it_user284157 - PeerSpot reviewer
Senior Network Security Architect at a retailer with 1,001-5,000 employees
Vendor
It helps us identify the origin of a DoS attack, where it came from, how long it lasted, how intense it was, etc. and take the appropriate action.

What is most valuable?

The primary thing I use it for is monitoring IPS because we have 12 or 14 Cisco IPS devices, and the Cisco solution for monitoring that many IPS devices is hokey at best, aside from it being expensive. I also use it when we’re trying to track down activity on a particular IP address – I use the query engine to search for things like that.

How has it helped my organization?

We’ve had some situations where we’ve either gotten hit with a DoS attack or we’ve gotten notification that we’ve been blacklisted because some IP that belongs to us is roaming the internet trying to bogusly log in to SNMP servers. So, we’ll take that IP, or wherever the DoS is coming from, and run a query over the last 30 days or so, to see just what the activity on that machine has been, and make various decisions from that. In a couple of cases it’s meant shutting down the machines and getting them off the network because they’ve obviously got some kind of malware on them. In other cases, it’s been a matter of determining the exact scope of the DoS – where it came from, how long it lasted, how intense it was, etc.

What needs improvement?

One of the things that I actually opened a ticket about (and they couldn’t help me) is that when traffic is leaving our network, it’ll only report the source. I would think that if it’s examining the packets, it should also be able to give me the destination. It’s not possible to tell me whether it reached the destination, but it would be helpful to know where it was headed when it left the network. That field is always empty in the query.

For how long have I used the solution?

I've used it for about a year.

Buyer's Guide
Fortinet FortiSIEM
May 2024
Learn what your peers think about Fortinet FortiSIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
769,789 professionals have used our research since 2012.

What was my experience with deployment of the solution?

No serious issues. The biggest issue I had with their deployment methodology as a virtual appliance is that – with the way our VM farms are structured – there are only a couple of people who are allowed to bring up OVAs, which is the way they ship the product, so I have to get their time to do any kind of upgrade. That’s why I recently queried the helpdesk on what was required to do the upgrade that’s available to us (at no cost), and they pointed me to a manual which I haven’t had time to download yet. My guess is I’m going to have to deploy a separate OVA.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

We've not had any issues so far.

How are customer service and support?

Customer Service:

The only complaint I have is that they wouldn’t issue a license until they had the check in their hands, which is not my experience with other vendors. If you issue a PO for something, usually you get a license immediately – in their case they wouldn’t until they had actually gotten payment, which was a little frustrating.

Technical Support:

I have tried to open some tickets, and usually they’ll respond with a note at the top of the response. It says “if you’re responding to this email do it above this line,” and I didn’t see that the first time I got an email like that, so for weeks they kept sending me emails saying I hadn’t responded to their initial contact. To me that was a little bit nit-picky.

Which solution did I use previously and why did I switch?

I inherited a solution that was discontinued by the vendor, and I was charged with finding a replacement.

How was the initial setup?

Once we got the OVA file, and I was able to commandeer some time from the appropriate people here, it wasn’t an issue.

What about the implementation team?

It was in-house. Part of the initial purchase included some on-site time with one of their engineers, so I used that time to do an upgrade while he was here.

What's my experience with pricing, setup cost, and licensing?

The pricing seems fairly standard in terms of the pricing model, so how it compares to other similar products I don’t know. The people I took this to about replacing the other product didn’t seem to blink at the price.

Which other solutions did I evaluate?

We ran a PoC for AccelOps for a trial period, so we didn’t look as much into other products.

What other advice do I have?

It would be to get as good an estimate as you can of what EPS you’ll need before you get pricing and so forth. We underestimated what we would need, which is what precipitated ordering additional licensing and not being able to get them right then.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Network and Security Administrator at PETRA Engineering Industries Co.
Real User
Hybrid Fortinet Fabric Solutions with a comprehensive view for all Fortinet products and a little support for other vendors
Pros and Cons
  • "The interface is very easy to use. The connector in the core has FortiSIEM support from the vendor."
  • "The nodes on our network did not comply with the SIEM solution. They use a different format parking log."

What is our primary use case?

We're using FortiSIEM as the main metadata server for all the security and infrastructure devices. We integrate a lot of nodes, switches, firewalls, and sandboxes with it to gain coverage of the performance, availability, change, and security monitoring aspects of network devices, servers, and applications.

How has it helped my organization?

FortiSIEM gives us a lot of valuable events and details by using a unified event-based framework to analyze all data, including logs and performance monitoring data, and it provides a broad range of metrics.

What is most valuable?

The comprehensive view of the dashboard, the attribute-based interface, and the flexibility of implementation methods.

What needs improvement?

The Fortinet Fabric should be easier and more user-friendly. They use a different log parsing format.

For example, Symantec ATP is not supported by FortiSIEM. Our reseller provided us FortiSIEM as a service. They should also provide us with a dashboard to monitor and to deploy correlations.

I think Fortinet should improve the AI correlations by combining advanced statistical and heuristic analysis with behavioral whitelisting.

