At work we standardized on Fortigate firewalls a while back because they are feature packed, easy to use, and reliable units at a very affordable price. Compared to Juniper and Cisco, it was night and day.
Recently, we purchased some new Fortigate 80C units for our internal firewall replacement and I decided it was time to dive into FortiOS 5.0 since these were fresh installs. As I was mapping out the virtual IPs to our back end servers, I ran into a strange issue. The unit was telling me it had hit its virtual IP limit at 50. In previous OS versions, that limit was 500. Yes, you read that right: by upgrading to the new version of the OS, you get a ten-fold decrease in the number of virtual IPs you can map!
I couldn’t believe that was true – it must have been a soft limit and I was missing something. So I called support. They didn’t think it was true either, but they could see in the documents that it did, indeed, decrease from 500 to 50 for the latest version. They suspected it might be a bug. So I had them escalate it to a senior engineer. Here is their official response.
Unfortunately, 50 VIPs is the maximum limit for the size of unit that you have. Due to the change in OS and the features that are now provided in the device, the limits have been set so that the device is not overloaded and eventually causing it to go into conserve mode. This has been confirmed by a senior engineer and unfortunately there are no workarounds to this issue.
– Fortinet TAC Americas
What a load of BS! A handful of new features necessitated reducing the maximum VIP count by an order of magnitude even if you aren’t using the new features? Shenanigans!
The truth is that they are trying to force users to upgrade to their higher end (read: more expensive) models since they market the 80C more as a branch office type of unit, even though, spec-wise, it is more than capable of being a front end firewall for internet servers. I don’t blame the engineers. They made a fine product. The problem is that some suit up the chain ran some actuaries and saw that people were buying the 80C instead of units that cost two to three times as much from Juniper and Cisco and they want a slice of that delicious pie. I think it might backfire, though.
This sort of corporate behavior pisses me off so much that unless this is changed in the future, I can’t ever recommend Fortigate again. Who knows when or if they’ll change other limits arbitrarily some day and you get screwed by an OS upgrade?
I didn’t ask, but I wonder what happens if somebody already had, say, 150 VIPs configured and they perform an upgrade? Does it just truncate the last 100 and call it a day?
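A pre-upgrade check I'd want before finding out the hard way, added here as an example rather than anything from the post or from Fortinet: count the entries in the `config firewall vip` table of a config backup and compare them against the 50-VIP figure TAC quoted. The config excerpt is constructed, and nested blocks such as `config realservers` under a load-balance VIP are skipped so their numeric `edit` entries are not miscounted as VIPs.

```python
# Constructed excerpt of a FortiGate config backup (CLI "show firewall vip" layout).
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-https"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
    edit "web-http-lb"
        set type server-load-balance
        set extip 203.0.113.11
        config realservers
            edit 1
                set ip 10.0.0.11
            next
        end
    next
    edit "mail-smtp"
        set extip 203.0.113.12
        set mappedip "10.0.0.20"
    next
end
"""

def count_vips(config_text):
    """Return the names of the top-level entries in 'config firewall vip'.
    Nested 'config ... end' blocks are tracked by depth and ignored."""
    names = []
    in_vip, depth = False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_vip:
            if line == "config firewall vip":
                in_vip = True
            continue
        if line.startswith("config "):
            depth += 1                      # entering a nested table
        elif line == "end":
            if depth == 0:
                break                       # closing 'end' of the vip table
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            names.append(line[5:].strip().strip('"'))
    return names

def check_vip_limit(config_text, limit):
    """Return (count, over_by): VIPs present and how many exceed the limit."""
    n = len(count_vips(config_text))
    return n, max(0, n - limit)
```

Run it against a backup taken from the 4.0 MR3 box with `limit=50` and a non-zero `over_by` tells you the upgrade would land you past the cap before anything is truncated.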
Meanwhile, I downgraded to FortiOS 4.0 MR3 and this should work just fine for our planned lifetime for this equipment. Maybe SonicWall is in my future…