© Copyright Fortinet Inc. All rights reserved.
Inside FortiOS
Version 5.2.4 – Mar 2015
Lan & Wan Solutions – IT Solutions for Local and Wide Area Networks
2
CONTENT
• System Administration
• Routing & Network Services
• User Identity
• Device Identity
• End Point Control
• Firewall
• VPN
• IPS
• Application Control
• Antivirus
• Email Filter
• Web Filter
• DLP
• Vulnerability Scanning
• Wireless Controller
• Traffic Shaping & QoS
• Server Load Balancing
• SSL Offloading and Inspection
• WAN Optimization
• Virtual Systems
• High Availability
• Log & Report
• IPv6
• Others
3
FortiOS 5.2 Feature Set
Integrations: ATP, OSS Support, AAA, Central Mgmt.
Management: Configuration, Visibility, Log & Report, Diagnostics
Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL inspection
Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
Virtual Systems: Virtual Domains
Network Functions: Routing, NAT/CGN, WAN Link / Server LB, WAN Optimization, L2/Switching, IPv6, QoS, High Availability
Operating Modes: NAT/Route, Transparent, Sniffer
Network Interface: LAN, WiFi, WAN
Platform: Physical Appliance (+ASICs), Hypervisor, Cloud
* Features may vary by model
4
FortiOS Features
5
Overview System Administration
 CLI Access – Console, Telnet & SSH
 GUI Access – Via Web Browsers
 Dashboard, Viewers & Widgets
Central Management
 FortiManager & FortiAnalyzer
 FortiCloud
 Web Service APIs
 NMS Integration – SNMP,
sFlow/NetFlow, Syslog
 Solution Partners - Tufin, Arcsight, etc
 Rapid Deployment - USB Auto-Install &
Scripts
Quick Setup
 Setup Wizards (1RU Models & below)
 FortiExplorer (Desktop & Mobile Client)
 Simplifies Device Management
 Supports Enterprise
Management Systems &
Architecture
FortiExplorer
Diagnostic Tools
 Packet Capture
6
Dashboard & Widgets
 Quick look into system, threat
and network status
 Customizable
 Built-in CLI access
System Administration
Dashboard with Widgets
7
Powerful on-demand query tool that provides contextual results with drill-down capabilities
• Assists in network troubleshooting
» Provides insights for optimizing networks & productivity
» Why is a particular group of users having trouble using the cloud-based ERP system?
• Acquires proactive security knowledge
» Supports proactive security management
» Is there an abnormality that needs further investigation?
• Identifies network and threat status
» Resolves threats and networking problems quickly
» Are my users abusing the network, and if so, how?
FortiViewer System Administration
8
FortiView System Administration
Sort rows to display
Top sessions
Setup query using
Easy-to-use
auto-complete filters
Examine real-time or
historical data
Select row for drill
down
9
FortiView System Administration
Summary of selected
item
Selection of scope
Select row for drill
down
Drill down panels
 Presents associated details based on different
scopes
 Further drill down to filtered Session Viewer
10
FortiView
Session viewer (Real Time)
 Excellent Troubleshooting tool
System Administration
NAT’ed IP and Port Applications and their
usage
Device & User Info
Concurrent Session &
New session per sec
Geo IP Info
FortiGuard Encyclopedia
Integration
11
FortiView
Session viewer (Historical)
 Presents timeline filtered session list
with details using log entries
System Administration
Complete detail of
selected session
Setup filter by clicking
on cell
Mouse over device
details
Move and configure
field columns
12
FortiView
Threat Weight
 Unique: Normalized threat level value x hit counts
 Scores can be sorted to reveal most critical items to investigate
 More meaningful than other singular measurements
System Administration
13
Features With Local Storage Without Local Storage
Now 5 min 1 hr 24 hr * Now 5 min 1 hr 24 hr
Viewer – Sources ✔ ✔ ✔ ✔ ✔
Viewer – Applications ✔ ✔ ✔ ✔ ✔
Viewer – Cloud Application ✔ ✔ ✔ ✔ ✔
Viewer – Destinations ✔ ✔ ✔ ✔ ✔
Viewer – Websites ✔ ✔ ✔ ✔
Viewer – Threats ✔ ✔ ✔
Viewer – All Sessions ✔ ✔ ✔ ✔ ✔
Viewer – System Events ✔ ✔ ✔
Viewer – Admin Logins ✔ ✔ ✔
Viewer – VPN ✔ ✔ ✔
Viewer – FortiSandbox ✔ ✔ ✔
Sniffer Mode Support
(All Viewers) ✔ ✔ ✔
* Not available for desktop models with SSD
FortiView System Administration
14
Monitors
Real time status
indicators
 In-box
 Over 20+ types
 Serves as
administrative &
diagnostic tools
 Also available on
CLI and web
service API
(JSON)
System Administration
SYSTEMS
DHCP Monitor
Link Monitor
ROUTER
Routing Monitor
FIREWALL
Policy Monitor
Load Balancing Monitor
Traffic Shaping Monitor
UTM
AV Monitor
Intrusion Monitor
Web Monitor
Email Monitor
Archive & Data Leak Monitor
Application Monitor
FortiGuard Quota
VPN
IPSEC Monitor
SSL-VPN Monitor
USER & DEVICE
Firewall Monitor
Banned User Monitor
FortiClient Monitor
WIFI CONTROLLER
Client Monitor
Rogue-AP Monitor
Wireless Health Monitor
LOG&REPORT
Logging Monitor
15
Network Management
SNMP Support
 SNMP v1, v2c & 3
 Traps
 MIBs
 Fortinet proprietary MIBs
 standard RFC 1213 & 2665
MIBs
System Administration
16
Network Management
sFlow/NetFlow
 monitoring the traffic on the network to identify areas on the network
that may impact performance and throughput
 Agent is embedded in the FortiGate unit, sends the sampled traffic
to an external 3rd party Collector/Analyzer.
 Available on CLI only
System Administration
3rd Party sFlow Analyzer - sFlow Trend
17
Quick Setup
Feature Select
 Configure GUI elements according to desired deployment needs
using presets
 Allow further customizations by toggling the feature buttons
System Administration
18
Features/Presets NGFW ATP WF
NGFW+
ATP
UTM
Full
UTM
Security* Advanced Threat
Protection
✔ ✔ ✔ ✔
NGFW (IPS) ✔ ✔ ✔
NGFW (App Control) ✔ ✔ ✔ ✔
Web Filter ✔ ✔ ✔ ✔ ✔
Email Filter ✔
DLP ✔
Explicit Proxy ✔ ✔
Endpoint Control ✔ ✔ ✔ ✔
Basic VPN, IPv6, WiFi
Controller, Wanopt ,
etc Defaults settings depends on FGT models
Minor ICAP, VoiP, DNS DB,
Multicast policy, etc
* Default settings
Quick Setup System Administration
19
Quick Setup
FortiExplorer
 Software Application for
Windows, Mac OS and
iOS
 Uses USB connection
 Quick Setup Wizard,
Direct GUI & CLI access
without network setup
System Administration
20
FortiCloud
Hosted security
management and log
retention service
 Default reporting option for
Desktop Models
 Central web-based
management console to
manage individual or
aggregated FortiGate and
FortiWiFi devices
 Configuration backup
 Scripting
 Remote Firmware upgrade
 Access to hosted Sandbox
results
System Administration
21
Diagnostic Tools
Sniffer packet capture on GUI
 Similar to CLI Sniffer setup
» Supports Filters
» IPv6 & Non-IP Packets
 Output as pcap file download
 Local Storage required
System Administration
22
User Notification System Administration
Replacement Messages
 Supported on Proxy and some flow based UTM
 Customizable, can be assigned per VDOMs
23
User Notification
Fortinet Top Bar
 Notify users in real-time
» Blocked Applications
» Denied Traffic
» Quotas Status
» FortiClient Alerts
 Supported for IE, Firefox,
Chrome, Safari
 Appears on HTTP websites
as embedded frame in the
web browser
System Administration
24
Overview Routing & Network Services
Routing
 Link Redundancy and load balancing
 Policy Routing
 Dynamic Routing Protocol Support: RIP,
BGP, OSPF, IS-IS
 Multicast Routing
Interface Features
 VLANs, 802.3ad port aggregation, STP,
port span, redundant interface, loopback,
software switch, Security mode
 Sniff/One-arm Mode
WAN Link
 USB modem
 FortiExtender
 Link Load Balancing
• Robust L3 and L2 capabilities to facilitate a vast variety of network design and setup requirements
Route Monitor
Network Services
 Free FortiGuard NTP, DDNS & DNS
service
 Content Routing – WCCP and ICAP
Support
 DHCP & DNS Server
 LLDP
25
Interfaces
Interface Configurations
 Support *various interface types:
» Physical: Ethernet and wireless
» Virtual: VLANs, WiFi SSID, VDOM link
» Group: Port aggregation group, redundant Interface, H/W & S/W Switches,
Virtual WAN Link, zone
Routing & Network Services
Color coded access
methods
DHCP server info
Graphic presentation
of interfaces
A variety of
Interface types
* May not be available to all models
Interface members
26
Interfaces
Interface/Switch Modes
Routing & Network Services
* May not be available to all models
The main difference is that a “virtual hardware switch” uses the underlying switch chip/driver to handle all of the switching directly, whereas a “virtual software switch” has to do that in the kernel (i.e., higher in the stack and more CPU/memory intensive). There are feature disparities, which will be documented later.
Switch ports are individual
physical interfaces
Switch ports can be created
by grouping interfaces with
“Virtual
Hardware/Software
Switch”
27
Interfaces Routing & Network Services
* May not be available to all models
Virtual VLAN Switch
• Emulation of a VLAN switch
• Assigns ports to VLANs and dedicated VLAN trunks
• Allows users to extend the number of available switch ports (with VLANs) by VLAN trunk stacking
Interface Mode
External Switch
28
Interfaces Routing & Network Services
* May not be available to all models
Switch Controller
 Similar to Wireless Controller Concept
» Uses FortiLink protocol – modified CAPWAP
» With selected FortiSwitches only
 Administrators can create VLANs on the Switch(es)
» VLANs across switches can be managed and configured like a FortiGate
interface
Virtual Switch VLANs
FortiLink Connectivity
29
Switch Controller Routing & Network Services
* May not be available to all models
Switch Controller Support
FortiGate
FG/FWF-60D/-POE ✔
FG/FWF-90D/-POE ✔
FG-100D Series ✔
FG-200D Series ✔
FG-600C/800C/1000C CLI enabled
FortiSwitch
FSW-28C ✔
FSW-108D ✔
FSW-124D/-POE ✔
FSW-324B ✔
FSW-348B ✔
FSW-448B ✔
FSW-224D ✔
30
Port Spanning
 Also called ‘Port Mirroring’
» Supported by 100D & 200D platforms
» Ingress &/or Egress traffic from a single port in a switch group can be
copied to another port (in the same group)
Routing & Network Services
31
Link Load Balancing
Virtual WAN interface
 Interface group
» interfaces used will not appear
for policy table
» Single interface to select in
Policy
 Defines link selections
Routing & Network Services
Virtual
WAN
Interface
32
Link Load Balancing
Link Load Balancing Methods
 Only one is selectable
 Assign Interface members to Interface Group
 Per Interface Configurations
» Probe Server settings (for link failure detection)
» Selection Definition – eg. Weight, Ratio etc
Routing & Network Services
• Source IP Based (Hashed): gateway selection based on source IP address
• Weighted Round Robin: gateway selection based on session ratio assigned
• Spill-over: gateway selection based on threshold bandwidth assigned
• Source-Destination IP Based: gateway selection based on source and destination IP address
• Measured-Volume Based: gateway selection based on traffic volume ratio assigned
33
Link Load Balancing
Traffic Route Overrides
 Admin can assign specific
routings among the interface
group based on certain or
combination of criteria
Routing & Network Services
• Link Quality: uses TWAMP to determine each link’s quality (latency, jitter) and selects the route to the highest or lowest quality link
• Service Definition: route based on defined protocol type and its service port
• Type of Service (TOS): route based on TOS settings
34
Policy Based Routing
Features:
 Policy routes are applied before destination
routes
 Can be used to create multiple routes to the
Internet
» Static load-sharing
 Routing decision can be made from:
» Source & Destination addresses
» Protocol, service type, or port range
» Incoming interface
» ToS
Routing & Network Services
HTTP
Other Traffic
35
WCCP Server
WCCP Client
WCCP
Features:
 Supports WCCPv1, WCCPv2
 L2 and GRE Mode
• May operate either as Server or Client (per VDOM)
• Uses Port 2048
• Option for Authentication, GRE Encapsulation
 CLI Commands
Routing & Network Services
36
ICAP
• Allows users to configure a list of ICAP servers that the FortiGate may utilize for various purposes
• Useful for legacy firewall migration
Features:
 Streaming content bypass
ICAP Server
Routing & Network Services
37
Network Services
DHCP Service
 DHCP Relay and WINS
support
 DHCP server
» Multiple IP-pools for each interface
» Exclude ranges and IPs
» DHCP IP Reservation
» DHCP Options support
» MAC address reservation &
Access control
 IPv6 DHCP
 DHCP Monitoring
Routing & Network Services
38
Network Services
DNS Service
 Integrated Basic DNS Server
» Per-Vdom support
» in transparent and NAT/Route mode
 Recursive DNS (split DNS)
 IPv6 DNS
 Dynamic DNS support
Routing & Network Services
39
Network Services
DDNS Service
 FortiGuard DDNS Server
» Provided with valid Forticare
contracts
» Ease of setup
» Suitable for VPN deployment and
remote administration.
Routing & Network Services
40
Network Services
FortiGuard NTP Service
» Provided with valid Forticare
contracts
» Alternatively, admin can choose 3rd
party Servers
NTP Server
» Provide NTP services to connected
devices
Routing & Network Services
41
Operation Modes
NAT/Route
• Implementing access controls between different network segments
• Static, dynamic and policy based routing, WAN link redundancy & load balancing
Transparent/Bridge
• Implementing access controls on a network segment transparently
• Behaves like a switch
• L2 switching protocols support
Sniffer
• Monitoring network activities offline
• Behaves like a Sniffer
Hybrid: Organizations can implement various modes within a single FGT using VDOMs
42
Sniffer Mode
One-arm Sniffer
 Offline Monitoring with Flow based UTM
 Works with Windows AD FSSO
Routing & Network Services
43
3G/4G Interface Routing & Network Services
FortiExtender
3G/4G(LTE)
Ethernet
FortiExtender
 As primary connection in “remote/lights-out” devices like ATM and
point of sale devices.
 As fail-over connection for network equipment that supports redundant
WANs.
 As remote antenna, which allows you to get the best 3G/4G signal
available by placing it in the best location for receiving the signal.
Extension device that works with FortiGate to provide
3G/4G Wireless WAN connection
44
3G/4G Interface
FortiExtender Setup
 Discovery – Auto or manual (for
routed networks)
 Similar to adding a FortiAP
 Device Authorization
 Comprehensive Modem
settings on GUI
Monitoring
 Signal and usage status
monitoring widget
 Diagnostic tools
» Ping, AT command
Routing & Network Services
45
Overview User Identity
Authentication Services
 Local User Database
 Remote Auth. services – LDAP, Radius &
TACACS+
Single Sign-on
 Windows AD, Novell eDirectory integration
 SSO with POP3/POP3S, Access Auth. &
FortiClient
 Citrix & Terminal Server Agent
 Dynamic Profile
PKI and Certificates
 X.509 certificates, SCEP support
 Certificate signing request (CSR) creation
 Auto-Renewal of Certificates before Expiry
 OCSP Support
 Secures access to internal
networks with user identification
User Monitor
2 Factor Authentication
 External 2FA support
 Integrated Token Server with Physical,
SMS & Soft Tokens
46
Auth. Services
FortiGate supports User
Authentication for:
 User Identity based Firewall
Policies
 Client VPN (IPSEC, SSL)
 Network Access
 Administration Console (CLI, GUI)
User Identity
SSL
VPN
FortiGate
Administ
ration
IPSEC
VPN
Network
Access
Identity-
based
Policies
* On limited Models
47
Integrated 2FA
Extended Authentication Support
 Integrated solution using the FortiToken, Email or SMS side-channels
 Further extension using FortiAuthenticator
FortiToken Email SMS*
User Identity
* Requires FortiGuard SMS service
48
Integrated 2FA User Identity
 Eliminates requirement for additional physical device
• Low cost of deployment – low initial and operational costs
 Simple licensing, pricing and provisioning
 Operates with free mobile applications, available on iOS and
Android platforms
 Secure - Seeds are only on mobile device and FortiGate.
 2 free units are available
FortiToken Mobile is a software token solution for the mobile
devices, allowing users to generate secure and one-time passwords
directly on the device wherever strong authentication is required.
49
Integrated 2FA
Soft Token Provisioning
User Identity
SMS/EMAIL
• Admin assigns the token based on serial number
• Chooses type of delivery to users
• Randomly generated activation code (not visible to admin) is forwarded to users
• Admin acquires license and adds revealed registration code on FortiGate
• Upon successful verification, token serial numbers will be available for provisioning.
• User installs the FortiToken mobile app and enters the code given to activate the soft token
50
User Definition
Local User Creation
 Wizard Based
 Remote server user to local DB mapping
User Identity
51
SSO
User Identity Acquisitions
 Using both active and passive acquisition methods
 Reuse user login info for user Identity based policies
User Identity
External Radius Service
Windows AD, NTLM
Terminal Servers
= M.Jones =
= S.Lim =
= V.Baker =
= J.Jackson =
Captive Portal
Network Access
FortiClient
DMZ
DMZ
Novell eDirectory
POP3/POP3s
52
SSO
Active Acquisition :
 System Wide – Per VDOM
» WIN AD, NTLM, Radius, terminal server
SSO
Passive Acquisition :
 Interface Based - physical or virtual
Interfaces
» User Input on Captive Portal or other
prompts
» Captive Portal exemption: per policy or
interface
User Identity
53
SSO
Single Sign-On with Windows AD
• Option to use built-in DC Polling
• Supports Windows AD usergroup policies or individual AD users
• Ability to allow access to an AD user only if he/she comes from a defined workstation (via CLI)
User Identity
54
Polling Mode
SSO
Collection Modes for
AD
 Domain Controller Agent
» Agents are installed on DCs
to monitor & push login
information to FortiGate
 Polling
» No agent is required on DC
» Uses FortiGate local polling
agent
» Option to run a collector
Agent on a server which
polls the DCs
Domain Controller Agent Mode
User Identity
Criterion | Domain Controller Agent | Polling
DC Requirement | Agent is needed | Agentless
Target Deployment | Large deployments; Remote DC | Small Deployment
DHCP Tracking | Yes | No
Support for MAC terminals | Limited | May enable WinSecLog
Implementation | Complex | Easy
Level of Confidence | Capture all logons | Potential to miss logons if polling period is too great
55
SSO
Single Sign-On with NTLM
• Used when the MS Windows Active Directory (AD) domain controller cannot be contacted
• Browser-based method of authentication
• Option for guests or users with unsupported browsers to bypass NTLM (on CLI)
1. User attempts access to network and gets prompted by FortiGate for user credentials
2. Credential information is provided by browser
3. FGT queries Windows AD
User Identity
56
SSO
Single Sign-On with Terminal Servers
 Requires TS agent to be installed on terminal servers and FSSO
Collector on the network
 Supports Citrix and Windows Terminal Server.
1. User logs in to AD & opens terminal session
2. Credential information is passed to FGT using TS agent via FSSO Collector
User Identity
57
SSO
Single Sign-On with Radius (RSSO)
• IPv6 Clients supported
1. Users get authenticated by Radius Server (e.g. access control)
2. Radius Accounting message with an attribute-value pair that refers to the usergroup a user belongs to, along with IP address info (IP, usergroup_x), is forwarded to FortiGate
3. FortiGate uses a listening agent and maps the info to its own context table. When a session enters, it looks up the table to determine its action based on the identity-based policies configured
User Identity
58
SSO
Single Sign-On with Network Access
• Supports various network access modes: captive portal, wireless auth., 802.x
• Via FortiAP (per SSID), FortiSwitch (per VLAN) & FortiGate interfaces
1. Users get authenticated for network entry
2. FGT communicates with Auth. Servers for verification
3. FGT becomes aware of user and may apply identity-based policies
User Identity
59
On-Net
Off-Net
SSO
SSO Mobility Agent
 Caches credentials, so that
information is passed to
FortiGate seamlessly without
user’s action
 Eliminates the additional
user identification prompt
from FortiGate
 Works on AD environment
on both On-net & Off-net,
also NTLM
User Identity
60
Guest Access
Temporary user Provisioning &
Access
 Allow non-IT staff to create Guest
account via web portal
» Specialized admin-id for guest
access management
 Assign Time quota, generate
temp password,
 Distribute guest credentials by
printing, email or SMS
 Batch guest users creation option
User Identity
61
Contact Harvest
Email Harvesting
 Policy intercepting sessions until users provide an email address
 Useful in some areas to harvest email and provide free WiFi access
User Identity
62
Overview Device Identity
Device Identification
 Device & OS Fingerprinting
 Device Classification & Management
 Contextual Device Information
Device Based Policies
 Policies using Device/Device Group
 Identify device type to add into
contextual information for better
visibility
 Enforce policies based on device
types or devices
 Allow organization to embrace
BYOD environment securely
Device Group
List
63
Overview
Securing BYOD environment
 Identifying device/device types to apply appropriate policy
enforcements
 Additional control beyond traditional Windows AD environment
Device Identity
Identity Policies
Device Identification Access Control Security Application
UTM Profiles
Awareness
Agentless
Agent based
64
Identification Techniques
 Agentless
» TCP Fingerprinting
» MAC address vendor codes
» Network discovery protocols, DHCPv6
etc
» Requires “direct” connectivity to
FortiGate
 Agent Based
» Uses FortiClient
» Location & Infrastructure Independent
Device Identification Device Identity
INTERNETDMZ
FC
FC
Agentless
with Agent
65
TCP Fingerprinting, Network Discovery & MAC Address Vendor Code
• Based on regularly updated device/OS signatures and MAC address vendor lists DB
• Automatic detection & categorization into predefined device groups
Captive Portal
• Enabled per Device-based Policy
• Force detect device by HTTP communication (HTTP User-Agent)
• Email collection / Endpoint compliance portal
Endpoint Agent
• Agent captures system information and relays it to FortiGate, 100% accurate
• Allows device identification on remote networks
Device Identification Device Identity
66
Additional device information detection
 Hostname: Internal DHCP server, traffic
scan
 Email address: Email collection Captive
portal
• Username: Authentication services or “device-user-identification enable”, which extracts info via traffic scanning (enabled by default)
Device Identification Device Identity
67
Device Detection
• A webpage that lets the user send some traffic so that the device type can be detected
• No replacement message when successful; the user has to reload the webpage
• If detection fails, a replacement message is presented
Email Collection
 Collect an email address as a means of identifying the device user
 When the email address has been verified, the device is added to the
Collected Emails device group
Endpoint Compliance
 Acts as a quarantine for devices that are not protected by FortiClient
 Provides links to obtain the FortiClient software
Device Captive Portals Device Identity
68
Device Management Device Identity
Device Group
Management
Manual add/edit
Devices
Status
Connection
Information
User Information
Device Definition
Multiple MAC address
merge
69
Device Management Device Identity
Device Groups
Device Group
Drill-down
Predefined group for
auto categorization
Manual defined
Custom group
70
Visibility
Device contextual Information available on widgets, logs & reports
Device Identity
71
Overview End Point Control
FortiClient
 Multi-OS support
 Support Posture Checking
 Support remote user and device
identification
 “Off-net” and Mobile Security Policy
Enforcement
 VPN & Security Setting Provision
 Custom Install and Rebranding
 Endpoint Logging
 Ensures that workstation
computers (endpoints) meet
security requirements
 Distribute Client Security & VPN
Settings
 Logs Client activities
FortiClient
72
FortiClient V5.2 End Point Control
Windows Mac OSX iOS Android
IPSec VPN ✓ ✓ - ✓
SSL VPN ✓ ✓ Web Mode Only ✓
2FA ✓ ✓ ✓ ✓
Anti-Virus ✓ ✓ - -
Web Filtering ✓ ✓ ✓ ✓
WAN Optimization ✓ - - -
Registered for Central Management
Config Provisioning ✓ ✓ ✓ ✓
Logging (to FMGR/FAZ) ✓ ✓ - -
Windows AD SSO Agent ✓ ✓ - -
Application Firewall ✓ ✓ - -
Vulnerability Scanning & Reporting ✓ ✓ - -
73
Posture Checking
Enforcement Captive
Portal
 Check for install and
running of FortiClient
 Replacement page with
download and installation
instruction
End Point Control
74
Mobile Security End Point Control
INTERNET
LAN
OFF
ON
• FortiClient enrolls into
the FortiGate and then
receives its end point
policy
• FortiClient uses last
known security
policies & VPN
Configurations
Configuration Provisioning
 Provides consistent end point
security policies “on-net” and
“off-net”
 Reuse *Application Control &
Web Filter Profiles
1
2
* Application control config for Windows and OS X only
75
Mobile Security End Point Control
INTERNET
LAN
OFF
ON
• FortiGate informs
FortiClient that it’s
“on-net” using DHCP
“cookies”
• FortiClient doesn’t receive “on-net” information and activates “off-net” mode
On/off-net Properties
• FortiClient adopts separate “on-net” and “off-net” configurations depending on location.
• “On-net” options include turning off local security features and enabling client logging
• “Off-net” options include turning on security features and enabling VPN automatically.
1
2
* Application control config for Windows and OS X only
76
Mobile Security
Endpoint Profile
 For distributing Endpoint
Configurations
 Reuse UTM Profiles
» App Control
» Web Filter
 Provision Multiple VPN settings
 Multiple Endpoints may be
created and assigned to different
Device Groups
End Point Control
77
Mobile Security
Endpoint Control Profiles Assignment
• Multiple profiles can be assigned to Device Groups/User groups/Users
1. User logs on using Authentication Service (e.g. AD, Radius, etc.)
2. FGT identifies device/user upon successful logon
3. Push corresponding EC profile to FortiClient
End Point Control
78
Mobile Security End Point Control
Advanced Endpoint Profile Setting
1. Setup and configure a sample client
2. Export the setting and then import into FortiGate
3. Distribute settings to other clients
79
Overview Firewall
Policy Management
 Section & Global View
 IP, User & Device based Policies
 Policy Objects, Object tagging &
Coloring
 Traffic counters
NAT
 Static NAT, Dynamic NAT Support
 Central NAT Table
Traffic Support
 SCTP, GTP, ICMP
 Session helpers & ALGs
Hardware Acceleration*
 High performance across all packet size
 Ultra-low latency
• Innovative features that allow accurate and effective policy setup
Policy Table
*applicable to supported models
80
Policy Table Firewall
Section View
Global View
81
Policy Table Firewall
Configurable column
settings
Object Coloring
Policy counters
Smart object search
Drag-and-drop policy
rearrangement or
moving objects
Direct object/policy
edit with right click
82
Identity based Policy
User Identity based
Security Policies
 Assign access policy
and profiles to each
User Groups or Users
Device Identity based
Security Policies
 Assign access policy
and profiles to each
Device Type or Device
Group
[Figure: user identity based policy with SRC #1, User Group #1, User #1, User #2, Service Port #1/#2, DST #1/#2 and UTM Profile #1/#2]
[Figure: device identity based policy with SRC #1, Device Group #1, Device Type #1, Device Type #2, Service Port #1/#2, DST #1/#2 and UTM Profile #1/#2]
Firewall
83
Policy Management
Policy
• Controls traffic as it traverses the device
» Interfaces, zones (groups of interfaces), VLANs and SSID segments
 Components
» Firewall configuration
» NAT settings, Traffic shaping
settings
» Security instructions, eg, scan
for viruses, detect attacks, etc
» Logging Options
Firewall
84
Policy Management
Source Types
 Merged policies (IP, User & Device)
 “AND” Operations if more than one type of source is used
AND AND
Firewall
85
[Figure: example policy table whose rows combine IP #, User / User Group #, Device Group #, DST #, Service Port # and UTM Profile # entries, with "-" for unused fields and a ✔ or ✗ mark per row]
Policies are matched top-down. The policy table may
consist of different policy types.
Policy Management Firewall
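The two rules on these slides (source types within one policy are AND-ed, and the table is matched top-down) can be modelled in a few lines. This is an added illustration, not FortiOS code: the class names, the sample addresses, the device-type strings and the final implicit deny with ID 0 are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    user: Optional[str] = None          # None: user not identified
    device_type: Optional[str] = None   # None: device not identified


@dataclass(frozen=True)
class Policy:
    policy_id: int
    action: str                                    # "accept" or "deny"
    src: Tuple[str, ...]                           # source networks
    dst: Tuple[str, ...]                           # destination networks
    ports: FrozenSet[int]
    users: Optional[FrozenSet[str]] = None         # None: source type not used
    device_types: Optional[FrozenSet[str]] = None  # None: source type not used


def in_any(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)


def matches(policy, s):
    """Every source type the policy uses must match (AND)."""
    if not in_any(s.src_ip, policy.src):
        return False
    if policy.users is not None and s.user not in policy.users:
        return False
    if policy.device_types is not None and s.device_type not in policy.device_types:
        return False
    return in_any(s.dst_ip, policy.dst) and s.dst_port in policy.ports


IMPLICIT_DENY = (0, "deny")  # assumption of this model: nothing matched


def evaluate(table, s):
    """Top-down, first match wins; later policies are never consulted."""
    for policy in table:
        if matches(policy, s):
            return policy.policy_id, policy.action
    return IMPLICIT_DENY


# Constructed sample table (not from the slides).
LAN = ("10.0.1.0/24",)
P1 = Policy(1, "accept", LAN, ("10.0.9.0/24",), frozenset({443}),
            users=frozenset({"m.jones"}), device_types=frozenset({"windows-pc"}))
P2 = Policy(2, "deny", LAN, ("0.0.0.0/0",), frozenset({443}),
            device_types=frozenset({"android-phone"}))
P3 = Policy(3, "accept", LAN, ("0.0.0.0/0",), frozenset({80, 443}))
TABLE = [P1, P2, P3]
REORDERED = [P3, P1, P2]   # broad IP-only policy moved to the top

JONES_PC = Session("10.0.1.10", "10.0.9.5", 443, "m.jones", "windows-pc")
JONES_PHONE = Session("10.0.1.11", "10.0.9.5", 443, "m.jones", "android-phone")
GUEST_WEB = Session("10.0.1.12", "192.0.2.80", 80)
OUTSIDE = Session("10.0.2.1", "10.0.9.5", 443, "m.jones", "windows-pc")

if __name__ == "__main__":
    for name, s in [("jones-pc", JONES_PC), ("jones-phone", JONES_PHONE),
                    ("guest-web", GUEST_WEB), ("outside", OUTSIDE)]:
        print(name, evaluate(TABLE, s), "reordered:", evaluate(REORDERED, s))
```

With the broad IP-only policy moved to the top, the phone session that policy 2 was written to deny is accepted by policy 3, which is why identity and device policies have to sit above the general ones.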
86
Policy Objects
FortiGuard GeoIP DB
 Distributed as FortiGuard
Update, Requires Valid FortiCare
Contract
 Manual update required using
CLI Command
 GeoIP override is configurable
 Supports IPv6 addresses
Firewall
87
Policy Objects
Intelligent Object Searching
• Initially implemented on the Firewall Address list
 Search by name, IP, wildcards, etc.
Firewall
88
H/W Acceleration Firewall
Legacy Security Gateway
Appliances
FortiGate with FortiASIC
CPU offload
Initial session
setup
Instruction
download
89
Overview VPN
IPSEC VPN
 Standard Based Protocol Support
 Policy and route based configurations
 Hub-and-Spoke, mesh VPN
architectures
 Redundant tunnels
• Split Tunneling
 Remote VPN with FortiClient
 VPN Wizard
SSL VPN
 Web and Tunnel Mode
 Customizable Portal with bookmarks
 Virtual Desktop & Host Check
Other VPN Features
 L2TP (Microsoft) & GRE
 Hardware Acceleration*
 No Additional Licenses required
• Integrates with UTM functions; protects internal resources against remote traffic
SSL VPN Portal
*applicable to supported models
90
Wizard
 Step-by-step Guided IPSEC
configurations
» Custom defined
» Predefined Templates
 Covers authentication &
Network settings
» No need to create separate
phase1 objects for different user
groups as authorization is
handled by Firewall policy
IPSEC VPN
91
Web Application Mode
• Support via Java
Applets
• Limited application
support: HTTP/HTTPS,
FTP, SMB/CIFS,
TELNET, SSH, VNC,
RDP, Citrix
• Ease of use
Access Modes
Tunnel Mode
• Support via SSL VPN
Client, requires
download & install
• Unlimited L3 application
support
SSL VPN
Port Forward Mode
• Support via Java
Applets
• Extends applications
supported by web
application mode
• Does not need admin
privilege to install and
run
92
SSL VPN Portal
Customized header,
logo, themes and page
layout
Customized Widgets
Tunnel Mode Widget
SSL VPN
Web Mode bookmarks
Session Stats and status
93
SSL VPN Portal
User group based portal access
 Ability for MSP to create and set different portal access without using
VDOMs
» URL path (i.e. suffix to bind to), Max concurrent users, Custom login page
 Custom login profile selection on per SSL VPN usergroup policy
SSL VPN
https://sslvpn/customerA/ https://sslvpn/customerB/
94
Virtual Desktop
 CLI Command
 Available for Windows terminals only
SSL VPN
Application Control:
• Controls which applications users can run on their virtual desktop.
• Done by creating a list of either allowed or blocked applications, which you then select when you configure the virtual desktop.
• Applications are defined by MD5 signatures
Host Check:
• Enforces the client’s use of
antivirus or firewall software,
• Offers predefined list which can be
edited
• Customized applications can be
added with globally unique
identifier (GUID)
• Windows patch check (on CLI only)
allows admin to define the
minimum Windows version and
patch level allowed
» Supports Windows 2000, XP,
Vista & 7
File Access:
• Completely isolates the SSL VPN
session from the client
computer’s desktop environment
• All data is encrypted, including
• cached user credentials
• browser history
• cookies
• temporary files and user files
created during the session.
• When the SSL VPN session ends
normally, the files are deleted.
95
Single Sign-on
 Available on Admin defined
Web-Mode HTTP/HTTPS
bookmarks
 Allow user to log into the SSL
VPN without having to enter
any more credentials to visit
preconfigured website
 2 Modes:
» Automatic - Use user’s SSL
VPN credentials for login
» Static - Fill in the login
credentials as defined by
specified field name
SSL VPN
96
Overview IPS
IPS Signatures
 Over 7,000+ Signatures
 Integrated FortiGuard IPS encyclopedia
 Zero-day Threat Protection & Research
 Custom Signatures
 Rate based Signatures
 Signature Filtering
 User Quarantine, Packet Logging
DOS Protection
 Rate based - set thresholds for various
types of network operations
Deployment Options
 Sniffer Mode
 Bypass Interface & FortiBridge
 Low latency, superior coverage
and cost/performance integrated
IPS
2012 NSS Security Value Map
97
IPS Sensor
Regular IPS Signatures
 Protect against
» Known Vulnerability & Zero day
exploits
» Protocol abnormalities
 Details Pop-Up linked to FortiGuard
IPS encyclopedia
 Filtered by
IPS
Severity OS Protocol
Applications Target (Client/Server)
98
Rate Based Signatures
 Brute force protection by blocking subsequent requests when
threshold (incident per defined sec.) is reached
» Definable block duration
» Various tracking methods
IPS Sensor IPS
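The threshold, block duration and tracking method of a rate-based signature, modelled in Python as an added example (not FortiOS code and not part of the original slides). The class, field names, tracking labels and sample events are constructed for illustration; in this model the match that reaches the threshold is itself blocked.

```python
"""Model of a rate-based IPS signature (illustrative, hypothetical names)."""
from collections import defaultdict, deque


class RateBasedSignature:
    def __init__(self, threshold, window_sec, block_sec, track="src_ip"):
        if track not in ("src_ip", "dst_ip", "none"):
            raise ValueError("unknown tracking method: %s" % track)
        self.threshold = threshold      # incidents allowed per window
        self.window_sec = window_sec    # length of the counting window
        self.block_sec = block_sec      # how long a tracked key stays blocked
        self.track = track              # what the counter is keyed on
        self._hits = defaultdict(deque)  # key -> timestamps of recent matches
        self._blocked_until = {}         # key -> time at which the block expires

    def _key(self, event):
        # "none" counts every match in one shared bucket.
        return "*" if self.track == "none" else event[self.track]

    def observe(self, event):
        """Return 'pass' or 'block' for one signature match."""
        now, key = event["ts"], self._key(event)
        expiry = self._blocked_until.get(key)
        if expiry is not None:
            if now < expiry:
                return "block"
            del self._blocked_until[key]  # block duration elapsed
        hits = self._hits[key]
        hits.append(now)
        # Drop matches that fell out of the counting window.
        while hits and hits[0] <= now - self.window_sec:
            hits.popleft()
        if len(hits) >= self.threshold:
            self._blocked_until[key] = now + self.block_sec
            hits.clear()  # counting restarts once the block expires
            return "block"
        return "pass"


def replay(signature, events):
    """Feed events in time order and collect the verdicts."""
    return [signature.observe(e) for e in events]


# Constructed sample: matches of a failed-login signature (ts in seconds).
SAMPLE_EVENTS = [
    {"ts": 0.0, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10"},
    {"ts": 0.2, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10"},
    {"ts": 0.4, "src_ip": "203.0.113.5", "dst_ip": "192.0.2.10"},
    {"ts": 0.6, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10"},
    {"ts": 0.8, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10"},
    {"ts": 5.0, "src_ip": "203.0.113.5", "dst_ip": "192.0.2.10"},
    {"ts": 31.0, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    for track in ("src_ip", "dst_ip"):
        sig = RateBasedSignature(threshold=3, window_sec=1.0,
                                 block_sec=30.0, track=track)
        print(track, replay(sig, SAMPLE_EVENTS))
```

Tracking by source blocks only the noisy client, while tracking by destination also blocks the unrelated client that talks to the same server during the block duration.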
99
FortiGuard Service
Outstanding Detection Rate
 100% resistance to evasions, 97.9%
Detection rate (NSS Test 2011)
Vigorous Benchmark Testing
 Tested on over 4 different tools Weekly
 Determine & Improve effectiveness of a
security device to detect network
vulnerabilities
IPS
100
FortiGuard Service
FortiGuard Center
 FortiGuard Encyclopedia – detailed description of known threats
 IPS Updates log (RSS Feed)
 Vulnerability Advisories
 Threat Monitor – Top attacks by geographic breakdowns
Zero-Day Research
• Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the
appropriate vendor(s)
IPS
101
Performance IPS
[Chart: NSS IPS Latency (July 2012), latency in μs. Products compared: Check Point 12600, Stonesoft 1302, Juniper IDP 8000, Sourcefire 3D8120, Sourcefire 3D8260, Sourcefire 3D8250, SonicWALL SuperMassive, IBM GX7800, PA 5020, HP/TippingPoint 6100N, McAfee M-8000, FortiGate 3240C]
FortiGate 3240C also beats all IPS
competition with Lowest Latency
102
Packet Logging
Forensic Tool
 Packet capture triggered by IPS
signatures
 Can be saved as pcap file for
forensic studies
 Can be logged to disk,
FortiAnalyzer or FortiCloud
IPS
103
User Quarantine
 Intelligently blocks attackers from launching further attacks
» Most attacks are conducted via several steps, e.g. port scan, followed by more
targeted hacking activities
 Free up IPS resources since traffic is now stopped by firewall.
 Manually or set expiry time to remove from banned list
User Quarantine
Attackers IP Address
Antivirus IPS DLP
Duration
Endpoint Control
IPS
104
Advanced Features IPS
NGIPS
 Contextual Awareness
» Correlate with related information such as users & applications
 Automation
» Automated impact assessment for quick policy tuning with FortiView
» Network behavior analysis using Threat Score
105
DOS Sensors
DOS Protection
 Detects and mitigates traffic that is part of a DoS attack
 Applied as DOS Policies prior to Firewall Policies
 Rate based: set thresholds for various types of network operations
 Sensor list can be updated only when the firmware image is upgraded on the
unit.
Threshold | TCP | UDP | ICMP
Packet Rate to a Destination IP | TCP_SYN_FLOOD | UDP_FLOOD | ICMP_FLOOD
Packet Rate from a Source IP | TCP_PORT_SCAN | UDP_SCAN | ICMP_SWEEP
# of Concurrent Sessions to a Destination IP | TCP_DST_SESS | UDP_DST_SESS | ICMP_DST_SESS
# of Concurrent Sessions From a Source IP | TCP_SRC_SESS | UDP_SRC_SESS | ICMP_SRC_SESS
IPS
106
Overview Application Control
Application Control Sensors
 Over 3,300+ Signatures, 19 Categories
 User notifications using FortiBar or HTTP
replacement message
 Granular Controls for popular apps
 Cloud Apps. visibility
 Application Control Traffic Shaping
 SPDY protocol support
 SSH Inspection
 Custom Signatures
 More flexible and fine-grained
policy control
 Increased security
 Deeper visibility into network
traffic
FortiGuard Application library
107
App Signatures
App List
 Application signatures
can be filtered by
Category, Technology,
Popularity and Risk
level.
 It is useful for override
setting and FortiView
search
Application Control
108
App Signatures
5-point-risk levels
 Each application signature is assigned with a risk level to assist administrator in
understanding their threat status on logs and FortiView.
Application Control
Risk Level | Description | Example
Critical | Applications that are used to conceal activity to evade detection. | Tor, SpyBoss
High | Applications that can cause data leakage, or prone to vulnerabilities or downloading malware. | Remote Desktop, File Sharing, P2P
Medium | Applications that can be misused | VoIP, Instant Messaging, File Storage, WebEx, Gmail
Elevated | Applications are used for personal communications or can lower productivity. | Gaming, Facebook, Youtube
Low | Business Related Applications or other harmless applications. | Windows Updates
109
App Signatures
Custom Signatures
 Creates signatures and
assign to their categories
Application Control
110
Application Sensor
Ease of use
 Applies actions to
various categories
» Allow, Block, Monitor, reset,
traffic shaping
 Create overrides that
exempts from category
settings
Flexibility
 Applies different profiles
to users, devices and/or
IPs and their respective
destinations on the
security policies.
Application Control
111
Application Control
Granular Controls
 Granular control of popular Facebook and other online app usage
 Facebook app pages can also be controlled via Web Filtering categories and
custom signatures
Application Control
112
Application Control
SPDY Protocol Support
 Open networking protocol developed primarily at Google for transporting web
content, similar to HTTP
» to reduce web page load latency and improve web security
 Supported by most browsers
Application Control
113
Application Control
Deep Application Visibility
 Capture details of popular online
applications
» Cloud-based file storage and video
sites
» Logins to popular apps/sites
» Via web browsers
 Info extracted includes
» (upload/download) filenames
» video titles played,
» user ID when login is detected
Application Control
114
SSH Inspection
 As part of SSL/SSH
Inspection Profile
 Uses SSH proxy to
intercept the SSH key
exchange and content
 After inspection, the
session is re-encrypted and
forwarded to the recipient
Application Control
115
Overview Antivirus
AntiMalware
 Proxy and Flow based AV
 Filename & File Type filtering
 Heuristic AV Engine
 File Analysis with Cloud-based or on-
premise sandboxing
 AV Databases options
 File Quarantine
Anti-Botnet
 Application Control Category
 Botnet IP Blacklist Database
 Protect internal network devices
against malware and other
malicious codes
AV Configuration
116
Technologies
Signatures
• Detects and blocks
known malware
and some variants
• Highly accurate,
low false positives
• Requires up-to-date
signature updates
• 3rd party validated
Behavioral
Evaluation
• Detects and blocks
malware based on
scoring system of
known malicious
behaviors or
characteristics
• Can be used to flag
out suspicious files
for further analysis
File Analysis
• Detects zero-day
threats by
executing codes on
emulators to
determine malicious
activities.
• Resource intensive,
performance and
latency impact
Antivirus
117
Technologies
Application Control
• Detects and blocks nearly 50 active
botnets
• Identifies botnet network activities by
examining traffic
• Prevents zombies from leaking data
or communicating for instructions
Botnet IP Reputation DB
• Detects and blocks known Botnet
C&C Communication by matching
against Botnet command blacklisted
IPs
• Stops dial back by infected
zombies.
Antivirus
118
In-box AV functions
FortiGate as AV Gateway
 Network based, no agents required on hosts
 Can be proxied or flow based
 Signature set options: Normal, Extended or Extreme
 File Quarantine if Local storage is available
Antivirus
119
NORMAL
• list of currently active threats
• recently added by the Fortinet Antivirus team
• detected by the FortiGuard network
• the wild list database.
EXTENDED
• older and recently active threats (already dropped by wild list) .
EXTREME
• remaining detection signatures for all threats
• zoo entries, and historical curiosities such as old DOS based viruses.
AV Signature DB Antivirus
120
AV Engine Antivirus
Code Emulator
 Lightweight
Emulators
» Good against VM
evasion
 OS-Independent file
analysis, all file type
» Java Scripts, Flash,
PDF
 Best against
Malware Injections
via (compromised)
web 2.0 applications
Signature Match
(CPRL/Checksum)
File Sample
Decryption/unpacking System
Code Emulator
Behavior Analysis
Suspicious
Forward to cloud-based
FortiGuard AV service
Pass
No Further Action
FortiGate AV Engine 2.0
Blocked
File discarded, option to
Quarantine and event logged
121
In-box AV functions Antivirus
Function | Proxy Based | Flow Based
External Sandboxing | FortiCloud Sandbox, FortiSandbox | FortiCloud Sandbox, FortiSandbox
Anti-Bot | FortiGuard Botnet Servers Black List | FortiGuard Botnet Servers Black List
Protocols Supported | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, MAPI, FTP/SFTP, NNTP (CLI) | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, FTP/SFTP, NNTP
Replacement message | All supported Protocols | Limited to HTTP/HTTPS
122
FortiGuard AV Service Antivirus
Fortinet
123
File Analysis
Integration with FortiSandbox/ FortiCloud Sandbox
 Automated submission of all files or when file is flagged as suspicious
by AV engine
 Summary report is available on FortiGate dashboard
Antivirus
FortiCloud Sandbox/
FortiSandbox
1. Suspicious files and related logs are uploaded
2. Scan results are available on FortiCloud Portal
3. Summary results are displayed on FortiGate’s Widget
124
File Analysis
FortiSandbox Cloud
Integration
 FortiSandbox Viewer
 View detailed analysis
 Manual source
quarantine
Antivirus
125
Overview Email Filter
Antispam
 Supports SMTP, SMTPS, IMAP, POP3,
IMAPS and POP3S
 FortiGuard AS Filtering: RBL, SURBL,
checksum
 Phishing URL detection
 HELO DNS lookup
 Manual BWL
Content Filtering
 Banned words, scoring method
 Detects and removes spam emails
to prevent malicious activities
from occurring
Email Filter Profile
126
Antispam
FortiGate as Antispam Gateway
 Tag subject or discard when spam is detected
 Uses both local and FortiGuard DB to detect spam
 Also detects phishing URLs in emails
Email Filter
127
Spam Filters Email Filter
Checksum Check
URL Check
Banned
Word
(body)
IP BWL
(received
header)
Banned
word
(Subject)
Return Email
DNS Check
MIME Header
Email Address
BWL Check
DNSBL/ORDBL
HELO DNS lookup
IP Check
IP BWL
Last Hop IP
Email Header
Email Content
SMTP/SMTPS
Checksum Check
URL Check
Banned Word
(body)
Banned word
(Subject)
MIME Header
Email address BWL
Check
Email Header
Email Content
IMAP, IMAPS, POP3, POP3S
Order of Spam Filters
IP BWL
(received
header)
FortiGuard Service
Local Filter
Local Filter, CLI only
128
Overview Web Filter
URL Filtering
 URL, web content, MIME Filtering
 Time usage Quota
 Transparent Safe Search
 Policy Objects, Object tagging &
Coloring
 Local Rating & Category
 User override option
Proxy Avoidance Prevention
 Proxy Service Site blocking
 Language translation & Cache blocking
 Rate site by IP addresses
 Application Control – Proxy avoidance
category
 IPS proxy behavior detection
 …
Web Filtering Block Page
129
FortiGuard Service Web Filter
• 78 Categories in 6 Groups
• Over 250 million URLs rated
• 70 Languages
• 40-80 Billion queries per week
• 40K URLs get automatically rated daily
• 96% of all queried websites are rated
More Accurate
Less Wrongly Rated
More Coverage
130
Safe Search Web Filter
Advantages over client’s browser configuration:
✔ Easy to provision – no need to “touch” clients
✔ Prevents safe search avoidance
1. User does a search from portal
2. FortiGate transparently inserts Safe-Search parameter to the query
3. Search engine responds with Safe-Search results
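The parameter insertion in step 2 of the Safe Search slide, sketched in Python as an added example (not FortiOS code and not part of the original slides). The host-to-parameter map is an assumption based on the publicly documented query parameters of these search engines; the function name and sample URLs are constructed.

```python
"""Rewrite a search URL so the engine's safe-search parameter is always set."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed mapping: search host -> (parameter name, enforced value).
SAFE_PARAMS = {
    "www.google.com": ("safe", "active"),
    "www.bing.com": ("adlt", "strict"),
    "search.yahoo.com": ("vm", "r"),
}


def enforce_safe_search(url):
    """Return the URL with the safe-search parameter forced on.

    Any value the client supplied for that parameter (for example an
    attempt to switch filtering off) is dropped before the enforced
    value is appended, so the client cannot override it.
    """
    parts = urlsplit(url)
    rule = SAFE_PARAMS.get(parts.hostname or "")
    if rule is None:
        return url  # not a known search engine: leave untouched
    name, value = rule
    query = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() != name
    ]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in (
        "https://www.google.com/search?q=test",
        "https://www.google.com/search?q=test&safe=off",
        "https://www.bing.com/search?q=a+b",
        "https://example.org/?safe=off",
    ):
        print(sample, "->", enforce_safe_search(sample))
```

Because the rewrite happens on the gateway, it applies to every client behind it without any browser configuration.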
131
Google Access
Restrict by Domain
• Allows a workplace to restrict Google access to only their corporate
accounts.
» Proxy WF only
» Deep inspection required
Web Filter
132
Manual URL Filter Web Filter
URL Definition
• Static, regular expression or wildcard
HTTP-Referrer
• Allows websites to be blocked/allowed except when clicking a link on
another website
133
Proxy Avoidance
 Blocking known sites that:
» Provide listing of HTTP Proxy services
» Provide Proxy Avoidance techniques & Instructions, software downloads etc
» (Language) Translate websites
 Identifies and rates redirected websites
» Cache & Translation sites
 Rate sites by IP addresses
Web Filter
134
Proxy Avoidance Web Filter
Defense-in-Depth
Category = Proxy
Application Control
http_proxy_activity
IPS Signature
• Prevents Proxy Avoidance further …
» Application Control stops Proxy Avoidance applications
» IPS signature detects and blocks “zero-day” proxy activities
135
Inspection Modes Web Filter
Feature | Proxy Based | Flow Based | DNS Based
Hardware Acceleration | No | No | No
HTTPS Deep-Scan; Active-X, Cookie & Java Applet Filters; other advanced filtering options | Yes | No | No
Safe Search | Inject Safe Search Parameters | Blocks non-safe search request | No
Replacement Message | Yes | Yes | Redirect
Concurrent Sessions | Based on max proxy sessions | Very High | Very High
Asymmetric Traffic Support | No | Yes. HTTP only | Yes. HTTP only
Category actions | All | Auth & Warning not supported | Auth & Warning not supported
136
Overview DLP
DLP Sensor
 Document Fingerprinting
 File name, type & size Filter
 Encrypted file/message Filter
 Watermark Filter
 Sample profiles: SSN, credit card
number, etc detection
Content Archive
 Archive Email, FTP, HTTP, IM, and
session control content
 protects intellectual property
from internal mishandling
 Prevents sensitive information
from transmitting to
unauthorized networks
DLP Sensor Filter
137
Data leakage can be intentional or the unintentional result of
human/software error; it is often the result of specific,
targeted actions, sometimes by trusted insiders, which
lead to the loss of sensitive information.
Overview DLP
DLP solutions typically have 3 main components
Data at Rest
Scanning of content storage repositories, to identify where sensitive data exists
Data at Motion
Intercepting and inspecting traffic which is traversing the network, to identify potentially sensitive data
Data in Use
Endpoint solutions that monitor endpoint system activity and identify sensitive data
138
DLP Sensor
DLP Actions
(per-rules)
 Log (Full Content Archive
or Summary)
 Block
 Quarantine User, IP or
Interface
DLP Rule Filters
 Finger Print
 File size, type
 Regular Expression
 Encrypted
File Type Supported
 Text file
 PDF
 MS Word
DLP
 Can either be proxy or flow based
 Host a set of DLP rules
 A DLP Sensor is applied to protection profile
139
Overview Vulnerability Scanning
Vulnerability Management
 Asset Discovery & OS Detection
 Manual or scheduled scans
 Results visible on monitor, logs and
reports
 Links to FortiGuard Threat Encyclopedia
for details & remediation advice
FortiAnalyzer Integration
 Report correlation
 Protect network assets (servers
and workstations) by scanning
them for security weaknesses
 Facilitate Proactive patching
against known vulnerabilities
Vulnerability Scan report
140
Overview Wireless
Integrated Wireless Controller
 Based on CAPWAP RFC standards
 Support up to 1024 APs per controller
 QoS Support
Wireless Security
 Wireless IDS
 WPA/WPA2-Personal and WPA/WPA2-
Enterprise (802.11i), Captive portal
modes
 Rogue AP monitoring and suppression
Wireless Deployment
 FortiPlanner
 Automatic Radio Resource Provisioning
 Fast Roaming
 Wireless Mesh & Bridging
 AP Loadbalancing
 Secures wireless access with
integrated wireless Controller
 Implements PCI requirements
AP Profile
141
Overview
Unified Secured Access
 Integrated WLAN management with security gateway
 Shared authentication services & access policies
Wireless Access
Wired Access
Remote Access
DIGITAL ASSET • Content Inspection
• Attack Mitigation
• User Identification
• Access Control
Wireless
142
Thin AP
CAPWAP
 Standard based Protocol for
Control and provisioning of wireless
access points
Fast Roaming*
 Users in a multi-AP network,
can move from one AP
coverage area to another
without impairing most wireless
traffic and applications.
Wireless
Floor
Wiring Closet
Aggregation
FortiGate Controller Data Center
CAPWAP
Thin AP architecture tunnels all
traffic to the FortiGate
Controller for added security
and ease of management
* Only in L2 networks
143
Captive Portal
• Intercepts web browsing for user login
User Access
FortiGate Wireless Controller supports:
WPA Personal (PSK)
• Wireless access using pre-shared keys
WPA-Enterprise (802.1x)
• More secure access with individual user logins
Wireless
144
Wireless Security
Rogue AP Identification by 'On Wire Scan’
 Auto distinguish unknown AP’s (aka neighbors) from unknown AP’s that are
on the retail network (rogue)
 By correlating packets seen on the wireless side with packets seen on the
wired side.
 An event log is generated when a rogue AP is detected
Wireless
145
Wireless Security
Rogue AP Suppression
 By sending excessive reset signal to the rogue
AP, so client cannot be connected to Rogue
AP. If a client joins a rogue AP, send
deauthentication message to that client.
 Automatically Block the MAC address of that
Rogue AP in the Firewall Policy
 Feature is only available when there is at least
one radio dedicated to Rogue AP detection
Wireless
FWF-80C doesn’t support rogue suppression*
146
Deployment Features
Full Mesh
Wireless
147
Deployment Features Wireless
Local Bridge
 allows the AP to be centrally
managed without backhauling
the traffic to the wireless
controller
 bridge an SSID to local port at
the FortiGate using a
softswitch configuration
 Allows split tunnel to internet
148
Deployment Features Wireless
AP Load Balancing
 Used in high density
deployments, such as
conferences, to prevent all
clients connecting to the same
AP
 Two methods:
» Signal clients to connect to another
AP
» Signal clients to connect to another
frequency
149
Monitoring
Wireless Dashboard
 an easy visual for determining
the health of the network’s
wireless infrastructure
 Widgets:
» AP Status
» Client Count over Time
» Top Client Per-AP (2.4 Ghz)
» Top Client Per-AP (5 Ghz)
» Top Wireless Interference (2.4 Ghz)
» Top Wireless Interference (5 Ghz)
» Login Failures Information
Wireless
150
Monitoring
Spectrum Analysis
 Illustrates signal interference as
detected by a particular FortiAP
 Also point out Top APs and their
SSIDs that are interfering with a
particular FortiAP
Wireless
151
FortiAPs Family Wireless
3x3:3
Resiliency and
Versatility DualRadio
DualBand
2x2:2
Performance
SingleRadio
1x1:1
Value
Remote Outdoor Indoor
FAP-221/223C
FAP-222B
FAP-210B
FAP-320B
FAP-112D
FAP-112B
FAP-28C
FAP-14C
FAP-11C
FAP-320C
802.11ac
FAP-222C
FAP-25D
FAP-21D
FAP-224D
802.11ac
802.11ac
FAP-321C
802.11ac
FAP-221/223B
FAP-24D
152
FortiPlanner
Wireless Planning Tool
• For pre-sales step to determine how many FortiAPs the customer
needs to purchase
 Wireless site survey upgrade available (>50 APs, site survey)
Download from:
http://www.fortinet.com/wireless/
Wireless
Key Features:
 Import floor plans
 Structure drawing
 Manual or auto AP placing
 Placement Analysis
 Dynamic- Heatmap
 Generate Site and inventory
reports
153
FortiPlanner Wireless
Dynamic Heatmap
 Real-time polling of
FortiGate Wireless
Controller
 Display current number
of clients, channel, TX
power
 Helps to spot Coverage
holes and failed AP
154
Overview Traffic Shaping & QoS
Bandwidth Control
 Options: Shared policy shaping, per-IP
shaping & application Control shaping
 Max. & Guaranteed Bandwidth
 Max. Concurrent Connections per IP
QoS
 Traffic prioritization
 Type of Service (TOS), Class of Service
(COS) & Differentiated Services
(DiffServ) Support
 Protects critical traffic from being
overwhelmed by other traffic
 Manages bandwidth usage by
traffic type and applications
 Prioritizes time sensitive traffic
such as VoIP & streaming videos
Per IP and shared Traffic Shapers
155
Traffic Shaper
Shared Traffic Shaper
 bandwidth management by
security policies
» Per policy
» all policies
 Maximum and guaranteed
bandwidth
 Traffic priority
 Assign DSCP value for other
device use
 Also used by Application
Control
Guaranteed Bandwidth
Maximum Bandwidth
Traffic priority
DSCP value
Traffic Shaping & QoS
156
Traffic Shaper
Per-IP Traffic Shaper
 Enables admin to limit the
behavior of every member of a
policy to prevent one user from
using all the available
bandwidth
 Maximum bandwidth &
Concurrent Connections
 Assign Forward and reverse
DSCP value for other device
use
Traffic Shaping & QoS
Guaranteed Bandwidth
Maximum Concurrent Sessions
157
Overview Server Load Balancing
Load Balancing
 Methods: static, round-robin, etc
 Persistence: Cookie, SSL session ID,
host
 Probes & Health Checks: TCP, HTTP,
ICMP PING
 SSL Offloading
 HTTP Multiplexing
 Integrated server load balancing
features with security applied
 Maintains secured and high
availability to application delivery
Load balance cluster status viewer
158
Overview
 FortiGate intercepts the incoming traffic and shares it across the
available servers
» Clients connect to the published Virtual Server
» Load balancer distributes traffic to cluster of Real Servers with desired Load
balancing & Persistence methods
» Health Checks are performed to monitor the availability of real servers.
Virtual Server
Real Server
Extensions SSL Offload Network Security
( Firewall, AV, IPS, DLP)
Load Balancing Methods
Service Type
(HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, IP)
Monitors
(TCP, HTTP, ICMP PING)
Persistence
(cookie, SSL Session ID)
Server Load Balancing
159
LB Methods Server Load Balancing
Method | Description
Source IP Hash | Statically spread evenly across all real servers.
Round Robin | Directs new requests to the next real server, and treats all real servers as equals
Weighted | Servers with a higher weight value receive a larger percentage of connections.
First Alive | Always directs sessions to the first alive real server, not distributed
Least RTT | Directs sessions to the real server with the least round trip time, determined by a Ping health check monitor
Least Session | Directs requests to the real server that has the least number of current connections.
HTTP Host | Uses the host’s HTTP header to guide the connection to the correct real server
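Five of the methods in the LB Methods table, implemented in Python as an added example (not FortiOS code and not part of the original slides). Class names, method strings and server names are hypothetical; Least RTT and HTTP Host are left out because they need a ping monitor and HTTP parsing, and the weighted method is modelled as a simple weight-expanded rotation.

```python
"""Server selection for a virtual server, skipping real servers marked down."""
import hashlib


class RealServer:
    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.alive = True    # would be set by a health check monitor
        self.sessions = 0    # current connections


class VirtualServer:
    METHODS = ("source-ip-hash", "round-robin", "weighted",
               "first-alive", "least-session")

    def __init__(self, servers, method):
        if method not in self.METHODS:
            raise ValueError("unsupported method: %s" % method)
        self.servers = list(servers)
        self.method = method
        self._turn = 0  # rotation counter for round-robin and weighted

    def pick(self, client_ip):
        """Return the name of the real server for a new session, or None."""
        alive = [s for s in self.servers if s.alive]
        if not alive:
            return None  # every health check failed
        if self.method == "source-ip-hash":
            # Same client address always maps to the same alive server.
            digest = hashlib.sha256(client_ip.encode("ascii")).digest()
            chosen = alive[int.from_bytes(digest[:4], "big") % len(alive)]
        elif self.method == "round-robin":
            chosen = alive[self._turn % len(alive)]
            self._turn += 1
        elif self.method == "weighted":
            # A server with weight 3 appears three times in the rotation.
            wheel = [s for s in alive for _ in range(s.weight)]
            chosen = wheel[self._turn % len(wheel)]
            self._turn += 1
        elif self.method == "first-alive":
            chosen = alive[0]
        else:  # least-session
            chosen = min(alive, key=lambda s: s.sessions)
        chosen.sessions += 1
        return chosen.name

    def release(self, name):
        """Record that one session on the named server has ended."""
        for server in self.servers:
            if server.name == name and server.sessions > 0:
                server.sessions -= 1


def make_pool():
    # Constructed sample pool of three equal real servers.
    return [RealServer("web1"), RealServer("web2"), RealServer("web3")]


if __name__ == "__main__":
    for method in VirtualServer.METHODS:
        vs = VirtualServer(make_pool(), method)
        print(method, [vs.pick("203.0.113.9") for _ in range(4)])
```

With source IP hashing the mapping is only stable while the set of alive servers is unchanged; a failed health check shifts clients to other servers.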
160
Overview SSL Offloading & Inspection
SSL Offloading
 SSL Offloading for WANOPT & reverse
web caching
 SSL Offloading for SLB
SSL Inspection
 Facilitate UTM on SSL encrypted
applications
 “SSL Cert Inspection” and “Full SSL
Inspection” modes
 Intercept and proxy SSL
encrypted Traffic for UTM for
more security
 SSL offloading from web servers
to economical secure web
access offering
SSL Inspection Option
161
Overview
SSL Inspection Exemptions
 Allows admin to build exclusion list using
» Web Categories with defaults
» (Destination) Address Object - FQDN or IP addresses
 Applicable to both “SSL Cert Inspection” and “Full SSL Inspection”
modes
SSL Offloading & Inspection
162
Overview WAN Optimization
WAN Optimization
 Protocol Optimization & byte Caching
 FortiClient Support
Web Caching
 Forward & reverse proxy
Explicit Proxy
 Proxy chaining
 PAC file distribution
 Integrated WANOPT network
services with security
capabilities
 Improve user experience and
bandwidth efficiency
 Resolves complexities,
management and cost of
involving additional WANOPT
devices
WANOPT Monitors
163
WANOPT Tunneling
 Supports various network topologies such as inline and out-of-path
design
 Supports multi-peers including FortiClient
 Can be used in both transparent or NAT/Route Mode, virtualized per
VDOM
WAN
WAN Optimization
Peers
Authentication group
164
Web Caching
 Reducing bandwidth usage with fewer
request and response across WAN
 Reducing server load as it has to serve
fewer requests
 Reducing perceived latency since data is
obtained from the local unit
Forward
Proxy
INTERNET
Reverse
Proxy
WAN Optimization
165
Explicit Proxy
 Proxy HTTP/HTTPS & FTP Session
from web browsers
 Distribute proxy auto-config (PAC)
 Supports SOCKS sessions from
browsers (CLI Command)
 Virtualized per VDOM
 Proxy Chaining with forward server
load balancing support
 User authentication
 Transparent Explicit Proxy option
using IP reflect
Allows users’ web traffic to be explicitly proxied via FortiGate,
providing secured, restrictive Internet access policies.
WAN Optimization
Features:
166
Overview Virtual Systems
Virtual Domains
 Global and per-VDOM settings
 VDOM administrator
 Resource allocation
 VDOM Licensing
 VDOM Logging
FortiGate Virtual Appliance
 FortiOS in Virtual Environment
 Provides multiple logical entities
in a single physical unit
 Out-of-the box Multi-tenant &
department solution
 Saving in physical Space &
Power
VDOM Configuration
167
Virtual Domains
Global System
VDOM_1
Virtual Systems
VDOM_2 VDOM_N…
Management
HA FortiGuard Global
System
168
VDOM Admin
 Virtual domains can be managed
using either one common
administrator or multiple separate
administrators for each VDOM
 Administrators assigned the
super_admin profile can manage all
VDOMs on the FortiGate device
» Can also create other administrator
accounts and assign them to VDOMs
Virtual Systems
169
MGMT VDOM
 Management traffic leaves through
management VDOM
 Management VDOM Should have access to
Internet or FMGR
 Default management VDOM is root
Virtual Systems
DNS, NTP
External
Logging
FortiGuard
Alert
Emails
SNMP
traps
Quarantine
root
Management
170
Resource Allocation
Managing Resources
 Customize the resources allocated
to each VDOM to ensure the proper
level of service is maintained on
each VDOM
 Global Resources Viewer allows
admin to view available resources as
total
Virtual Systems
171
Resource Allocation
Per Vdom System Resources
 Display system stats for each VDOM
» CPU usage, memory usage, concurrent sessions & new session per sec
 Meant as good guidance, not completely accurate
 No CPU/Memory limiting capabilities
Virtual Systems
172
VDOM Links
Linking VDOMs
 Using two virtual interfaces, each on a different VDOM, and they are linked
together to connect those two VDOMs without using additional physical interfaces
 Inter-VDOM links can be created with both VDOMs in different operating
modes (but not when both are in transparent mode)
Virtual Systems
VDOM_1 VDOM_EXT VDOM_2
173
Virtual Appliance Virtual Systems
 Supports a variety of hypervisors for private and public cloud
infrastructure
 Consistent management platform and GUI, similar to physical
FortiGate
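Virtual Appliance support (FortiGate-VM):
Vendor | Hypervisor | FortiGate-VM
VMware | vSphere v4.0/4.1 | ✔
VMware | vSphere v5.0 | ✔
VMware | vSphere v5.1 | ✔
VMware | vSphere v5.5 | ✔
Citrix | Xen Server v5.6 SP2 | ✔
Citrix | Xen Server v6.0 | ✔
Open Source | Xen | ✔
Open Source | KVM | ✔
Amazon | AWS | ✔
Microsoft | Hyper-V 2008 R2 | ✔
Microsoft | Hyper-V 2012 | ✔*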
174
Overview High Availability
FortiGate Clustering Protocol
 Active-Passive, Active-Active, Virtual
Clusters
 Redundant heartbeat interfaces
 HA Reserved Management Interface
Deployment options
 HA with Link Aggregation
 Full mesh HA
 Geographically dispersed HA
 TCP Session Sync
 VRRP
 FG5000 Chassis based clustering
HA Configuration
Failover
 Manual, Session, link & remote link
failover
 Subsecond Failover
175
HA Technologies High Availability
FortiGate
Clustering
Protocol (FGCP)
• Enhanced reliability
via device failover,
link failover and
remote link failover
• Increased
performance via
active-active HA load
balancing
• uses a virtual
MAC/single IP
address per network
segment
FortiGate Session
Life Support
Protocol (FGSP)
• For supporting
asymmetric traffic and
support scenarios with
load-balancers and
routers distributing
sessions across
multiple appliances
• does not have a
heartbeat mechanism
to detect unit failure,
each FG operates by
itself with config and
session sync
Virtual Router
Redundancy
Protocol (VRRP)
• RFC standard based,
allow 3rd party device
integration
• Resource intensive,
performance and
latency impact
176
Synchronization
 Information synchronized by
default
» Configuration
» Routing tables
» IPsec VPN SA
» DHCP server address lease
database
 Session failover (aka session
pickup) not enabled by default
 Session failover synchronizes
» TCP (IPv4/v6)
» UDP, ICMP
» SIP
» IPsec VPN sessions
 Information not synchronized
» UTM sessions
» Explicit Web Proxy
» ARP table
» Multicast
» SSL VPN sessions
FGCP High Availability
177
Virtual Clusters
 Similar concept to loadsharing
 Can operate in A-A or A-P mode
 Available when VDOMs are
enabled
 2 Virtual clusters can be created
with as many VDOMs available
assigned to them
 Inter-VDOM links must be entirely
within one virtual cluster.
FORTIGATE-01 FORTIGATE-02
VDOM 2 VDOM 2
VDOM 3 VDOM 3
VDOM 1 VDOM 1
V.Cluster1 V.Cluster2
High Availability
178
Failover
Device & Link Failover
 Failover can be triggered when the
master/primary unit fails or the links connecting it fail
Remote Link Failover
 Uses ping servers on the primary unit to test
connectivity with IP addresses of network
devices that are not directly connected
 May be multiple interfaces and/or multiple IPs
on a monitor interface
Subsecond Failover
 Normally achievable for a cluster of two units
operating in Transparent mode with only two
interfaces connected to the network
High Availability
179
Event Monitoring
• Quick visual on current HA status, resource usage and threat situation
• HA Logs details related activities, state and status changes
High Availability
180
Overview Log & Report
Logging
 Traffic, UTM & Event Logging
 MAC address logs
 External Syslogging
 Multiple device logging
 Alert Email
 Meeting Compliance
requirements
 Analysis tools
 Notifies key events
Report Customization Panel
Reporting
 In-box or external Reporting
 Report Customization
 FortiManager/FortiAnalyzer Integration
181
Log Structure Log & Report
Forward Traffic
Local Traffic
Sniffer Traffic
System
Router
VPN
User
WiFi
Antivirus
Web Filter
Application Control
Intrusion Protection
Email Filter
DLP
SYSTEM
TRAFFIC SECURITY
Detailed Logging
 Strong admin audit trails
 Unique log association between traffic and security logs
 Threat weight scoring on security logs
Endpoint
HA
182
Log Viewer Log & Report
Log detail Viewer
Pictograms
Log Filter
Tabs to associated
Security Logs
183
Default Reports
On-box Reporting
 Local storage required
 Scheduled or On-demand
 Email delivery option
 PDF output
Log & Report
UTM Security Analysis Report
 Bandwidth & Applications
 Web Usage
 Emails
 Threats
 VPN Usage
 Admin & System events
184
GUI level
 Report Layout & design
 Chart selection
CLI level
 Create dataset and chart with SQL
query
Customization Log & Report
185
Overview IPv6
IPv6 Networking & Routing
 IPv6 Coexistence Support
 VDOM and administration Support
 Hardware acceleration
 Dynamic & static routing
 Bandwidth Management
 DHCP and DNS
IPv6 UTM
 Supports major UTM functionalities
 Adopts IPv6 ready network
quickly & easily
 Comprehensive protection on
IPv6 traffic
USGv6 CORE
IPv6 Traffic Logs
186
IPv6 Feature Matrix
IPS interface policies for
IPv6
IPv6 static routes
IPv6 firewall addresses &
groups
IPv6 firewall policies
IPSEC VPN with IPv6
addressing
IPv6 over IPv4 tunneling
IPv6 DNS
IPv6 Transparent mode
IPv6 administrative access
IPv6 dynamic routing
using RIPng, BGP, or
OSPF protocols
UTM features support
IPv6 traffic - AV scanning,
URL filtering using
FortiGuard rating
SSL VPN Web Mode IPv6
IPv6 Session Display
IPv6 Firewall Auth
DHCP6
IPv6 firewall acceleration
IPv6 support for SNMP
IPv6 support for DLP
sensor, VoIP and ICAP
UTM feature
IPv6 NAT (NAT46,
NAT64, NAT66, DNS64)
IPv6 + IPS Forwarding
Policy
HA Session Pickup for
IPv6
IPv6 Per-IP Traffic Shaper
IPv6 Policy Routing
IPv6 Explicit Proxy
IPv6 MIBs
Ipv6 DOS
V4.0
V4.1
V4.3 V5.0
IPv6
187
FortiSMS
International one-way SMS messaging service
 Covers 962 networks in 224 countries
 Based on global leading & proven mobile messaging infrastructure (powered by Clickatell)
Usage
 Option for FortiToken Mobile activation code delivery
 Option for Guest User credentials
 SMS-based 2FA
 Also works with FortiAuthenticator
SMS messages top-up
 Certificate License for 100 SMSes.
 Easy to add by scratching off to reveal activation code (like prepaid cards)
 Dashboard widget: amount indicator
FortiGuard Services
188
Contact our Sales Office
Certified experts in FortiMail and email security
Certified experts in FortiWeb and web application firewall protection
Certified experts in FortiAP, FortiWiFi and wireless security
Sales Office
Tel. +39 049 8843198 DIGIT (5)
ufficio.commerciale@lanewan.it
www.lanewan.it
Over these years of partnership with the parent company, Lan & Wan Solutions has obtained all the specializations provided for in the various certification tracks, achieving the status of Partner Of Excellence.

Inside forti os-v524-r5

  • 1. © Copyright Fortinet Inc. All rights reserved. Inside FortiOS Versione 5.2.4 – Mar 2015 Lan & Wan Solutions – Soluzioni Informatiche per Reti Locali e Geografiche
  • 2. 2 C O N T E N T  System Administration  Routing & Network Services  User Identity  Device Identity  End Point Control  Firewall  VPN  IPS  Application Control  Antivirus  Email Filter  Web Filter  DLP  Vulnerability Scanning  Wireless Controller  Traffic Shaping & QoS  Server Load balancing  SSL Offloading and Inspection  WAN Optimization  Virtual Systems  High Availability  Log & Report  IPv6  Others
  • 3. 3 FortiOS 5.2 Feature Set ATP OSS Support AAA Central Mgmt. Integrations Configuration Visibility Log & Report Diagnostics Management Anti-Malware IPS Application Control Web Filtering Email Filtering Firewall VPN DLP User & Device Identity SSL inspection Security Functions Wireless Controller Switch Controller Endpoint Manager Token Server Vulnerability Scanner Extensions :::::::::: Virtual Domains :::::::::: Virtual Systems Routing NAT/CGN WAN Link / Server LB Wan Optimization Network Functions L2/Switching IPv6 QoS High Availability NAT/Route Transparent Sniffer Operating Modes LAN WiFi WAN Network Interface Physical Appliance (+ASICS) Hypervisor Cloud Platform * Features may varied by models
  • 5. 5 Overview System Administration  CLI Access – Console, Telnet & SSH  GUI Access – Via Web Browsers  Dashboard, Viewers & Widgets Central Management  FortiManager & FortiAnalyzer  FortiCloud  Web Service APIs  NMS Integration – SNMP, sFlow/NetFlow, Syslog  Solution Partners - Tufin, Arcsight, etc  Rapid Deployment - USB Auto-Install & Scripts Quick Setup  Setup Wizards (1RU Models & below)  FortiExplorer (Desktop & Mobile Client)  Simplifies Device Management  Supports Enterprise Management Systems & Architecture FortiExplorer Diagnostic Tools  Packet Capture
  • 6. 6 Dashboard & Widgets  Quick look into system, threat and network status  Customizable  Built-in CLI access System Administration Dashboard with Widgets
  • 7. 7 Powerful on-demand query tool that provides contextual results with drill down capabilities Assists in network troubleshooting Provides insights to optimizing networks & productivity Why a particular group of users is having trouble using the cloud based ERP system? Acquires proactive security knowledge Supports proactive security management Is there an abnormality that needs further investigation? Identifies network and threat status Resolves threats and networking problems quickly Is my users abusing the network and how so? FortiViewer System Administration
  • 8. 8 FortiView System Administration Sort rows to display Top sessions Setup query using Easy-to-use auto-complete filters Examine real-time or historical data Select row for drill down
  • 9. 9 FortiView System Administration Summary of selected item Selection of scope Select row for drill down Drill down panels  Presents associated details based on different scopes  Further drill down to filtered Session Viewer
  • 10. 10 FortiView Session viewer (Real Time)  Excellent Troubleshooting tool System Administration NAT’ed IP and Port Applications and their usage Device & User Info Concurrent Session & New session per sec Geo IP Info FortiGuard Encyclopedia Integration
  • 11. 11 FortiView Session viewer (Historical)  Presents timeline filtered session list with details using log entries System Administration Complete detail of selected session Setup filter by clicking on cell Mouse over device details Move and configure field columns
  • 12. 12 FortiView Threat Weight  Unique: Normalized threat level value x hit counts  Scores can be sorted to reveal most critical items to investigate  More meaningful than other singular measurements System Administration
  • 13. 13 Features With Local Storage Without Local Storage Now 5 min 1 hr 24 hr * Now 5 min 1 hr 24 hr Viewer – Sources ✔ ✔ ✔ ✔ ✔ Viewer – Applications ✔ ✔ ✔ ✔ ✔ Viewer – Cloud Application ✔ ✔ ✔ ✔ ✔ Viewer – Destinations ✔ ✔ ✔ ✔ ✔ Viewer – Websites ✔ ✔ ✔ ✔ Viewer – Threats ✔ ✔ ✔ Viewer – All Sessions ✔ ✔ ✔ ✔ ✔ Viewer – System Events ✔ ✔ ✔ Viewer – Admin Logins ✔ ✔ ✔ Viewer – VPN ✔ ✔ ✔ Viewer – FortiSandbox ✔ ✔ ✔ Sniffer Mode Support (All Viewers) ✔ ✔ ✔ * Not available for desktop models with SSD FortiView System Administration
  • 14. 14 Monitors Real time status indicators  In-box  Over 20+ types  Serves as administrative & diagnostic tools  Also available on CLI and web service API (JSON) System Administration SYSTEMS DHCP Monitor Link Monitor ROUTER Routing Monitor FIREWALL Policy Monitor Load Balancing Monitor Traffic Shaping Monitor UTM AV Monitor Intrusion Monitor Web Monitor Email Monitor Archive & Data Leak Monitor Application Monitor FortiGuard Quota VPN IPSEC Monitor SSL-VPN Monitor USER & DEVICE Firewall Monitor Banned User Monitor FortiClient Monitor WIFI CONTROLLER Client Monitor Rogue-AP Monitor Wireless Health Monitor LOG&REPORT Logging Monitor
  • 15. 15 Network Management SNMP Support  SNMP v1, v2c & 3  Traps  MIBs  Fortinet proprietary MIBs  standard RFC 1213 & 2665 MIBs System Administration
  • 16. 16 Network Management sFlow/NetFlow  monitoring the traffic on the network to identify areas on the network that may impact performance and throughput  Agent is embedded in the FortiGate unit, sends the sampled traffic to an external 3rd party Collector/Analyzer.  Available on CLI only System Administration 3rd Party sFlow Analyzer - sFlow Trend
  • 17. 17 Quick Setup Feature Select  Configure GUI elements according to desired deployment needs using presets  Allow further customizations by toggling the feature buttons System Administration
  • 18. 18 Features/Presets NGFW ATP WF NGFW+ ATP UTM Full UTM Security* Advanced Threat Protection ✔ ✔ ✔ ✔ NGFW (IPS) ✔ ✔ ✔ NGFW (App Control) ✔ ✔ ✔ ✔ Web Filter ✔ ✔ ✔ ✔ ✔ Email Filter ✔ DLP ✔ Explicit Proxy ✔ ✔ Endpoint Control ✔ ✔ ✔ ✔ Basic VPN, IPv6, WiFi Controller, Wanopt , etc Defaults settings depends on FGT models Minor ICAP, VoiP, DNS DB, Multicast policy, etc * Default settings Quick Setup System Administration
  • 19. 19 Quick Setup FortiExplorer  Software Application for Windows, Mac OS and iOS  Uses USB connection  Quick Setup Wizard, Direct GUI & CLI access without network setup System Administration
  • 20. 20 FortiCloud Hosted security management and log retention service  Default reporting option for Desktop Models  Central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices  Configuration backup  Scripting  Remote Firmware upgrade  Access to hosted Sandbox results System Administration
  • 21. 21 Diagnostic Tools Sniffer packet capture on GUI  Similar to CLI Sniffer setup » Supports Filters » IPv6 & Non-IP Packets  Output as pcap file download  Local Storage required System Administration
  • 22. 22 User Notification System Administration Replacement Messages  Supported on Proxy and some flow based UTM  Customizable, can be assigned per VDOMs
  • 23. 23 User Notification Fortinet Top Bar  Notify users in real-time » Blocked Applications » Denied Traffic » Quotas Status » FortiClient Alerts  Supported for IE, Firefox, Chrome, Safari  Appears on HTTP websites as embedded frame in the web browser System Administration
  • 24. 24 Overview Routing & Network Services Routing  Link Redundancy and load balancing  Policy Routing  Dynamic Routing Protocol Support: RIP, BGP, OSPF, IS-IS  Multicast Routing Interface Features  VLANs, 802.3ad port aggregation, STP, port span, redundant interface, loopback, software switch, Security mode  Sniff/One-arm Mode WAN Link  USB modem  FortiExtender  Link Load Balancing  Robust L3 and L2 capabilities to facilitated vast variety of network design and setup requirements Route Monitor Network Services  Free FortiGuard NTP, DDNS & DNS service  Content Routing – WCCP and ICAP Support  DHCP & DNS Server  LLDP
  • 25. 25 Interfaces Interface Configurations  Support *various interface types: » Physical: Ethernet and wireless » Virtual: VLANs, WiFi SSID, VDOM link » Group: Port aggregation group, redundant Interface, H/W & S/W Switches, Virtual WAN Link, zone Routing & Network Services Color coded access methods DHCP server info Graphic presentation of interfaces A variety of Interface types * May not be available to all models Interface members
  • 26. 26 Interfaces Interface/Switch Modes Routing & Network Services * May not be available to all models The main difference is that for ”virtual hardware switch", it uses the underlying switch chip/driver to handle all of the switching directly, whereas virtual “software switch” needs to do that in the kernel (ie, higher in the stack, more CPU/memory intensive, etc). There are feature disparities which will be documented later. Switch ports are individual physical interfaces Switch ports can be created by grouping interfaces with “Virtual Hardware/Software Switch”
  • 27. 27 Interfaces Routing & Network Services * May not be available to all models Virtual VLAN Switch  Emulation of a VLAN switch  Assigns ports to VLANs and dedicated VLANs trucks  Allow users to extend number of available switch ports (with VLANs) by VLAN truck stacking Interface Mode External Switch
  • 28. 28 Interfaces Routing & Network Services * May not be available to all models Switch Controller  Similar to Wireless Controller Concept » uses Fortlink Protocol – modified CAPWAP » With selected FortiSwitches only  Administrators can create VLANs on the Switch(es) » VLANs across switches can be managed and configured like a FortiGate interface Virtual Switch VLANs FortiLink Connectivity
  • 29. 29 Switch Controller Routing & Network Services * May not be available to all models Switch Controller Support FortiGate FG/FWF-60D/-POE ✔ FG/FWF-90D/-POE ✔ FG-100D Series ✔ FG-200D Series ✔ FG-600C/800C/1000C CLI enabled FortiSwitch FSW-28C ✔ FSW-108D ✔ FSW-124D/-POE ✔ FSW-324B ✔ FSW-348B ✔ FSW-448B ✔ FSW-224D ✔
  • 30. 30 Port Spanning  Also called ‘Port Mirroring’ » Supported by 100D & 200D platforms » Ingress &/or Egress traffic from a single port in a switch group can be copied to another port (in the same group) Routing & Network Services
  • 31. 31 Link Load Balancing Virtual WAN interface  Interface group » member interfaces do not appear in the policy table » Single interface to select in Policy  Defines link selections Routing & Network Services Virtual WAN Interface
  • 32. 32 Link Load Balancing Routing & Network Services Link Load Balancing Methods  Only one is selectable  Assign Interface members to Interface Group  Per Interface Configurations » Probe Server settings (for link failure detection) » Selection Definition – e.g. Weight, Ratio etc  Methods » Source IP Based (Hashed): gateway selection based on source IP address » Weighted Round Robin: gateway selection based on session ratio assigned » Spill-over: gateway selection based on threshold bandwidth assigned » Source-Destination IP Based: gateway selection based on source and destination IP address » Measured-Volume Based: gateway selection based on traffic volume ratio assigned
  • 33. 33 Link Load Balancing Routing & Network Services Traffic Route Overrides  Admin can assign specific routing within the interface group based on one or a combination of criteria » Link Quality: uses TWAMP to determine each link’s quality (latency, jitter); selects the route to the highest or lowest quality link » Service Definition: route based on defined protocol type and its service port » Type of Service (TOS): route based on TOS settings
  • 34. 34 Policy Based Routing Features:  Policy routes are applied before destination routes  Can be used to create multiple routes to the Internet » Static load-sharing  Routing decision can be made from: » Source & Destination addresses » Protocol, service type, or port range » Incoming interface » ToS Routing & Network Services HTTP Other Traffic
  • 35. 35 WCCP Server WCCP Client WCCP Features:  Supports WCCPv1, WCCPv2  L2 and GRE Mode  May operate either as Server or Client (per VDOM)  Uses Port 2048  Option for Authentication, GRE Encapsulation  CLI Commands Routing & Network Services
  • 36. 36 ICAP  Allows users to configure a list of ICAP servers that the FortiGate may utilize for various purposes  Useful for legacy firewall Migration Features:  Streaming content bypass ICAP Server Routing & Network Services
  • 37. 37 Network Services DHCP Service  DHCP Relay and WINS support  DHCP server » Multiple IP-pools for each interface » Exclude ranges and IPs » DHCP IP Reservation » DHCP Options support » MAC address reservation & Access control  IPv6 DHCP  DHCP Monitoring Routing & Network Services
  • 38. 38 Network Services DNS Service  Integrated Basic DNS Server » Per-Vdom support » in transparent and NAT/Route mode  Recursive DNS (split DNS)  IPv6 DNS  Dynamic DNS support Routing & Network Services
  • 39. 39 Network Services DDNS Service  FortiGuard DDNS Server » Provided with valid FortiCare contracts » Ease of setup » Suitable for VPN deployment and remote administration. Routing & Network Services
  • 40. 40 Network Services FortiGuard NTP Service » Provided with valid FortiCare contracts » Alternatively, admin can choose 3rd party Servers NTP Server » Provides NTP services to connected devices Routing & Network Services
  • 41. 41 Operation Modes NAT/Route: • Implementing access controls between different network segments • Static, dynamic and policy based routing, WAN link redundancy & load balancing Transparent/Bridge: • Implementing access controls on a network segment transparently • Behaves like a switch • L2 switching protocols support Sniffer: • Monitoring network activities offline • Behaves like a Sniffer Hybrid: Organization can implement various modes within a single FGT using VDOMs
  • 42. 42 Sniffer Mode One-arm Sniffer  Offline Monitoring with Flow based UTM  Works with Windows AD FSSO Routing & Network Services
  • 43. 43 3G/4G Interface Routing & Network Services FortiExtender 3G/4G(LTE) Ethernet FortiExtender  As primary connection in “remote/lights-out” devices like ATM and point of sale devices.  As fail-over connection for network equipment that supports redundant WANs.  As remote antenna, which allows you to get the best 3G/4G signal available by placing it in the best location for receiving the signal. Extension device that works with FortiGate to provide 3G/4G Wireless WAN connection
  • 44. 44 3G/4G Interface FortiExtender Setup  Discovery – Auto or manual (for routed networks)  Similar to adding a FortiAP  Device Authorization  Comprehensive Modem settings on GUI Monitoring  Signal and usage status monitoring widget  Diagnostic tools » Ping, AT command Routing & Network Services
  • 45. 45 Overview User Identity Authentication Services  Local User Database  Remote Auth. services – LDAP, Radius & TACACS+ Single Sign-on  Windows AD, Novell eDirectory integration  SSO with POP3/POP3S, Access Auth. & FortiClient  Citrix & Terminal Server Agent  Dynamic Profile PKI and Certificates  X.509 certificates, SCEP support  Certificate signing request (CSR) creation  Auto-Renewal of Certificates before Expiry  OCSP Support  Secures access to internal networks with user identification User Monitor 2 Factor Authentication  External 2FA support  Integrated Token Server with Physical, SMS & Soft Tokens
  • 46. 46 Auth. Services FortiGate supports User Authentication for:  User Identity based Firewall Policies  Client VPN (IPSEC, SSL)  Network Access  Administration Console (CLI, GUI) User Identity SSL VPN FortiGate Administration IPSEC VPN Network Access Identity-based Policies * On limited Models
  • 47. 47 Integrated 2FA Extended Authentication Support  Integrated solution using the FortiToken, Email or SMS side-channels  Further extension using FortiAuthenticator FortiToken Email SMS* User Identity * Requires FortiGuard SMS service
  • 48. 48 Integrated 2FA User Identity  Eliminates requirement for additional physical device  Low cost of deployment – low initial and operational costs  Simple licensing, pricing and provisioning  Operates with free mobile applications, available on iOS and Android platforms  Secure - Seeds are only on mobile device and FortiGate.  2 free units are available FortiToken Mobile is a software token solution for mobile devices, allowing users to generate secure one-time passwords directly on the device wherever strong authentication is required.
  • 49. 49 Integrated 2FA Soft Token Provisioning User Identity SMS/EMAIL • Admin assigns the token based on serial number • chooses type of delivery to users • Randomly generated activation code (Not visible to admin) is forwarded to users • Admin acquires license and adds revealed registration code on FortiGate • Upon successful verification, token serial numbers will be available for provisioning. • User installs the FortiToken mobile app and enters the code given to activate the soft token
  • 50. 50 User Definition Local User Creation  Wizard Based  Remote server user to local DB mapping User Identity
  • 51. 51 SSO User Identity Acquisitions  Using both active and passive acquisition methods  Reuse user login info for user Identity based policies User Identity External Radius Service Windows AD, NTLM Terminal Servers = M.Jones = = S.Lim = = V.Baker = = J.Jackson = Captive Portal Network Access FortiClient DMZ DMZ Novell eDirectory POP3/POP3s
  • 52. 52 SSO Active Acquisition :  System Wide – Per VDOM » WIN AD, NTLM, Radius, terminal server SSO Passive Acquisition :  Interface Based - physical or virtual Interfaces » User Input on Captive Portal or other prompts » Captive Portal exemption: per policy or interface User Identity
  • 53. 53 SSO Single Sign-On with Windows AD  Option to use built-in DC Polling  Supports Windows AD usergroup policies or individual AD user  Ability to allow access to an AD user only if he/she comes from defined workstation (via CLI) User Identity
  • 54. 54 Polling Mode SSO Collection Modes for AD  Domain Controller Agent » Agents are installed on DCs to monitor & push login information to FortiGate  Polling » No agent is required on DC » Uses FortiGate local polling agent » Option to run a collector Agent on a server which polls the DCs Domain Controller Agent Mode User Identity Comparison (Domain Controller Agent | Polling) » DC Requirement: Agent is needed | Agentless » Target Deployment: Large deployments; Remote DC | Small Deployment » DHCP Tracking: Yes | No » Support for MAC terminals: Limited | May enable WinSecLog » Implementation: Complex | Easy » Level of Confidence: Capture all logons | Potential to miss logons if polling period is too great
  • 55. 55 SSO Single Sign-On with NTLM  Is used when the MS Windows Active Directory (AD) domain controller cannot be contacted  Browser-based method of authentication  Option for guest or users with unsupported browsers to bypass NTLM on CLI 1. User attempts access to network and gets prompted by FortiGate for user credential 2. Credential information is provided by browser 3. FGT queries Windows AD User Identity
  • 56. 56 SSO Single Sign-On with Terminal Servers  Requires TS agent to be installed on terminal servers and FSSO Collector on the network  Supports Citrix and Windows Terminal Server. 1. User logs in to AD & opens terminal session 2. Credential information is passed to FGT using TS agent via FSSO Collector User Identity
  • 57. 57 SSO Single Sign-On with Radius (RSSO)  IPv6 Clients supported 1. Users get authenticated by Radius Server (e.g. access control) 2. Radius Accounting message with attribute-value pair that refers to the usergroup a user belongs to, along with IP address info (IP, usergroup_x), is forwarded to FortiGate 3. FortiGate uses listening agent and maps info to its own context table. When a session enters, it looks up the table to determine its action based on the identity based policies configured User Identity
  • 58. 58 SSO Single Sign-On with Network Access  Supports various network access modes: captive portal, wireless auth., 802.x  Via FortiAP (per SSID), FortiSwitch (per VLAN) & FortiGate interfaces 1. Users get authenticated for network entry 2. FGT communicates with Auth. Servers for verification 3. FGT becomes aware of user and may apply Identity based policies User Identity
  • 59. 59 On-Net Off-Net SSO SSO Mobility Agent  Caches credentials, so that information is passed to FortiGate seamlessly without user’s action  Eliminates the additional user identification prompt from FortiGate  Works on AD environment on both On-net & Off-net, also NTLM User Identity
  • 60. 60 Guest Access Temporary user Provisioning & Access  Allow non-IT staff to create Guest account via web portal » Specialized admin-id for guest access management  Assign Time quota, generate temp password,  Distribute guest credentials by printing, email or SMS  Batch guest users creation option User Identity
  • 61. 61 Contact Harvest Email Harvesting  Policy intercepting sessions until users provide an email address  Useful in some areas to harvest email and provide free WiFi access User Identity
  • 62. 62 Overview Device Identity Device Identification  Device & OS Fingerprinting  Device Classification & Management  Contextual Device Information Device Based Policies  Policies using Device/Device Group  Identify device type to add into contextual information for better visibility  Enforce policies based on device types or devices  Allow organization to embrace BYOD environment securely Device Group List
  • 63. 63 Overview Securing BYOD environment  Identifying device/device types to apply appropriate policy enforcements  Additional control beyond traditional Windows AD environment Device Identity Identity Policies Device Identification Access Control Security Application UTM Profiles Awareness Agentless Agent based
  • 64. 64 Identification Techniques  Agentless » TCP Fingerprinting » MAC address vendor codes » Network discovery protocols, DHCPv6 etc » Requires “direct” connectivity to FortiGate  Agent Based » Uses FortiClient » Location & Infrastructure Independent Device Identification Device Identity INTERNET DMZ FC FC Agentless with Agent
  • 65. 65 • Based on regularly updated device/OS signatures and MAC address vendor lists DB • Automatic detection & categorization into predefined device groups • Enabled per Device-based Policy • Force detect device by HTTP communication (HTTP User-Agent) • Email collection/Endpoint compliance portal • Agent captures system information and relays it to FortiGate, 100% Accurate • Allows device identification on remote networks TCP Fingerprinting, Network Discovery & MAC Address Vendor Code Captive Portal Endpoint Agent Device Identification Device Identity
  • 66. 66 Additional device information detection  Hostname: Internal DHCP server, traffic scan  Email address: Email collection Captive portal  Username: Authentication services or “device-user-identification enable” which extracts info via traffic scanning (enabled by default) Device Identification Device Identity
  • 67. 67 Device Detection  A webpage that should let the user send some traffic in order to detect the device type  No replacement message when successful, the user has to reload the webpage  If failed, a replacement message will be presented Email Collection  Collect an email address as a means of identifying the device user  When the email address has been verified, the device is added to the Collected Emails device group Endpoint Compliance  Acts as a quarantine for devices that are not protected by FortiClient  Provides links to obtain the FortiClient software Device Captive Portals Device Identity
  • 68. 68 Device Management Device Identity Device Group Management Manual add/edit Devices Status Connection Information User Information Device Definition Multiple MAC address merge
  • 69. 69 Device Management Device Identity Device Groups Device Group Drill-down Predefined group for auto categorization Manual defined Custom group
  • 70. 70 Visibility Device contextual Information available on widgets, logs & reports Device Identity
  • 71. 71 Overview End Point Control FortiClient  Multi-OS support  Support Posture Checking  Support remote user and device identification  “Off-net” and Mobile Security Policy Enforcement  VPN & Security Setting Provision  Custom Install and Rebranding  Endpoint Logging  Ensures that workstation computers (endpoints) meet security requirements  Distribute Client Security & VPN Settings  Logs Client activities FortiClient
  • 72. 72 FortiClient V5.2 End Point Control Feature support (Windows | Mac OSX | iOS | Android) » IPSec VPN: ✓ | ✓ | - | ✓ » SSL VPN: ✓ | ✓ | Web Mode Only | ✓ » 2FA: ✓ | ✓ | ✓ | ✓ » Anti-Virus: ✓ | ✓ | - | - » Web Filtering: ✓ | ✓ | ✓ | ✓ » WAN Optimization: ✓ | - | - | - Registered for Central Management » Config Provisioning: ✓ | ✓ | ✓ | ✓ » Logging (to FMGR/FAZ): ✓ | ✓ | - | - » Windows AD SSO Agent: ✓ | ✓ | - | - » Application Firewall: ✓ | ✓ | - | - » Vulnerability Scanning & Reporting: ✓ | ✓ | - | -
  • 73. 73 Posture Checking Enforcement Captive Portal  Checks that FortiClient is installed and running  Replacement page with download and installation instructions End Point Control
  • 74. 74 Mobile Security End Point Control INTERNET LAN OFF ON • FortiClient enrolls into the FortiGate and then receives its end point policy • FortiClient uses last known security policies & VPN Configurations Configuration Provisioning  Provides consistent end point security policies “on-net” and “off-net”  Reuse *Application Control & Web Filter Profiles 1 2 * Application control config for Windows and OS X only
  • 75. 75 Mobile Security End Point Control INTERNET LAN OFF ON • FortiGate informs FortiClient that it’s “on-net” using DHCP “cookies” • FortiClient doesn’t receive “on-net” information and activates “off-net” mode On/off-net Properties  FortiClient adopts separate “on-net” and “off-net” configurations depending on locations.  “On-net” options include turning off local security features and enabling client logging  “Off-net” options include turning on security features and enabling VPN automatically. 1 2 * Application control config for Windows and OS X only
  • 76. 76 Mobile Security Endpoint Profile  For distributing Endpoint Configurations  Reuse UTM Profiles » App Control » Web Filter  Provision Multiple VPN settings  Multiple Endpoints may be created and assigned to different Device Groups End Point Control
  • 77. 77 Mobile Security Endpoint Control Profiles Assignment  Multiple profiles can be assigned to Device Groups/User groups/Users 1. User logs on using Authentication Service (e.g. AD, radius etc) 2. FGT identifies device/user upon successful logon 3. Push corresponding EC profile to FortiClient End Point Control
  • 78. 78 Mobile Security End Point Control Advanced Endpoint Profile Setting 1. Set up and configure a sample client 2. Export the settings and then import into FortiGate 3. Distribute settings to other clients
  • 79. 79 Overview Firewall Policy Management  Section & Global View  IP, User & Device based Policies  Policy Objects, Object tagging & Coloring  Traffic counters NAT  Static NAT, Dynamic NAT Support  Central NAT Table Traffic Support  SCTP, GTP, ICMP  Session helpers & ALGs Hardware Acceleration*  High performance across all packet sizes  Ultra-low latency  Innovative features that allow accurate and effective policy setup Policy Table *applicable to supported models
  • 81. 81 Policy Table Firewall Configurable column settings Object Coloring Policy counters Smart object search Drag-and-drop policy rearrangement or moving objects Direct object/policy edit with right click
  • 82. 82 Identity based Policy User Identity based Security Policies  Assign access policy and profiles to each User Groups or Users Device Identity based Security Policies  Assign access policy and profiles to each Device Type or Device Group User Group #1 User #1 User #2 UTM Profile #1 UTM Profile #2 Service Port #1 Service Port #2 DST #1 DST #2 Firewall SRC #1 SRC #1 Device Group #1 Device Type #1 Device Type #2 UTM Profile #1 UTM Profile #2 Service Port #1 Service Port #2 DST #1 DST #2 SRC #1 SRC #1
  • 83. 83 Policy Management Policy  Controls traffic as it traverses the device » Interfaces, zones (group of interfaces), VLANs and SSIDs segments  Components » Firewall configuration » NAT settings, Traffic shaping settings » Security instructions, e.g. scan for viruses, detect attacks, etc » Logging Options Firewall
  • 84. 84 Policy Management Source Types  Merged policies (IP, User & Device)  “AND” Operations if more than one type of source is used AND AND Firewall
  • 85. 85 User Group #1 User #1 User #2 UTM Profile #1 UTM Profile #2 Service Port #1 Service Port #2 DST #1 DST #2 IP #1 IP #1 - Device Group #1 ✔ ✔ - -Service Port #2 DST #1 DST #2 IP #1 - ✗ User #1 User #2 -Service Port #2DST #3IP #3 Device Group #2 ✗ User #1 User #2 -Service Port #2DST #3IP #3 - ✔ Policies are matched top-down. The policy table may consist of different policy types. Policy Management Firewall
  • 86. 86 Policy Objects FortiGuard GeoIP DB  Distributed as FortiGuard Update, Requires Valid FortiCare Contract  Manual update required using CLI Command  GeoIP override is configurable  Supports IPv6 addresses Firewall
  • 87. 87 Policy Objects Intelligent Object Searching  Initially implemented on the Firewall Address list  Search by name, IP, wildcards, etc. Firewall
  • 88. 88 H/W Acceleration Firewall Legacy Security Gateway Appliances FortiGate with FortiASIC CPU offload Initial session setup Instruction download
  • 89. 89 Overview VPN IPSEC VPN  Standard Based Protocol Support  Policy and route based configurations  Hub-and-Spoke, mesh VPN architectures  Redundant tunnels  Split Tunneling  Remote VPN with FortiClient  VPN Wizard SSL VPN  Web and Tunnel Mode  Customizable Portal with bookmarks  Virtual Desktop & Host Check Other VPN Features  L2TP (Microsoft) & GRE  Hardware Acceleration*  No Additional Licenses required  Integrates with UTM functions protects Internal resources against remote traffic SSL VPN Portal *applicable to supported models
  • 90. 90 Wizard  Step-by-step Guided IPSEC configurations » Custom defined » Predefined Templates  Covers authentication & Network settings » No need to create separate phase1 objects for different user groups as authorization is handled by Firewall policy IPSEC VPN
  • 91. 91 Web Application Mode • Support via Java Applets • Limited application support: HTTP/HTTPS, FTP, SMB/CIFS, TELNET, SSH, VNC, RDP, Citrix • Ease of use Access Modes Tunnel Mode • Support via SSL VPN Client, requires download & install • Unlimited L3 application support SSL VPN Port Forward Mode • Support via Java Applets • Extends applications supported by web application mode • Does not need admin privilege to install and run
  • 92. 92 SSL VPN Portal Customized header, logo, themes and page layout Customized Widgets Tunnel Mode Widget SSL VPN Web Mode bookmarks Session Stats and status
  • 93. 93 SSL VPN Portal User group based portal access  Ability for MSP to create and set different portal access without using VDOMs » URL path (i.e. suffix to bind to), Max concurrent users, Custom login page  Custom login profile selection on per SSL VPN usergroup policy SSL VPN https://sslvpn/customerA/ https://sslvpn/customerB/
  • 94. 94 Virtual Desktop  CLI Command  Available for Windows terminals only SSL VPN Application Control: • Controls which applications users can run on their virtual desktop. • By creating a list of either allowed or blocked applications which you then select when you configure the virtual desktop. • Application definition is by MD5 signature Host Check: • Enforces the client’s use of antivirus or firewall software • Offers a predefined list which can be edited • Customized applications can be added with globally unique identifier (GUID) • Windows patch check (on CLI only) allows admin to define the minimum Windows version and patch level allowed » Supports Windows 2000, XP, Vista & 7 File Access: • Completely isolates the SSL VPN session from the client computer’s desktop environment • All data is encrypted, including • cached user credentials • browser history • cookies • temporary files and user files created during the session. • When the SSL VPN session ends normally, the files are deleted.
  • 95. 95 Single Sign-on  Available on Admin defined Web-Mode HTTP/HTTPS bookmarks  Allow user to log into the SSL VPN without having to enter any more credentials to visit preconfigured website  2 Modes: » Automatic - Use user’s SSL VPN credentials for login » Static - Fill in the login credentials as defined by specified field name SSL VPN
  • 96. 96 Overview IPS IPS Signatures  Over 7,000+ Signatures  Integrated FortiGuard IPS encyclopedia  Zero-day Threat Protection & Research  Custom Signatures  Rate based Signatures  Signature Filtering  User Quarantine, Packet Logging DOS Protection  Rate based - set thresholds for various types of network operations Deployment Options  Sniffer Mode  Bypass Interface & FortiBridge  Low latency, superior coverage and cost/performance integrated IPS 2012 NSS Security Value Map
  • 97. 97 IPS Sensor Regular IPS Signatures  Protect against » Known Vulnerability & Zero day exploits » Protocol abnormalities  Details Pop-Up linked to FortiGuard IPS encyclopedia  Filtered by IPS Severity OS Protocol Applications Target (Client/Server)
  • 98. 98 Rate Based Signatures  Brute force protection by blocking subsequent requests when threshold (incident per defined sec.) is reached » Definable block duration » Various tracking methods IPS Sensor IPS
  • 99. 99 FortiGuard Service Outstanding Detection Rate  100% resistance to evasions, 97.9% Detection rate (NSS Test 2011) Vigorous Benchmark Testing  Tested on over 4 different tools Weekly  Determine & Improve effectiveness of a security device to detect network vulnerabilities IPS
  • 100. 100 FortiGuard Service FortiGuard Center  FortiGuard Encyclopedia – detailed description of known threats  IPS Updates log (RSS Feed)  Vulnerability Advisories  Threat Monitor – Top attacks by geographic breakdowns Zero-Day Research • Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s) IPS
  • 101. 101 Performance IPS Chart: NSS IPS Latency (July 2012), latency in μs, comparing Check Point 12600, Stonesoft 1302, Juniper IDP 8000, Sourcefire 3D8120, Sourcefire 3D8260, Sourcefire 3D8250, SonicWALL SuperMassive, IBM GX7800, PA 5020, HP/TippingPoint 6100N, McAfee M-8000 and FortiGate 3240C. FortiGate 3240C also beats all IPS competition with Lowest Latency
  • 102. 102 Packet Logging Forensic Tool  Packet capture triggered by IPS signatures  Can be saved as pcap file for forensic studies  Can be logged to disk, FortiAnalyzer or FortiCloud IPS
  • 103. 103 User Quarantine  Intelligently blocks attackers from launching further attacks » Most attacks are conducted via several steps. E.g. port scan, followed by more targeted hacking activities  Frees up IPS resources since traffic is now stopped by firewall.  Remove from banned list manually or by set expiry time User Quarantine Attackers IP Address Antivirus IPS DLP Duration Endpoint Control IPS
  • 104. 104 Advanced Features IPS NGIPS  Contextual Awareness » Correlate with related information such as users & applications  Automation » Automated impact assessment for quick policy tuning with FortiView » Network behavior analysis using Threat Score
  • 105. 105 DOS Sensors DOS Protection  Detects and mitigates traffic that is part of a DoS attack  Applied as DOS Policies prior to Firewall Policies  Rate based: set thresholds for various types of network operations  Sensor list can be updated only when the firmware image is upgraded on the unit. Sensors (TCP | UDP | ICMP) » Packet Rate to a Destination IP: TCP_SYN_FLOOD | UDP_FLOOD | ICMP_FLOOD » Packet Rate from a Source IP: TCP_PORT_SCAN | UDP_SCAN | ICMP_SWEEP » # of Concurrent Sessions to a Destination IP: TCP_DST_SESS | UDP_DST_SESS | ICMP_DST_SESS » # of Concurrent Sessions From a Source IP: TCP_SRC_SESS | UDP_SRC_SESS | ICMP_SRC_SESS IPS
  • 106. 106 Overview Application Control Application Control Sensors  Over 3,300+ Signatures, 19 Categories  User notifications using FortiBar or HTTP replacement message  Granular Controls for popular apps  Cloud Apps. visibility  Application Control Traffic Shaping  SPDY protocol support  SSH Inspection  Custom Signatures  More flexible and fine-grained policy control  Increased security  Deeper visibility into network traffic FortiGuard Application library
  • 107. 107 App Signatures App List  Application signatures can be filtered by Category, Technology, Popularity and Risk level.  It is useful for override setting and FortiView search Application Control
  • 108. 108 App Signatures 5-point-risk levels  Each application signature is assigned a risk level to assist administrators in understanding their threat status on logs and FortiView. Application Control Risk Level | Description | Example » Critical | Applications that are used to conceal activity to evade detection. | Tor, SpyBoss » High | Applications that can cause data leakage, or prone to vulnerabilities or downloading malware. | Remote Desktop, File Sharing, P2P » Medium | Applications that can be misused | VoIP, Instant Messaging, File Storage, WebEx, Gmail » Elevated | Applications that are used for personal communications or can lower productivity. | Gaming, Facebook, Youtube » Low | Business Related Applications or other harmless applications. | Windows Updates
  • 109. 109 App Signatures Custom Signatures  Create signatures and assign them to their categories Application Control
  • 110. 110 Application Sensor Ease of use  Applies actions to various categories » Allow, Block, Monitor, reset, traffic shaping  Create overrides that exempt from category settings Flexibility  Applies different profiles to users, devices and/or IPs and their respective destinations on the security policies. Application Control
  • 111. 111 Application Control Granular Controls  Granular control of popular Facebook and other online app usage  Facebook app pages can also be controlled via Web Filtering categories and custom signatures Application Control
  • 112. 112 Application Control SPDY Protocol Support  Open networking protocol developed primarily at Google for transporting web content, similar to HTTP » to reduce web page load latency and improve web security  Supported by most browsers Application Control
  • 113. 113 Application Control Deep Application Visibility  Capture details of popular online applications » Cloud-based file storage and video sites » Logins to popular apps/sites » Via web browsers  Info extracted includes » (upload/download) filenames » video titles played, » user ID when login is detected Application Control
  • 114. 114 SSH Inspection  As part of SSL/SSH Inspection Profile  Uses SSH proxy to intercept the SSH key exchange and content  After inspection, the session is re-encrypted and forwarded to the recipient Application Control
  • 115. 115 Overview Antivirus AntiMalware  Proxy and Flow based AV  Filename & File Type filtering  Heuristic AV Engine  File Analysis with Cloud-based or on-premise sandboxing  AV Databases options  File Quarantine Anti-Botnet  Application Control Category  Botnet IP Blacklist Database  Protects internal network devices against malware and other malicious code AV Configuration
  • 116. 116 Technologies Signatures • Detects and blocks known malware and some variants • Highly accurate, low false positives • Requires up-to-date signature updates • 3rd party validated Behavioral Evaluation • Detects and blocks malware based on scoring system of known malicious behaviors or characteristics • Can be used to flag out suspicious files for further analysis File Analysis • Detects zero-day threats by executing code on emulators to determine malicious activities. • Resource intensive, performance and latency impact Antivirus
  • 117. 117 Technologies Application Control • Detects and blocks nearly 50 active botnets • Botnet network activities by examining traffic • Prevents zombies from leaking data or communicating for instructions Botnet IP Reputation DB • Detects and blocks known Botnet C&C Communication by matching against Botnet command blacklisted IPs • Stops dial back by infected zombies. Antivirus
  • 118. 118 In-box AV functions FortiGate as AV Gateway  Network based, no agents required on hosts  Can be proxied or flow based  Signature set options: Normal, Extended or Extreme  File Quarantine if Local storage is available Antivirus
  • 119. 119 NORMAL • list of currently active threats • recently added by the Fortinet Antivirus team • detected by the FortiGuard network • the wild list database. EXTENDED • older and recently active threats (already dropped by wild list) . EXTREME • remaining detection signatures for all threats • zoo entries, and historical curiosities such as old DOS based viruses. AV Signature DB Antivirus
  • 120. 120 Antivirus AV Engine Code Emulator  Lightweight Emulators » Good against VM evasion  OS-Independent file analysis, all file types » Java Scripts, Flash, PDF  Best against Malware Injections via (compromised) web 2.0 applications Signature Match (CPRL/Checksum) File Sample Decryption/unpacking System Code Emulator Behavior Analysis Suspicious Forward to cloud-based FortiGuard AV service Pass No Further Action FortiGate AV Engine 2.0 Blocked File discarded, option to Quarantine and event logged
  • 121. 121 In-box AV functions Antivirus Proxy Based vs. Flow Based » External Sandboxing: Proxy Based: FortiCloud Sandbox, FortiSandbox | Flow Based: FortiCloud Sandbox, FortiSandbox » Anti-Bot: Proxy Based: FortiGuard Botnet Servers Black List | Flow Based: FortiGuard Botnet Servers Black List » Protocols Supported: Proxy Based: HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, MAPI, FTP/SFTP, NNTP (CLI) | Flow Based: HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, FTP/SFTP, NNTP » Replacement message: Proxy Based: All supported Protocols | Flow Based: Limited to HTTP/HTTPS
  • 122. 122 FortiGuard AV Service Antivirus Fortinet
  • 123. 123 File Analysis Integration with FortiSandbox/FortiCloud Sandbox  Automated submission of all files or when file is flagged as suspicious by AV engine  Summary report is available on FortiGate dashboard Antivirus FortiCloud Sandbox/FortiSandbox 1. Suspicious files and related logs are uploaded 2. Scan results are available on FortiCloud Portal 3. Summary results are displayed on FortiGate’s Widget
  • 124. 124 File Analysis FortiSandbox Cloud Integration  FortiSandbox Viewer  View detailed analysis  Manual source quarantine Antivirus
  • 125. 125 Overview Email Filter Antispam  Supports SMTP, SMTPS, IMAP, POP3, IMAPS and POP3S  FortiGuard AS Filtering: RLB, SURLB, checksum  Phishing URL detection  HELO DNS lookup  Manual BWL Content Filtering  Banned words, scoring method  Detects and removes spam emails to prevent malicious activities from occurring Email Filter Profile
  • 126. 126 Antispam FortiGate as Antispam Gateway  Tag subject or discard when spam is detected  Uses both local and FortiGuard DB to detect spam  Also detects phishing URLs in emails Email Filter
  • 127. 127 Spam Filters Email Filter Checksum Check URL Check Banned Word (body) IP BWL (received header) Banned word (Subject) Return Email DNS Check MIME Header Email Address BWL Check DNSBL/ORDBL HELO DNS lookup IP Check IP BWL Last Hop IP Email Header Email ContentSMTP/SMTPS Checksum Check URL Check Banned Word (body) Banned word (Subject) MIME Header Email address BWL Check Email Header Email ContentIMAP, IMAPS, POP3, POP3S Order of Spam Filters IP BWL (received header) FortiGuard Service Local Filter Local Filter, CLI only
  • 128. 128 Overview Web Filter URL Filtering  URL, web content, MIME Filtering  Time usage Quota  Transparent Safe Search  Policy Objects, Object tagging & Coloring  Local Rating & Category  User override option Proxy Avoidance Prevention  Proxy Service Site blocking  Language translation & Cache blocking  Rate site by IP addresses  Application Control – Proxy avoidance category  IPS proxy behavior detection  … Web Filtering Block Page
  • 129. 129 FortiGuard Service Web Filter • 78 Categories in 6 Groups • Over 250 million URLs rated • 70 Languages • 40-80 Billion queries per week • 40K URLs get automatically rated daily • 96% of all queried websites are rated More Accurate Less Wrongly Rated More Coverage
  • 130. 130 Safe Search Web Filter Advantages over client’s browser configuration: ✔ Easy to provision – no need to “touch” clients ✔ Prevents safe search avoidance User does a search from portal 1 FortiGate transparently inserts Safe-Search parameter to the query 2 Search engines respond with Safe-Search results 3
  • 131. 131 Google Access Restrict by Domain • Allows a workplace to restrict Google access to only their corporate accounts. » Proxy WF only » Deep inspection required Web Filter
  • 132. 132 Manual URL Filter Web Filter URL Definition • Static, regular expression or wildcard HTTP-Referrer • Allows websites to be blocked/allowed except when clicking a link on another website
  • 133. 133 Proxy Avoidance  Blocking known sites that: » Provide listing of HTTP Proxy services » Provide Proxy Avoidance techniques & Instructions, software downloads etc » (Language) Translate websites  Identifies and rates redirected websites » Cache & Translation sites  Rate sites by IP addresses Web Filter
  • 134. 134 Proxy Avoidance Web Filter Defense-in-Depth Category = Proxy Application Control http_proxy_activity IPS Signature • Prevents Proxy Avoidance further … » Application Control stops Proxy Avoidance applications » IPS signature detects and blocks “zero-day” proxy activities
  • 135. 135 Inspection Modes Web Filter
      Hardware Acceleration: Proxy Based: No; Flow Based: No; DNS Based: No
      HTTPS Deep-Scan, Active-X, Cookie & Java Applet Filters, Other advance filtering options: Proxy Based: Yes; Flow Based: No; DNS Based: No
      Safe Search: Proxy Based: Inject Safe Search Parameters; Flow Based: Blocks non-safe search request; DNS Based: No
      Replacement Message: Proxy Based: Yes; Flow Based: Yes; DNS Based: Redirect
      Concurrent Sessions: Proxy Based: Based on max proxy sessions; Flow Based: Very High; DNS Based: Very High
      Asymmetric Traffic Support: Proxy Based: No; Flow Based: Yes. HTTP only; DNS Based: Yes. HTTP only
      Category actions: Proxy Based: All; Flow Based: Auth & Warning not supported; DNS Based: Auth & Warning not supported
  • 136. 136 Overview DLP DLP Sensor  Document Fingerprinting  File name, type & size Filter  Encrypted file/message Filter  Watermark Filter  Sample profiles: SSN, credit card number, etc detection Content Archive  Archive Email, FTP, HTTP, IM, and session control content  protects intellectual property from internal mishandling  Prevents sensitive information from transmitting to unauthorized networks DLP Sensor Filter
  • 137. 137 Overview DLP Data leakage can be intentional or the unintentional result of human/software error; it is often the result of specific, targeted actions, sometimes by trusted insiders, which lead to the loss of sensitive information. DLP solutions typically have 3 main components: Data at Rest Scanning of content storage repositories, to identify where sensitive data exists Data at Motion Intercepting and inspecting traffic which is traversing the network, to identify potentially sensitive data Data in Use Endpoint solutions that monitor endpoint system activity and identify sensitive data
  • 138. 138 DLP Sensor DLP Actions (per-rules)  Log (Full Content Archive or Summary)  Block  Quarantine User, IP or Interface DLP Rule Filters  Finger Print  File size, type  Regular Expression  Encrypted File Type Supported  Text file  PDF  MS Word DLP  Can either be proxy or flow based  Host a set of DLP rules  A DLP Sensor is applied to protection profile
  • 139. 139 Overview Vulnerability Scanning Vulnerability Management  Asset Discovery & OS Detection  Manual or scheduled scans  Results visible on monitor, logs and reports  Links to FortiGuard Threat Encyclopedia for details & remediation advice FortiAnalyzer Integration  Report correlation  Protect network assets (servers and workstations) by scanning them for security weaknesses  Facilitate Proactive patching against known vulnerabilities Vulnerability Scan report
  • 140. 140 Overview Wireless Integrated Wireless Controller  Based on CAPWAP RFC standards  Support up to 1024 APs per controller  QoS Support Wireless Security  Wireless IDS  WPA/WPA2-Personal and WPA/WPA2- Enterprise (802.11i), Captive portal modes  Rogue AP monitoring and suppression Wireless Deployment  FortiPlanner  Automatic Radio Resource Provisioning  Fast Roaming  Wireless Mesh & Bridging  AP Loadbalancing  Secures wireless access with integrated wireless Controller  Implements PCI requirements AP Profile
  • 141. 141 Overview Unified Secured Access  Integrated WLAN management with security gateway  Shared authentication services & access policies Wireless Access Wired Access Remote Access DIGITAL ASSET • Content Inspection • Attack Mitigation • User Identification • Access Control Wireless
  • 142. 142 Thin AP CAPWAP  Standard based Protocol for Control and provisioning of wireless access points Fast Roaming*  Users in a multi-AP network can move from one AP coverage area to another without impairing most wireless traffic and applications. Wireless Floor Wiring Closet Aggregation FortiGate Controller Data Center CAPWAP Thin AP architecture tunnels all traffic to the FortiGate Controller for added security and ease of management * Only in L2 networks
  • 143. 143 Captive Portal • Web browsing intercept user login User Access FortiGate Wireless Controller supports: WPA Personal (PSK) • Wireless access using pre-shared keys WPA-Enterprise (802.1x) • More secure access with individual user logins Wireless
  • 144. 144 Wireless Security Rogue AP Identification by ‘On Wire Scan’  Auto distinguish unknown APs (aka neighbors) from unknown APs that are on the retail network (rogue)  By correlating packets seen on the wireless side with packets seen on the wired side.  An event log is generated when a rogue AP is detected Wireless
  • 145. 145 Wireless Security Rogue AP Suppression  By sending excessive reset signal to the rogue AP, so client cannot be connected to Rogue AP. If a client joins a rogue AP, send deauthentication message to that client.  Automatically Block the MAC address of that Rogue AP in the Firewall Policy  Feature is only available when there is at least one radio dedicated to Rogue AP detection Wireless FWF-80C doesn’t support rogue suppression*
  • 147. 147 Wireless Deployment Features Local Bridge  allows the AP to be centrally managed without backhauling the traffic to the wireless controller  bridge an SSID to local port at the FortiGate using a softswitch configuration  Allows split tunnel to internet
  • 148. 148 Wireless Deployment Features AP Load Balancing  Used in high density deployments, such as conferences, to prevent all clients connecting to the same AP  Two methods: » Signal clients to connect to another AP » Signal clients to connect to another frequency
  • 149. 149 Monitoring Wireless Dashboard  an easy visual for determining the health of the network’s wireless infrastructure  Widgets: » AP Status » Client Count over Time » Top Client Per-AP (2.4 Ghz) » Top Client Per-AP (5 Ghz) » Top Wireless Interference (2.4 Ghz) » Top Wireless Interference (5 Ghz) » Login Failures Information Wireless
  • 150. 150 Monitoring Spectrum Analysis  Illustrates signal interference as detected by a particular FortiAP  Also point out Top APs and their SSIDs that are interfering with a particular FortiAP Wireless
  • 151. 151 FortiAPs Family Wireless 3x3:3 Resiliency and Versatility DualRadio DualBand 2x2:2 Performance SingleRadio 1x1:1 Value Remote Outdoor Indoor FAP-221/223C FAP-222B FAP-210B FAP-320B FAP-112D FAP-112B FAP-28C FAP-14C FAP-11C FAP-320C 802.11ac FAP-222C FAP-25D FAP-21D FAP-224D 802.11ac 802.11ac FAP-321C 802.11ac FAP-221/223B FAP-24D
  • 152. 152 FortiPlanner Wireless Planning Tool • For pre-sales step to determine how many FortiAPs the customer needs to purchase  Wireless site survey upgrade available (>50 APs, site survey) Download from: http://www.fortinet.com/wireless/ Wireless Key Features:  Import floor plans  Structure drawing  Manual or auto AP placing  Placement Analysis  Dynamic Heatmap  Generate Site and inventory reports
  • 153. 153 FortiPlanner Wireless Dynamic Heatmap  Real-time polling of FortiGate Wireless Controller  Display current number of clients, channel, TX power  Helps to spot Coverage holes and failed AP
  • 154. 154 Overview Traffic Shaping & QoS Bandwidth Control  Options: Shared policy shaping, per-IP shaping & application Control shaping  Max. & Guaranteed Bandwidth  Max. Concurrent Connections per IP QoS  Traffic prioritization  Type of Service (TOS), Class of Service (COS) & Differentiated Services (DiffServ) Support  Protects Critical traffic from being overwhelmed by other traffic  Manages bandwidth usage by traffic type and applications  Prioritizes time sensitive traffic such as VoIP & streaming videos Per IP and shared Traffic Shapers
  • 155. 155 Traffic Shaper Shared Traffic Shaper  bandwidth management by security policies » Per policy » all policies  Maximum and guaranteed bandwidth  Traffic priority  Assign DSCP value for other device use  Also used by Application Control Guaranteed Bandwidth Maximum Bandwidth Traffic priority DSCP value Traffic Shaping & QoS
  • 156. 156 Traffic Shaper Per-IP Traffic Shaper  enables admin to limit the behavior of every member of a policy to prevent one user from using all the available bandwidth  Maximum bandwidth & Concurrent Connections  Assign Forward and reverse DSCP value for other device use Traffic Shaping & QoS Guaranteed Bandwidth Maximum Concurrent Sessions Guaranteed Bandwidth Maximum Concurrent Sessions Guaranteed Bandwidth Maximum Concurrent Sessions
  • 157. 157 Overview Server Load Balancing Load Balancing  Methods: static, round-robin, etc  Persistence: Cookie, SSL session ID, host  Probes & Health Checks: TCP, HTTP, ICMP PING  SSL Offloading  HTTP Multiplexing  Integrated server load balancing features with security applied  Maintains secured and high availability to application delivery Load balance cluster status viewer
  • 158. 158 Overview  FortiGate intercepts the incoming traffic and shares it across the available servers » Clients connect to the published Virtual Server » Load balancer distributes traffic to cluster of Real Servers with desired Load balancing & Persistence methods » Health Checks are performed to monitor the availability of real servers. Virtual Server Real Server Extensions SSL Offload Network Security ( Firewall, AV, IPS, DLP) Load Balancing Methods Service Type (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, IP) Monitors (TCP, HTTP, ICMP PING) Persistence (cookie, SSL Session ID) Server Load Balancing
  • 159. 159 LB Methods Server Load Balancing (Method: Description)
      Source IP Hash: Statically spread evenly across all real servers.
      Round Robin: Directs new requests to the next real server, and treats all real servers as equals
      Weighted: Higher weight value receives a larger percentage of connections.
      First Alive: Always directs sessions to the first alive real server, not distributed
      Least RTT: Directs sessions to the real server with the least round trip time, determined by a Ping health check monitor
      Least Session: Directs requests to the real server that has the least number of current connections.
      HTTP Host: Uses the HTTP Host header to guide the connection to the correct real server
  • 160. 160 Overview SSL Offloading & Inspection SSL Offloading  SSL Offloading for WANOPT & reverse web caching  SSL Offloading for SLB SSL Inspection  Facilitate UTM on SSL encrypted applications  “SSL Cert Inspection” and “Full SSL Inspection” modes  Intercept and proxy SSL encrypted Traffic for UTM for more security  SSL offloading from web servers to economical secure web access offering SSL Inspection Option
  • 161. 161 Overview SSL Inspection Exemptions  Allows admin to build exclusion list using » Web Categories with defaults » (Destination) Address Object - FQDN or IP addresses  Applicable to both “SSL Cert Inspection” and “Full SSL Inspection” modes SSL Offloading & Inspection
  • 162. 162 Overview WAN Optimization WAN Optimization  Protocol Optimization & byte Caching  FortiClient Support Web Caching  Forward & reverse proxy Explicit Proxy  Proxy chaining  PAC file distribution  Integrated WANOPT network services with security capabilities  Improve user experience and bandwidth efficiency  Resolves complexities, management and cost of involving additional WANOPT devices WANOPT Monitors
  • 163. 163 WANOPT Tunneling  Supports various network topologies such as inline and out-of-path design  Supports multi-peers including FortiClient  Can be used in both transparent or NAT/Route Mode, virtualized per VDOM WAN WAN Optimization Peers Authentication group
  • 164. 164 Web Caching  Reducing bandwidth usage with fewer requests and responses across WAN  Reducing server load as it has to serve fewer requests  Reducing perceived latency since data is obtained from local unit Forward Proxy INTERNET Reverse Proxy WAN Optimization
  • 165. 165 Explicit Proxy  Proxy HTTP/HTTPS & FTP Session from web browsers  Distribute proxy auto-config (PAC)  Supports SOCKS sessions from browsers (CLI Command)  Virtualized per VDOM  Proxy Chaining with forward server load balancing support  User authentication  Transparent Explicit Proxy option using IP reflect Allows users’ web traffic to be explicitly proxied via FortiGate, providing secured restrictive Internet access policies. WAN Optimization Features:
  • 166. 166 Overview Virtual Systems Virtual Domains  Global and per-VDOM settings  VDOM administrator  Resource allocation  VDOM Licensing  VDOM Logging FortiGate Virtual Appliance  FortiOS in Virtual Environment  Provides multiple logical entities in a single physical unit  Out-of-the box Multi-tenant & department solution  Saving in physical Space & Power VDOM Configuration
  • 167. 167 Virtual Domains Global System VDOM_1 Virtual Systems VDOM_2 VDOM_N … Management HA FortiGuard Global System
  • 168. 168 VDOM Admin  Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM  Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device » Can also create other administrator accounts and assign them to VDOMs Virtual Systems
  • 169. 169 MGMT VDOM  Management traffic leaves through management VDOM  Management VDOM Should have access to Internet or FMGR  Default management VDOM is root Virtual Systems DNS, NTP External Logging FortiGuard Alert Emails SNMP traps Quarantine root Management
  • 170. 170 Resource Allocation Managing Resources  Customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM  Global Resources Viewer allows admin to view available resources as total Virtual Systems
  • 171. 171 Resource Allocation Per Vdom System Resources  Display system stats for each VDOM » CPU usage, memory usage, concurrent sessions & new session per sec  Meant as good guidance, not completely accurate  No CPU/Memory limiting capabilities Virtual Systems
  • 172. 172 VDOM Links Linking VDOMs  Using two virtual interfaces, each on a different VDOM, and they are linked together to connect those two VDOMs without using additional physical interfaces  Inter-VDOM links can be created with both VDOMs in different operating modes (but not when both are in transparent mode) Virtual Systems VDOM_1 VDOM_EXT VDOM_2
  • 173. 173 Virtual Appliance Virtual Systems  Supports a variety of hypervisors for private and public cloud infrastructure  Consistent management platform and GUI, similar to physical FortiGate Virtual Appliance VMware Citrix Open Source Amazon Microsoft vSphere v4.0/4.1 vSphere v5.0 vSphere v5.1 vSphere v5.5 Xen Server v5.6 SP2 Xen Server v6.0 Xen KVM AWS Hyper-V 2008 R2 Hyper-V 2012 FortiGate-VM ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔*
  • 174. 174 Overview High Availability FortiGate Clustering Protocol  Active-Passive, Active-Active, Virtual Clusters  Redundant heartbeat interfaces  HA Reserved Management Interface Deployment options  HA with Link Aggregation  Full mesh HA  Geographically dispersed HA  TCP Session Sync  VRRP  FG5000 Chassis based clustering HA Configuration Failover  Manual, Session, link & remote link failover  Subsecond Failover
  • 175. 175 HA Technologies High Availability Signatures FortiGate Clustering Protocol (FGCP) • Enhanced reliability via device failover, link failover and remote link failover • Increased performance via active-active HA load balancing • uses a virtual MAC/single IP address per network segment FortiGate Session Life Support Protocol (FGSP) • For supporting asymmetric traffic and support scenarios with load-balancers and routers distributing sessions across multiple appliances • does not have a heartbeat mechanism to detect unit failure, each FG operates by itself with config and session sync Virtual Router Redundancy Protocol (VRRP) • RFC standard based, allow 3rd party device integration • Resource intensive, performance and latency impact
  • 176. 176 Synchronization  Information synchronized by default » Configuration » Routing tables » IPsec VPN SA » DHCP server address lease database  Session failover (aka session pickup) not enabled by default  Session failover synchronizes » TCP (IPv4/v6) » UDP, ICMP » SIP » IPsec VPN sessions  Information not synchronized » UTM sessions » Explicit Web Proxy » ARP table » Multicast » SSL VPN sessions High Availability FGCP
  • 177. 177 Virtual Clusters  Similar concept to loadsharing  Can operate in A-A or A-P mode  Available when VDOMs are enabled  2 Virtual clusters can be created with as many VDOMs available assigned to them  Inter-VDOM links must be entirely within one virtual cluster. FORTIGATE-01 FORTIGATE-02 VDOM 2 VDOM 2 VDOM 3 VDOM 3 VDOM 1 VDOM 1 V.Cluster1 V.Cluster2 High Availability
  • 178. 178 Failover Device & Link Failover  Failover can be triggered when the master/primary unit fails or links connecting it fail Remote Link Failover  Uses ping servers on the primary unit to test connectivity with IP addresses of network devices that are not directly connected  May be multiple interfaces and/or multiple IPs on a monitor interface Subsecond Failover  Normally achievable for a cluster of two units operating in Transparent mode with only two interfaces connected to the network High Availability
  • 179. 179 Event Monitoring • Quick visual & on current HA status, resource usage and threat situation • HA Logs details related activities, state and status changes High Availability
  • 180. 180 Overview Log & Report Logging  Traffic, UTM & Event Logging  MAC address logs  External Syslogging  Multiple device logging  Alert Email  Meeting Compliance requirements  Analysis tools  Notifies key events Report Customization Panel Reporting  In-box or external Reporting  Report Customization  FortiManager/FortiAnalyzer Integration
  • 181. 181 Log Structure Log & Report Forward Traffic Local Traffic Sniffer Traffic System Router VPN User WiFi Antivirus Web Filter Application Control Intrusion Protection Email Filter DLP SYSTEM TRAFFIC SECURITY Detailed Logging  Strong admin audit trails  Unique log association between traffic and security logs  Threat weight scoring on security logs Endpoint HA
  • 182. 182 Log Viewer Log & Report Log detail Viewer Pictograms Log Filter Tabs to associated Security Logs
  • 183. 183 Default Reports On-box Reporting  Local storage required  Scheduled or On-demand  Email delivery option  PDF output Log & Report UTM Security Analysis Report  Bandwidth & Applications  Web Usage  Emails  Threats  VPN Usage  Admin & System events
  • 184. 184 GUI level  Report Layout & design  Chart selection CLI level  Create dataset and chart with SQL query Log & Report Customization
  • 185. 185 Overview IPv6 IPv6 Networking & Routing  IPv6 Coexistence Support  VDOM and administration Support  Hardware acceleration  Dynamic & static routing  Bandwidth Management  DHCP and DNS IPv6 UTM  Supports major UTM functionalities  Adopts IPv6 ready network quickly & easily  Comprehensive protection on IPv6 traffic USGv6 CORE IPv6 Traffic Logs
  • 186. 186 IPv6 Feature Matrix IPS interface policies for IPv6 IPv6 static routes IPv6 firewall addresses & groups IPv6 firewall policies IPSEC VPN with IPv6 addressing IPv6 over IPv4 tunneling IPv6 DNS IPv6 Transparent mode IPv6 administrative access IPv6 dynamic routing using RIPng, BGP, or OSPF protocols UTM features support IPv6 traffic - AV scanning, URL filtering using FortiGuard rating SSL VPN Web Mode IPv6 IPv6 Session Display IPv6 Firewall Auth DHCP6 IPv6 firewall acceleration IPv6 support for SNMP IPv6 support for DLP sensor, VoIP and ICAP UTM feature IPv6 NAT (NAT46, NAT64, NAT66, DNS64) IPv6 + IPS Forwarding Policy HA Session Pickup for IPv6 IPv6 Per-IP Traffic Shaper IPv6 Policy Routing IPv6 Explicit Proxy IPv6 MIBs IPv6 DOS V4.0 V4.1 V4.3 V5.0 IPv6
  • 187. 187 FortiSMS International one-way SMS messaging service  Covers 962 networks in 224 countries  Based on global leading & proven mobile messaging infrastructure (powered by Clickatell) Usage  Option for FortiToken Mobile activation code delivery  Option for Guest User credentials  SMS-based 2FA  Also works with FortiAuthenticator SMS messages top-up  Certificate License for 100 SMSes.  Easy to add by scratching off to reveal activation code (like prepaid cards)  Dashboard widget: amount indicator FortiGuard Services
  • 188. 188 Contact our Sales Office Certified experts in Fortimail and email security Certified experts in Fortiweb and web application firewall protection Certified experts in FortiAp, FortiWifi and wireless security Sales Office Tel. +39 049 8843198 DIGIT (5) ufficio.commerciale@lanewan.it www.lanewan.it Over these years of partnership with the parent company, Lan & Wan Solutions has obtained all the specializations provided for in the various certification tracks, achieving the status of Partner Of Excellence.