Forescout Platform Reviews

The most valuable features of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x. Many network devices are not ready to do 802.1x. Lots of endpoints are not ready to do it, or they're poor at it, so having a non-.1x solution is critical for maintaining stability on our network.

We did not have a NAC prior to ForeScout. It provides constant monitoring of the endpoints either through an agent or periodic monitoring with a local admin account. This makes posturing very easy to do. Once the device is on the network, we're able to determine, does it continue to meet the requirements that we need for a device to stay on the network?

Definitely, having more third-party integration would be an improvement. This is something that they're doing. Other products that we have on our network, if we're able to get ForeScout to talk with them, we'll get much better information to those products, things like Splunk and other data gathering.

Also, I think we have Rapid7, so all these different programs that want to collect a lot of information, ForeScout is able to do that. So having it being able to talk to them, the more it can talk to, the better it is.

I think there are some product maturity issues in terms of the web interfaces that its able to present for end users. They're working on those. Those are improving, and just other features that come along with them growing into this space that they have. They're getting feedback from us, and they're getting feedback from other very large customers on what to do to improve, and they respond very well.

2 years

We've had no issues with deployment.

We had a few issues that were unique to our environment, but ForeScout tech support has been very timely in being able to respond to them and getting us support we needed. We have had to have a few reboots due to some outages, but again, these are things that were able to be resolve very quickly. Overall, I would say that this is a stable solution.

We're a huge company, over 100,000 employees, and it does require that we have done our homework ahead of time -- that we know where our address space is, that we know what's out there, and being able to come up with a deployment plan is our responsibility. Once we had that, we were able to go with it, and it works very well.

Very good.

Very good.

Device setup is straightforward - NAC itself is always a complex thing due to its profiling of EVERY device that connects to the network.

The ForeScout engineers were there to help us without the standard, "Oh, you have over 100,000 endpoints? Well here's what every 100,000-endpoint company does."

We compared ForeScout to Cisco ISE. There were some other vendors in this space, but we felt they were for mid-sized companies at largest. Cisco looked like they had an offering that would be able to compete head-to-head with it in terms of size. The reason we picked this over ISE was because ForeScout had a non-802.1x solution for the wired network. We would avoid a lot of chaos and a lot of destruction if we go that route. Also, ForeScout had fewer vulnerabilities whereas Cisco ISE had several level-10 vulnerabilities that have been observed over the years. While we were testing it, two of them came out.

ForeScout has never had a vulnerability above 7.0, so when we look at the security of the system, it definitely meets that requirement where this is not something that's going to be compromised the way it looked, as though Cisco ISE had some potential for that. Much less disruptive, both Cisco ISE and ForeScout really require a client to get the full features of the system. They say that it can run client-less, but having the client gives a lot better functionality, and the ForeScout client just worked a lot better for us on our endpoints.

The most important thing would be that a NAC project involves more than just the network. You've got to have client people, PKI people, active directory people all working together with the network to make this product work and make it happen. There's so many ways that it could interrelate. If you're in a very large company, you've got to break down the silo walls and get everybody together from the beginning to make this thing work out, but once you have those people together, this is something that every group wants to have. Desktop people want it, the mobile people want it, the scanning people. Everybody wants it once they see it, so it does sell itself, but you've got to have that education meeting up front.

• Immediate relocation of network devices to segregated "Vendor" network based on autonomous analysis. Prevents scanning, malware spread, corporate asset (i.e. printer) misuse, and reconnaissance on our network by third-party devices. Allows us to block VPN from our corporate network but still allow Vendors to establish them.
• Better information provided by Level 1 support (helpdesk) regarding asset information as we provide them with R/O access to the tool
• Visitor policy communication & acceptance

• Network Access Control, its core use
• Asset Intelligence for deskside
• "What port is it plugged into" intelligence for deskside
• Patch-level Auditing
• Emergency response, risk assessment information to get a view of the vulnerability
• "What PC is a user on" for helpdesk/IT security/deskside
• Forces PEN Testers to request permission to exist on your network

• JAVA Memory management - leaving the app running for multiple days requires relaunch
• Search - needs boolean functionality (or psudeau operand now working)

Stability has been good.

• It is very scalable, allowing additional strategic appliances as required in either physical or VM format.
• We control >400 field sites, two Oilsands mines, multiple remote platform locations, 2 Canadian Metro offices and 1 UK office with 4 appliances centrally located.

Customer Service:

It's excellent! 

Technical Support:

It's excellent!

No previous solution was used.

It was straightforward, although I recommend having a strong relationship with network-asset owners to ensure SNMP rights are looked after.

