no lock ins and technology that makes it relatively simple for any normal system administrator to manage them effectively, then they’ve become compelling.
We used to sell Meraki if you had budget, Ubiquiti if you didn’t. Whilst the margins on Meraki are still fantastic and we can easily pitch them, we rarely do now.
No disrespect because I like your content but, you will not find a Unifi firewall in an enterprise network but you will find PAN and FGTs. Cisco and Checkpoint are certainly below both PAN and FGTs in independent security testing and have been getting replaced by PAN and FGTs. I saw mention of the SSL vulnerability, all firewalls that use the common libraries will have it as well. Fortinet is moving away from SSL VPN and recommends IPSec or better yet ZTNA. While we can talk about vendor vulnerabilities they pale in comparison to how most organizations don’t even use the features of the firewalls and if they do they are not decrypting traffic. That should be the discussion.
Cisco Firepower. It's the best firewall on the market and using it is actually good unlike Fortinet products.
@@LAWRENCESYSTEMS UniFi is not used in bigger environments unless you mean their access points, but that's not really a UniFi network. I love UniFi and I use it myself on my home net, but it is far from what Cisco is.
I worked for a decently sized MSP in the USA that was heavy Meraki (over 600+ sites). I recently moved to New Zealand (family reasons) and took a job with a different MSP. NZ is HEAVY Forti. Almost everyone uses Forti. I miss the management and patching in Meraki. Forti leaves sooo much to be desired.
I wonder why Meraki has had very few vulnerabilities over the years. Good code practices combined with a heavily locked down product that has ONLY a cloud mgmt plane?
@kjlund75 Auto updating via their cloud plane goes a long way.
Meraki is bad, Fortinet is worse. Use real Cisco gear! :D
Do your research, Palo have more CVEs per product than Fortinet does. Fortinet has a LOT of products.
And Fortinet is by far the most incompetent product, like in any category, by far. I work for an MSSP, and one of our clients has Fortinet everything. FortiSIEM, FortiSOAR, FortiGate, FortiEDR, etc. The whole deal!
And guess what? We all hate it because it's terrible to use, training materials are actually just marketing bull, and the products themselves are over hyped and genuinely just laughable when it comes to real gear like Cisco with Firepower, Splunk, etc.
It's just funny how this one client that uses Fortinet is always close to being hacked because of how bad their network solution is. We conducted analysis and audits for them and it's all set to be secure, but yet here we are.
The problem is that people are already voting with their dollars. All other similar enterprise solutions have double to triple the cost. As weak as the implementation is compared to other companies like Palo Alto, most organizations (especially the non-profit ones) do not have the funds to sustain the cost or the know-how to choose other solutions that are more robust but need more internal expertise. Unfortunately it's a value for money issue.
I know someone who purchased an additional set of FortiGate 100Es because it cost less than a bigger VDOM license.
Their licensing is so incredibly random at times.
Secure by default should be the uhhh default. Making it so that something can be secured is very different from just making a secure product. End users have better things to do than to read through all of your documentation just to make sure they configured it according to your best practices. If it is important enough to be a best practice it should just be the default too. It frustrates me when people don't do that in the name of things like backwards compatibility. Like, the fact that you have to go into your firewall to allow this super old standard that is no longer considered secure should be an indicator that you should look into either updating the config on the other device if it supports it or upgrading the device entirely to a newer model.
I'm just really disappointed because I've used them in the past and I'd love to recommend them in my current environment because I love the functionality and flexibility of the platform. I really hope they get their shit together in the near future and I can get rid of these damn Merakis.
Literally just been told that they don't allow second hand purchases to be registered. So yeah just spent money to gain e-waste
Thanks, wasn't aware of that.
Considered buying used on eBay for a home office setup. Thankfully the news of hard-coded credentials, admin accounts without passwords, lack of MFA, etc. turned up just in time before I acquired e-waste too.
We called them Fortibug at my work.
We call them Faultynet
Fartinet
We call them FortiShit
I am a former QA and it literally sickens me how little companies give a shit about QAing, and still make billions. That's a larger societal problem at that point
I'm pretty sure some industrial ICS/OT network devices are just Fortinet products in fancy chassis. I don't know if that means they have all the same flaws, but considering the OT stuff is usually 10x the cost of normal enterprise gear, I wouldn't want to be the one to find out. 😂
Palo alto for me is the best.
Worked with PA, Checkpoints since those old Nokia boxes, SonicWall, Cisco ASA, Meraki, FortiGates...
PS: Checkpoint updates are a nightmare....
The problem is not Fortinet, or the other very expensive firewalls of the world; firewalls should be open source, period. This ensures that thousands of people are looking at the code. All the other ones will never have the same scrutiny.
I admin ~23 FortiGates and never had a serious issue. Fantastic pieces of equipment in our experience. Their support is quick to provide fixes in the 2-3 times a specific issue arose.
Nice. 100% of my customers using fortinet got pwned. Storing VPN passwords in clear text was top notch.
Together with several colleagues, I am admin of several hundred FortiGate firewalls.
The products are really good and I haven't had any major problems so far.
The most annoying were the SSLVPN vulnerabilities last year ...
And every manufacturer has already been hit ... Cisco / PAN / SonicWall / pfSense etc.
As long as you don't publish Admin MGMT on the Internet, you are generally on the safe side.
We're constantly getting ASD emails about fortinet vulnerabilities. Happy we have nothing with them.
Actually, I was considering jumping from UDMs to Fortinet because we're wanting some more control.... But I guess I'll just wait for UniFi's product to mature. lol
These are security bugs, but they also have a number of other software bugs that prevent their products from FUNCTIONING sometimes. It's just sad...
Fortinet look to be just as competent as TP-Link, how the likes of Gartner continue to rate them as the top firewall of 2025, only the accountants will know!
💲💲💲
I mean, can you purchase your position in that idiotic quadrant? No responsible tech person gives a sht about the Gartner magic quadrant crap. It may have been fancy 20 years ago, but means nothing in 2025. But self-important dcks (CEO, CISO, CTO) want to look well-informed when they bring up these Gartner clowns.
I have used a lot of firewalls and the fortigates are still my favourite to configure, however with issues still coming out it is hard to overlook
What do you think about SonicWalls?
Fortinet are open and transparent, and actively test their own equipment. A large percentage of the vulnerabilities they discover themselves. I wish other vendors were so open and active! Yes, I am looking at the other big players... you know, the ones that are enterprise level equipment, aka Palo Alto, Checkpoint and Cisco for example.
I don't understand the haters who say anything against this channel. I find this guy actually quite smart.. he has found and is using in anger the YouTube algorithm to make more money, aka throw s**t on something/someone in a fully uninformed way :) I bow to his intelligence. Anyway, I admit I'm a Fortinet employee so maybe biased (eheheh), but I find all these Forti-hating comments quite funny :D I think I read only one or two that could come from (tech) decision-making people, which is quite obvious.
I've used a lot of Fortinet devices and generally I've had no issues, thankfully. Performance is incredible. However, the security issues have been alarming over the past year. This is not uncommon though; as with any tech, the more a specific technology gets adopted (Fortinet has seen a big increase in the past few years), the more people also try and find holes in the device. So it's swings and roundabouts, not good at all, but I'm not surprised.
Yep, this is probably the best take. This spotlight should help them get their asses in gear.
Exactly! Fortinet is the GO TO firewall to get for SMB, and even large businesses, because their stuff is really neat and fast. I do love them, but I also hate that they maintain 3-4 or even 5 firmware lines per device. This is what is killing their QA. If being exposed forces them to get their sh*t together and produce better stuff, all the best for us after. I will never go back to pfSense, WatchGuard or SonicWall. And I will not take a second mortgage to buy Palo or CheckPoint. Anything else (HP/Aruba, Dell, pfSense, etc) is just crap.
You probably won't be surprised, but a lot of colleges are really strong on Forti products, it's hard seeing this and not saying anything. The bias is very strong for these things.
Even Fortinet TAC are complaining about crazy stuff going on with the developers. It's frustrating for everyone when seemingly small changes have huge impact.
Oh man, I can tell you some Fortinet stories...
Of the enterprise firewalls (not pfSense/UniFi), which is best (most secure)?
Cisco Firepower. But you need two firewalls, one internal and one external. We use Cisco Firepower internally and pfsense externally for some clients that can't afford multiple firewalls.
I don't think it's any worse than other vendors, and there have been severe issues on others as well.
Fortinet does have a large presence in the security landscape and issues will get large news coverage, which sometimes is justified as a kick in the butt.
Some of the flaws are just facepalming, stuff that static analysis could have picked out, like hardcoded passes/certificates etc.
Part of these issues are from dealing with old code, code from acquisitions, the push to implement new features from product managers and the integrations it needs to keep with their other products in the security fabric etc. etc. Have they been working hard on pushing out old code and are they committed to resolving issues? Yes, for sure, but I would not want to be part of their dev team. We are not done with issues yet; some of the patches are just that, patches, but the underlying code is still flawed.
It's not only CVEs though, sometimes an update fundamentally breaks even the most obvious of functionality. It really has made me wonder why some updates even made it through QA.
Don't get me started on mature vs feature, because this has meant very little.
I would personally have liked to see them ditch the current method of firmware releases as blobs and rather have the ability to install and update the components where needed. If only we had systems and methods in place that have done that for many years =D
The best thing Fortinet could do, is cut the product stack in half by selling off all their non core items and focus on the key components, hold off on new features and get a grip on their QA. However, all focus is on AI AI AI all the AI, everything MUST AI !! Less humans, more AI, less knowledge needed, more AI.
It must also be said that it's upon partners and customers to also implement proper security practices. If you decide to put your management interface open from the internet with default accounts, a weak password and no MFA, it's a matter of time before someone gets in. That hasn't been any different for many years and holds true for any product.
Stuff like virtual patching can help to mitigate improper usage, but it starts with a proper mindset on how to implement security products and what opening up services actually could have an impact upon. The number of times I have to repeat that story...pff
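The hardening advice that comes up repeatedly in this thread (no management on the WAN side, trusted source hosts for admin logins, MFA on every admin account, a 14-character minimum password) is easy to state and easy to drift away from across a fleet. The following is an added example, not Fortinet tooling or anything from the video: a small audit script that parses a FortiOS-style CLI config dump and reports those four weaknesses, shown against one constructed weak config and one constructed hardened config. The CLI keys it looks for (`allowaccess`, `role`, `trusthost1..N`, `two-factor`, `password-policy` / `minimum-length`) follow the FortiOS CLI as I know it, but treat the exact spelling and the default values as assumptions and check them against your own `show full-configuration` output. Logging of admin access is deliberately not checked, since that lives in a different config section.

```python
"""Audit a FortiOS-style CLI config for management-plane weaknesses.

Added example (hypothetical helper, not vendor code). Flags:
  - management services (https/http/ssh/telnet) on a WAN-role interface
  - admin accounts with no trusthostN restriction
  - admin accounts with no two-factor setting
  - password policy disabled or minimum-length below 14
The CLI key names and defaults are assumptions; verify against your gear.
"""
import shlex

MGMT_SERVICES = {"https", "http", "ssh", "telnet"}
MIN_ADMIN_PASSWORD = 14  # the 14-character minimum suggested in the thread

# Constructed sample: the common weak shape (mgmt on wan1, no trusthost,
# no MFA, password policy off).
WEAK_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping https ssh
        set role wan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config system password-policy
    set status disable
end
"""

# Constructed sample: the same device after applying the thread's advice.
HARDENED_CONFIG = """\
config system interface
    edit "wan1"
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set allowaccess ping https ssh
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 192.168.1.0 255.255.255.0
        set two-factor fortitoken
    next
end
config system password-policy
    set status enable
    set minimum-length 14
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end nesting into
    {section: {entry: {key: [values]}}}. Sections without `edit`
    (e.g. password-policy) are stored under the entry name ""."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        words = shlex.split(raw)  # handles the quoted names
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            section, entry = " ".join(args), ""
            sections.setdefault(section, {})
        elif section is None:
            continue  # stray line outside any config block
        elif verb == "edit":
            entry = args[0]
            sections[section].setdefault(entry, {})
        elif verb == "set":
            sections[section].setdefault(entry, {})[args[0]] = args[1:]
        elif verb == "next":
            entry = ""
        elif verb == "end":
            section, entry = None, ""
    return sections


def audit(text):
    """Return a sorted list of finding strings; empty means nothing flagged."""
    cfg = parse_fortios(text)
    findings = []
    for name, s in cfg.get("system interface", {}).items():
        is_wan = s.get("role") == ["wan"] or name.lower().startswith("wan")
        exposed = MGMT_SERVICES & set(s.get("allowaccess", []))
        if name and is_wan and exposed:
            findings.append(f"interface {name}: management on WAN: "
                            + ",".join(sorted(exposed)))
    for name, s in cfg.get("system admin", {}).items():
        if not name:
            continue
        if not any(k.startswith("trusthost") for k in s):
            findings.append(f"admin {name}: no trusthost restriction")
        if s.get("two-factor", ["disable"]) == ["disable"]:  # assumed default
            findings.append(f"admin {name}: two-factor not enabled")
    policy = cfg.get("system password-policy", {}).get("", {})
    if policy.get("status", ["disable"]) != ["enable"]:
        findings.append("password-policy: disabled")
    elif int(policy.get("minimum-length", ["8"])[0]) < MIN_ADMIN_PASSWORD:
        findings.append("password-policy: minimum-length below "
                        f"{MIN_ADMIN_PASSWORD}")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for line in audit(cfg) or ["no findings"]:
            print("  " + line)
```

Run it against a saved backup rather than the live box; the parser only understands the `config`/`edit`/`set`/`next`/`end` skeleton, so unusual sections are ignored rather than misread. The WAN check keys on `set role wan` but also falls back to the interface name, because older configs may not carry a role at all.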
Wish I could like this comment 10 times.
Would love to see a SonicWall video 😂
No video needed. It's just trash. /theend lol
It feels like Fortinet just keeps on repeating their mistakes every single year, year after year... it's really sad
They should ask Ivanti for help improving their product security.
People may hate on Ubiquiti sometimes, but they are damn secure, their cybersecurity head Marcus Maciel is top of the game over there for sure
backdoors, major and continuing security issues..i just got done replacing one that kept taking a client internet offline...yeah they are terrible.
Ah, nice. Another case of the company I work for "upgrading" to the worst possible thing. They literally just rolled out Fortinet Proxy. I assume because it was the cheapest option.
I moved to one for a single client (before the year of patching) .. so you can blame me, I tend to have a stink on me that bad things follow.
Ah well, that's what happens when you keep adding new products to the list instead of investing in improving the existing ones, or just rushing out new features on the core product without caring about code quality and proper QA.
Huh, have you looked at Cisco ASAs? They all have their flaws. Also, not a reseller. Just an overworked system administrator. It's easier said than done to just rip and replace.
It's funny because some MSPs are in love with Fortinet and will drop customers who don't want to use it and pay the subscriptions
Good margin on reseller programs will keep them buying Fortinet.
We are an MSP and as a technician I hate products which stop working when a license expires. Every customer we have that has a Fortinet, Watchguard, Sophos or whatever will be replaced once the license is about to expire. pfSense isn't the holy grail, but their appliances like the old 7100 have been running at customers since they came out and never asked for a license or had other stupid limitations which aren't hardware related. If that changes at some point, they will be replaced with some other product that doesn't require a license.
To be extremely blunt, Fortinet has had SHIT security since day one. The company I'm at started swapping out Checkpoint appliances for Fortinets years ago and it was a predictable disaster.
At least it's not crowdstrike?
I managed Fortinet firewalls for over 3 years, they are the worst. I prefer Sophos, and I dislike them intensely.
Oh! And I just purchased a 40F, like 48h ago. 😄 Is it really that bad?
Ahem, CVE-2024-20148 Cisco CWE
CVE-2023-24104 - Ubiquiti CWE
CWE 94, 79, 77 ALL classified under pfSense.
If the security world was perfect then nobody would have a job.
Is any vendor perfect? Nope.
If any security engineer focuses on one device such as a firewall for security alone, he should go back to grade 1.
It's called a security architecture for a reason.
Honestly, if you have a product that ceases to function properly without a support license, you've already gone too far down a path that incentivizes you having product issues that can only be fixed when you've got an active support license. ;)
If anyone has a good guide for reflashing their hardware, though, lmk! Got nothing bad to say about the silicon, just the firmware/software that is achingly bad.
Ok, now do Ivanti, Cisco, Juniper, Palo, Microsoft, HPE, Sonicwall, Sophos, etc etc etc...
What happens when you use offshore developers and don’t check your code.
I just use Fortinet with small clients. For clients who have a bigger budget, there are better alternatives.
The solution is obvious, just put all your Fortinet devices behind a good firewall. 😂
Best comment. 👏
People may have to wait until the license is up.
Lol, Fortinet has an office here in Vancouver and it's directly attached to a diploma mill college that does foreign student visa programs.
Do the same but for Watchguard please.
The devs left the backdoor in there... so yes, Fortinet is that bad.
I don't get the point of this video when every vendor out there has security issues and their own bad security. If the point is to point out the obvious, well then, no shit?
As I said in the video, it's not about security issues from complexity, it's about having security issues caused by ignoring modern secure development practices.
@@LAWRENCESYSTEMS Then don't just highlight Fortinet. You could have added or even mentioned that other vendors have also used the same development practices. Cisco has used hardcoded credentials. Palo Alto has had more recent (2024) CVEs with its own SSL VPN implementation. As of FGT 7.6, Fortinet no longer recommends SSL VPN, probably because SSL VPN isn't actually a standard, but instead recommends use of IPSec or ZTNA.
Just the title of the video itself singles out Fortinet as the main baddies of insecure development practices, when this is an industry wide issue. Speaking of bad practices, network engineers are equally at fault when they are exposing management interfaces to the Internet when they should be using local in policies. If you wanted to highlight bad security in development, you could have easily covered companies like TP-Link that the government has actually talked about banning because of those practices. TP-Link doesn't just sell consumer devices but are trying to move into the prosumer/SMB market with their Omada line.
I may be making a huge mistake, but we have run a fortigate for years now. Now that it is EOL, I am working on transposing all our rules over to an EFG.
At the end of the day a firewall isn't that expensive unless you need a lot of them; for a small company it's a lesson learned and move on if it's giving you lots of grief.
Fortinet is terrible. Glad to see somebody calling them out as the dumpster fire they are.
I've stayed away from Fortinet since 2021; in fact I was just mentioning how bad they are, and someone else agreed.
My previous employer tried to force me to work with Fortinet... well.. I left that company.. so... ;-)
Now do a video on Sophos >:)
I don't use them, but from what I have noticed is they are on top of security updates.
Nothing is perfect but Fortinet isn't even putting a best effort to minimize attack vectors. This is silly stuff that Fortinet shouldn't even be letting happen. PERIOD, full stop!
Been getting lots of messages pushing Fortinet. Not going to do it, thanks.
I love your channel Tom, but your continuous bashing on Fortinet is getting long in the tooth. And since you always say that you DON'T KNOW the product, why do this? I don't see you going after Palo Alto, Sophos, Checkpoint, Cisco, WatchGuard, SonicWall, Juniper, etc. Stick to your guns with pfSense and UniFi's DMP; that will be better for your credibility in the networking and security department. Unless you have considerable knowledge of Fortinet's products and how their ecosystem works, stop using CVEs and click-bait video titles to get views on what were good informational videos in the past but are now just all show and no go.
And while here, why don't you also go after Microsoft and Windows and all the security issues they have that are WAY worse than anything Fortinet faces.
Edit: And I have a question for all of you Fortinet haters that all seem to know everything about Fortinet's products: What will you recommend instead? What will you say at your cybersecurity audit, that you are moving from Fortinet to pfSense? Let's see how long and hard they will laugh at you while they pack their stuff and void your cybersecurity insurance..
Found the Fortinet employee, ehh sorry, Pjnetworks. You really shouldn't hardcode company credentials into your channel name either.
@@PvtAnonymous Sadly I am not a FortiEmployee. Just a regular network admin who has seen a lot more than 99% of people commenting here about Fortinet being bad because they had one or two bad experiences. You must be one of them!
cybersecurity insurance is part of the problem.
All software has bugs, but Fortinet has a proven history of making the same basic mistakes over and over again. It's one thing if it was a one-off mistake; it's another thing when you consistently make the same mistakes for decades, especially when you're meant to be an expert in security. There's clearly some systemic issue at Fortinet that we are not aware of.
Juniper, Palo alto, Cisco, F5 and many more
thanks
"Yes"
/video
Fortinet is used by a lot of government agencies because of where the components and software are made (Canada)...
Fortinet makes a ton of different products and some are hot trash compared to the other ones.
I'd say Fortinet firewalls are just as good or better than the Cisco product line. Palo Alto is starting to be adopted a lot, but Fortinet does have some high-end products which work pretty well.
All the security vendors are the same. Fortinet still smokes pfsense in the enterprise space
I have had nothing but trouble from them for years.
Yes
Updates made it worse
Yep……
fortinet or ala babba gee
😅😂 you are safer without Fortinet
I inherited a network based on Fortinet in a crazy overbuilt HA/failover setup (they're a machine shop, wtf?) and when the SSL-VPN bug came out we discovered Fortinet would not be patching our devices as they were EOL/EOS just a few weeks prior. For simplicity we went with a new FortiGate (smaller unit, non-redundant because HA really isn't a need for the business) but I do regret that choice. When the warranty runs out I'll probably be pushing for a Netgate or similar pfSense solution. The biggest advantage I see with a lot of open source products is that when security flaws are found, they usually are just fixed and acknowledged. No egos, no brand-salvaging BS, just "yup, that's a big problem but we are addressing it." It's a level of accountability you don't see from publicly traded companies that care about stock value more than anything else.
👍
Yep…. They bad
FortiSieve
Not as bad as SNWL
Wow, you Ubiquiti fanboys use a product with horrible security and horrible support, but you’re critical of Fortinet for vulnerabilities from FIVE YEARS AGO? As an IT admin, I don’t use FortiManager, and SSL VPNs are for amateurs anyway so I don’t use those either. I wouldn’t say Tom is lying, but he’s sure close.
He's been critical of Fortinet since long before he recommended Ubiquiti's gateways for small business use; that's only with the newly released update.
The Fortinet vulnerability that just hit the news with 500,000 leaked VPN passwords was a vulnerability from 2022 that they never patched until recently. They need to get better at following best practices and fixing their issues.
As I said in the video, it's not about security issues from complexity, it's about having security issues caused by ignoring modern secure development practices. I provided plenty of evidence in those links. Are you saying the CWE type does not matter and OWASP is wrong?
This is what happens when you hire a ton of unqualified H1B visas from a certain country to write your code.
being one of the most expensive firewalls out there, it is complete dog s***.
I can not stand them.
Fortinet is the worst thing that ever happened in networking
Fortinet exists to enshittify the "internet" for us - blocking sites, VPNs, protocols, ports. AOL went the way of the dodo for a reason.
Any NGFW does this. And there is a valid security reason in doing so.