Sunday, July 6, 2014

Understanding the Fortinet life cycle: hardware & software

All items within a network typically have a life cycle. Just as a human goes from "cradle" to "grave", we have a life-cycle process too.

But ours is not planned out or determined by any process, nor does it come with advance notices & dates. Then again, we might do things that speed up and terminate our life cycle :)

Within Fortinet, support can be looked at in one of two ways: hardware & software.

With regards to the support contracts, Fortinet is obligated to maintain the systems during the lifetime of the support cycle. So if my little FWF30B should die before it reaches the End of Support, and I have a valid support contract, Fortinet is on the hook for replacing it or doing what's required to make it correct.

One good thing about the Fortinet products: they seem to last & hold up quite well, imho. My older gear has done great over the course of 6-7+ years now. The only bad thing with the older gear is that you don't get the chance to take advantage of new features that are available in the new code releases.

Fortinet almost always adds new features & technologies, but restricts these improvements to the software releases, and these usually don't include support for the older hardware due to the model's hardware type, ASIC type, CPU, memory, disk storage, etc.

Here are a few terms you should get comfortable with regarding the life-cycle process.

The last order date means exactly that. This is the very last date that a Fortinet partner will accept orders for a particular model. After this date, you will need to order the replacement model. Your Fortinet sales team or security consultant can guide you to what's best for you and your environment.

For example, here's the FortiGate 30B model. This is a low-end SOHO device that was designed around home users who might need a smaller and cheaper security appliance, or the home telecommuter who has more than one device at his/her home and needs security services & connectivity back to the main HQ, but doesn't want to use FortiClient for VPN access.

The last possible order date (LoD) for this model is just around the corner from this blog post's date (07/09/2014).

The last possible date for extending your maintenance contract is 4 years later (07/09/2018).

And finally, the end of support (EoS) is set at (07/09/2019).

Technically and legally, at the conclusion of the EoS date the hardware is deemed obsolete & Fortinet will not honor any maintenance actions against this product. If you try to contact TAC with regards to a problem (software or hardware), they will politely turn you down.

As a security/network consultant, I'm faced with the cheaper, low-budget organizations that come to me for support. When I find their device is out of warranty, has no contract & is EoL, I can only shrug my shoulders and say "there's nothing I can do for you".

Also, Fortinet will not allow a support contract to be sold or registered after the last maintenance date for contract extensions. So even if the security appliance is not at EoL but is past the last possible support contract sales date, there's nothing that can be done from a support stance.

btw: Juniper, Checkpoint, Cisco, and others all work in this exact same fashion.

For software we have another issue to contend with. Almost all software has "GA" (general availability) release versions & guess what? They have a life cycle also.

What this means: Fortinet will continue to support and build minor revisions or builds against the parent code for 36 months. This typically boils down to bug fixes, corrections for items that didn't work, and any major security fixes. From my experience, they almost never add new features within that software train.

So the 4.0 GA release will have an MR (Maintenance Release), and 36 months later they will end software support for that maintenance release train. The same goes for 4.0 MR2, 5.0 MR1, and so on.

This way they can build faith in the end user & ensure that they will not abandon the customer, by keeping continual support with regards to software improvements & fixes.
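As an added example (not code from the original post or from Fortinet), the script below turns the hardware milestones and the 36-month software window described above into an inventory check that flags units no longer covered. The 30B dates are the ones quoted in the post, read as MM/DD/YYYY; the inventory, contract dates and GA dates are constructed, and counting the 36 months from the train's GA date is an assumption.

```python
from datetime import date

# FortiGate 30B milestones quoted in the post, read as MM/DD/YYYY (assumption).
FG30B = {"last_order": date(2014, 7, 9),
         "last_renewal": date(2018, 7, 9),
         "end_of_support": date(2019, 7, 9)}

def hardware_status(model, contract_end, today):
    """Classify one unit; contract_end is None when no contract is registered."""
    if today > model["end_of_support"]:
        phase = "obsolete"            # vendor honors no maintenance actions
    elif today > model["last_renewal"]:
        phase = "no_new_contracts"    # not EoS yet, but contracts can't be sold
    elif today > model["last_order"]:
        phase = "renewable"           # unit can't be ordered, contracts can
    else:
        phase = "orderable"
    covered = contract_end is not None and contract_end >= today
    return {"phase": phase,
            "supported": covered and phase != "obsolete",
            "can_buy_contract": phase in ("orderable", "renewable")}

def software_support_end(ga_date):
    """End of the 36-month window, counted from the GA date (assumption)."""
    try:
        return ga_date.replace(year=ga_date.year + 3)
    except ValueError:                # GA on Feb 29: fall back to Feb 28
        return ga_date.replace(year=ga_date.year + 3, day=28)

def audit(inventory, today):
    """Return the names of units that need action (replace or re-contract)."""
    flagged = []
    for unit in inventory:
        hw = hardware_status(unit["model"], unit["contract_end"], today)
        sw_ok = today <= software_support_end(unit["train_ga"])
        if not (hw["supported"] and sw_ok):
            flagged.append(unit["name"])
    return flagged

# Constructed inventory: names, contract dates and GA dates are made up.
INVENTORY = [
    {"name": "branch-fw1", "model": FG30B, "contract_end": date(2019, 3, 1),
     "train_ga": date(2017, 1, 15)},
    {"name": "branch-fw2", "model": FG30B, "contract_end": None,
     "train_ga": date(2017, 1, 15)},
    {"name": "lab-fw", "model": FG30B, "contract_end": date(2019, 3, 1),
     "train_ga": date(2015, 6, 1)},
]

if __name__ == "__main__":
    print(audit(INVENTORY, date(2018, 8, 1)))
```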

Now why do you need to know this?

From an IT-dept role, you should ask about and review the EoS date to ensure the product you're buying is not going to be obsolete in the near future, for both software and hardware.


It would not make any sense to buy a 30B model security appliance.

By selecting a FortiGate 30D model you would have a longer time before EoS.

Keep in mind the following:

  •  not all partners/resellers are honest
  •  some will try to sell you what they have in stock at that time
  •  a few seller websites will not disclose that the product is coming up on its LoD, or even discuss the life-cycle concerns for the model of security appliance that you are thinking of buying

NOTE: I don't want to bad-mouth any single partner or reseller, but you should always inquire about the life cycle of the product before committing to purchasing any gear. I've seen some fishy action going on with a few of these folks that are "listed as authorized resellers of brand xyz".

IMHO, you should always protect your interests and deal with a reputable partner. You should always consult with a security consultant (at minimum) or partner before buying any security appliance.

An IT director should budget for gear change-out for new features and for taking advantage of new technologies over the course of <3-4 years of the life cycle of the product.

For example, maybe you're in the healthcare sector, and you know DLP is required for compliance regulations. Your aging Cisco PIX is not reliable any more, is stuck at Fast Ethernet speeds, and lacks any advanced UTM features. You might want to buy a single device that can offer DLP and other UTM features.

So by leveraging a single device, you can use a FortiGate security appliance that offers DLP and, at the same time, make a big improvement in your firewall security.

With proper IT-dept design & budgeting, we should include some type of refresh and renewal of your hardware every 4-5 years. This will ensure that you are up to date with regards to security threats and compliance.

With Fortinet, you can ask for trade-in considerations and/or find out if any trade-in or trade-up programs are in place. The partner will quickly explain what they offer, along with any rebate they can offer at that time. To learn more about this program follow this link;

The trade-up program is a way for Fortinet to enhance customer loyalty and to give you some type of price break for being a Fortinet end user. It never hurts to ask.

NOTE: For a good & reputable partner, please look at maxis360

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- Socpuppets ---dot---com

   ^    ^
=( $ $ )=
     /  \
