Fortinet SASE Overview & Pricing Examples

Fortinet is a globally recognised leader across cybersecurity solutions, and the company has made significant strides in the Secure Access Service Edge (SASE) market. With their integration of security and network features, Fortinet offers a platform designed to meet the complex demands of most enterprise businesses. This article provides an overview of Fortinet’s SASE capabilities, market positioning, competitive landscape, pricing strategies, and management features, concluding with an outlook and strategic recommendations.

Fortinet SASE Overview

Market Positioning and Analysis

Fortinet is recognised by industry analysts for its strong presence in the SASE market. However, understanding their position requires a detailed comparison with key competitors. 

Fortinet technology is relied upon globally to connect and protect companies from small to very large and in diverse sectors, ranging from retailers and central governments to global financial service companies.

 Gartner and Forrester Insights

  • Gartner’s View: Gartner positions Fortinet as a Challenger, acknowledging its integrated security and networking approach.

As of 18/3/2023 “Gartner® Peer Insights™ Customers’ Choice for SD-WAN. This marks the fifth year in a row that Fortinet has received this distinction for our Secure SD-WAN solution based on user reviews.”

  • Forrester’s Evaluation: Forrester names Fortinet a Leader in Zero Trust Edge solutions, highlighting their comprehensive security capabilities.

Fortinet state the following about their SASE capabilities; we have added (context) to these statements.

  • Secure your hybrid workforce (zero trust and zero trust network access)
  • Get network and security visibility across the organisation (combining various Fortinet products, WAN, LAN, WiFi and end-user)
  • Modernise to a zero-trust architecture (zero trust principles of just enough access)
  • Protect internet access, private access, and SaaS access (Fortinet SASE including Secure Internet Access (SIA)).

Fortinet’s SASE strategy combines different security and network services to ensure safe and uninterrupted access to applications, no matter where they are used. Here are three key facts about Fortinet’s SASE strategy:

  1. Comprehensive Security and Networking Integration: Fortinet’s SASE model is built on the integration of its FortiGate Next-Generation Firewall (NGFW) with advanced security services and networking capabilities. This integration allows for consistent security policies and enforcement across all network edges, including branch offices, remote workers, and cloud environments, ensuring a secure and unified network infrastructure.
  2. Cloud-Native Architecture: Fortinet’s SASE solution leverages a cloud-native architecture, enabling scalable and flexible deployment options. This architecture supports the dynamic and on-demand nature of cloud services, allowing organisations to rapidly adapt to changing business needs and network conditions without compromising security. Fortinet’s SASE cloud service is designed to deliver low latency and high-performance connectivity to applications, regardless of their location.
  3. Centralised Management and Analytics: Fortinet offers a centralised management platform, known as FortiSASE, which provides visibility and control over the entire SASE solution. This platform enables organisations to manage security and network policies from a single console, simplifying operations and improving efficiency. In addition, Fortinet’s SASE solution incorporates advanced analytics and threat intelligence to enhance security posture and facilitate proactive threat detection and response. 

These elements demonstrate Fortinet’s commitment to delivering a comprehensive and integrated SASE solution that meets the evolving needs of modern enterprises, focusing on security, performance, and manageability.

Fortinet Hardware

Given Fortinet’s pedigree in delivering own-brand hardware appliances, they have one of the broadest ranges of appliances available. Additionally, they have a unique position in the market, using their own ASIC chipset. The latest, 5th generation ASIC supports superior hardware performance for the core components of SASE (NGFW, zero-trust network access (ZTNA), SD-WAN, and SSL inspection). Because of Fortinet’s reliance on its ASIC hardware, Fortinet SD-WAN/SASE does not lend itself to running on 3rd party hardware or cloud-based deployments.

How much does Fortinet SASE & SD-WAN cost?

Fortinet have taken an interesting decision with the licensing of SD-WAN features and functions. They include the capabilities free of charge.

Based upon our own research and use-cases, here are some suggestions and indications on the models for different use-cases and anticipated costs (CAPEX and 3-year TCO).

