What is our primary use case?
We use the product for spam filtering and as a second layer of filtering for Office 365. I use it for encrypting emails and monitoring all emails that have sensitive data and policies are applied there as well. In addition to having it as a user portal for spam emails and quarantined emails, users can manage their spam, their quarantined emails, and whether they want an address on the blacklist or the white list.
Our security department is responsible for all emails that are quarantined by the system so they are monitored. There is two-way communication — not just one way — and FortiMail is doing all the work. We have to assign some people to control and monitor the operation for FortiMail. Due to the spam traffic, they have to change the scripts and the configuration. It is a two-way configuration and communication between the system and the administrators.
FortiMail is not just something that you configure once and leave alone; it is a learning configuration. So you cannot just use any configuration and think that it should continue to work optimally. Every organization has its own configuration. I have three companies working with FortiMail and every company has a different configuration, a different approach and different ways of controlling security. FortiMail is what their organization needs for security, but they must adapt it in practice. There is no universal solution for all of the companies. It is a very flexible solution.
I worked with many email monitoring products and really they are all the same except for the engine and what the vendor companies provide to you for the filtering as far as the updates and security trends. But with each type or brand of email filter, you need to enhance your configuration as per your company requirements.
What needs improvement?
As far as improvement, I would like to see additional troubleshooting tools. It would be useful to have different types of reporting so that you can monitor how your emails are flowing and not just have to go to the logs and see them one by one. Maybe you want to look separately at the details on your main server, SMTP server or how your head spam controller controls are working. It would be useful to have the reporting tools to do this. Maybe the reporting just needs some improvement.
Troubleshooting tools are the first concern but I would also like to see some additional notification options in the system. For example, when the system quarantines emails there should be an option to notify administrators that a quarantine has been performed. This way you don't have to go and manually check the server periodically to see if anything is quarantined and needs attention. It should have live spam and live quarantine portal accessibility. It is not really optimal to have it every two or three hours or two hours. With a live portal, you could attend to the issues more efficiently and either release the emails or delete them. Live access is really something that I think would be good.
For how long have I used the solution?
We have been using FortiMail for three years.
What do I think about the stability of the solution?
This product is stable. I actually do not remember the last time I restarted the server or where I have done restarts because of performance or had the system hang. So it is stable, but you need first to do a good assessment to know which product license you need to use. For example, the first time the consultant we used proposed a level of service that was lower than the specs of the one I have now. I disagreed on that at the time but the consultants said it was the better way to go. So we did what he said and it didn't work. If you do a good assessment in the first place you get to work with a stable product. For me now, the product that I'm using is stable and it was only unstable earlier because the assessment was faulty.
The parts you need to get for a hardware upgrade are very easy to find and inexpensive. It isn't very complex to install them to upgrade. Just put the parts together and upgrade; if it is better, it is worth the wait. If it doesn't work and there is trouble, you can easily just return back to the old version.
What do I think about the scalability of the solution?
This solution is definitely scalable. Really for scalability, it is wonderful.
We have around 500 people using this solution within our company right now. But the actual volume or capacity or load on FortiMail depends on the flow through the email filter and the number of emails you receive per day. My flow is not less than 15 to 18 thousand emails per day. Of course, within that, there is a huge amount of spam and a huge number of files and everything is controlled and passed through FortiMail. We would not have a problem scaling our usage.
How are customer service and support?
We have been in touch with FortiMail technical support and submitted some tickets to them for issues we had. They are good, they reply fast, and they give you guidance with troubleshooting to try to work out the problem yourself. If it does not work, they can access your system remotely to help you — of course after your permission. In every case we have submitted there is always good communication between them and us and the problems are resolved.
Which solution did I use previously and why did I switch?
I used to work with Sophos Email Filter. I used to work with Websense Email Security Gateway. I used to work with Symantec. I also worked with Microsoft Exchange Edge. I have the experience for all of these and mostly the change had to do with changing jobs. But what I have realized lately is that they are all essentially the same. The only difference is the engines you are working with and the vendor company that provides you with updates and security trends. That is the only real difference for all mail filters.
How was the initial setup?
The initial setup is straightforward. After that, you need to configure some policies and then you are up and running.
Going forward, and as you gain experience and see the behavior of that product, you can start to enhance the results with new policies. So at first, you might leave everything open and then you will start closing things. You start adding to the white list, you start adding to the blacklist, then you start considering the greylist or start configuring for domains. The product needs someone working with it who knows about email and who has knowledge of flow and the terms. These are the two main things that need to be known by people who are going to administer FortiMail. They need to have an understanding of email communication system knowledge but they do not need to be experts. There are a lot of policies that require that the administrator is familiar with the terminology.
