Fortinet's cloud firewall ditches custom ASICs for Amazon's Graviton CPUs
You might say they've Arm-ed their security suite for battle
For years, Fortinet has leaned on its custom security and networking ASICs to compete against rival vendors like Juniper, Palo Alto Networks, and Cisco in the firewall space.
But when it comes to extending their security stack to the cloud, any advantage offered by its custom silicon starts to erode. Fortinet can’t exactly deploy its hardware in the cloud. Instead, it’s forced to — like most other vendors — run its firewall on general-purpose compute infrastructure, which has traditionally meant x86 CPUs from Intel or AMD.
Fortinet’s latest attempt to sell customers on its cloud firewalls involves repackaging its security stack as a software-as-a-service platform in AWS. Dubbed FortiGate CNF, the service features the standard assortment of security functionality you’d expect from a next-generation firewall, including URL, DNS and application filtering and intrusion prevention/detection to name a few.
However, unlike most virtualized or containerized firewalls, Fortinet’s kit is designed to take advantage of Amazon Web Services’ (AWS) own custom silicon in the form of its Graviton CPUs.
AWS began offering Arm-based VMs with the launch of Graviton in 2018. Rather than trying to out-perform x86 CPUs from Intel or AMD, the Graviton sought to achieve better value. Amazon claims its third-gen Graviton CPUs offer 40 percent better price-to-performance than “comparable fifth-generation x86-based instances.”
In a similar vein, Fortinet went out of its way to avoid the topic of performance in its announcement. It’s an uncharacteristic move for a company that rarely misses an opportunity to call out the performance gap between its appliances and those of its competitors. Instead, the vendor highlighted the consistent management experience and touted the lower operating costs associated with running its software stack on Amazon’s Arm-based CPUs.
Lower operating costs have been a hallmark of Arm CPUs, as cloud providers attempt to attract customers to the architecture. When Oracle introduced its Ampere Altra-based instances it did so at $0.01 per core per hour.
Whether Fortinet somehow managed to achieve consistent performance across on-prem and cloud deployments by going the cloud native route or opting for Amazon’s Arm cores remains unclear. Pressed on any performance delta between its on-prem and cloud capabilities, Fortinet provided the following vague statement. “We’re running FortiGate-VMs that deliver very-high firewall throughput performance.”
Each customer is assigned its own VM that’s autoscaled as demand changes, Fortinet tells The Register. And a peek at AWS Graviton instances offers some clues as to what the upper limits of Fortinet’s new cloud firewalls may be. Amazon’s largest Graviton instance — the 64-core, 128GB c7g.16xlarge — maxes out at 30Gbps of network bandwidth.
That would put the maximum threat inspection on par with the FortiGate 3000F — a high-throughput firewall appliance aimed at hyperscale environments — but that’s assuming that the CPU can actually keep up. And even if it could, it wouldn’t be cheap. At $2.7/hour plus $0.031 per gigabyte inspected, 30Gbps worth of data flows would run a customer somewhere in the neighborhood of $420 an hour.
With that said, there’s still some merit to maintaining a consistent security stack across on-prem and cloud infrastructure.
While all the major cloud providers offer some kind of firewalling functionality in house, employing them usually requires maintaining two separate security policies. Microsoft’s security wing this summer attributed 80 percent of ransomware attacks back to configuration errors.
Extending an enterprise’s existing security stack to the cloud to minimize this potential has been a major selling point behind any number of virtualized or containerized firewalls, including those from Juniper, Palo Alto Networks, and in this case Fortinet. ®