Fortinet SASE

| Feature | Small | Medium | Large | X-Large |
| --- | --- | --- | --- | --- |
| Model | 40F | 60F | 100F | 200F |
| Per device, 3 years with Support | £950 | £1,250 | £5,350 | £12,250 |
| SSL Inspection Throughput | 310 Mbps | 630 Mbps | 1 Gbps | 4 Gbps |

Site specific or mixed licence bundles should be considered as these will deliver a more granular TCO. For example, centralised breakout versus a Next-Gen perimeter at every location. Mixed licensing could improve your TCO by up to 50%.

Like all Secure SD-WAN appliances, the more tasks you are asking it to perform, the bigger the box. Gone are the days of hub and spoke networks with security deployed in the data centre. Networks are typically meshed and nearly always have the need to protect the local security boundary. Datasheets give an indication of the VPN throughput. We strongly recommend speaking with certified partners to get real-world throughput. Other useful resources include Cyber Ratings; during October 2023 they strongly recommended Fortinet.

Fortinet Managed Services

Fortinet offers centralised management for security and SD-WAN via FortiManager. At the time of writing, the management for another component of SASE, ZTNA, is via the FortiClient. Additionally, some of the Public Cloud/SASE on-ramp is also controlled via another single pane of glass. We strongly believe that over time FortiManager will become the de facto and true single pane of glass.

Fortinet Managed Services Overview

The management experience from Fortinet is not as rich as that of other vendors, for example in its support for deep and granular role-based access and multi-tenancy. If you have multiple business lines or divisions, you will need to carefully consider how best to implement it to suit your day-to-day management and administration needs.

The overall management experience has been reported to be less intuitive than that of other SASE vendors, for example with limited ability to group configuration by business line or division, or to make changes on a per-group basis.

Analytics – analytics data from all Fortinet SASE components (NGFW, SD-WAN, ZTNA) can be stored, viewed, and analysed via FortiAnalyzer. Additionally, you can send the relevant data to 3rd party SIEM and SOAR tools.

Training – as companies want to take more control of their SD-WAN the ability for co-managed networks continues to be a key requirement. Therefore, training on the SASE platform is essential.

Fortinet provides broad options for enablement, Hands on Labs, and formal certification via NS labs. Hands on Labs are a great way to test-drive the technology with the support from either Fortinet or one of their partners.

Fortinet have a stated commitment to educating and enabling IT professionals with comprehensive and real-world scenarios.

Implementation

The SD-WAN capabilities are available in a software upgrade, version 6.2 of FortiOS. Fortinet have taken an interesting position in that the SD-WAN features are available at no extra cost to existing Fortinet customers.

FortiDeploy is required for zero touch provisioning. Without this tool, set-up will be more manual, requiring DNS/DHCP to be configured.

Reference architectures – like most of the mature technology vendors there are various technical documents that explain how to achieve recommended configurations. These are relevant if you are considering setting up the network yourself. We would always recommend that an experienced individual or partner is engaged to help you achieve the most relevant topology that has aspects, such as zero trust, designed from the outset.

Fortinet Professional Services engagement

Due to the maturity of Fortinet’s partner ecosystem, there are deeply experienced partners that offer a broad range of professional services. These range from design and build through implementation to in-life support.

Fortinet does offer their own professional services. From our own research we understand that the typical professional service engagement is primarily focused on complex security deployments such as data centres, not broad secure SD-WAN. Furthermore, partners with deep SD-WAN experience would likely offer a more cost-effective and timely option and be able to provide greater assistance with integrating the ‘as-is’ and ‘to-be’ networks.

Fortinet Lead-time

Like all vendors, lead-times are variable. For the SD-WAN models listed, UK distributors typically hold good stock for the small and medium devices, with delivery within 10 working days. For the larger models lead-times can be extended, 3+ weeks. Fortinet’s distributors can provide you with accurate lead-times and offer additional services like pre-staging and drop-shipping to sites. If you are deploying services outside of the UK, consider the tax and logistics implications, a fallout from Brexit. This Brexit effect is true for all technology procurement that has a hardware device.

