Dear Fortigate gurus,

I have a client that is running a Fortigate 100F firewall. They have been paying an MSP for the last three years to manage it. This company created the config and all the firewall rules, etc. Their contract runs out in the near future, but the renewal is outrageously priced: more than double the monthly fee plus other costs.
The config does not seem overly complicated. I’m more of a basic Cisco guy and certainly not an expert.
Is it possible to purchase a Fortigate appliance + enterprise subscription on our own, export the config from the 100F and import it to a new one without much trouble? We’re looking at the 70G.
Suggestions???

8 Spice ups

Yes, backups and config captures are simple, so is restoring…however, get the 100F if you’re not starting from scratch. Buying a 70G and expecting to load a backup or even just the config from a 100F will leave you with major problems…also, the 100F is a solid firewall.

6 Spice ups

Who owns the 100F? If the client owns it, have them tell the MSP to give them (you) an admin account and take over, the config is already there. Is the MSP holding the admin accounts hostage?

6 Spice ups

If OP is price sensitive, that will be a little shock though, the 100F is 4x the price of the 70G…

Maybe do a load evaluation here, though; the 70 is targeted at small business, and I am guessing the MSP picked a bigger one for a reason…

PS: to OP, you know there is a subscription included with the monthly cost, right? That is how the thing gets its updated threat data…

4 Spice ups

There are many questions:

  1. Your client vs. yourself?
    What is the relationship?

  2. How old is the hardware? Then what do the MSP “fees” cover?
    To be fair, you need to also see the SLA of the hardware as well. Is the product near EOS, EOL or already past these dates? I do not think the “fees” are to maintain the “firewall rules and config”?
    For example, the first 3 years of support may cost $100 per year. Then the 4th & 5th year may cost $150 per year, but the 6th & 7th may cost $500 per year while the 8th & 9th year might cost $1500 per year.

  3. What is your proficiency?
    For example, we have certain appliances that we bought in a pair for “criss cross & live failover” redundancy. We signed a 7 year NBD contract with the vendor (they did a 3yr + 2yr subscription with the principal for updates; they said they will add on as time approaches).

After the purchase, the vendor asked if we would like to upgrade the support to 9 yrs (add on 2 more years), as then they would purchase a 3rd unit as a cold spare, so the “downtime”, if any, could be as short as 2 hrs, as all they would need to do is plug in the spare and restore the config from backup. We went with 9 yrs.

So what I meant by “proficiency”: 2 yrs back (about 18 months after purchase), there was a major firmware update, which required several updates to be done first…but we had to update Appliance-A then Appliance-B then A…then B…then A…then B to get the “pair” in sync (due to some redundancy mode features). Then they updated the cold spare. Then they took a new backup data set of Appliance-A & Appliance-B. During a weekend, they tested the cold set with both appliances’ configs one at a time.

Sadly, most people who do not know the steps would have screwed up…

  1. They may not know the prerequisites of certain updates (firmware updates, system updates, engine updates)
  2. They may not know that the old config backup data could not work with newer updates
  3. They may not have tested cold spares or replacement units with the current updates

6 Spice ups

The MSP owns the current Fortigate. When the contract expires, the client must return it.
No, we have the admin account and we are able to log in, make changes, etc.

6 Spice ups

What other services does the MSP provide? If the only thing they do is provide and maintain the firewall, then they’re probably trying to drop them as a client. They’re not actually interested in keeping them on at the not-profitable current rate, and that’s why the drastic increase - to get your client to terminate the relationship - leaving things on good terms and open to them maybe coming back (at a higher/more profitable rate) at some future point.

Migrating the config to the new Fortigate should be straightforward once you contact support. They have a service to assist with that: Get Free License for FortiGate Conversion | FortiConverter Service 25.1.0 | Fortinet Document Library

Free for Fortigate to Fortigate (when differing models - you don’t need the tool if models are the same). Paid if you are migrating from third-party to Fortigate.

5 Spice ups
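Both the warning above about loading a 100F backup on a 70G and the FortiConverter suggestion come down to knowing what unit a backup was taken from. As an added example that is not from this thread or from Fortinet, a small Python preflight that reads the `#config-version` header FortiOS writes on the first line of a backup and flags model, firmware and VDOM-mode mismatches before anyone attempts a restore; the model tokens (FG100F, FGT70G) and the sample backup are constructed, not taken from a real unit.

```python
# Added example: pre-restore check for a FortiGate config backup. Parses the
# '#config-version=' header FortiOS writes on the first line, compares model and
# firmware with the target unit, and lists interfaces the config references.
# Model tokens (FG100F, FGT70G) and the sample backup below are constructed.
import re

HEADER_RE = re.compile(
    r"^#config-version=(?P<model>[A-Z0-9]+)-(?P<version>\d+\.\d+\.\d+)-FW-build"
    r"(?P<build>\d+)-(?P<date>\d{6}):opmode=(?P<opmode>\d):vdom=(?P<vdom>\d)"
)
SAMPLE_BACKUP = """#config-version=FG100F-7.0.12-FW-build0523-230906:opmode=0:vdom=0:user=admin
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
    next
    edit "wan1"
    next
end
"""

def parse_header(config_text):
    """Return model/version/build/date/opmode/vdom parsed from the first line."""
    first = config_text.splitlines()[0] if config_text else ""
    m = HEADER_RE.match(first)
    if not m:
        raise ValueError("not a FortiGate backup: missing #config-version header")
    return m.groupdict()

def interface_names(config_text):
    """Collect 'edit <name>' entries inside the 'config system interface' block."""
    names, inside = [], False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config system interface":
            inside = True
        elif inside and s == "end":
            break
        elif inside and s.startswith("edit "):
            names.append(s[5:].strip('"'))
    return names

def preflight(config_text, target_model, target_version):
    """Return warnings; an empty list means model, firmware and VDOM mode match."""
    hdr, warnings = parse_header(config_text), []
    if hdr["model"] != target_model:
        warnings.append(f"model mismatch: backup {hdr['model']} vs target {target_model}; use FortiConverter, not a direct restore")
    if hdr["version"] != target_version:
        warnings.append(f"firmware mismatch: backup {hdr['version']} vs target {target_version}")
    if hdr["vdom"] == "1":
        warnings.append("backup has multi-VDOM enabled; enable it on the target first")
    return warnings
```

The interface list is the second thing to review by hand: any port name from the larger unit that the new model does not have must be remapped before the config will load cleanly.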

Get them a SonicWALL.

3 Spice ups

With the 70G you also have to look at the number of users, how much traffic there is and what the internet connection is. For the 70G look at the FG-70G-BDL-809-60 as it is the best value and gives you 5 years of Enterprise Support. It can be renewed after that in 1, 3 and 5 year increments up until it reaches end of life.

2 Spice ups

Maybe (as was hinted at above) ask the MSP why they chose the 100F in the first place, as there might be a user/network limitation OP isn’t fully aware of?

1 Spice up

This is excellent information. Thank you! Yes, I believe the 100F is overkill. My client has fewer than 30 users. They have a couple of on-premise Windows Servers. 25 users need VPN to access a Remote Desktop Server from outside of the office. Would love to hear recommendations as to what model you think would work. I don’t want to skimp on performance. I’ve contacted Fortinet sales twice this week and haven’t heard anything back.

1 Spice up

Google the new appliance, see what the VPN limitation is, to be safe. Try and contact your VAR instead of direct.

1 Spice up

But again, what is your relationship with your client, as they might have given different requirements to their vendors?
Many of my IT managers would give vendors a “Xmas wishlist” but then give simpler requirements when they submit budget requests.