We used a vendor, Conexsys (Graham Cheng & Jerry G), who were excellent.

Forescout's flex licensing has made our deployment more agile and helps us adapt our environment without buying more hardware.  

Under their old model, licensing was tied to 4k and 10k appliances which strained under the new v7 and v8 Forescout OS when nearing their designed capacity.  To acquire a new appliance, physical or virtual, meant buying licensing for that size of appliance.

Under the new flex licensing model, we've been able to deploy VM appliances, responsible for host interrogation and management, while retaining our physical appliances for SNMP switch management, and span aggregation.  

Under the flex licencing model, we've deployed to our ICS segments, and are deploying VMs to our DCS environment, allowing for full visibility under one 'pane of glass' of nearly every host on our network.

Ensure you consider everything you want to monitor that has an IP. Devices with multiple IP's count multiple times against your license count.

This was chosen without hands-on evaluation based on reviews and industry feedback.

If you have distributed services (DHCP), strategically ensure you generate reliable traffic to establish timely inspections. We've avoided the use of traps by centralizing our DHCP at HQ, but it causes black holes during inspection schedules in case of a static device being plugged in.

Our primary use cases of Forescout Platform are network access control, user access control, and Wi-Fi network access control.

The most valuable feature of Forescout Platform is that it has everything that Aruba has at significantly less cost.

Unfortunately, Forescout Platform can only be accessed by Android systems. iOS is not supported, so there are some limitations to the operating system. I would like to see all devices have access to the solution.

Forescout needs to upgrade its development in the future.

I have been using Forescout Platform for the last two years.

Forescout Platform is very stable.

The solution is scalable. It is not one box that has limitations on licenses. Forescout Platform is more capable than Aruba ClearPass. 

Customer service and support is a four out of five overall. I am satisfied with the support I receive. 

Positive

Comparing Forescout to Aruba ClearPass, the difference is in the price and the level of policy enforcement.

The initial setup of Forescout Platform is very easy because it is pre-configured. I would rate it a five of five for the ease of setup of this product.

Forescout Platform licenses include everything integrated into the system including eyesight, recovery, and valid license. All three come in one box. It is a very competitive product, being half the price of its competitors.

5,000 user licenses will cost you between seven and eight million dollars, compared to 20 million for Aruba.

Overall, I would rate Forescout an eight out of ten.

Endpoint visibility, policy flexibility, compatibility and integration with other products.

Automation! One broad example is that we can now stop network threats right away and without intervention.

Forescout is constantly adding new features, so this may change as of this writing, but sometimes the switch management interface doesn't display accurate information which relates to false positives on individual switch access errors.

1 year

None that were Forescout related. CounterACT always opens a bunch of little IP sessions with endpoints, ake sure you have a large enough connection table on your firewall if you plan to put it behind one.

Minor. Had to reinstall one virtual appliance, which is painless when you have an Enterprise Manager.

No, this is one of the products strengths.

10 out of 10. Very responsive and address concerns quickly.

9 out of 10. Really fast response, high level of competency.

I switched from Cisco NAC because it is reliant on 802.1X, and has no other function than to ensure endpoints have authenticated via your method of choice.

Straightforward. Setup is simple with a solid, pre-defined set of policies that you build on and customize as you learn.

In house.

Without access specific numbers, we now have the ability to instantly shut down internal malicious hosts or traffic, refuse or restrict access to non-compliant hosts, discover risks on the network we didn't know were there, and automate the remediation of a multitude of security risks. As I work for an organization that spends a lot on security administration, at a minimum, the cost savings must have already paid for the product.

Palo Alto

Make sure to plan for all endpoints. If you want full coverage of your networks, account for anything that has an IP address. For example, a busy core switch can have 20+ IP addresses, and each one goes against your license count. Also, if you plan to have it behind a firewall, take into consideration your firewall's connection limitations. Although CounterACT isn't really a heavy bandwidth user, it does open a ton of short connections on a constant basis. The more you tune these down, the less accurate your real time host information becomes.

We use the Forescout Platform for network access control and device management. The solution allows us to check the posture of our workstations to ensure they are compliant before granting them access to the network. We also use it to give people different privileges and access to our routers, switches, and firewalls based on their roles.

The solution's support is excellent. They are making an effort to attract more customers, which is reflected in their fast response times.

Forescout Platform has granular features and one of the most impressive features is the agentless feature. No agent installation is necessary for Forescout, which is amazing! It allows for agentless visibility into our network, even for Cisco devices that normally require the installation of AnyConnect.

Forescout Platform needs to improve how the device works in preventing rogue servers. Cisco has an impressive way of detecting rogue servers or rogue wireless access points to help protect the network. 

