it_user390012 - PeerSpot reviewer
Manager, Security Services at a financial services firm with 5,001-10,000 employees
Real User
We like the built-in reports and alerts, along with the extreme flexibility in reporting and rule generation.
Pros and Cons
  • "The most valuable features for us are the built-in reports and alerts, along with the extreme flexibility in reporting and rule generation."
  • "Creating parsers to try to make unknown events or currently unsupported devices produce meaningful information is extremely cumbersome."

How has it helped my organization?

There are several examples, but the flexibility in reporting and alerting has given us the ability to have numerous teams be alerted for various security situations affecting each team's responsibilities.

What is most valuable?

The most valuable features for us are the built-in reports and alerts, along with the extreme flexibility in reporting and rule generation. The logs and search engine are also valuable features.

What needs improvement?

Creating parsers to try to make unknown events or currently unsupported devices produce meaningful information is extremely cumbersome.

Additionally, lately there have been releases which have broken existing functions. This directly relates to support being an area that also needs improvement.

What do I think about the stability of the solution?

In general, the system is stable.

Buyer's Guide
Fortinet FortiSIEM
June 2025
Learn what your peers think about Fortinet FortiSIEM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

What do I think about the scalability of the solution?

We had to deploy several workers to keep up with event collection. This was one reason that the AO agent was developed and released -- to reduce the load on the managers and workers.

How are customer service and support?

Customer Service:

Customer service is mediocre, but the relationship is improving with focused attention on customers.

Technical Support:

Technical support is good.

Which solution did I use previously and why did I switch?

We were a Cisco MARS customer and needed to replace the solution once Cisco ceased support.

How was the initial setup?

The initial setup is straightforward. There is a learning curve for the software, but overall it was up and running and collecting information in a matter of an hour post setup.

What about the implementation team?

We implemented it with our in-house team.

Which other solutions did I evaluate?

We didn't evaluate other options as this was a direct, suggested replacement to MARS.

What other advice do I have?

Watch the sizing requirements for the virtual machines and quantities needed to support the environment. Make sure you get sign-off from Accelops on the proposed configuration and load for what’s being planned on the deployment.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user293910 - PeerSpot reviewer
Senior Enterprise Information Security Architect at a healthcare company with 1,001-5,000 employees
Vendor
It provides intelligent alerting and the out-of-the-box rules don't require much tuning or management overhead.

What is most valuable?

  • The automation piece -- its ability to dynamically discover which services need to be monitored and to automatically setup the appropriate monitoring.
  • We also like the intelligence behind the alerting; we like the out-of-the-box rules that don’t require a lot of tuning.
  • The product doesn’t require a lot of manpower, so there isn’t a lot of tuning or management overhead required for it.

How has it helped my organization?

We outsource a lot of our IT. We are able to monitor performance and security and to perform audits to ensure our outsourcing partners are doing what we are paying them for.

What needs improvement?

The way that upgrades are handled could be a bit cleaner. That might have been improved in the new version, but where we are, the upgrade process takes the system down for the period of the upgrade. So the lost data during that downtime can be frustrating.

For how long have I used the solution?

I've used it for four years.

What was my experience with deployment of the solution?

We did, but AccelOps were very, very helpful. I don’t think the product was configured or tuned for an environment as large as ours, so there were some performance issues at first, but they were very helpful and they had developers and engineers on the phone with us to help resolve those issues. They even used the experience with us as a test case to build improvements into the product.

What do I think about the stability of the solution?

No issues since the product was installed.

What do I think about the scalability of the solution?

No issues since the product was installed.

How are customer service and technical support?

Customer Service:

Their sales people have always been helpful and friendly, and they’ve given us some things for free, like training. It’s been good. We’ve even had some of the higher-ups at AccelOps call us with new product offerings for us because they know our organization so well.

Technical Support:

I would say it’s more on the average side. Once I can get someone engaged they’re good about getting the problem solved, but sometimes it’s hard to get someone on the line to help resolve your problem.

Which solution did I use previously and why did I switch?

No, this is the first solution like this that we’ve had.

How was the initial setup?

The setup was straightforward, but the performance issues we had were the biggest stumbling block. In terms of getting it out of the box and up and running, it really wasn’t difficult at all.

What about the implementation team?

I did it myself in-house.

What's my experience with pricing, setup cost, and licensing?

The pricing is very, very affordable. For the value you get, I think it’s about the cheapest solution on the market.

What other advice do I have?

I think the biggest thing to understand is that it’s like a Swiss Army knife. You get a lot of tools for a lot of things, but don’t expect it to be a killer app in any one area.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user293913 - PeerSpot reviewer
IT Security and Compliance Officer at an energy/utilities company with 501-1,000 employees
Vendor
It gives us a greater visibility into potential data/network breach attempts with the monitoring and alerting capabilities.

What is most valuable?

  • Log correlation
  • Alerting

How has it helped my organization?

AccelOps gives us a greater visibility into potential data/network breach attempts with the monitoring and alerting capabilities.

What needs improvement?

Ease-of-use for end users that do not spend every day in the product.