The time it takes to have a stable deployment is longer than just the setup. You can deploy it initially in a straightforward way without much configuration. But to have it stable, it needs not less than three or four months of attention. That is the amount of time just to have it to the point where you know it is safe and performing at an optimized level. As long as you use the solution you will constantly be making adjustments. For example, for three years now we have been implementing this solution and for the three years, every year we have some improvements to our internal policies and updates to apply from the vendor. So it is an ongoing configuration. But to have it stable, you need not less than three months. It could even be more depending on the size of the company or the volume of usage.
If the company has 100 users and they don't have that much email traffic, then one month could be more than enough to have the system working well. But if you have the same volume per user and one thousand employees, you will work on the first configuration for not less than three months to have it fully operational.
We require two people for maintenance and administration. Two is more than enough to manage the system. We use one administrative person and one system engineer. So only two people, and really not more in almost any situation. Of course, I have staff that can do the administrative parts for IT hardware and for supporting infrastructure. But to do the main tasks of configuration, monitoring, and deployment on an ongoing basis, there really is only a need for two people maximum.
What about the implementation team?
I did the implementation by myself. The build was done by the supplier who provided us with the solution. But configuring the email flow, determining and applying policies and the controls are all done by me.
What's my experience with pricing, setup cost, and licensing?
Licensing is on a yearly basis. FortiCare and FortiMail licenses are for the 24/7 support and the email monitoring service. It comes to around 4000 dollars per year. You pay only for those things that you license and there are no additional costs for technical support or warranty. It is all included with the license purchase. If you want to open a case with them, you can open a case. I don't have an SLA (Service Level Agreement) with a local supplier, so the contract for support is all handled by us directly with the vendor. But if we reached a stage with an issue where we really needed serious help with a problem that was not solved remotely, we contact our suppliers here in Lebanon and they have professional people who can come and help us.
Which other solutions did I evaluate?
We used to have Sophos, we used to have Websense, we used to have Symantec, and we used to have Microsoft Exchange Edge. These are from my personal experience, not from the company I'm working with. But in a way drawing from past experience is evaluation.
Unfortunately, we don't have Exchange here, so we are not going to be able to benefit from the Exchange Edge. Here, in this company, we worked with three products: Websense by Forcepoint, Sophos Email Filter and then FortiMail. The drawback with Sophos is that it had a huge problem with spam. It was not able to handle and identify all the spam. We had many problems with that. Websense, at the time we were using it, was a good solution, but it required a lot of administration time. Every day you had to take around two hours just to filter emails. I didn't have the option to take that kind of time with administration.
We moved from Websense to Sophos to save the administration time. FortiMail was not an option at that time because it was not as good as it is now. Sophos was good for us at first. But as email security technology improved, they were left behind. They didn't work on their development and we had a lot of problems with their support. At one point, we were left for one whole week without an email filtering solution because the Sophos support did not call us or get back to us on an issue we were having. I don't know why that was. In response to their failure to return our call, I went directly to FortiMail. Within a couple of days, we had the systems up and running. We got a three-month free subscription just to work with all the configuration stuff and after that, we had a yearly license renewal.
What other advice do I have?
Overall, I recommend this solution to other people. But in addition, I recommend a few additional steps before just accepting a recommendation.
First, they should do a POC (proof of concept). Taking the time to do this is one of the main reasons that will motivate you either to choose a product or not based on actually evaluating if the solution can do what you need it to do.
Next, evaluate the reputation. By this, I don't mean to look at what people are saying who are using the product in discussion forums but to take a look at the market itself. You want to see what the company's future is so that you know that you will invest in a product with a future. You want to look at the ratings on professional sites that are dedicated to evaluating email filter products. You also want to do some pretty extensive testing on-premises over more than just a week. You want to do all of this before choosing a product.
Maybe for me, FortiMail was one of the products that really provided what I needed in my business. Maybe for other companies, FortiMail could be too much for them or more than they need. So they need to consider less robust solutions. They might go for Exchange Edge instead, for example. Exchange Edge is one product that also has very good spam filters. Because we didn't have Exchange, it wasn't on my list of solutions to consider. For our situation, FortiMail was a reliable solution that made the most sense.
Virtual Image is one product I did not mention but it is also one of the most reliable solutions. It is more business-oriented. It can work out very nicely in some situations because it is deployed as a virtual machine so you do not have to worry about adding or maintaining other hardware as an email server. It is a good virtual email filter that does not require a lot of resources like the Fortinet solution.
So that is my advice. Do a POC. Do a market study and technical study on the internet. If you want you can take another step and find a company using the same product as the one you are considering and ask them their opinion. But those are the keys for choosing the right email filter.
Of course, I recommend Fortinet because I use it and it works well for me.
On a scale from one to ten where one is the worst and ten is the best, I would rate this product as 8.59. But let's say eight. There is room for improvement.
Which deployment model are you using for this solution?
On-premises
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.