There is still room for improvement in this area with the Forescout GUI.

Integration with other products can be improved upon.

Fortinet and Cisco ISE have larger communities than the one available for Forescout Platform. The community size for the Forescout Platform can be improved. Forescout Platform doesn't have a big online community where people can go and ask questions and get solutions.

I have been using the solution for four years.

The solution is stable.

The solution is scalable.

The technical support is great. They are trying to win the hearts of the customers by responding immediately to calls.

Positive

The initial setup is straightforward. Large infra may take few days to deploy.

The price of Forescout is reasonable when compared to Cisco ISE.

I give the solution a nine out of ten.

We have around 50 people using the solution.

I would advise against investing in this solution for a small environment, as it is quite costly. For medium and enterprise-size environments, however, this is an option worth considering. The solution is much cheaper than Cisco ISE and Fortinet. 

The only community is still small.

The most valuable features of the Forescout Platform are NAC for sharing, Network Access Control, and port sharing of the devices.

Forescout Platform could improve the vulnerability management as well as the control on the endpoint, which needs to be connected to my network.

In an upcoming release, they should add security features, such as malware and threat protection.

I have been using the Forescout Platform for approximately six years.

Forescout Platform was not a stable solution in 2015, but over the year it has become more and more stable. At this point in time, it is a stable solution.

The Forescout Platform is scalable.

The support from the Forescout Platform is great.

I rate the support from Forescout Platform a nine out of ten.

Positive

The price of the Forescout Platform is expensive. I purchased it for approximately 94 lakhs.

I rate Forescout Platform a nine out of ten.

Forescout Platform allows actions to be automated, which reduces the response time to any suspicious or malicious activity.

The best parts of Forescout Platform are its orchestration features, discovery capabilities, classification buckets, and flexibility in creating policies.

Forescout Platform sometimes returns false positives, so there's some fine-tuning to be done there. There are also some limitations with the Mac and Linux versions - the company claims they're agentless, but they're actually agent-based. In addition, there are a few actions that don't work in conjunction when we apply multiple actions, such as wanting to send a notification and isolate a device. In the next release, I would want to see better compatibility and visibility on the cloud front, and the system needs to keep up with upcoming technologies and trends.

I've been working with Forescout Platform for four years.

Forescout Platform is stable.

Forescout Platform is scalable.

The initial setup was very simple.

I would rate Forescout Platform's pricing as four out of five.

I would give Forescout Platform a rating of eight out of ten.

Our primary use case of this solution was to control which of our devices were connected to the network. I'm a senior architect advisor. We were customers of Forescout. 

As a result of using Forescout, we had a better overview of all the devices, known and unknown, that were connected to our network; it was a real advantage.

A very valuable feature is the discovery mode. It covers all types of devices on the network, which we didn't know existed.

I don't think we tested the full potential of Forescout. We had some delay implementing it into our organization, due internal organizational issues and also due to a lack of device registrations. Meanwhile we decided to switch to a new network provider that doesn't have Forescout in its portfolio. We favour one-stop shopping for network and security services, and will migrate to Aruba ClearPass (portfolio). 

I used this solution for the past year. 

The solution is stable. 

The product seems to be scalable although we didn't fully test it. 

I think the initial setup was fairly straightforward although I was not involved on a technical level. We had the advantage that the technical engineers knew our networks and how to carry out the implementation and we also had some assistance from British Telecom. We initially focused on our main plant or main location, and then moved to our other locations, which are far smaller, and have a lower risk profile. That was our strategy and implementation took around nine months after the initial implementation which took about a week. At that point, we realized there were more devices than we thought and the process became more complicated. It took a while to get a handle on everything. There were just a couple of us involved in deployment. 

This product demonstrates the possibilities of network access control for the organization. As a pilot project, it changed the minds of people because they could see the potential which included enrolling policies so that all devices can connect to the network. People are more aware now of the security risks when there is no network access control.

Forescout is affordable in terms of the end goal, which is control. We only looked at it in terms of discovery modes and I think it's too expensive to use for that purpose alone. We took a package, managed by British Telecom, which gave us some additional services without additional costs. 

We evaluated a couple of options. We first planned to use Radius which is more of a Microsoft-ended solution. We also looked at Cisco ISE but that's very expensive and I've seen reviews on your site about the difficulty of implementation. 

I would recommend this solution because it has a lot of different ways of discovering different devices and showing networks. It's very flexible. I believe the reason we didn't reach our goal is because of our company decisions and not because of the solution. 

I rate this solution eight out of 10.