Also, the presentation of historical and trending data in dashboards needs to be improved immensely. Something as simple as an RRDtool graphing mechanism on a dashboard would be a huge improvement to the product.

For how long have I used the solution?

I've used it for one and a half years.

What was my experience with deployment of the solution?

Not that I recall, but it's been over a year since deployment.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

It's high.

Technical Support:

Medium to high, some of the problems are just in the maturity of the product and how AccelOps develops this moving forward.

Which solution did I use previously and why did I switch?

Solarwinds, we assumed that AccelOps would be an easier product to manage moving forward and it was less expensive.

How was the initial setup?

I don't think it was complex.

What about the implementation team?

In-house with a little assistance from support.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user284157 - PeerSpot reviewer
Senior Network Security Architect at a retailer with 1,001-5,000 employees
Real User
It helps us identify the origin of a DoS attack, where it came from, how long it lasted, how intense it was, etc. and take the appropriate action.

What is most valuable?

The primary thing I use it for is monitoring IPS because we have 12 or 14 Cisco IPS devices, and the Cisco solution for monitoring that many IPS devices is hokey at best, aside from it being expensive. I also use it when we’re trying to track down activity on a particular IP address – I use the query engine to search for things like that.

How has it helped my organization?

We’ve had some situations where we’ve either gotten hit with a DOS attack or we’ve gotten notification that we’ve been blacklisted because some IP that belongs to us is roaming the internet trying to bogusly log in to SNMP servers. So, we’ll take that IP, or wherever the DoS is coming from, and run a query over the last 30 days or so, to see just what the activity on that machine has been, and make various decisions from that. In a couple of cases it’s meant to shut down the machines and get them off the network because they’ve obviously got some kind of malware on them. In other cases, it’s been a matter of determining the exact scope of DoS – where it came from, how long it lasted, how intense it was, etc.

What needs improvement?

One of the things that I actually opened a ticket about (and they couldn’t help me) is when traffic is leaving our network, it’ll only report the source. I would think that if it’s examining the packets that it should also be able to give me the destination. It’s not possible to tell me whether it reached the destination, but it would be helpful to know where it was headed when it left the network. That field is always empty in the query.

For how long have I used the solution?

I've used it for about a year.

What was my experience with deployment of the solution?

No serious issues. The biggest issue I had with their deployment methodology as a virtual appliance – with the way our VM farms are structured – there are only a couple of people that are allowed to bring up OVAs, which is the way they ship the product, so I have to get their time to do any kind of upgrade. That’s why I recently queried the helpdesk on what was required to do the upgrade that’s available to us (at no cost), and they pointed me to a manual which I haven’t had time to download yet. My guess is I’m going to have to deploy a separate OVA.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

We've not had any issues so far.

How are customer service and technical support?

Customer Service:

The only complaint I have is that they wouldn’t issue a license until they had the check in their hands, which is not my experience with other vendors. If you issue a PO for something, usually you get a license immediately – in their case they wouldn’t until they had actually gotten payment, which was a little frustrating.

Technical Support:

I have tried to open some tickets, and usually they’ll respond with a note at the top of the response. It says “if you’re responding to this email do it above this line,” and I didn’t see that the first time I got an email like that, so for weeks they kept sending me emails saying I hadn’t responded to their initial contact. To me that was a little bit nit-picky.

Which solution did I use previously and why did I switch?

I inherited a solution that was discontinued by the vendor, and I was charged with finding a replacement.

How was the initial setup?

Once we got the OVA file, and I was able to commandeer some time from the appropriate people here, it wasn’t an issue.

What about the implementation team?

It was in-house. Part of the initial purchase included some on-site time with one of their engineers, so I used that time to do an upgrade while he was here.

What's my experience with pricing, setup cost, and licensing?

The pricing seems fairly standard in terms of the pricing model, so how it compares to other similar products I don’t know. The people I took this to about replacing the other product didn’t seem to blink at the price.

Which other solutions did I evaluate?

We ran a PoC for Accelops for a trial period, so we didn’t look as much into other products.

What other advice do I have?

It would be to get as good an estimate as you can of what EPS's you’ll need before you get pricing and so forth. We underestimated what we would need, which is what precipitated ordering additional licensing and not being able to get them right that.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user277014 - PeerSpot reviewer
Systems Administrator with 501-1,000 employees
Vendor
Dashboards provide us with the real-time status of our network, including specific alerts and granular monitoring.

Valuable Features

The granular monitoring capabilities. Also, it's very configurable.

Improvements to My Organization

It gives greater visibility via the dashboards into the real-time status of the network. Additionally, it also provides specific alerts and performance monitoring.

Room for Improvement

Some of the out-of-box dashboards could be more useful, as they’re not configured out-of-box. Some other products we’ve used give a lot more information right out of the box. With Accelops, we didn’t get quite enough useful information at the beginning. Ping monitors (STMs) are highly configurable, but it would be nice to have a simpler monitor to go with it, like a simple ping monitor. As it is, we have to go through three different processes and 30 minutes to get the ping monitor up with email notifications. It should have an easier way to configure some of these more common monitors.