For how long have I used the solution?

I have been using the solution for around six months.

What do I think about the stability of the solution?

Stability is the main feature we had looked for because of our environment, which is why we chose FortiSIEM. The stability is good. We just install a connector on the supervisor outside.

With the stability of the connector, we faced some problems. The reseller asked us to reinstall the connector. The problem was with the reseller, not the connector.

How are customer service and technical support?

We used the solution's technical support for a lot of cases and tickets. Their responses are very good, kind, and quick. 

Which solution did I use previously and why did I switch?

They have a poor correlation. They didn't use any new concepts like Fortinet. They just display the logs as they are, with no attribute base.

How was the initial setup?

The initial setup with Fortinet FortiSIEM AccelOps was not easy. We faced a few problems, but I think Fortinet should give more training courses for their resellers.

We needed to find what the weak points in our network were. Our deployment took up to two months.

We were looking to deploy a unique correlation between nodes. We wanted to track the packets from our cloud services, like cloud sandbox and anti-spam, to log our end-to-end connections.

The reseller told us that they comply with our solution. After that, we figured out that it was not going to be very easy. FortiSIEM doesn't support Symantec ATP.

They also did not support our web gateway log format.

What other advice do I have?

The interface is easy to use, but the initial setup is not. The connector in the core has FortiSIEM support from the vendor. FortiSIEM supports a lot of vendors. It is a good product for us.

I rank it as eight on a scale from one to ten because it doesn't support a lot of vendors, and also FortiSIEM is still not commonly used by Fortinet partners; maybe they don't give adequate training.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Technical Lead at Arcon Labs at a tech services company with 51-200 employees
Real User
It's complicated to deploy but detection rules are flexible
Pros and Cons
  • "AccelOps can handle a lot of data and it's just so important to true monitoring. Also, I can create a lot of rules to detect anything I like."
  • "Does not have load-sharing or high-availability, and these are important things to implement. I can do the same things in another way, but not naturally having these features makes it complicated."

What is our primary use case?

My primary use case is that it is an analyst tool for hunting on your site network.

How has it helped my organization?

The platform is nice. It is not easy to implement, but once you do so, there is a lot of value from the platform. 

What is most valuable?

AccelOps can handle a lot of data and it's just so important to true monitoring. That is the strong point of AccelOps.

The second one is detecting. I can create a lot of rules to detect anything I like, and this is another strong point.

It's also the only SIEM platform on the market that has health monitoring capabilities and correlates. For example, if a service is going down, I can detect that it is going down and correlate it. For example, if it's because of an exploit, it can correlate this. It's a nice feature.

What do I think about the stability of the solution?

I think all SIEM platforms have a problem handling a lot of data. My response is "it depends." Depends on the people, depends on the product, depends on the technology. To implement any technology you need good people, and this is independent of the label of the company or technology. The stability is not bad, it's not good. It's a complicated question.

What do I think about the scalability of the solution?

I don't have any feature for load-sharing or high-availability, and these are important things to implement. I can do the same things in another way, but not naturally having these features makes it complicated. For example, the design is bad because you have one supervisor on one machine and you handle everything off this machine supervisor. It is a design problem. The technology also has limitations because you have a lot of memory and a lot of processors, but you have a limit with processors and memory, which causes problems with scalability. 

How are customer service and technical support?

It's equal to any technical support. You need to go to level one, level two, level three to reach their engineers. It is complicated. With any technology it is like this. But my level of skill here is high, and going to level one, level two, level three is complicated. You have a ladder to solve the problems quickly. That's the problem. Any platform, any vendor has the same problem. You need to go through levels until you find one guy who can solve your problem.

Which solution did I use previously and why did I switch?

I used a solution previously. I switched because I needed evolving technology. I needed to evolve to smart features.

The most important criteria when selecting a vendor is price. After that it's detection.

How was the initial setup?

For the first steps you have some help. At the beginning you have priority support, you have engineers. After that you pay.

It's complex because you need to evaluate a lot of things.

What other advice do I have?

I advise that you should plan your financial resources and plan the platform. Also, be sure to test the performance ability, as well as scalability. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user293913 - PeerSpot reviewer
IT Security and Compliance Officer at an energy/utilities company with 501-1,000 employees
Vendor
It gives us a greater visibility into potential data/network breach attempts with the monitoring and alerting capabilities.

What is most valuable?

  • Log correlation
  • Alerting

How has it helped my organization?

AccelOps gives us a greater visibility into potential data/network breach attempts with the monitoring and alerting capabilities.

What needs improvement?

Ease-of-use for end users that do not spend every day in the product.

Also, the presentation of historical and trending data in dashboards needs to be improved immensely. Something as simple as an RRDtool graphing mechanism on a dashboard would be a huge improvement to the product.

For how long have I used the solution?

I've used it for one and half years.

What was my experience with deployment of the solution?

Not that I recall, but it's been over a year since deployment.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's high.

