The year 2018 is coming to an end and it is becoming increasingly clear to me that I am not going to finish some of the things I had planned. For example, the OSCP (Offensive Security Certified Professional) certification I was looking forward to, for which I planned to “hack” virtual environments on weekends.
Because I am not able to catch up, I am trying not to start new things (it kills me when I work on multiple projects at the same time). However, sometimes there is an exception to the rule. This time, two technologies have come together that are a small revolution in network management (much like the new password management software was in the first half of the year).
Fortinet Security Fabric
We have been deploying FortiGate routers for our customers for many years, and we use a central FortiAnalyzer for them (with our own report templates and one year of logs kept for diagnostics). In our own company, however, we have used Mikrotik routers. Since our network needs to be more secure than our customers’ networks (if our network is compromised, all customer networks are compromised – see my article “Network Security: Tier Model and PAW“), we have decided to acquire a FortiGate for ourselves too, including FortiSwitch, FortiAP and FortiSandbox Cloud.
Ubiquiti UniFi
We have been using Ubiquiti UniFi APs for years. We currently have 181 of them deployed at customers (absolutely satisfied) and operate our own UniFi Controller. The UniFi product line also includes switches and “security” routers (USG – UniFi Security Gateway). One of our customers bought a UniFi Switch to power its UniFi APs over PoE (so it no longer needs so many PoE injectors). When I saw the functionality and the configuration integrated into the UniFi Controller, I was enchanted. We bought our own UniFi Switch and UniFi Security Gateway to test the products ourselves.
So as not to keep you wondering any longer (although the following sentences should probably be in the conclusion): I am absolutely enthusiastic about both technologies. I have already given a first presentation to my colleagues, and they see the benefits too (see below). It also seems to me that both technologies have only just “matured” in recent releases (FortiOS 6+ and UniFi Controller 5.7+) and are now well suited to production environments. We have decided not to sell any switches other than UniFi Switch and FortiSwitch, just as for Wifi APs we sell only UniFi AP and FortiAP (which we have been doing for several years). For routers, we will go with FortiGate, UniFi USG and possibly Mikrotik (irreplaceable for some things, and it costs pennies on the dollar).
Shortcomings of the current state: multiple manufacturers and product lines
My description below may look rather negative, since I am summarizing the things that do not suit our current situation. It is not that bad, of course: our customers’ networks work and the problems are minimal. The point is that we keep striving for the “perfect” solution.
The network is one of the few things we have not standardized much yet (see our article on our belief in standardization, “Standardization – Doing IT as Simple as That“). We have had several manufacturers for each type of element. For example:
- Routers – We have been deploying Mikrotik and FortiGate routers, and sometimes there were also unknown DSL modems from various ISPs.
- Switches – We have recently been deploying HPE switches (multiple series), but D-Link and TP-Link switches were often found at customers. In addition, even the HPE lines differ vastly from each other (they run different operating systems) and a series reaches end of life every now and then.
- Wifi AP – Fortunately, we have been using Ubiquiti UniFi for a few years already, to our full satisfaction.
Because things are so fragmented across customers, we mainly struggle with the following issues:
Updates
Because of the different brands and models, we have no central management for switches. We update them manually, and because we have so many of them, it takes a lot of time. With the TP-Link brand in particular we have had plenty of “fun” (binary configuration files, upgrades that performed a factory reset, bugs such as “random VLAN slowdowns” after a reboot).
We roll out Mikrotik upgrades through The Dude server (quick), FortiGate manually, and UniFi Wifi APs through the controller (also quick).
Logging
I have wanted central logging for a few years now: collecting logs from network devices into a central repository where they can be efficiently evaluated and archived. The problem is that on some devices (mainly switches) a reboot wipes the logs (they have no storage of their own and keep logs only in RAM), which is exactly when you need them most, after a crash or after someone has tried to cover their tracks.
And even when the logs are still on the device, they are hard to correlate: timestamps often do not line up (even with SNTP, some older devices do not handle daylight saving time correctly) and you have to connect to each device separately.
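As an added example (not code from the original post), here is a minimal central syslog collector in Python that addresses both problems just described: it writes every line to the collector’s disk the moment it arrives, it records the collector’s own arrival time as the trusted timestamp, and it flags any device whose clock disagrees with the collector by more than a minute (the typical symptom of a missed DST change). The per-device timezone table, the IP addresses and the sample lines are constructed for the example; the year-rollover handling is there because the RFC 3164 header carries no year.

```python
"""Added example (not the post's own code): a tiny central syslog collector that
gets logs off the device immediately, timestamps them with the collector's
clock, and flags devices whose own clock is off (e.g. a missed DST change)."""
import json
import re
import socket
from datetime import datetime, timedelta, timezone

# Assumption for this example: a few older devices stamp logs in local time
# without DST handling.  Source IP -> hours east of UTC that the device uses.
DEVICE_UTC_OFFSET_HOURS = {"10.0.0.2": 1}   # hypothetical switch stuck on UTC+1

SKEW_THRESHOLD_SECONDS = 60

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST MSG  (space-padded day, no year, no zone)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def _device_time_utc(ts, year, offset_hours):
    """Turn a year-less RFC 3164 timestamp into an aware UTC datetime."""
    naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (naive - timedelta(hours=offset_hours)).replace(tzinfo=timezone.utc)


def parse_rfc3164(line, source_ip, received_at):
    """Parse one syslog line into a dict, or return None if it does not match.

    received_at is the collector's own UTC time and is the timestamp we trust;
    the device's timestamp is kept only to measure skew against it.
    """
    m = RFC3164_RE.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    offset = DEVICE_UTC_OFFSET_HOURS.get(source_ip, 0)
    device_utc = _device_time_utc(m.group("ts"), received_at.year, offset)
    # The header has no year: a December line arriving in January would look a
    # year in the future, so fall back to the previous year in that case.
    if device_utc - received_at > timedelta(days=1):
        device_utc = _device_time_utc(m.group("ts"), received_at.year - 1, offset)
    skew = (received_at - device_utc).total_seconds()
    return {
        "received_at": received_at.isoformat(),
        "device_time_utc": device_utc.isoformat(),
        "clock_skew_seconds": skew,
        "clock_suspect": abs(skew) > SKEW_THRESHOLD_SECONDS,
        "source_ip": source_ip,
        "hostname": m.group("host"),
        "facility": facility,
        "severity": severity,
        "message": m.group("msg"),
    }


def ingest(lines, received_at):
    """Parse (source_ip, raw_line) pairs that all arrived at received_at."""
    records = []
    for source_ip, raw in lines:
        rec = parse_rfc3164(raw, source_ip, received_at)
        if rec is not None:
            records.append(rec)
    return records


def serve(bind="0.0.0.0", port=514, out_path="netlog.jsonl"):
    """Receive UDP syslog and append one JSON object per line to out_path.

    Writing and flushing immediately is the point: once the line is on the
    collector's disk, a reboot of the switch can no longer take it with it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(out_path, "a") as out:
        while True:
            data, (source_ip, _) = sock.recvfrom(8192)
            line = data.decode("utf-8", "replace").rstrip("\r\n")
            rec = parse_rfc3164(line, source_ip, datetime.now(timezone.utc))
            if rec is not None:
                out.write(json.dumps(rec) + "\n")
                out.flush()


# Constructed sample input: three devices reporting at the same instant.
SAMPLE_RECEIVED_AT = datetime(2018, 11, 9, 9, 0, 30, tzinfo=timezone.utc)
SAMPLE_LINES = [
    ("10.0.0.2", "<30>Nov  9 10:00:00 sw-core link state changed on port 12: up"),  # UTC+1 clock, known
    ("10.0.0.5", "<134>Nov  9 10:00:00 sw-floor2 STP topology change"),              # claims UTC, one hour off
    ("10.0.0.7", "this is not a syslog line"),
]
# Constructed sample for the year rollover: a New Year's Eve line arriving after midnight.
SAMPLE_ROLLOVER = ("<13>Dec 31 23:59:50 r1 msg", "10.0.0.9",
                   datetime(2019, 1, 1, 0, 0, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for rec in ingest(SAMPLE_LINES, SAMPLE_RECEIVED_AT):
        print(json.dumps(rec))
```

In practice you would point every device’s syslog target at the collector (UDP 514 here; use TLS syslog where the device supports it, since plain UDP can be spoofed) and query the resulting JSON lines for `clock_suspect` to find the devices whose SNTP or DST settings need fixing.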
Configuration
This is hell. It is laborious not only to put everything together in the first place (when there are multiple switch models in one network) but also to modify the configuration afterwards.
It happens that a feature has the same name at two manufacturers but does not behave the same way (e.g. storm control), or that two features are named differently although they are identical. Then come the STP settings, where some switches can only do RSTP while others switch to MSTP. Deploying 802.1X or dynamic ARP inspection consistently is another challenge.
If you need more VLANs in a network, you have to connect to the router and add an interface for each one (the most common setup is “router-on-a-stick”). Then you have to connect to every switch, create the VLAN, configure port membership and adjust other parameters (e.g. DHCP snooping and STP). Finally, document everything. It takes time, and if you are not careful, it is easy to make a mistake.
In addition, each element has a different interface. So even when you know what you want to set up, you have to search for a while, and possibly google whether the checkbox really does what you expect it to do.
Debugging
Each device has different debugging commands and slightly different behaviour, which makes debugging “fun”. Not all of us can do it and, moreover, it is often not billable to the customer.
Documentation
Another of my favourite topics. If there is one thing colleagues dislike besides logging their work (which is absolutely necessary), it is documentation. Basically, nothing is more out of date than yesterday’s documentation. Our customers’ environments are alive: a device is added, something gets connected, a pair of ports is reconfigured. As a result, the documentation no longer matches the current configuration. That is why I keep looking for some form of “dynamic” documentation, generated from the current state itself.
Likewise, whenever someone changes a configuration, they have to store it in our repository. This serves as an archive and as the basis for replacing an element that fails. Fortunately, colleagues usually follow through, but it still takes work.
How the new technologies resolve it
Ubiquiti UniFi and Fortinet Security Fabric have charmed me because they solve the issues above. For clarity, I have put together a table comparing the features (see the picture below) and added a few comments in words:
- Central Management: All Ubiquiti UniFi elements of all customers can be managed through one central UniFi Controller (and each customer can access their own site). Fortinet Security Fabric manages all of a customer’s elements through that customer’s FortiGate (or centrally through FortiCloud or FortiManager, but that costs extra). A single controller for all customers is also a single high-value target: whoever controls it controls every customer network, so it belongs in the most protected tier (see the tier model article mentioned above).
- Configuration Backups: Both solutions do them automatically, which saves time and means nobody can forget. 🙂
- Documentation: Both solutions draw dynamic network maps. In one click you can see how the individual elements are connected (network map) and where endpoints are connected (no more searching for the port a PC is plugged into).
- Updates: With UniFi we can update all elements through the central UniFi Controller, including scheduled updates (e.g. plan to update everything on Sunday morning when nobody at the customer is working). With Fortinet it seems that everything has to be done through the FortiGate of each customer (I think they plan to add this to FortiCloud and FortiManager in the future). For a visual example, I recommend “Ubiquiti all the things: how I finally fixed my dodgy wifi” and the presentation “Fortinet Security Fabric Deep Dive Demo” from Tech Field Day.
- Configuration: Two interfaces are easier to learn than dozens. Both interfaces cover the configuration of all elements (routers, switches and Wifi APs), so there is no need to connect to each element separately, and adding a VLAN to the entire network is a matter of a few clicks.
- Debugging: As with configuration, there are fewer commands to learn. In addition, single-manufacturer devices work together better. When a manufacturer refreshes a line of devices, the hardware changes but the management interface and functionality stay the same.
- Logging: Everything is unified and all devices log to one central location that understands and evaluates the logs. At the same time, there are no problems with clock inaccuracy. 🙂
- UniFi: Logs to the UniFi Controller. You can set how granular the data is and how much history is kept. It draws very nice graphs (e.g. Wifi band utilisation and interference, CPU, data volume per port over time) and reports (which devices connected and when, data volume by application and website).
- Fortinet: Logs to our FortiAnalyzer (or FortiCloud), where all data is centrally stored and archived for one year (or longer, depending on the settings). Unfortunately, FortiAnalyzer does not draw graphs like the UniFi Controller (e.g. data flow to the Internet over a timeframe), but it lets us dig into network traffic logs in much more detail (down to individual connections) and report on them.
- Switches: Both technologies provide all the functions we use. Ubiquiti switches are not yet capable of DAI (dynamic ARP inspection), but neither are the price-comparable HPE 1920 switches we use now.
- Routers: FortiGate can do more than the UniFi USG, but it is also more expensive and requires an annual subscription. Otherwise, the functionality of both routers suits us.
- Wifi: I have nothing to criticise either manufacturer for at the moment. FortiAP can do a bit more (at several times the price): it can detect a number of Wifi attacks and defend against rogue APs (by sending deauthentication frames to their clients). Note that actively deauthenticating clients of an AP you do not own can be illegal in some jurisdictions, so restrict suppression to rogue APs on your own network.
Network Technology Overview – Ubiquiti UniFi and Fortinet Security Fabric
There are plenty of little features that both Ubiquiti UniFi and Fortinet Security Fabric are proud of; I could make this article at least twice as long. I will see in time what works best and may then write a “one year later” article. If you like the technology, or have run into the same difficulties we have been dealing with, I strongly recommend testing both.
The Ubiquiti UniFi price is almost identical to the hardware we sold previously. Perhaps small 8-port switches will be more expensive (US-8-60W for 2,450 CZK) than an unmanaged no-name switch for a few hundred. On the other hand, human labour is getting more expensive (it will not get cheaper), and if the switch saves a few hours of work over its lifetime, all things considered it is cheaper anyway. 🙂
Fortinet Security Fabric is more expensive and not cost-effective for everyone. However, it is functionally more advanced and suitable even for large companies. Ubiquiti UniFi is more of a home and small-business product (e.g. up to 50 PCs).
I wonder how the technology will work in practice and whether things will be as I imagine. We should “rebuild” one customer onto Fortinet Security Fabric and another onto Ubiquiti UniFi by the end of the year. We will see.
What do you think? Do you already run Ubiquiti UniFi or Fortinet Security Fabric? Please share your experience in the comments below the article. Or, if we meet somewhere, we can discuss it in person. 🙂
Update 9. 11. 2018:
- Martin M. reminded me on FB that the USG also supports OpenVPN. In the GUI, OpenVPN is available for site-to-site tunnels. However, it seems that OpenVPN can also be put into VPN server mode (via the CLI): https://medium.com/server-guides/how-to-setup-an-openvpn-server-on-a-unifi-usg-e33ea2f6725d
- Daniel P. showed me that you can also do packet capture via SSH and tcpdump on UniFi. Since you can open an SSH session to the devices through the UniFi Controller (Device – Tools – Debug Terminal), it is quite convenient (probably up until you need to download the PCAP file).
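As an added example (not from the post, and not Ubiquiti’s code), the following Python helper runs tcpdump on the device over SSH and streams the capture straight into a local pcap file, so nothing has to be stored on the device’s flash or downloaded afterwards. It assumes the device accepts SSH key authentication for the given user and that its tcpdump understands the standard `-w -` and `-U` options; the host name, user, interface and filter in the usage line are placeholders. The BPF filter is passed token by token through shlex.quote so that a filter string taken from a ticket or a web form cannot smuggle shell commands onto the device.

```python
"""Added example: stream a tcpdump capture from a UniFi device over SSH into a
local pcap file.  Not code from the original post or from Ubiquiti."""
import re
import shlex
import subprocess

# Linux interface names: at most 15 characters, no shell metacharacters.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def build_capture_command(iface, bpf_filter="", packet_count=0, snaplen=0):
    """Return the tcpdump argv to run on the device.

    -w -   write pcap to stdout (we read it through the SSH session)
    -U     flush after every packet so the local file is usable while running
    -s 0   full packets; -n avoids reverse DNS lookups from the device
    """
    if not IFACE_RE.fullmatch(iface):
        raise ValueError(f"refusing suspicious interface name: {iface!r}")
    argv = ["tcpdump", "-n", "-i", iface, "-s", str(int(snaplen)), "-U", "-w", "-"]
    if packet_count:
        argv += ["-c", str(int(packet_count))]
    # tcpdump joins all trailing arguments into one BPF expression, so passing
    # the filter as separate tokens is safe and lets each token be shell-quoted.
    argv += bpf_filter.split()
    return argv


def remote_command_string(argv):
    """Quote argv for the device's shell so no token can inject a command."""
    return " ".join(shlex.quote(arg) for arg in argv)


def capture_to_file(host, iface, out_path, bpf_filter="", packet_count=0, ssh_user="admin"):
    """Run the capture and stream the pcap into out_path; returns ssh's exit code.

    Assumes key-based SSH auth for ssh_user (BatchMode=yes never prompts), so the
    call is safe to run unattended, e.g. from a scheduled job.
    """
    remote = remote_command_string(build_capture_command(iface, bpf_filter, packet_count))
    with open(out_path, "wb") as out:
        proc = subprocess.run(
            ["ssh", "-o", "BatchMode=yes", f"{ssh_user}@{host}", remote],
            stdout=out,
            check=False,
        )
    return proc.returncode


if __name__ == "__main__":
    # Placeholders: the host, interface and filter are assumptions for the example.
    rc = capture_to_file("usg.example.net", "eth1", "dns.pcap", "port 53", packet_count=500)
    print("ssh exited with", rc)
```

Because `-U` flushes every packet, `dns.pcap` can be opened in Wireshark while the capture is still running; stopping it is a matter of interrupting the ssh process (or letting `-c` end it).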