Simply put, what the title says.
The network is based on a centralized location and a bunch of satellite locations around the world. These satellite locations connect to the centralized location via IPSec VPN so we can service the production systems.
In the past these have been based on Fortigate 101 (D for the older ones, E for the newer ones), as well as Aruba 2930m switches, and for the most part this worked well. The only issue is that this was hard to manage on a large scale.
To make it more manageable we moved over to a setup around Cisco Meraki. MX85 as routers and MS225 as switches. This made the management a lot easier, but with some significant drawbacks:
- ONLY cloud managed
- On our satellite locations the bandwidth is often low or completely gone. Meraki doesn’t like this at all.
- Our satellite locations are mostly onboard ships, and Meraki simply doesn’t handle the harsh operating environment as well as Fortigate+Aruba
- Meraki doesn’t provide a whole lot of info as to why when it is unable to connect to its cloud platform. It’s pretty adaptive and tries a lot of configurations before it gives up, but in some cases it’d be nice to be able to set it up according to the wan connection available. Some sort of local diagnostics would be nice.
So, any recommendations for hardware that is:
- Cloud managed
- Allows local configuration when cloud is unreachable
- Durable
- Preferably with load balancing between up to four WANs
I’m just suggesting, but as an MSP we generally go Fortigates managed with FortiManager. That is, hundreds of Fortigates managed in customer-specific administrative domains.
I use a combination of device manager, policy manager, and VPN manager to automate deployment of the underlay SD-WAN (HA Internet with priority rules), then add templated VPN tunnels. So adopting another Fortigate is basically: add it to FortiManager, add the device settings, add the VPN policy, add the firewall policy. You can direct CLI to the Fortigates from FortiManager if you need to. This is the only way I can consider getting like hundreds of VPNs managed…
Additionally, for compliance and security you may add, as required, storage and FortiAnalyzer licensing, which means all traffic logs can be stored to your FortiManager.
FortiManager also manages Fortinet switches and APs if there’s a Fortigate on that site. Personally though we often use Aruba Instant On or Ubiquiti switches and APs for small clients.
I can recommend this since it makes sense administratively, but it’s not cheap. It’s overall cheaper than Meraki, but you must keep licenses on many parts at once. I like the security features, and by centralising the policies and policy objects to FortiManager you only generally update an object, say a new application or new port, once, and install it everywhere. Dynamic objects allow it to use the same rule but translated to the individual devices.
FortiManager isn’t easy though. It’s very powerful and doesn’t hold much back. So you can feel overwhelmed. If your firewall networking is strong you should be fine.
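As an added illustration of the "HA Internet with priority rules" underlay the reply above describes, here is what a two-WAN SD-WAN failover configuration looks like on a single FortiGate. This is example configuration written for this page, not the poster's or Fortinet's own config; it assumes FortiOS 6.4 or later CLI syntax, interfaces named wan1 and wan2, and placeholder gateway addresses from the documentation ranges. The same pattern extends to the four WANs the original poster asked about by adding further member entries.

```text
# Example only (not from the post); FortiOS 6.4+ syntax assumed.
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        # Member 1: primary uplink (placeholder gateway 203.0.113.1)
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
            set gateway 203.0.113.1
            set priority 1
        next
        # Member 2: backup uplink (placeholder gateway 198.51.100.1)
        edit 2
            set interface "wan2"
            set zone "virtual-wan-link"
            set gateway 198.51.100.1
            set priority 2
        next
    end
    config health-check
        # Probe a public address over each member; a dead member is pulled
        # out of the rule below until the probe recovers.
        edit "Internet"
            set server "1.1.1.1"
            set members 1 2
        next
    end
    config service
        # Priority rule: use wan1 while its health check passes, fall back
        # to wan2 when it fails, return to wan1 once it recovers.
        edit 1
            set name "Internet-Priority"
            set mode priority
            set src "all"
            set dst "all"
            set health-check "Internet"
            set priority-members 1 2
        next
    end
end
```

A firewall policy from the LAN interface to the "virtual-wan-link" zone is still required before any traffic flows, and on low-bandwidth ship links it is worth checking the health-check interval and failure thresholds so a few lost probes do not flap the rule between uplinks. FortiManager's device and policy templates push exactly this kind of block to many devices, which is the management gain the reply describes.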