Use of Solution

I've used it for two years, but the firm has had the solution in place for longer.

Stability Issues

The product is always stable, but there were a few bugs. During some of the upgrades, fixing one problem revealed another, so we had to go through several patch iterations to find a bug-free version that works for us.

Scalability Issues

None. Far more scalable than is required for us.

Customer Service and Technical Support

Customer Service:

Great - we’d give it a 10/10.

Technical Support:

6/10 - as far as the techs go, they are knowledgeable, but when trying to get a hold of a tech or have them call back, they weren’t responsive. It was one of my biggest frustrations with the product, and I started to look elsewhere for another solution at one point. Issues that could have been resolved in 30-60 minutes sometimes took months, but they have improved.

Other Advice

Just do your research – the product does a lot, but it may be more than you’re looking for. Also, be aware that it requires a lot of time to maintain, set up, and configure.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user276174 - PeerSpot reviewer
Director of IT with 501-1,000 employees
Vendor
We've been able to monitor our account-hacking issues internally, including attempted attacks on our network and logins to accounts.

What is most valuable?

The security notifications and monitoring features.

How has it helped my organization?

With the online-based monitoring we've set up, we've been able to watch trends of attempted attacks on our network.

We're also able to monitor our account issues internally as attackers attempt to log into our accounts.

We fall under HIPAA so security is key.

What needs improvement?

As we're an SMB, I would like to see different licensing options and the solution is priced out of the reach of some small businesses. It was a priority for us, though, because of the HIPAA regulations we fall under, and a more attractive licensing structure would be nice for SMB's.

For the product itself, it's the configuration. You really have to have their help to configure the product. When hands are off and it's in maintenance mode, it's difficult to configure unless you're totally engrossed in the product on a day-to-day basis.

For how long have I used the solution?

I've used it for one year.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

9/10, based strictly on the limited experience with one person that I've had.

Technical Support:

9/10, based strictly on the limited experience with one person that I've had.

Which solution did I use previously and why did I switch?

We used freeware or third party apps (two or three of them), but we liked the consolidation of this product -- one interface, one screen -- to capture what the other applications were doing.

How was the initial setup?

It was complex because we didn't know the product. It's pretty in-depth, but once we got familiar with the software it made a lot of sense.

What about the implementation team?

We had the vendor help us implement, and they were 8/10.

What's my experience with pricing, setup cost, and licensing?

As mentioned above, they need to improve their licensing, but it depends on what industry segment they're going after. Maybe introduce some kind of more attractive bundle for SMB's to help them get started with the product.

Which other solutions did I evaluate?

We did, but I don't recall which ones.

What other advice do I have?

Everyone's implementation will be different, so be very focused and deliberate in what you want to monitor, because you can inundate the system.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer993816 - PeerSpot reviewer
Senior Security Engineer at a tech services company with 1,001-5,000 employees
Real User
It's a nice tool for integration and monitoring, but it's difficult to integrate unsupported devices
Pros and Cons
  • "FortiSIEM provides a single PIN to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high."
  • "It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM."

What is our primary use case?

We have nearly 30 analysts currently using FortiSIEM.

What is most valuable?

FortiSIEM provides a single PIN to monitor SOC and NOC. It's a nice tool for integration and monitoring. It provides multiple categories for monitoring based on security designations like low, medium, and high. 

What needs improvement?

It's difficult to integrate unsupported devices with FortiSIEM compared to QRadar. It's easier to integrate and develop processes in QRadar. It's harder to develop a custom process in FortiSIEM. 

For how long have I used the solution?

I've been using FortiSIEM for a year and a half.

What do I think about the stability of the solution?

FortiSIEM is stable. QRadar and FortiSIEM are both fairly stable. There aren't many issues from an admin point of view.

What do I think about the scalability of the solution?

FortiSIEM is scalable. 

How are customer service and support?

Fortinet support is great. They're more responsive than IBM.

How was the initial setup?

FortiSIEM is easy to set up. Installing the supervisor component of FortiSIEM took around one hour, but the console installation for QRadar takes almost three to four hours.

What other advice do I have?

I rate FortiSIEM seven out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1645248 - PeerSpot reviewer
Security Engineer L1 at a media company with 11-50 employees
Real User
Easy to understand and the technical support is good, but they need better documentation
Pros and Cons
  • "It's a very nice solution to work with."
  • "There is no proper guide for integration or configuration."

What is our primary use case?

We are trying to onboard some devices, which we will analyze using Fortinet FortiSIEM. 

Once it responds smoothly, we will onboard some clients with requests.

What is most valuable?

It's a very nice solution to work with. It is easy to understand.

What needs improvement?

There is no proper guide for integration or configuration. They need to improve the documentation library.

For how long have I used the solution?

We are using the enterprise version in my organization. I have been using it for 30 to 40 days, but not more than two months.

How are customer service and technical support?

We have contacted technical support. They are good and provide good resolutions.

How was the initial setup?

The initial setup was straightforward.

What other advice do I have?

I will definitely recommend this solution to others. I am still exploring it, as it is new to us. I need more time to analyze it further.

I would rate Fortinet FortiSIEM a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user