Firewall – Need help to identify UTM/Firewall for SME network

firewall, fortigate

I am planning to procure a UTM/Firewall device for our office network of 50 nodes (which can be increased up to 75). I want a comprehensive solution for optimum ISP bandwidth utilization, corporate content protection and traffic security. Breaking the requirement up into features, we can consider ISP failover, bandwidth shaping, bandwidth optimization, browsing control, intrusion prevention, data leakage prevention, etc. Moreover, there will be 10-20 VPN users and one site-to-site VPN.
But my main focus is on local network security, browsing control and performance. Over VPN, the work criticality won't be much.

In search of a suitable device, I am evaluating the tech specs of some Fortigate models, but I am a bit confused comparing the features of the different models. If some of my questions can be clarified here, then I can proceed further in my evaluation.

A) What is the difference in performance between SoC-based models and CPU-based models, considering the primary requirement as browsing control, traffic security, etc. and the secondary purpose as VPN gateway?
What I understood is that the 60D/70D/90D are all SoC-based models and the 80D/92D/100D are all CPU-based models.

B) Is there any significant necessity for internal storage other than log storing capacity?
As I found, the 60D and 70D do not have any internal storage, but the 90D, 92D and 100D have internal storage. The 70D and 90D have the same features except for the availability of internal storage.

C) Is it a practical thought to make this UTM/Firewall device work as a VLAN router as well?

Best Answer

A) SoC-based models are able to offload processing to the silicon; CPU-based models are not as optimized and may implement certain functions in software and not in hardware.

For more information click

B) Depending on the model, internal storage may be used for logging, WAN optimization and caching purposes.

C) It depends... If you need segmentation between your VLANs it might be a consideration, but keep in mind that a firewall has certain throughput limitations that you should think of. Your setup is rather small, so I think you have about 3 segments (DMZ, Clients, Server)... If that is the case and you are using file servers etc., you may not want to route the Client and Server VLANs on the firewall but only the DMZ, for separation between your trusted and untrusted zones...

If you need any more information let me know.
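As an added illustration of the layout suggested in answer C (not part of the original answer, and not vendor documentation), the FortiOS CLI fragment below puts only the Client and DMZ segments on the firewall as 802.1Q sub-interfaces, leaves the Server VLAN to be routed on the core switch, and allows a single explicitly logged HTTPS path from clients into the DMZ. The interface name "internal", the VLAN IDs, the address ranges and the object names are assumptions chosen for the example; everything not matched by the one accept policy is dropped by the FortiGate's implicit deny.

```fortios
# Added example config, not from the original page. Names, VLAN IDs and
# subnets are assumptions; adapt them to the real network before use.

config system interface
    # Client VLAN terminated on the firewall (trusted zone)
    edit "vlan10-clients"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    # DMZ VLAN terminated on the firewall (untrusted zone)
    edit "vlan30-dmz"
        set vdom "root"
        set interface "internal"
        set vlanid 30
        set ip 10.10.30.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
end

# Server VLAN (e.g. VLAN 20) is intentionally NOT defined here: per the
# answer, client-to-fileserver traffic is routed on the core switch so the
# firewall's throughput limit does not sit in the middle of SMB transfers.

config firewall address
    edit "clients-net"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "dmz-web"
        set subnet 10.10.30.10 255.255.255.255
    next
end

config firewall policy
    # The only permitted path from the trusted zone into the DMZ.
    # Everything else (DMZ -> clients, other ports) hits the implicit deny.
    edit 1
        set name "clients-to-dmz-https"
        set srcintf "vlan10-clients"
        set dstintf "vlan30-dmz"
        set srcaddr "clients-net"
        set dstaddr "dmz-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

With this layout the firewall only has to forward the comparatively small client-to-DMZ flow, while bulk east-west traffic between the Client and Server VLANs never crosses it; if the server segment later needs inspection too, it can be added as a third sub-interface and policy without changing the existing objects.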