Technical Support:

Medium to high; some of the problems are just in the maturity of the product and how AccelOps develops this moving forward.

Which solution did I use previously and why did I switch?

SolarWinds; we assumed that AccelOps would be an easier product to manage moving forward, and it was less expensive.

How was the initial setup?

I don't think it was complex.

What about the implementation team?

In-house with a little assistance from support.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user675411 - PeerSpot reviewer
Senior Technical Consultant at an integrator with 201-500 employees
Vendor
Configuration in initial setup is complex. Product's analytics provide log info letting you see threats.
Pros and Cons
  • "Analytics. It can provide log information from the device. With log information, I can see if there is a threat"
  • "If there is a configuration on the wrong side of the network or there are changes that result in harm to our IT infrastructure, the solution should immediately fix it."

How has it helped my organization?

From CMDB configuration monitoring, it can provide information changes.

What is most valuable?

Analytics. It can provide log information from the device. With log information, I can see if there is a threat.

What needs improvement?

In the CMDB configuration monitoring. For example, if there is a configuration on the wrong side of the network or there are changes that result in harm to our IT infrastructure, the solution should immediately fix it.

What do I think about the stability of the solution?

Yes.

What do I think about the scalability of the solution?

Yes.

How are customer service and technical support?

Very good.

Which solution did I use previously and why did I switch?

FortiSIEM is better than previous products.

How was the initial setup?

Complex due to the configuration.

What's my experience with pricing, setup cost, and licensing?

Please be cheaper and more simplified.

Which other solutions did I evaluate?

Yes, but I cannot mention it because of privacy issues.

What other advice do I have?

Please do a PoC.

Disclosure: My company has a business relationship with this vendor other than being a customer: I'm a partner.
Security Team Leader at a tech services company with 11-50 employees
Reseller
Our customers have seen improvement in their connection with load balancing on both connections
Pros and Cons
  • "Some of our customers who use this solution have seen improvement in their connection with load balancing on both connections."
  • "Our customers are noticing configuration available in the GUI interface and I think that they should be equal."

What is our primary use case?

We are a system integrator and we resell this solution.

How has it helped my organization?

Some of our customers who use this solution have seen improvement in their connection with load balancing on both connections.  

What needs improvement?

Our customers are noticing configuration available in the GUI interface and I think that they should be equal.

What do I think about the stability of the solution?

Stability and scalability are perfect. 

How was the initial setup?

The initial setup wasn't complex. It took three days to deploy and we required two people for the deployment. 

What other advice do I have?

I would rate it a nine out of ten. The configuration should be equal with the GUI interface. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
ICT Architect at an insurance company with 51-200 employees
Real User
Never crashes but lacks integration with Fortinet products
Pros and Cons
  • "The most valuable feature is the anomaly-reporting alarms."
  • "Areas for improvement would be the ease of use and the integration with Fortinet's own products."

What is most valuable?

The most valuable feature is the anomaly-reporting alarms.

What needs improvement?

Areas for improvement would be the ease of use and the integration with Fortinet's own products.

For how long have I used the solution?

I've been using this solution for three years.

What do I think about the stability of the solution?

This is a very stable product - we have never had a crash with it. It does use a lot of resources, but this doesn't affect its performance.

What do I think about the scalability of the solution?

The scalability is ok and is improved by using Elasticsearch.

How are customer service and support?

The technical support has improved a lot and is now ok.

How was the initial setup?

The initial setup was a little difficult because no good guidelines were available. However, this has since been improved. It took around six months to finish a complete deployment.

What's my experience with pricing, setup cost, and licensing?

I have a five-year contract for this product, with no additional costs.

What other advice do I have?

I would give this solution a rating of seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ICT Architect at an insurance company with 51-200 employees
Real User
CMDB database collects data from a lot of pre-configured devices
Pros and Cons
  • "The most valuable feature is the dashboard. CMDB database collects data from a lot of pre-configured devices."
  • "The performance can be improved. Sometimes it takes a long time to fetch data."

What is our primary use case?

We use the on-prem model of this solution. Our primary use case is for malware and behavior monitoring. We also use it to monitor system performance and user behavior. 

What is most valuable?

The most valuable feature is the dashboard. CMDB database collects data from a lot of pre-configured devices. 

What needs improvement?

The performance can be improved. Sometimes it takes a long time to fetch data. 

For how long have I used the solution?

I have been using this solution for one and a half years.

What do I think about the stability of the solution?

It is very stable. 

What do I think about the scalability of the solution?

Scalability is very good. We currently have 150 users using this solution. We don't have plans to increase usage at the moment. 

What about the implementation team?

We implemented through Fortinet professional services. We were one of the first customers to implement the new version and it was a bit complex. I believe it has become easier. Deployment took them only a few hours. It didn't take a long time. 

What other advice do I have?

I would rate it an eight out of ten. They should implement better behavior monitoring features to make it a perfect ten. It should also have better integration with their own products. They have a lot of interfaces for other products but it's not so easy to integrate their own devices. 

I would recommend this solution to someone considering it. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.