Fortinet – Owned vs Rented

Historically the WAN (circuits and routers) has been consumed as a rented service over a multi-year term (3-or-5 years). Today, we are seeing more businesses exploring the option to uncouple the overlay and underlay. A few market dynamics have caused this, such as the adoption of SaaS, the move to Public Cloud, and the hybrid workforce. It is no longer about connecting and protecting offices and servers.

In the UK there is also the added tax benefit of ‘Full expensing’. We recommend speaking with a suitably qualified accountant to understand the benefits of such a scheme when considering any technology spend.

Fortinet Partners

As of writing, and through our own market research, we are aware of a range of partners that have built services using some or all of the Fortinet SASE portfolio.

A list of Fortinet's Partners

The SD-WAN overlay is typically 15-20% of the overall total cost of ownership of a WAN. Choosing the right overlay is essential and the impact of a flexible platform far outweighs the cost.

Each of these partners has varying degrees of capabilities, expertise, and proactive/reactive in-life management options available.

  • Axians
  • BT – via their Security team
  • Claranet
  • Colt Telecommunications
  • Exponential-E
  • Kyndryl

Companies are generally asking for more from their ‘managed’ WAN. For example:

  • Co-managed – ability to make small moves, adds and changes without the need for lengthy and sometimes costly changes by a managed service partner.
  • Underlay – ability to have a broader choice of underlay, for example not being restricted to the chosen partners’ network.
  • Single point of contact – ability to procure 3rd party circuits and have them managed by a single partner. 

Enterprise agreements: who are they for? Fortinet offers an Enterprise Agreement (EA), intended for Enterprise customers with a larger spend (£500k+). The Fortinet EA is intended to streamline support and licensing by transitioning from a per-unit to an account-based model, reducing the need for managing separate licenses per asset and enhancing time efficiency, predictability, and flexibility. This EA provides inclusive support and licensing, catering to both the current setup and anticipated expansion, which is particularly beneficial for extensive or expanding security frameworks. It consolidates present and future requirements into a single contract, offering more stable costs and easier management of support and licensing.

Renewal/price changes – like all other vendors, Fortinet has consistently increased prices over the last twenty-four months. Over recent years, there have been several price hikes which may impact the cost of renewals since service and support fees are tied to the hardware’s price. Since Fortinet doesn’t sell to the end user directly, they don’t set the final price. A partner’s change in status or their decision to increase their profit margin can influence the cost you pay. It’s advisable to seek quotations from various partners to secure a more favourable rate. We recommend asking your partners about year-on-year price changes/renewal, particularly for the UTM licence.

Fortinet Competitive landscape

There are a few key areas of weakness for Fortinet SASE:

  1. Cloud connectivity – SASE PoP or on-ramp cloud experience is not as mature as others in the market. Today they use Google Cloud for their Fortinet Secure Internet Access (SIA) product. If you are considering a more SaaS/cloud centric experience there are other vendors that provide a more comprehensive set of capabilities, such as VeloCloud and Versa Networks.
  2. Ease of use – the management tooling is steadily improving. Administrators and users are vocal about the clunky interface and lack of granular controls to administer rules.

Conclusion

We’ve seen that Fortinet’s SASE solution is a suite of specialised tools, each serving a different security need — like their secure networking service (FortiGate), access control (FortiClient & FortiEMS), and their oversight and control systems (FortiAnalyzer and FortiManager). They also provide a platform (FortiCloud) that helps businesses transition to a SASE framework. It’s expected that Fortinet will eventually streamline these various elements into a single, more user-friendly system.

Commercially they can be extremely competitive, especially in the scenario that you already have FortiGate appliances that have the necessary licence or ability to upgrade to the minimum software version, FortiOS 6.2 and above.

Fortinet’s 2023 proposition of Secure Access Service Omni (SASO) caught my attention as a noteworthy alternative to the conventional SASE model. By opting for ‘Omni’ instead of ‘Edge,’ Fortinet acknowledges the shifting dynamics in hybrid network environments, advocating for a more adaptable and cost-effective approach to security and networking.

Fortinet is a solid choice for the more security-minded secure SD-WAN or SASE deployment. Its market-leading status as such an experienced innovator means that Fortinet should be considered as the platform of choice, for both existing and new Fortinet deployments.