2. 2
CONTENT
• System Administration
• Routing & Network Services
• User Identity
• Device Identity
• End Point Control
• Firewall
• VPN
• IPS
• Application Control
• Antivirus
• Email Filter
• Web Filter
• DLP
• Vulnerability Scanning
• Wireless Controller
• Traffic Shaping & QoS
• Server Load Balancing
• SSL Offloading and Inspection
• WAN Optimization
• Virtual Systems
• High Availability
• Log & Report
• IPv6
• Others
3. 3
FortiOS 5.2 Feature Set
• Management: Configuration, Visibility, Log & Report, Diagnostics
• Integrations: ATP, OSS Support, AAA, Central Mgmt.
• Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL Inspection
• Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
• Virtual Systems: Virtual Domains
• Network Functions: Routing, NAT/CGN, WAN Link / Server LB, WAN Optimization, L2/Switching, IPv6, QoS, High Availability
• Operating Modes: NAT/Route, Transparent, Sniffer
• Network Interface: LAN, WiFi, WAN
• Platform: Physical Appliance (+ASICs), Hypervisor, Cloud Platform
* Features may vary by model
6. 6
System Administration
Dashboard & Widgets
• Quick look into system, threat and network status
• Customizable
• Built-in CLI access
(Figure: Dashboard with Widgets)
7. 7
System Administration
FortiView
Powerful on-demand query tool that provides contextual results with drill-down capabilities.
• Assists in network troubleshooting; provides insights into optimizing networks & productivity. Example question: "Why is a particular group of users having trouble using the cloud-based ERP system?"
• Acquires proactive security knowledge; supports proactive security management. Example question: "Is there an abnormality that needs further investigation?"
• Identifies network and threat status; resolves threats and networking problems quickly. Example question: "Are my users abusing the network, and how so?"
8. 8
FortiView (System Administration)
• Sort rows to display top sessions
• Set up query using easy-to-use auto-complete filters
• Examine real-time or historical data
• Select row for drill down
9. 9
FortiView (System Administration)
• Summary of selected item
• Selection of scope
• Select row for drill down
• Drill-down panels present associated details based on different scopes
• Further drill down to filtered Session Viewer
10. 10
FortiView (System Administration)
Session Viewer (Real Time): excellent troubleshooting tool
• NAT'ed IP and port
• Applications and their usage
• Device & user info
• Concurrent sessions & new sessions per sec
• Geo IP info
• FortiGuard Encyclopedia integration
11. 11
FortiView (System Administration)
Session Viewer (Historical): presents a timeline-filtered session list with details using log entries
• Complete detail of selected session
• Set up filter by clicking on a cell
• Mouse over device details
• Move and configure field columns
12. 12
FortiView (System Administration)
Threat Weight
• Unique: normalized threat level value × hit count
• Scores can be sorted to reveal the most critical items to investigate
• More meaningful than other singular measurements
13. 13
FortiView (System Administration)
Feature availability by time window (With Local Storage: Now, 5 min, 1 hr, 24 hr*; Without Local Storage: Now, 5 min, 1 hr, 24 hr):
Viewer – Sources ✔ ✔ ✔ ✔ ✔
Viewer – Applications ✔ ✔ ✔ ✔ ✔
Viewer – Cloud Application ✔ ✔ ✔ ✔ ✔
Viewer – Destinations ✔ ✔ ✔ ✔ ✔
Viewer – Websites ✔ ✔ ✔ ✔
Viewer – Threats ✔ ✔ ✔
Viewer – All Sessions ✔ ✔ ✔ ✔ ✔
Viewer – System Events ✔ ✔ ✔
Viewer – Admin Logins ✔ ✔ ✔
Viewer – VPN ✔ ✔ ✔
Viewer – FortiSandbox ✔ ✔ ✔
Sniffer Mode Support (All Viewers) ✔ ✔ ✔
* Not available for desktop models with SSD
14. 14
System Administration
Monitors
• Real-time status indicators
• In-box, over 20 types
• Serve as administrative & diagnostic tools
• Also available on CLI and web service API (JSON)
SYSTEMS: DHCP Monitor, Link Monitor
ROUTER: Routing Monitor
FIREWALL: Policy Monitor, Load Balancing Monitor, Traffic Shaping Monitor
UTM: AV Monitor, Intrusion Monitor, Web Monitor, Email Monitor, Archive & Data Leak Monitor, Application Monitor, FortiGuard Quota
VPN: IPSEC Monitor, SSL-VPN Monitor
USER & DEVICE: Firewall Monitor, Banned User Monitor, FortiClient Monitor
WIFI CONTROLLER: Client Monitor, Rogue-AP Monitor, Wireless Health Monitor
LOG & REPORT: Logging Monitor
15. 15
System Administration
Network Management: SNMP Support
• SNMP v1, v2c & v3
• Traps
• MIBs: Fortinet proprietary MIBs; standard RFC 1213 & 2665 MIBs
16. 16
System Administration
Network Management: sFlow/NetFlow
• Monitors the traffic on the network to identify areas that may impact performance and throughput
• The agent is embedded in the FortiGate unit and sends the sampled traffic to an external 3rd-party collector/analyzer
• Available on CLI only
(Figure: 3rd-party sFlow analyzer - sFlow Trend)
17. 17
System Administration
Quick Setup: Feature Select
• Configure GUI elements according to desired deployment needs using presets
• Allow further customization by toggling the feature buttons
18. 18
Quick Setup (System Administration)
Features/Presets (columns: NGFW, ATP, WF, NGFW+ATP, UTM, Full UTM):
Security* – Advanced Threat Protection ✔ ✔ ✔ ✔
NGFW (IPS) ✔ ✔ ✔
NGFW (App Control) ✔ ✔ ✔ ✔
Web Filter ✔ ✔ ✔ ✔ ✔
Email Filter ✔
DLP ✔
Explicit Proxy ✔ ✔
Endpoint Control ✔ ✔ ✔ ✔
Basic – VPN, IPv6, WiFi Controller, WAN Opt, etc.: default settings depend on the FGT model
Minor – ICAP, VoIP, DNS DB, Multicast policy, etc.
* Default settings
19. 19
System Administration
Quick Setup: FortiExplorer
• Software application for Windows, Mac OS and iOS
• Uses USB connection
• Quick Setup Wizard, direct GUI & CLI access without network setup
20. 20
System Administration
FortiCloud
• Hosted security management and log retention service
• Default reporting option for desktop models
• Central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices
• Configuration backup
• Scripting
• Remote firmware upgrade
• Access to hosted Sandbox results
21. 21
System Administration
Diagnostic Tools: Sniffer packet capture on GUI
• Similar to CLI sniffer setup
» Supports filters
» IPv6 & non-IP packets
• Output as pcap file download
• Local storage required
22. 22
User Notification (System Administration)
Replacement Messages
• Supported on proxy and some flow-based UTM
• Customizable, can be assigned per VDOM
23. 23
System Administration
User Notification: Fortinet Top Bar
• Notify users in real time:
» Blocked applications
» Denied traffic
» Quota status
» FortiClient alerts
• Supported for IE, Firefox, Chrome, Safari
• Appears on HTTP websites as an embedded frame in the web browser
24. 24
Overview (Routing & Network Services)
Robust L3 and L2 capabilities to facilitate a vast variety of network design and setup requirements
Routing
• Link redundancy and load balancing
• Policy routing
• Dynamic routing protocol support: RIP, BGP, OSPF, IS-IS
• Multicast routing
Interface Features
• VLANs, 802.3ad port aggregation, STP, port span, redundant interface, loopback, software switch, security mode
• Sniff/one-arm mode
WAN Link
• USB modem
• FortiExtender
• Link load balancing
Network Services
• Free FortiGuard NTP, DDNS & DNS service
• Content routing – WCCP and ICAP support
• DHCP & DNS server
• LLDP
(Figure: Route Monitor)
25. 25
Interfaces (Routing & Network Services)
Interface Configurations
Supports various interface types*:
» Physical: Ethernet and wireless
» Virtual: VLANs, WiFi SSID, VDOM link
» Group: port aggregation group, redundant interface, H/W & S/W switches, Virtual WAN Link, zone
(Figure callouts: color-coded access methods; DHCP server info; graphic presentation of interfaces; a variety of interface types; interface members)
* May not be available to all models
26. 26
Interfaces (Routing & Network Services)
Interface/Switch Modes
• Switch ports are individual physical interfaces
• Switch ports can be created by grouping interfaces with "Virtual Hardware/Software Switch"
The main difference is that a "virtual hardware switch" uses the underlying switch chip/driver to handle all of the switching directly, whereas a virtual "software switch" needs to do that in the kernel (i.e., higher in the stack, more CPU/memory intensive, etc.). There are feature disparities which will be documented later.
* May not be available to all models
27. 27
Interfaces (Routing & Network Services)
Virtual VLAN Switch
• Emulation of a VLAN switch
• Assigns ports to VLANs and dedicated VLAN trunks
• Allows users to extend the number of available switch ports (with VLANs) by VLAN trunk stacking
(Figure: Interface Mode; External Switch)
* May not be available to all models
28. 28
Interfaces (Routing & Network Services)
Switch Controller
• Similar to the Wireless Controller concept
» Uses FortiLink protocol – modified CAPWAP
» With selected FortiSwitches only
• Administrators can create VLANs on the switch(es)
» VLANs across switches can be managed and configured like a FortiGate interface
(Figure: Virtual Switch VLANs; FortiLink connectivity)
* May not be available to all models
29. 29
Switch Controller (Routing & Network Services)
Switch Controller Support
FortiGate: FG/FWF-60D/-POE ✔; FG/FWF-90D/-POE ✔; FG-100D Series ✔; FG-200D Series ✔; FG-600C/800C/1000C (CLI enabled)
FortiSwitch: FSW-28C ✔; FSW-108D ✔; FSW-124D/-POE ✔; FSW-324B ✔; FSW-348B ✔; FSW-448B ✔; FSW-224D ✔
* May not be available to all models
30. 30
Port Spanning (Routing & Network Services)
• Also called "Port Mirroring"
» Supported by 100D & 200D platforms
» Ingress and/or egress traffic from a single port in a switch group can be copied to another port (in the same group)
31. 31
Link Load Balancing (Routing & Network Services)
Virtual WAN Interface
• Interface group
» Interfaces used will not appear in the policy table
» Single interface to select in policy
• Defines link selections
32. 32
Link Load Balancing (Routing & Network Services)
Link Load Balancing Methods
• Only one is selectable
• Assign interface members to the interface group
• Per-interface configurations
» Probe server settings (for link failure detection)
» Selection definition – e.g. weight, ratio, etc.
Methods:
• Source IP Based (Hashed): gateway selection based on source IP address
• Weighted Round Robin: gateway selection based on assigned session ratio
• Spill-over: gateway selection based on assigned bandwidth threshold
• Source-Destination IP Based: gateway selection based on source and destination IP address
• Measured-Volume Based: gateway selection based on assigned traffic volume ratio
33. 33
Link Load Balancing (Routing & Network Services)
Traffic Route Overrides
Admin can assign specific routings among the interface group based on a single criterion or a combination of criteria:
• Link Quality: uses TWAMP to determine each link's quality (latency, jitter); selects the highest- or lowest-quality link
• Service Definition: route based on defined protocol type and its service port
• Type of Service (TOS): route based on TOS settings
34. 34
Policy Based Routing (Routing & Network Services)
Features:
• Policy routes are applied before destination routes
• Can be used to create multiple routes to the Internet
» Static load-sharing
• Routing decision can be made from:
» Source & destination addresses
» Protocol, service type, or port range
» Incoming interface
» ToS
(Figure: HTTP; Other Traffic)
35. 35
WCCP (Routing & Network Services)
Features:
• Supports WCCPv1, WCCPv2
• L2 and GRE mode
• May operate either as server or client (per VDOM)
• Uses port 2048
• Option for authentication, GRE encapsulation
• CLI commands
(Figure: WCCP Server; WCCP Client)
36. 36
ICAP (Routing & Network Services)
• Allows users to configure a list of ICAP servers that the FortiGate may utilize for various purposes
• Useful for legacy firewall migration
Features:
• Streaming content bypass
(Figure: ICAP Server)
37. 37
Network Services (Routing & Network Services)
DHCP Service
• DHCP relay and WINS support
• DHCP server
» Multiple IP pools for each interface
» Exclude ranges and IPs
» DHCP IP reservation
» DHCP options support
» MAC address reservation & access control
• IPv6 DHCP
• DHCP monitoring
38. 38
Network Services (Routing & Network Services)
DNS Service
• Integrated basic DNS server
» Per-VDOM support
» In transparent and NAT/Route mode
• Recursive DNS (split DNS)
• IPv6 DNS
• Dynamic DNS support
39. 39
Network Services (Routing & Network Services)
DDNS Service
• FortiGuard DDNS server
» Provided with valid FortiCare contracts
» Ease of setup
» Suitable for VPN deployment and remote administration
40. 40
Network Services (Routing & Network Services)
• FortiGuard NTP service
» Provided with valid FortiCare contracts
» Alternatively, admin can choose 3rd-party servers
• NTP server
» Provides NTP services to connected devices
41. 41
Operation Modes
• NAT/Route
» Implementing access controls between different network segments
» Static, dynamic and policy-based routing, WAN link redundancy & load balancing
• Transparent/Bridge
» Implementing access controls on a network segment transparently
» Behaves like a switch
» L2 switching protocols support
• Sniffer
» Monitoring network activities offline
» Behaves like a sniffer
Hybrid: an organization can implement various modes within a single FGT using VDOMs
43. 43
3G/4G Interface (Routing & Network Services)
FortiExtender: extension device that works with FortiGate to provide 3G/4G wireless WAN connection
• As primary connection in "remote/lights-out" devices like ATM and point-of-sale devices
• As fail-over connection for network equipment that supports redundant WANs
• As remote antenna, which allows you to get the best 3G/4G signal available by placing it in the best location for receiving the signal
(Figure: FortiExtender – 3G/4G (LTE) – Ethernet)
44. 44
3G/4G Interface (Routing & Network Services)
FortiExtender Setup
• Discovery – auto or manual (for routed networks); similar to adding a FortiAP
• Device authorization
• Comprehensive modem settings on GUI
Monitoring
• Signal and usage status monitoring widget
• Diagnostic tools
» Ping, AT command
45. 45
Overview (User Identity)
Secures access to internal networks with user identification
Authentication Services
• Local user database
• Remote auth. services – LDAP, RADIUS & TACACS+
Single Sign-on
• Windows AD, Novell eDirectory integration
• SSO with POP3/POP3S, access auth. & FortiClient
• Citrix & Terminal Server agent
• Dynamic profile
PKI and Certificates
• X.509 certificates, SCEP support
• Certificate signing request (CSR) creation
• Auto-renewal of certificates before expiry
• OCSP support
2-Factor Authentication
• External 2FA support
• Integrated token server with physical, SMS & soft tokens
(Figure: User Monitor)
46. 46
Auth. Services (User Identity)
FortiGate supports user authentication for:
• User-identity-based firewall policies
• Client VPN (IPSEC, SSL)
• Network access
• Administration console (CLI, GUI)
(Figure: SSL VPN, IPSEC VPN, FortiGate administration, network access and identity-based policies all authenticating through the FortiGate)
* On limited models
47. 47
Integrated 2FA (User Identity)
Extended Authentication Support
• Integrated solution using the FortiToken, email or SMS side-channels
• Further extension using FortiAuthenticator
(Figure: FortiToken; Email; SMS*)
* Requires FortiGuard SMS service
48. 48
Integrated 2FA (User Identity)
FortiToken Mobile is a software token solution for mobile devices, allowing users to generate secure one-time passwords directly on the device wherever strong authentication is required.
• Eliminates the requirement for an additional physical device
• Low deployment cost – low initial and operational costs
• Simple licensing, pricing and provisioning
• Operates with free mobile applications, available on iOS and Android platforms
• Secure – seeds are only on the mobile device and the FortiGate
• 2 free units are available
49. 49
Integrated 2FA (User Identity)
Soft Token Provisioning
• Admin acquires a license and adds the revealed registration code on the FortiGate
• Upon successful verification, token serial numbers become available for provisioning
• Admin assigns the token based on serial number and chooses the type of delivery to users (SMS/email)
• A randomly generated activation code (not visible to the admin) is forwarded to the user
• User installs the FortiToken Mobile app and enters the code given to activate the soft token
51. 51
SSO (User Identity)
User Identity Acquisition
• Using both active and passive acquisition methods
• Reuse user login info for user-identity-based policies
(Figure: identity sources feeding the FortiGate – external RADIUS service; Windows AD, NTLM; terminal servers; captive portal; network access; FortiClient; Novell eDirectory; POP3/POP3S)
52. 52
SSO (User Identity)
Active Acquisition:
• System-wide – per VDOM
» Windows AD, NTLM, RADIUS, terminal server
Passive Acquisition:
• Interface-based – physical or virtual interfaces
» User input on captive portal or other prompts
» Captive portal exemption: per policy or interface
53. 53
SSO (User Identity)
Single Sign-On with Windows AD
• Option to use built-in DC polling
• Supports Windows AD user group policies or individual AD users
• Ability to allow access to an AD user only if he/she comes from a defined workstation (via CLI)
54. 54
SSO (User Identity)
Collection Modes for AD
• Domain Controller Agent mode
» Agents are installed on DCs to monitor & push login information to FortiGate
• Polling mode
» No agent is required on the DC
» Uses FortiGate local polling agent
» Option to run a collector agent on a server which polls the DCs
Comparison (Domain Controller Agent / Polling):
• DC requirement: agent is needed / agentless
• Target deployment: large deployments, remote DC / small deployment
• DHCP tracking: yes / no
• Support for MAC terminals: limited / may enable WinSecLog
• Implementation: complex / easy
• Level of confidence: captures all logons / potential to miss logons if polling period is too great
55. 55
SSO (User Identity)
Single Sign-On with NTLM
• Used when the MS Windows Active Directory (AD) domain controller cannot be contacted
• Browser-based method of authentication
• Option for guests or users with unsupported browsers to bypass NTLM (on CLI)
Flow:
1. User attempts access to the network and gets prompted by FortiGate for user credentials
2. Credential information is provided by the browser
3. FGT queries Windows AD
56. 56
SSO (User Identity)
Single Sign-On with Terminal Servers
• Requires TS agent to be installed on terminal servers and FSSO Collector on the network
• Supports Citrix and Windows Terminal Server
Flow:
1. User logs in to AD & opens terminal session
2. Credential information is passed to FGT using the TS agent via FSSO Collector
57. 57
SSO (User Identity)
Single Sign-On with RADIUS (RSSO)
• IPv6 clients supported
Flow:
1. Users get authenticated by the RADIUS server (e.g. access control)
2. A RADIUS Accounting message with an attribute-value pair that refers to the user group a user belongs to, along with IP address info, is forwarded to FortiGate (IP, usergroup_x)
3. FortiGate uses a listening agent and maps the info into its own context table. When a session enters, it looks up the table to determine its action based on the identity-based policies configured
58. 58
SSO (User Identity)
Single Sign-On with Network Access
• Supports various network access modes: captive portal, wireless auth., 802.1X
• Via FortiAP (per SSID), FortiSwitch (per VLAN) & FortiGate interfaces
Flow:
1. Users get authenticated for network entry
2. FGT communicates with auth. servers for verification
3. FGT becomes aware of the user and may apply identity-based policies
59. 59
SSO (User Identity)
SSO Mobility Agent
• Caches credentials, so that information is passed to FortiGate seamlessly without user action
• Eliminates the additional user identification prompt from FortiGate
• Works in AD environments both on-net & off-net, also NTLM
(Figure: On-Net / Off-Net)
60. 60
Guest Access (User Identity)
Temporary User Provisioning & Access
• Allow non-IT staff to create guest accounts via web portal
» Specialized admin ID for guest access management
• Assign time quota, generate temp password
• Distribute guest credentials by printing, email or SMS
• Batch guest user creation option
61. 61
Contact Harvest (User Identity)
Email Harvesting
• Policy intercepts sessions until users provide an email address
• Useful in some areas to harvest email and provide free WiFi access
62. 62
Overview (Device Identity)
Device Identification
• Device & OS fingerprinting
• Device classification & management
• Contextual device information
Device Based Policies
• Policies using device/device group
Benefits:
• Identify device type to add contextual information for better visibility
• Enforce policies based on device types or devices
• Allow organizations to embrace a BYOD environment securely
(Figure: Device Group List)
63. 63
Overview (Device Identity)
Securing BYOD Environment
• Identifying device/device types to apply appropriate policy enforcement
• Additional control beyond the traditional Windows AD environment
(Figure: Device Identification [Agentless, Agent based] → Identity Policies [Access Control] → UTM Profiles [Security Application Awareness])
64. 64
Device Identification (Device Identity)
Identification Techniques
• Agentless
» TCP fingerprinting
» MAC address vendor codes
» Network discovery protocols, DHCPv6, etc.
» Requires "direct" connectivity to FortiGate
• Agent Based
» Uses FortiClient
» Location & infrastructure independent
(Figure: INTERNET / DMZ; agentless hosts and hosts with FortiClient (FC) agent)
65. 65
Device Identification (Device Identity)
• TCP Fingerprinting, Network Discovery & MAC Address Vendor Code
» Based on regularly updated device/OS signatures and MAC address vendor list DB
» Automatic detection & categorization into predefined device groups
• Captive Portal
» Enabled per device-based policy
» Force detect device by HTTP communication (HTTP User-Agent)
» Email collection / endpoint compliance portal
• Endpoint Agent
» Agent captures system information and relays it to FortiGate, 100% accurate
» Allows device identification on remote networks
66. 66
Device Identification (Device Identity)
Additional device information detection
• Hostname: internal DHCP server, traffic scan
• Email address: email collection captive portal
• Username: authentication services or "device-user-identification enable", which extracts info via traffic scanning (enabled by default)
67. 67
Device Captive Portals (Device Identity)
Device Detection
• A webpage that should let the user send some traffic in order to detect the device type
• No replacement message when successful; users have to reload the webpage
• If detection fails, a replacement message will be presented
Email Collection
• Collects an email address as a means of identifying the device user
• When the email address has been verified, the device is added to the Collected Emails device group
Endpoint Compliance
• Acts as a quarantine for devices that are not protected by FortiClient
• Provides links to obtain the FortiClient software
68. 68
Device Management (Device Identity)
Device Group Management
• Manually add/edit devices
• Status, connection information, user information
• Device definition
• Multiple MAC address merge
69. 69
Device Management (Device Identity)
Device Groups
• Device group drill-down
• Predefined groups for auto categorization
• Manually defined custom groups
74. 74
Mobile Security (End Point Control)
Configuration Provisioning
• Provides consistent end point security policies "on-net" and "off-net"
• Reuse Application Control* & Web Filter profiles
Flow (figure: INTERNET / LAN, FortiClient on-net and off-net):
1. FortiClient enrolls into the FortiGate and then receives its end point policy
2. FortiClient uses last known security policies & VPN configurations
* Application control config for Windows and OS X only
75. 75
Mobile Security (End Point Control)
On/off-net Properties
• FortiClient adopts separate "on-net" and "off-net" configurations depending on location
• "On-net" options include turning off local security features, enabling client logging
• "Off-net" options include turning on security features and enabling VPN automatically
Flow (figure: INTERNET / LAN, FortiClient on-net and off-net):
1. FortiGate informs FortiClient that it's "on-net" using DHCP "cookies"
2. FortiClient doesn't receive "on-net" information and activates "off-net" mode
* Application control config for Windows and OS X only
76. 76
Mobile Security (End Point Control)
Endpoint Profile
• For distributing endpoint configurations
• Reuse UTM profiles
» App Control
» Web Filter
• Provision multiple VPN settings
• Multiple endpoint profiles may be created and assigned to different device groups
77. 77
Mobile Security (End Point Control)
Endpoint Control Profile Assignment
• Multiple profiles can be assigned to device groups / user groups / users
Flow:
1. User logs on using an authentication service (e.g. AD, RADIUS, etc.)
2. FGT identifies device/user upon successful logon
3. Push corresponding EC profile to FortiClient
78. 78
Mobile Security (End Point Control)
Advanced Endpoint Profile Setting
1. Set up and configure a sample client
2. Export the settings and then import them into FortiGate
3. Distribute settings to other clients
79. 79
Overview (Firewall)
Innovative features that allow accurate and effective policy setup
Policy Management
• Section & global view
• IP, user & device based policies
• Policy objects, object tagging & coloring
• Traffic counters
NAT
• Static NAT, dynamic NAT support
• Central NAT table
Traffic Support
• SCTP, GTP, ICMP
• Session helpers & ALGs
Hardware Acceleration*
• High performance across all packet sizes
• Ultra-low latency
(Figure: Policy Table)
* Applicable to supported models
81. 81
Policy Table (Firewall)
• Configurable column settings
• Object coloring
• Policy counters
• Smart object search
• Drag-and-drop policy rearrangement or moving objects
• Direct object/policy edit with right click
82. 82
Identity Based Policy (Firewall)
• User-identity-based security policies: assign access policy and profiles to each user group or user
• Device-identity-based security policies: assign access policy and profiles to each device type or device group
(Figure: SRC #1 → User Group #1 (User #1, User #2) → Service Port #1/#2 → DST #1/#2 with UTM Profile #1/#2; SRC #1 → Device Group #1 (Device Type #1, Device Type #2) → Service Port #1/#2 → DST #1/#2 with UTM Profile #1/#2)
83. 83
Policy Management (Firewall)
Policy
• Controls traffic as it traverses the device
» Interfaces, zones (groups of interfaces), VLANs and SSID segments
• Components
» Firewall configuration
» NAT settings, traffic shaping settings
» Security instructions, e.g. scan for viruses, detect attacks, etc.
» Logging options
84. 84
Policy Management (Firewall)
Source Types
• Merged policies (IP, user & device)
• "AND" operation if more than one type of source is used
85. 85
Policy Management (Firewall)
(Figure: example policy table mixing IP-, user- and device-based entries – User Group #1 (User #1, User #2), Device Group #1/#2, Service Port #1/#2, DST #1–#3, IP #1/#3 – with sample sessions marked ✔ matched or ✗ not matched)
Policies are matched top-down. The policy table may consist of different policy types.
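The matching rule stated on the two slides above (source types ANDed within a policy, first match top-down, implicit deny at the end), as an added example that is not FortiOS code; the addresses, users, groups and device types are constructed sample data:

```python
"""Top-down matching of merged source-type firewall policies.

Added illustration, not FortiOS code: a policy may carry an IP source,
a user-group source and a device-group source; when more than one source
type is present they are ANDed, and the table is evaluated top-down with
the first matching policy deciding the action. Addresses, users, groups
and device types below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed directory data: group memberships the policies refer to.
USER_GROUPS = {"Finance": {"m.jones", "s.lim"}, "Guests": {"guest01"}}
DEVICE_GROUPS = {"Corporate": {"windows-pc", "mac"}, "BYOD": {"iphone", "android"}}


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str] = None         # None: user not identified
    device_type: Optional[str] = None  # None: device not identified


@dataclass
class Policy:
    name: str
    action: str                        # "accept" or "deny"
    src_nets: List[str]                # IP source (always present)
    dst_nets: List[str]
    services: Optional[Set[int]] = None    # None: any destination port
    user_group: Optional[str] = None       # None: no user source type
    device_group: Optional[str] = None     # None: no device source type
    utm_profile: Optional[str] = None

    def matches(self, s: Session) -> bool:
        src = ip_address(s.src_ip)
        dst = ip_address(s.dst_ip)
        if not any(src in ip_network(n) for n in self.src_nets):
            return False
        if not any(dst in ip_network(n) for n in self.dst_nets):
            return False
        if self.services is not None and s.dst_port not in self.services:
            return False
        # Identity source types are ANDed with the IP source: an
        # unidentified user or device (None) can never satisfy them.
        if self.user_group is not None:
            if s.user not in USER_GROUPS.get(self.user_group, set()):
                return False
        if self.device_group is not None:
            if s.device_type not in DEVICE_GROUPS.get(self.device_group, set()):
                return False
        return True


# Constructed table. Order matters: the first match wins.
POLICY_TABLE = [
    # IP AND user group AND device group: managed Finance devices to the ERP
    Policy("finance-erp", "accept", ["10.1.0.0/24"], ["10.20.0.0/16"], {443},
           user_group="Finance", device_group="Corporate", utm_profile="strict"),
    # IP AND user group only: Finance users from any device, web only
    Policy("finance-web", "accept", ["10.1.0.0/24"], ["0.0.0.0/0"], {80, 443},
           user_group="Finance", utm_profile="default"),
    # IP-only policy: anyone on the LAN may reach the internal DNS server
    Policy("lan-dns", "accept", ["10.1.0.0/24"], ["10.0.0.53/32"], {53}),
]

# Implicit deny: matches everything that fell through the table.
IMPLICIT_DENY = Policy("implicit-deny", "deny", ["0.0.0.0/0"], ["0.0.0.0/0"])


def lookup(table: List[Policy], s: Session) -> Policy:
    """Return the first policy, top-down, that matches the session."""
    for policy in table:
        if policy.matches(s):
            return policy
    return IMPLICIT_DENY


if __name__ == "__main__":
    samples = [
        Session("10.1.0.10", "10.20.5.5", 443, "m.jones", "windows-pc"),
        Session("10.1.0.10", "10.20.5.5", 443, "m.jones", "iphone"),
        Session("10.1.0.10", "10.20.5.5", 443, None, "windows-pc"),
        Session("10.1.0.10", "10.0.0.53", 53),
    ]
    for s in samples:
        p = lookup(POLICY_TABLE, s)
        print(f"{s.src_ip} -> {s.dst_ip}:{s.dst_port} user={s.user} "
              f"device={s.device_type}: {p.name} ({p.action})")
```

The third sample shows the practical consequence of the AND rule: a session whose user was never identified cannot match any policy that names a user group, so it falls through to the implicit deny even though its IP and destination would have matched.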
86. 86
Policy Objects (Firewall)
FortiGuard GeoIP DB
• Distributed as FortiGuard update; requires valid FortiCare contract
• Manual update required using CLI command
• GeoIP override is configurable
• Supports IPv6 addresses
88. 88
H/W Acceleration (Firewall)
(Figure: legacy security gateway appliances vs. FortiGate with FortiASIC – CPU offload after initial session setup and instruction download)
89. 89
Overview (VPN)
Protects internal resources against remote traffic
IPSEC VPN
• Standards-based protocol support
• Policy- and route-based configurations
• Hub-and-spoke, mesh VPN architectures
• Redundant tunnels
• Split tunneling
• Remote VPN with FortiClient
• VPN wizard
SSL VPN
• Web and tunnel mode
• Customizable portal with bookmarks
• Virtual desktop & host check
Other VPN Features
• L2TP (Microsoft) & GRE
• Hardware acceleration*
• No additional licenses required
• Integrates with UTM functions
(Figure: SSL VPN Portal)
* Applicable to supported models
90. 90
IPSEC VPN
Wizard
• Step-by-step guided IPSEC configuration
» Custom defined
» Predefined templates
• Covers authentication & network settings
» No need to create separate phase1 objects for different user groups, as authorization is handled by firewall policy
91. 91
SSL VPN
Access Modes
• Web Application Mode
» Support via Java applets
» Limited application support: HTTP/HTTPS, FTP, SMB/CIFS, TELNET, SSH, VNC, RDP, Citrix
» Ease of use
• Port Forward Mode
» Support via Java applets
» Extends applications supported by web application mode
» Does not need admin privilege to install and run
• Tunnel Mode
» Support via SSL VPN client, requires download & install
» Unlimited L3 application support
92. 92
SSL VPN
SSL VPN Portal
• Customized header, logo, themes and page layout
• Customized widgets
• Tunnel mode widget
• Web mode bookmarks
• Session stats and status
93. 93
SSL VPN
SSL VPN Portal
• User-group-based portal access
• Ability for MSPs to create and set different portal access without using VDOMs
» URL path (i.e. suffix to bind to), max concurrent users, custom login page
• Custom login profile selection per SSL VPN user group policy
Example: https://sslvpn/customerA/ https://sslvpn/customerB/
94. 94
SSL VPN
Virtual Desktop
• CLI command
• Available for Windows terminals only
Application Control:
• Controls which applications users can run on their virtual desktop
• By creating a list of either allowed or blocked applications, which you then select when you configure the virtual desktop
• Application definitions are by MD5 signatures
Host Check:
• Enforces the client's use of antivirus or firewall software
• Offers a predefined list which can be edited
• Customized applications can be added with globally unique identifier (GUID)
• Windows patch check (on CLI only) allows admin to define the minimum Windows version and patch level allowed
» Supports Windows 2000, XP, Vista & 7
File Access:
• Completely isolates the SSL VPN session from the client computer's desktop environment
• All data is encrypted, including:
» Cached user credentials
» Browser history
» Cookies
» Temporary files and user files created during the session
• When the SSL VPN session ends normally, the files are deleted
95. 95
SSL VPN
Single Sign-on
• Available on admin-defined web-mode HTTP/HTTPS bookmarks
• Allows the user to log into the SSL VPN without having to enter any more credentials to visit preconfigured websites
• 2 modes:
» Automatic – use the user's SSL VPN credentials for login
» Static – fill in the login credentials as defined by the specified field name
96. 96
Overview (IPS)
Low latency, superior coverage and cost/performance integrated IPS
IPS Signatures
• Over 7,000 signatures
• Integrated FortiGuard IPS encyclopedia
• Zero-day threat protection & research
• Custom signatures
• Rate-based signatures
• Signature filtering
• User quarantine, packet logging
DoS Protection
• Rate-based – set thresholds for various types of network operations
Deployment Options
• Sniffer mode
• Bypass interface & FortiBridge
(Figure: 2012 NSS Security Value Map)
97. 97
IPS Sensor (IPS)
Regular IPS Signatures
• Protect against
» Known vulnerability & zero-day exploits
» Protocol abnormalities
• Details pop-up linked to FortiGuard IPS encyclopedia
• Filtered by: severity, OS, protocol, applications, target (client/server)
98. 98
IPS Sensor (IPS)
Rate Based Signatures
• Brute-force protection by blocking subsequent requests when the threshold (incidents per defined sec.) is reached
» Definable block duration
» Various tracking methods
99. 99
FortiGuard Service (IPS)
• Outstanding detection rate: 100% resistance to evasions, 97.9% detection rate (NSS test 2011)
• Vigorous benchmark testing: tested on over 4 different tools weekly to determine & improve the effectiveness of a security device to detect network vulnerabilities
100. 100
FortiGuard Service (IPS)
FortiGuard Center
• FortiGuard Encyclopedia – detailed description of known threats
• IPS updates log (RSS feed)
• Vulnerability advisories
• Threat Monitor – top attacks by geographic breakdown
• Zero-Day Research
» Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)
101. 101
Performance (IPS)
(Figure: NSS IPS Latency (July 2012), latency in μs on a 0–160 scale; devices compared: Check Point 12600, Stonesoft 1302, Juniper IDP 8000, Sourcefire 3D8120, Sourcefire 3D8260, Sourcefire 3D8250, SonicWALL SuperMassive, IBM GX7800, PA 5020, HP/TippingPoint 6100N, McAfee M-8000, FortiGate 3240C)
FortiGate 3240C also beats all IPS competition with the lowest latency.
102. 102
Packet Logging (IPS)
Forensic Tool
• Packet capture triggered by IPS signatures
• Can be saved as pcap file for forensic studies
• Can be logged to disk, FortiAnalyzer or FortiCloud
103. 103
User Quarantine (IPS)
• Intelligently blocks attackers from launching further attacks
» Most attacks are conducted in several steps, e.g. port scan, followed by more targeted hacking activities
• Frees up IPS resources since traffic is now stopped by the firewall
• Manually remove from banned list, or set an expiry time
(Figure: User Quarantine – attacker's IP address, duration; fed by Antivirus, IPS, DLP, Endpoint Control)
104. 104
Advanced Features IPS
NGIPS
Contextual Awareness
» Correlate with related information such as users & applications
Automation
» Automated impact assessment for quick policy tuning with FortiView
» Network behavior analysis using Threat Score
105. 105
DOS Sensors
DOS Protection
Detects and mitigates traffic that is part of a DoS attack
Applied as DoS policies, which are evaluated before firewall policies
Rate based: set thresholds for various types of network operations
Sensor list can be updated only when the firmware image is upgraded on the unit.
Anomaly                                        TCP             UDP            ICMP
Packet rate to a destination IP                TCP_SYN_FLOOD   UDP_FLOOD      ICMP_FLOOD
Packet rate from a source IP                   TCP_PORT_SCAN   UDP_SCAN       ICMP_SWEEP
# of concurrent sessions to a destination IP   TCP_DST_SESS    UDP_DST_SESS   ICMP_DST_SESS
# of concurrent sessions from a source IP      TCP_SRC_SESS    UDP_SRC_SESS   ICMP_SRC_SESS
IPS
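The rate-based signature (threshold per window, block duration), the DoS sensor anomalies tracked per source or destination IP, and the quarantine list with expiry described on the last few slides all reduce to one mechanism. The following is an added example written for this page, not FortiOS code; the threshold values, the sensor names reused from the table and the packet records are constructed.

```python
from collections import defaultdict, deque


class RateSensor:
    """One rate-based rule: count hits per tracking key inside a sliding
    window of `window` seconds; when `threshold` hits are reached the key is
    banned for `block_duration` seconds (the quarantine entry). `key_fn` is
    the tracking method, e.g. the source IP or the destination IP."""

    def __init__(self, name, key_fn, threshold, window, block_duration):
        self.name = name
        self.key_fn = key_fn
        self.threshold = threshold
        self.window = window
        self.block_duration = block_duration
        self.hits = defaultdict(deque)   # key -> timestamps inside the window
        self.banned = {}                 # key -> expiry timestamp

    def expire(self, now):
        """Drop bans whose expiry time has passed."""
        for key in [k for k, exp in self.banned.items() if exp <= now]:
            del self.banned[key]

    def unban(self, key):
        """Manual removal from the banned list."""
        self.banned.pop(key, None)

    def check(self, pkt, now):
        """Return 'block' if the packet is dropped (key already banned, or
        this packet reaches the threshold), otherwise 'pass'."""
        self.expire(now)
        key = self.key_fn(pkt)
        if key in self.banned:
            return "block"
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[key] = now + self.block_duration
            q.clear()
            return "block"
        return "pass"


def build_sensors():
    """Two DoS-sensor style rules with constructed thresholds: a SYN flood
    tracked per destination IP and a port scan tracked per source IP."""
    return [
        RateSensor("TCP_SYN_FLOOD", lambda p: p["dst"], threshold=5,
                   window=1.0, block_duration=30.0),
        RateSensor("TCP_PORT_SCAN", lambda p: p["src"], threshold=10,
                   window=1.0, block_duration=60.0),
    ]


def evaluate(packets, sensors):
    """Evaluate packets in time order; the first sensor that blocks wins,
    as a DoS policy is applied before the firewall policy sees the packet."""
    verdicts = []
    for pkt in packets:
        verdict = "pass"
        for sensor in sensors:
            if sensor.check(pkt, pkt["t"]) == "block":
                verdict = "block"
                break
        verdicts.append(verdict)
    return verdicts


# Constructed sample: 8 SYNs from different sources hit 10.0.0.5 within
# 0.7 s, then a legitimate client tries at t=5 s and again at t=40 s.
SAMPLE_PACKETS = [
    {"t": i * 0.1, "src": "198.51.100.%d" % (i + 1), "dst": "10.0.0.5"}
    for i in range(8)
] + [
    {"t": 5.0, "src": "192.0.2.9", "dst": "10.0.0.5"},
    {"t": 40.0, "src": "192.0.2.9", "dst": "10.0.0.5"},
]


def demo():
    """Verdicts for the sample: the 5th SYN trips the threshold, everything
    to 10.0.0.5 is dropped for 30 s, and the ban has expired by t=40 s."""
    return evaluate(SAMPLE_PACKETS, build_sensors())
```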
106. 106
Overview Application Control
Application Control Sensors
Over 3,300+ Signatures, 19 Categories
User notifications using FortiBar or HTTP
replacement message
Granular Controls for popular apps
Cloud Apps. visibility
Application Control Traffic Shaping
SPDY protocol support
SSH Inspection
Custom Signatures
More flexible and fine-grained
policy control
Increased security
Deeper visibility into network
traffic
FortiGuard Application library
107. 107
App Signatures
App List
Application signatures can be filtered by Category, Technology, Popularity and Risk level.
Useful for override settings and FortiView search
Application Control
108. 108
App Signatures
5-point-risk levels
Each application signature is assigned a risk level to help administrators understand
its threat status in logs and FortiView.
Application Control
Risk Level: Description (Example)
Critical: Applications that are used to conceal activity to evade detection. (Tor, SpyBoss)
High: Applications that can cause data leakage, or are prone to vulnerabilities or downloading malware. (Remote Desktop, File Sharing, P2P)
Medium: Applications that can be misused. (VoIP, Instant Messaging, File Storage, WebEx, Gmail)
Elevated: Applications used for personal communications or that can lower productivity. (Gaming, Facebook, Youtube)
Low: Business related applications or other harmless applications. (Windows Updates)
110. 110
Application Sensor
Ease of use
Applies actions to
various categories
» Allow, Block, Monitor, reset,
traffic shaping
Create overrides that
exempt applications from the
category settings
Flexibility
Applies different profiles
to users, devices and/or
IPs and their respective
destinations on the
security policies.
Application Control
111. 111
Application Control
Granular Controls
Granular control of popular Facebook and other online app usage
Facebook app pages can also be controlled via Web Filtering categories and
custom signatures
Application Control
112. 112
Application Control
SPDY Protocol Support
Open networking protocol developed primarily at Google for transporting web
content, similar to HTTP
» to reduce web page load latency and improve web security
Supported by most browsers
Application Control
113. 113
Application Control
Deep Application Visibility
Capture details of popular online
applications
» Cloud-based file storage and video
sites
» Logins to popular apps/sites
» Via web browsers
Info extracted includes
» (upload/download) filenames
» video titles played,
» user ID when login is detected
Application Control
114. 114
SSH Inspection
As part of SSL/SSH
Inspection Profile
Uses SSH proxy to
intercept the SSH key
exchange and content
After inspection, the
session is re-encrypted and
forwarded to the recipient
Application Control
115. 115
Overview Antivirus
AntiMalware
Proxy and Flow based AV
Filename & File Type filtering
Heuristic AV Engine
File Analysis with Cloud-based or on-
premise sandboxing
AV Databases options
File Quarantine
Anti-Botnet
Application Control Category
Botnet IP Blacklist Database
Protects internal network devices
against malware and other
malicious code
AV Configuration
116. 116
Technologies
Signatures
• Detects and blocks
known malware
and some variants
• Highly accurate,
low false positives
• Requires up-to-date
signature updates
• 3rd party validated
Behavioral
Evaluation
• Detects and blocks
malware based on
scoring system of
known malicious
behaviors or
characteristics
• Can be used to flag
suspicious files
for further analysis
File Analysis
• Detects zero-day
threats by
executing code on
emulators to
determine malicious
activity.
• Resource intensive,
performance and
latency impact
Antivirus
117. 117
Technologies
Application Control
• Detects and blocks nearly 50 active
botnets
• Detects botnet network activity by
examining traffic
• Prevents zombies from leaking data
or communicating for instructions
Botnet IP Reputation DB
• Detects and blocks known Botnet
C&C Communication by matching
against Botnet command blacklisted
IPs
• Stops dial back by infected
zombies.
Antivirus
118. 118
In-box AV functions
FortiGate as AV Gateway
Network based, no agents required on hosts
Can be proxied or flow based
Signature set options: Normal, Extended or Extreme
File Quarantine if Local storage is available
Antivirus
119. 119
NORMAL
• list of currently active threats
• recently added by the Fortinet Antivirus team
• detected by the FortiGuard network
• the wild list database.
EXTENDED
• older and recently active threats (already dropped by wild list) .
EXTREME
• remaining detection signatures for all threats
• zoo entries, and historical curiosities such as old DOS based viruses.
AV Signature DB Antivirus
120. 120
AV Engine
Antivirus
Code Emulator
Lightweight
Emulators
» Good against VM
evasion
OS-Independent file
analysis, all file type
» Java Scripts, Flash,
PDF
Best against
Malware Injections
via (compromised)
web 2.0 applications
Signature Match
(CPRL/Checksum)
File Sample
Decryption/unpacking System
Code Emulator
Behavior Analysis
Suspicious
Forward to cloud-based
FortiGuard AV service
Pass
No Further Action
FortiGate AV Engine 2.0
Blocked
File discarded, option to
Quarantine and event logged
121. 121
In-box AV functions Antivirus
Proxy Based vs Flow Based
External Sandboxing: FortiCloud Sandbox, FortiSandbox (proxy based); FortiCloud Sandbox, FortiSandbox (flow based)
Anti-Bot: FortiGuard Botnet Servers Black List (proxy based); FortiGuard Botnet Servers Black List (flow based)
Protocols Supported (proxy based): HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, MAPI, FTP/SFTP, NNTP (CLI)
Protocols Supported (flow based): HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, FTP/SFTP, NNTP
Replacement message: All supported protocols (proxy based); Limited to HTTP/HTTPS (flow based)
123. 123
File Analysis
Integration with FortiSandbox/ FortiCloud Sandbox
Automated submission of all files, or only of files flagged as suspicious
by the AV engine
Summary report is available on the FortiGate dashboard
Antivirus
1. Suspicious files and related logs are uploaded to FortiCloud Sandbox / FortiSandbox
2. Scan results are available on the FortiCloud Portal
3. Summary results are displayed on FortiGate's widget
125. 125
Overview Email Filter
Antispam
Supports SMTP, SMTPS, IMAP, POP3,
IMAPS and POP3S
FortiGuard AS Filtering: RLB, SURLB,
checksum
Phishing URL detection
HELO DNS lookup
Manual BWL
Content Filtering
Banned words, scoring method
Detects and removes spam emails
to prevent malicious activities
from occurring
Email Filter Profile
126. 126
Antispam
FortiGate as Antispam Gateway
Tag subject or discard when spam is detected
Uses both local and FortiGuard DBs to detect spam
Also detects phishing URLs in emails
Email Filter
127. 127
Spam Filters Email Filter
Order of Spam Filters
SMTP/SMTPS
IP Check: Last Hop IP, IP BWL
Email Header: IP BWL (received header), HELO DNS lookup, DNSBL/ORDBL, Return Email DNS Check, MIME Header, Email Address BWL Check
Email Content: Banned word (Subject), Banned Word (body), URL Check, Checksum Check
IMAP, IMAPS, POP3, POP3S
Email Header: IP BWL (received header), MIME Header, Email address BWL Check
Email Content: Banned word (Subject), Banned Word (body), URL Check, Checksum Check
Legend: FortiGuard Service / Local Filter / Local Filter, CLI only
128. 128
Overview Web Filter
URL Filtering
URL, web content, MIME Filtering
Time usage Quota
Transparent Safe Search
Policy Objects, Object tagging &
Coloring
Local Rating & Category
User override option
Proxy Avoidance Prevention
Proxy Service Site blocking
Language translation & Cache blocking
Rate site by IP addresses
Application Control – Proxy avoidance
category
IPS proxy behavior detection
…
Web Filtering Block Page
129. 129
FortiGuard Service Web Filter
• 78 Categories in 6 Groups
• Over 250 million URLs rated
• 70 Languages
• 40-80 Billion queries per week
• 40K URLs get automatically rated daily
• 96% of all queried websites are rated
More Accurate
Less Wrongly Rated
More Coverage
130. 130
Safe Search Web Filter
Advantages over client’s browser configuration:
✔ Easy to provision – no need to “touch” clients
✔ Prevents safe search avoidance
1. User does a search from the portal
2. FortiGate transparently inserts the Safe-Search parameter into the query
3. Search engine responds with Safe-Search results
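The rewrite in step 2, and the "prevents safe search avoidance" point, as an added example that is not FortiOS code: the client-supplied value is stripped before the enforced one is appended, so a user adding the parameter themselves cannot turn safe search off. The per-engine parameter names and values are assumptions, not taken from the deck.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed per-engine Safe Search parameters (not from the deck; verify
# against each engine's current documentation before relying on them).
SAFE_SEARCH_PARAMS = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
}


def engine_for(host):
    """Return the (name, value) parameter for a search-engine host, or None
    for any other destination."""
    host = (host or "").lower()
    for domain, param in SAFE_SEARCH_PARAMS.items():
        if host == domain or host.endswith("." + domain):
            return param
    return None


def enforce_safe_search(url):
    """Rewrite a search URL so the Safe Search parameter is present and set
    to the strict value. Any client-supplied copy of the parameter (for
    example safe=off) is removed first, so the enforced value always wins.
    URLs for other hosts are returned unchanged."""
    parts = urlsplit(url)
    param = engine_for(parts.hostname)
    if param is None:
        return url
    name, value = param
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != name]
    query.append((name, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))
```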
131. 131
Google Access
Restrict by Domain
• Allows a workplace to restrict Google access to only their corporate
accounts.
» Proxy WF only
» Deep inspection required
Web Filter
132. 132
Manual URL Filter Web Filter
URL Definition
• Static, regular expression or wildcard
HTTP-Referrer
• Allows websites to be blocked/allowed except when clicking a link on
another website
133. 133
Proxy Avoidance
Blocking known sites that:
» Provide listing of HTTP Proxy services
» Provide Proxy Avoidance techniques & Instructions, software downloads etc
» (Language) Translate websites
Identifies and rates redirected websites
» Cache & Translation sites
Rate sites by IP addresses
Web Filter
134. 134
Proxy Avoidance Web Filter
Defense-in-Depth
Category = Proxy
Application Control
http_proxy_activity
IPS Signature
• Prevents Proxy Avoidance further …
» Application Control stops Proxy Avoidance applications
» IPS signature detects and blocks "zero-day" proxy activities
135. 135
Inspection Modes Web Filter
Feature: Proxy Based / Flow Based / DNS Based
Hardware Acceleration: No / No / No
HTTPS Deep-Scan (Active-X, Cookie & Java Applet filters; other advanced filtering options): Yes / No / No
Safe Search: Injects Safe Search parameters / Blocks non-safe search requests / No
Replacement Message: Yes / Yes / Redirect
Concurrent Sessions: Based on max proxy sessions / Very High / Very High
Asymmetric Traffic Support: No / Yes, HTTP only / Yes, HTTP only
Category actions: All / Auth & Warning not supported / Auth & Warning not supported
136. 136
Overview DLP
DLP Sensor
Document Fingerprinting
File name, type & size Filter
Encrypted file/message Filter
Watermark Filter
Sample profiles: SSN, credit card
number, etc detection
Content Archive
Archive Email, FTP, HTTP, IM, and
session control content
Protects intellectual property
from internal mishandling
Prevents sensitive information
from being transmitted to
unauthorized networks
DLP Sensor Filter
137. 137
Data leakage can be the intentional or unintentional result of
human or software error; it is often the result of specific,
targeted actions, sometimes by trusted insiders, which
lead to the loss of sensitive information.
Overview DLP
DLP solutions typically have 3 main components
Data at Rest: scanning of content storage repositories to identify where sensitive data exists
Data in Motion: intercepting and inspecting traffic which is traversing the network to identify potentially sensitive data
Data in Use: endpoint solutions that monitor endpoint system activity and identify sensitive data
138. 138
DLP Sensor
DLP Actions (per rule): Log (Full Content Archive or Summary), Block, Quarantine User, IP or Interface
DLP Rule Filters: Finger Print, File size and type, Regular Expression, Encrypted
File Types Supported: Text file, PDF, MS Word
DLP
Can be either proxy or flow based
Hosts a set of DLP rules
A DLP Sensor is applied to a protection profile
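The "Regular Expression" rule filter and the sample profiles for SSN and credit card numbers from the DLP overview, as an added example that is not the FortiOS implementation. It shows why a bare regex is not enough: a Luhn check and the structural SSN rules cut the false positives that random digit runs would otherwise produce. Rule names, actions and the sample text are constructed.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out most digit runs that merely look like a
    card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(text):
    """Return the digit strings of Luhn-valid card numbers found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def ssn_plausible(area, group, serial):
    """Reject structurally invalid SSNs: area 000, 666 or 9xx, group 00,
    serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text):
    return [m.group() for m in SSN_RE.finditer(text) if ssn_plausible(*m.groups())]


# Constructed rule set: evaluated in order, first matching rule decides.
DEFAULT_RULES = [
    ("credit-card", find_credit_cards, "block"),
    ("ssn", find_ssns, "block"),
]


def scan(text, rules=DEFAULT_RULES):
    """DLP verdict for one message body or extracted file text."""
    for name, finder, action in rules:
        matches = finder(text)
        if matches:
            return {"action": action, "rule": name, "matches": matches}
    return {"action": "pass"}
```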
139. 139
Overview Vulnerability Scanning
Vulnerability Management
Asset Discovery & OS Detection
Manual or scheduled scans
Results visible on monitor, logs and
reports
Links to FortiGuard Threat Encyclopedia
for details & remediation advice
FortiAnalyzer Integration
Report correlation
Protect network assets (servers
and workstations) by scanning
them for security weaknesses
Facilitate Proactive patching
against known vulnerabilities
Vulnerability Scan report
140. 140
Overview Wireless
Integrated Wireless Controller
Based on CAPWAP RFC standards
Support up to 1024 APs per controller
QoS Support
Wireless Security
Wireless IDS
WPA/WPA2-Personal and WPA/WPA2-
Enterprise (802.11i), Captive portal
modes
Rogue AP monitoring and suppression
Wireless Deployment
FortiPlanner
Automatic Radio Resource Provisioning
Fast Roaming
Wireless Mesh & Bridging
AP Load Balancing
Secures wireless access with
integrated wireless Controller
Implements PCI requirements
AP Profile
142. 142
Thin AP
CAPWAP
Standard based Protocol for
Control and provisioning of wireless
access points
Fast Roaming*
Users in a multi-AP network
can move from one AP
coverage area to another
without impairing most wireless
traffic and applications.
Wireless
Figure: thin AP architecture from Floor to Wiring Closet, Aggregation and the FortiGate Controller in the Data Center, with CAPWAP tunnels between the APs and the controller
Thin AP architecture tunnels all
traffic to the FortiGate
Controller for added security
and ease of management
* Only in L2 networks
143. 143
User Access
FortiGate Wireless Controller supports:
WPA Personal (PSK)
• Wireless access using pre-shared keys
WPA-Enterprise (802.1x)
• More secure access with individual user logins
Captive Portal
• Intercepts web browsing to request a user login
Wireless
144. 144
Wireless Security
Rogue AP Identification by 'On Wire Scan'
Automatically distinguishes unknown APs (aka neighbors) from unknown APs that are
on the retail network (rogue)
by correlating packets seen on the wireless side with packets seen on the
wired side.
An event log is generated when a rogue AP is detected
Wireless
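The on-wire correlation just described, as an added example that is not the FortiGate implementation: an unknown BSSID whose wireless clients also appear as source MACs on the wired side is classified as rogue, one seen only over the air stays a neighbor. The observation lists and MAC addresses are constructed.

```python
from collections import defaultdict


def norm(mac):
    """Canonical lower-case, colon-separated MAC address."""
    return mac.strip().lower().replace("-", ":")


def classify_aps(wireless_obs, wired_macs, managed_bssids):
    """Classify every BSSID seen by the scanning radio.

    wireless_obs   -- (bssid, client_mac) pairs observed over the air
    wired_macs     -- source MACs observed on the wired side
    managed_bssids -- BSSIDs of our own FortiAPs
    Returns {bssid: (kind, on_wire_clients)} where kind is 'managed',
    'rogue' (at least one wireless client also seen on the wire) or
    'neighbor' (unknown AP with no wired evidence).
    """
    clients_by_ap = defaultdict(set)
    for bssid, client in wireless_obs:
        clients_by_ap[norm(bssid)].add(norm(client))
    wired = {norm(m) for m in wired_macs}
    managed = {norm(b) for b in managed_bssids}
    verdicts = {}
    for bssid, clients in clients_by_ap.items():
        if bssid in managed:
            verdicts[bssid] = ("managed", set())
        else:
            on_wire = clients & wired
            verdicts[bssid] = ("rogue" if on_wire else "neighbor", on_wire)
    return verdicts


def rogue_events(verdicts):
    """Event log lines, one per rogue AP, naming the wired client MACs that
    proved the correlation."""
    lines = []
    for bssid, (kind, on_wire) in sorted(verdicts.items()):
        if kind == "rogue":
            lines.append("rogue-ap-detected bssid=%s onwire_clients=%s"
                         % (bssid, ",".join(sorted(on_wire))))
    return lines


# Constructed sample observations.
MANAGED = ["AA:BB:CC:00:00:01"]
WIRELESS = [
    ("aa:bb:cc:00:00:01", "11:11:11:00:00:01"),   # client of our own AP
    ("de:ad:be:ef:00:01", "22:22:22:00:00:01"),   # unknown AP, client 1
    ("de:ad:be:ef:00:01", "22:22:22:00:00:02"),   # unknown AP, client 2
    ("ca:fe:00:00:00:09", "33:33:33:00:00:01"),   # unknown AP next door
]
WIRED = ["11:11:11:00:00:01", "22-22-22-00-00-02", "44:44:44:00:00:01"]


def demo():
    return classify_aps(WIRELESS, WIRED, MANAGED)
```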
145. 145
Wireless Security
Rogue AP Suppression
Sends excessive reset signals to the rogue
AP so that clients cannot connect to the rogue
AP. If a client joins a rogue AP, a
deauthentication message is sent to that client.
Automatically blocks the MAC address of that
rogue AP in the firewall policy
Feature is only available when there is at least
one radio dedicated to rogue AP detection
Wireless
FWF-80C doesn't support rogue suppression*
147. 147
Wireless
Deployment Features
Local Bridge
Allows the AP to be centrally
managed without backhauling
the traffic to the wireless
controller
Bridges an SSID to a local port at
the FortiGate using a
softswitch configuration
Allows split tunnel to the internet
148. 148
Wireless
Deployment Features
AP Load Balancing
Used in high density
deployments, such as
conferences, to prevent all
clients connecting to the same
AP
Two methods:
» Signal clients to connect to another
AP
» Signal clients to connect to another
frequency
149. 149
Monitoring
Wireless Dashboard
an easy visual for determining
the health of the network’s
wireless infrastructure
Widgets:
» AP Status
» Client Count over Time
» Top Client Per-AP (2.4 Ghz)
» Top Client Per-AP (5 Ghz)
» Top Wireless Interference (2.4 Ghz)
» Top Wireless Interference (5 Ghz)
» Login Failures Information
Wireless
150. 150
Monitoring
Spectrum Analysis
Illustrates signal interference as
detected by a particular FortiAP
Also points out the top APs and their
SSIDs that are interfering with a
particular FortiAP
Wireless
152. 152
FortiPlanner
Wireless Planning Tool
• For the pre-sales step of determining how many FortiAPs the customer
needs to purchase
Wireless site survey upgrade available (>50 APs, site survey)
Download from:
http://www.fortinet.com/wireless/
Wireless
Key Features:
Import floor plans
Structure drawing
Manual or auto AP placing
Placement Analysis
Dynamic- Heatmap
Generate Site and inventory
reports
153. 153
FortiPlanner Wireless
Dynamic Heatmap
Real-time polling of
FortiGate Wireless
Controller
Display current number
of clients, channel, TX
power
Helps to spot Coverage
holes and failed AP
154. 154
Overview Traffic Shaping & QoS
Bandwidth Control
Options: Shared policy shaping, per-IP
shaping & application Control shaping
Max. & Guaranteed Bandwidth
Max. Concurrent Connections per IP
QoS
Traffic prioritization
Type of Service (TOS), Class of Service
(COS) & Differentiated Services
(DiffServ) Support
Protects critical traffic from being
overwhelmed by other traffic
Manages bandwidth usage by
traffic type and application
Prioritizes time-sensitive traffic
such as VoIP & streaming video
Per IP and shared Traffic Shapers
155. 155
Traffic Shaper
Shared Traffic Shaper
bandwidth management by
security policies
» Per policy
» all policies
Maximum and guaranteed
bandwidth
Traffic priority
Assign DSCP value for other
device use
Also used by Application
Control
Shaper fields: Guaranteed Bandwidth, Maximum Bandwidth, Traffic priority, DSCP value
Traffic Shaping & QoS
156. 156
Traffic Shaper
Per-IP Traffic Shaper
Enables the admin to limit the
behavior of every member of a
policy, to avoid one user
using all the available
bandwidth
Maximum bandwidth &
concurrent connections
Assign forward and reverse
DSCP values for other devices'
use
Traffic Shaping & QoS
Shaper fields: Guaranteed Bandwidth, Maximum Concurrent Sessions
157. 157
Overview Server Load Balancing
Load Balancing
Methods: static, round-robin, etc
Persistence: Cookie, SSL session ID,
host
Probes & Health Checks: TCP, HTTP,
ICMP PING
SSL Offloading
HTTP Multiplexing
Integrated server load balancing
features with security applied
Maintains secure and highly
available application delivery
Load balance cluster status viewer
158. 158
Overview
FortiGate intercepts the incoming traffic and shares it across the
available servers
» Clients connect to the published Virtual Server
» The load balancer distributes traffic to a cluster of Real Servers using the desired load
balancing & persistence methods
» Health checks are performed to monitor the availability of the real servers.
Figure: Virtual Server in front of the Real Servers; Extensions: SSL Offload, Network Security (Firewall, AV, IPS, DLP); Load Balancing Methods; Service Type (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, IP); Monitors (TCP, HTTP, ICMP PING); Persistence (cookie, SSL Session ID)
Server Load Balancing
159. 159
LB Methods Server Load Balancing
Method: Description
Source IP Hash: Statically spreads sessions evenly across all real servers.
Round Robin: Directs new requests to the next real server, and treats all real servers as equals
Weighted: Real servers with a higher weight value receive a larger percentage of connections.
First Alive: Always directs sessions to the first alive real server, not distributed
Least RTT: Directs sessions to the real server with the least round trip time, determined by a Ping health check monitor
Least Session: Directs requests to the real server that has the least number of current connections.
HTTP Host: Uses the HTTP Host header to guide the connection to the correct real server
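The seven methods in the table, implemented over one pool so their selection behaviour can be compared, as an added example that is not FortiOS code. The pool, its weights, RTTs, session counts and the host-to-server map are constructed; the health-check result is modelled as an `alive` flag.

```python
import hashlib


class RealServer:
    """Constructed real-server record with the state each method consults."""

    def __init__(self, ip, weight=1, alive=True, rtt_ms=None, sessions=0):
        self.ip = ip
        self.weight = weight
        self.alive = alive          # result of the health-check monitor
        self.rtt_ms = rtt_ms        # from the Ping health check (Least RTT)
        self.sessions = sessions    # current connections (Least Session)


class VirtualServer:
    """Dispatches new sessions to a pool of real servers with one of the
    table's load-balancing methods; servers failing health checks are
    never chosen."""

    def __init__(self, pool, method, host_map=None):
        self.pool = pool
        self.method = method
        self.host_map = host_map or {}   # HTTP Host header -> real server ip
        self._rr = 0                     # round-robin / weighted cursor

    def pick(self, client_ip, host=None):
        alive = [s for s in self.pool if s.alive]
        if not alive:
            return None
        m = self.method
        if m == "source-ip-hash":
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            srv = alive[h % len(alive)]
        elif m == "round-robin":
            srv = alive[self._rr % len(alive)]
            self._rr += 1
        elif m == "weighted":
            expanded = [s for s in alive for _ in range(s.weight)]
            srv = expanded[self._rr % len(expanded)]
            self._rr += 1
        elif m == "first-alive":
            srv = alive[0]
        elif m == "least-rtt":
            srv = min(alive, key=lambda s: s.rtt_ms
                      if s.rtt_ms is not None else float("inf"))
        elif m == "least-session":
            srv = min(alive, key=lambda s: s.sessions)
        elif m == "http-host":
            wanted = self.host_map.get((host or "").lower())
            match = [s for s in alive if s.ip == wanted]
            srv = match[0] if match else alive[0]
        else:
            raise ValueError("unknown method %r" % m)
        srv.sessions += 1
        return srv.ip


def build_pool():
    """Constructed pool; 10.0.0.3 is failing its health check."""
    return [
        RealServer("10.0.0.1", weight=2, rtt_ms=20, sessions=3),
        RealServer("10.0.0.2", weight=1, rtt_ms=5, sessions=0),
        RealServer("10.0.0.3", weight=1, alive=False, rtt_ms=1),
        RealServer("10.0.0.4", weight=1, rtt_ms=8, sessions=1),
    ]


CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]


def dispatch(method, clients=CLIENTS, host=None):
    """Run new sessions through a fresh pool; returns the chosen server ips."""
    vs = VirtualServer(build_pool(), method,
                       host_map={"shop.example": "10.0.0.4"})
    return [vs.pick(c, host) for c in clients]
```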
160. 160
Overview SSL Offloading & Inspection
SSL Offloading
SSL Offloading for WANOPT & reverse
web caching
SSL Offloading for SLB
SSL Inspection
Facilitate UTM on SSL encrypted
applications
“SSL Cert Inspection” and “Full SSL
Inspection” modes
Intercepts and proxies SSL
encrypted traffic so UTM inspection
can be applied for more security
Offloads SSL from web servers
for an economical secure web
access offering
SSL Inspection Option
161. 161
Overview
SSL Inspection Exemptions
Allows admin to build exclusion list using
» Web Categories with defaults
» (Destination) Address Object - FQDN or IP addresses
Applicable to both “SSL Cert Inspection” and “Full SSL Inspection”
modes
SSL Offloading & Inspection
162. 162
Overview WAN Optimization
WAN Optimization
Protocol Optimization & byte Caching
FortiClient Support
Web Caching
Forward & reverse proxy
Explicit Proxy
Proxy chaining
PAC file distribution
Integrated WANOPT network
services with security
capabilities
Improves user experience and
bandwidth efficiency
Resolves the complexity,
management and cost of
involving additional WANOPT
devices
WANOPT Monitors
163. 163
WANOPT Tunneling
Supports various network topologies such as inline and out-of-path
design
Supports multi-peers including FortiClient
Can be used in both transparent and NAT/Route mode, virtualized per
VDOM
Figure: WAN Optimization peers in an authentication group across the WAN
164. 164
Web Caching
Reduces bandwidth usage with fewer
requests and responses across the WAN
Reduces server load as it has to serve
fewer requests
Reduces perceived latency since data is
obtained from the local unit
Figure: forward proxy and reverse proxy web caching on either side of the INTERNET
WAN Optimization
165. 165
Explicit Proxy
Allows users' web traffic to be explicitly proxied via FortiGate,
providing secure, restrictive Internet access policies.
Features:
Proxy HTTP/HTTPS & FTP sessions
from web browsers
Distribute proxy auto-config (PAC)
Supports SOCKS sessions from
browsers (CLI command)
Virtualized per VDOM
Proxy chaining with forward server
load balancing support
User authentication
Transparent explicit proxy option
using IP reflect
WAN Optimization
166. 166
Overview Virtual Systems
Virtual Domains
Global and per-VDOM settings
VDOM administrator
Resource allocation
VDOM Licensing
VDOM Logging
FortiGate Virtual Appliance
FortiOS in Virtual Environment
Provides multiple logical entities
in a single physical unit
Out-of-the box Multi-tenant &
department solution
Saving in physical Space &
Power
VDOM Configuration
168. 168
VDOM Admin
Virtual domains can be managed
using either one common
administrator or multiple separate
administrators for each VDOM
Administrators assigned the
super_admin profile can manage all
VDOMs on the FortiGate device
» Can also create other administrator
accounts and assign them to VDOMs
Virtual Systems
169. 169
MGMT VDOM
Management traffic leaves through the
management VDOM
Management VDOM should have access to the
Internet or FMGR
Default management VDOM is root
Virtual Systems
Figure: management VDOM (root) carrying DNS, NTP, external logging, FortiGuard, alert emails, SNMP traps and quarantine traffic
170. 170
Resource Allocation
Managing Resources
Customize the resources allocated
to each VDOM to ensure the proper
level of service is maintained on
each VDOM
Global Resources Viewer allows
admin to view available resources as
total
Virtual Systems
171. 171
Resource Allocation
Per VDOM System Resources
Displays system stats for each VDOM
» CPU usage, memory usage, concurrent sessions & new sessions per sec
Meant as guidance, not completely accurate
No CPU/memory limiting capabilities
Virtual Systems
172. 172
VDOM Links
Linking VDOMs
Two virtual interfaces, each on a different VDOM, are linked
together to connect those two VDOMs without using additional physical interfaces
Inter-VDOM links can be created with the two VDOMs in different operating
modes (but not when both are in transparent mode)
Virtual Systems
Figure: VDOM_1 linked to VDOM_EXT linked to VDOM_2
173. 173
Virtual Appliance Virtual Systems
Supports a variety of hypervisors for private and public cloud
infrastructure
Consistent management platform and GUI, similar to physical
FortiGate
Virtual Appliance support matrix (FortiGate-VM):
VMware: vSphere v4.0/4.1 ✔, vSphere v5.0 ✔, vSphere v5.1 ✔, vSphere v5.5 ✔
Citrix: Xen Server v5.6 SP2 ✔, Xen Server v6.0 ✔
Open Source: Xen ✔, KVM ✔
Amazon: AWS ✔
Microsoft: Hyper-V 2008 R2 ✔, Hyper-V 2012 ✔*
174. 174
Overview High Availability
FortiGate Clustering Protocol
Active-Passive, Active-Active, Virtual
Clusters
Redundant heartbeat interfaces
HA Reserved Management Interface
Deployment options
HA with Link Aggregation
Full mesh HA
Geographically dispersed HA
TCP Session Sync
VRRP
FG5000 Chassis based clustering
HA Configuration
Failover
Manual, Session, link & remote link
failover
Subsecond Failover
175. 175
HA Technologies High Availability
FortiGate
Clustering
Protocol (FGCP)
• Enhanced reliability
via device failover,
link failover and
remote link failover
• Increased
performance via
active-active HA load
balancing
• uses a virtual
MAC/single IP
address per network
segment
FortiGate Session
Life Support
Protocol (FGSP)
• Supports asymmetric traffic
and scenarios with
load balancers and
routers distributing
sessions across
multiple appliances
• Does not have a
heartbeat mechanism
to detect unit failure;
each FG operates by
itself with config and
session sync
Virtual Router
Redundancy
Protocol (VRRP)
• RFC standard based,
allow 3rd party device
integration
• Resource intensive,
performance and
latency impact
176. 176
Synchronization
Information synchronized by
default
» Configuration
» Routing tables
» IPsec VPN SA
» DHCP server address lease
database
Session failover (aka session
pickup) not enabled by default
Session failover synchronizes
» TCP (IPv4/v6)
» UDP, ICMP
» SIP
» IPsec VPN sessions
Information not synchronized
» UTM sessions
» Explicit Web Proxy
» ARP table
» Multicast
» SSL VPN sessions
FGCP
High Availability
177. 177
Virtual Clusters
Similar concept to load sharing
Can operate in A-A or A-P mode
Available when VDOMs are
enabled
2 virtual clusters can be created,
with as many VDOMs as available
assigned to them
Inter-VDOM links must be entirely
within one virtual cluster.
Figure: FORTIGATE-01 and FORTIGATE-02 each hosting VDOM 1, VDOM 2 and VDOM 3, split between V.Cluster1 and V.Cluster2
High Availability
178. 178
Failover
Device & Link Failover
Failover can be triggered when the
master/primary unit fails or when the links connecting it fail
Remote Link Failover
Uses ping servers on the primary unit to test
connectivity with IP addresses of network
devices that are not directly connected
May be multiple interfaces and/or multiple IPs
on a monitored interface
Subsecond Failover
Normally achievable for a cluster of two units
operating in Transparent mode with only two
interfaces connected to the network
High Availability
179. 179
Event Monitoring
• Quick visual on current HA status, resource usage and threat situation
• HA logs detail related activities, state and status changes
High Availability
185. 185
Overview IPv6
IPv6 Networking & Routing
IPv6 Coexistence Support
VDOM and administration Support
Hardware acceleration
Dynamic & static routing
Bandwidth Management
DHCP and DNS
IPv6 UTM
Supports major UTM functionalities
Adopt an IPv6-ready network
quickly & easily
Comprehensive protection of
IPv6 traffic
USGv6 CORE
IPv6 Traffic Logs
186. 186
IPv6 Feature Matrix
IPS interface policies for
IPv6
IPv6 static routes
IPv6 firewall addresses &
groups
IPv6 firewall policies
IPSEC VPN with IPv6
addressing
IPv6 over IPv4 tunneling
IPv6 DNS
IPv6 Transparent mode
IPv6 administrative access
IPv6 dynamic routing
using RIPng, BGP, or
OSPF protocols
UTM features support
IPv6 traffic - AV scanning,
URL filtering using
FortiGuard rating
SSL VPN Web Mode IPv6
IPv6 Session Display
IPv6 Firewall Auth
DHCP6
IPv6 firewall acceleration
IPv6 support for SNMP
IPv6 support for DLP
sensor, VoIP and ICAP
UTM feature
IPv6 NAT (NAT46,
NAT64, NAT66, DNS64)
IPv6 + IPS Forwarding
Policy
HA Session Pickup for
IPv6
IPv6 Per-IP Traffic Shaper
IPv6 Policy Routing
IPv6 Explicit Proxy
IPv6 MIBs
IPv6 DOS
Versions shown in the matrix: V4.0, V4.1, V4.3, V5.0
IPv6
187. 187
FortiSMS
International one-way SMS
messaging service
Covers 962 networks in 224
countries
Based on global leading & proven
mobile messaging infrastructure
(powered by Clickatell)
Usage
Option for FortiToken Mobile
activation code delivery
Option for Guest User credentials
SMS-based 2FA
Also works with FortiAuthenticator
SMS messages top-up
Certificate License for 100
SMSes.
Easy to add by scratching off to
reveal activation code (like
prepaid cards)
Dashboard widget: amount
indicator
FortiGuard Services
188. 188
Contact our Sales Office
Certified experts in Fortimail and email
security
Certified experts in Fortiweb and web
application firewall protection
Certified experts in FortiAp, FortiWifi
and wireless security
Sales Office
Tel. +39 049 8843198 DIGIT (5)
ufficio.commerciale@lanewan.it
www.lanewan.it
Over these years of partnership with the parent company,
Lan & Wan Solutions has obtained all the
specializations provided for in the various
certification paths, reaching the qualification of
Partner Of Excellence.