Inside FortiOS – Version 5.2.4 – Mar 2015
© Copyright Fortinet Inc. All rights reserved.
Lan & Wan Solutions – IT Solutions for Local and Wide Area Networks

Page 1: Title slide

Page 2: Content

• System Administration
• Routing & Network Services
• User Identity
• Device Identity
• End Point Control
• Firewall
• VPN
• IPS
• Application Control
• Antivirus
• Email Filter
• Web Filter
• DLP
• Vulnerability Scanning
• Wireless Controller
• Traffic Shaping & QoS
• Server Load Balancing
• SSL Offloading and Inspection
• WAN Optimization
• Virtual Systems
• High Availability
• Log & Report
• IPv6
• Others

Page 3: FortiOS 5.2 Feature Set

• Management: Configuration, Visibility, Log & Report, Diagnostics; ATP, OSS Support, AAA, Central Mgmt., Integrations
• Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL Inspection
• Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
• Virtual Systems: Virtual Domains
• Network Functions: Routing, NAT/CGN, WAN Link / Server LB, WAN Optimization, L2/Switching, IPv6, QoS, High Availability
• Operating Modes: NAT/Route, Transparent, Sniffer
• Network Interface: LAN, WiFi, WAN
• Platform: Physical Appliance (+ASICs), Hypervisor, Cloud Platform

* Features may vary by model

Page 4: FortiOS Features (section divider)

Page 5: System Administration – Overview (V5.2)

• Systems & Architecture
  » CLI Access – Console, Telnet & SSH
  » GUI Access – via web browsers
  » Dashboard, Viewers & Widgets
• Central Management
  » FortiManager & FortiAnalyzer
  » FortiCloud
  » Web Service APIs
  » NMS Integration – SNMP, sFlow/NetFlow, Syslog
  » Solution Partners – Tufin, ArcSight, etc.
  » Rapid Deployment – USB Auto-Install & Scripts
• Quick Setup
  » Setup Wizards (1RU models & below)
  » FortiExplorer (desktop & mobile client)
• Diagnostic Tools
  » Packet Capture

Simplifies device management; supports enterprise management.

Page 6: System Administration – Dashboard & Widgets (V5.2)

• Quick look into system, threat and network status
• Customizable
• Built-in CLI access

Page 7: System Administration – FortiView (V5.2)

• Powerful on-demand query tool that provides contextual results with drill-down capabilities
• Assists in network troubleshooting
• Provides insights for optimizing networks & productivity
  » Why is a particular group of users having trouble using the cloud-based ERP system?
• Acquires proactive security knowledge; supports proactive security management
  » Is there an abnormality that needs further investigation?
• Identifies network and threat status; resolves threats and networking problems quickly
  » Are my users abusing the network, and how so?

Page 8: System Administration – FortiView (V5.2)

• Sort rows to display top sessions
• Set up queries using easy-to-use auto-complete filters
• Examine real-time or historical data
• Select a row for drill down

Page 9: System Administration – FortiView (V5.2.3)

• Summary of selected item
• Selection of scope
• Select a row for drill down
• Drill-down panels present associated details based on different scopes
• Further drill down to a filtered Session Viewer

Page 10: System Administration – FortiView Session Viewer (Real Time) (V5.2)

Excellent troubleshooting tool, showing:
• NAT'ed IP and port
• Applications and their usage
• Device & user info
• Concurrent sessions & new sessions per second
• Geo IP info
• FortiGuard Encyclopedia integration

Page 11: System Administration – FortiView Session Viewer (Historical) (V5.2)

Presents a timeline-filtered session list with details taken from log entries.
• Complete detail of the selected session
• Set up a filter by clicking on a cell
• Mouse over for device details
• Move and configure field columns

Page 12: System Administration – FortiView Threat Weight (V5.2)

• Unique: normalized threat level value × hit count
• Scores can be sorted to reveal the most critical items to investigate
• More meaningful than other singular measurements
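The scoring idea on this slide (a normalized weight per threat level, multiplied by hit count, then sorted) is shown below as an added example; it is not FortiOS code. The key=value log format, the severity-to-weight table and the sample log lines are all constructed for the illustration, and the point it makes is the one the slide makes: a host with many low-severity hits ranks below a host with a few high-severity ones, which a plain hit count would hide.

```python
"""Threat Weight scoring over constructed log lines (added example, not FortiOS code)."""
import re
from collections import defaultdict

# Assumed normalized weight per severity level (constructed for this example).
SEVERITY_WEIGHT = {"low": 5, "medium": 10, "high": 30, "critical": 50}

# Constructed sample UTM events in a key=value style; these are not real logs.
SAMPLE_LOGS = """\
srcip=10.0.0.5 type=ips severity=high msg="exploit attempt"
srcip=10.0.0.5 type=ips severity=high msg="exploit attempt"
srcip=10.0.0.5 type=webfilter severity=low msg="blocked category"
srcip=10.0.0.9 type=virus severity=critical msg="malware download"
srcip=10.0.0.7 type=webfilter severity=low msg="blocked category"
srcip=10.0.0.7 type=webfilter severity=low msg="blocked category"
srcip=10.0.0.7 type=webfilter severity=low msg="blocked category"
srcip=10.0.0.7 type=webfilter severity=low msg="blocked category"
"""

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def threat_weights(log_text):
    """Return {srcip: score} where score = sum(weight(severity) * hit count)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "srcip" not in rec or "severity" not in rec:
            continue  # not a threat event, skip it
        hits[(rec["srcip"], rec["severity"])] += 1
    scores = defaultdict(int)
    for (src, sev), count in hits.items():
        scores[src] += SEVERITY_WEIGHT.get(sev, 0) * count
    return dict(scores)


def ranked(log_text):
    """Sources sorted by threat weight, most critical first (the FortiView sort)."""
    return sorted(threat_weights(log_text).items(),
                  key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for src, score in ranked(SAMPLE_LOGS):
        print(f"{src:12} threat weight {score}")
```

With these inputs 10.0.0.7 has the most events (four) but the lowest score, while the single critical event from 10.0.0.9 ranks second; sorting by hit count alone would invert that order.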

Page 13: System Administration – FortiView Availability (V5.2.3)

Feature                              | With Local Storage: Now, 5 min, 1 hr, 24 hr* | Without Local Storage: Now
Viewer – Sources                     | ✔ ✔ ✔ ✔ | ✔
Viewer – Applications                | ✔ ✔ ✔ ✔ | ✔
Viewer – Cloud Application           | ✔ ✔ ✔ ✔ | ✔
Viewer – Destinations                | ✔ ✔ ✔ ✔ | ✔
Viewer – Websites                    | ✔ ✔ ✔ ✔ |
Viewer – Threats                     |   ✔ ✔ ✔ |
Viewer – All Sessions                | ✔ ✔ ✔ ✔ | ✔
Viewer – System Events               |   ✔ ✔ ✔ |
Viewer – Admin Logins                |   ✔ ✔ ✔ |
Viewer – VPN                         |   ✔ ✔ ✔ |
Viewer – FortiSandbox                |   ✔ ✔ ✔ |
Sniffer Mode Support (All Viewers)   |   ✔ ✔ ✔ |

* Not available for desktop models with SSD

Page 14: System Administration – Monitors (V5.2)

• Real-time status indicators, in-box, over 20 types
• Serve as administrative & diagnostic tools
• Also available on the CLI and the web service API (JSON)

• SYSTEM: DHCP Monitor, Link Monitor
• ROUTER: Routing Monitor
• FIREWALL: Policy Monitor, Load Balancing Monitor, Traffic Shaping Monitor
• UTM: AV Monitor, Intrusion Monitor, Web Monitor, Email Monitor, Archive & Data Leak Monitor, Application Monitor, FortiGuard Quota
• VPN: IPSEC Monitor, SSL-VPN Monitor
• USER & DEVICE: Firewall Monitor, Banned User Monitor, FortiClient Monitor
• WIFI CONTROLLER: Client Monitor, Rogue-AP Monitor, Wireless Health Monitor
• LOG & REPORT: Logging Monitor

Page 15: System Administration – Network Management: SNMP (V5.2)

• SNMP v1, v2c & v3
• Traps
• MIBs: Fortinet proprietary MIBs; standard RFC 1213 & RFC 2665 MIBs

Page 16: System Administration – Network Management: sFlow/NetFlow (V5.2)

• Monitors the traffic on the network to identify areas that may impact performance and throughput
• The agent is embedded in the FortiGate unit and sends the sampled traffic to an external third-party collector/analyzer
• Available on the CLI only
• (Screenshot: third-party sFlow analyzer – sFlowTrend)

Page 17: System Administration – Quick Setup: Feature Select

• Configure GUI elements according to the desired deployment needs using presets
• Allow further customization by toggling the feature buttons

Page 18: System Administration – Quick Setup: Feature Select Presets (V5.2)

Presets: NGFW, ATP, WF, NGFW+ATP, UTM, Full UTM

• Security*
  » Advanced Threat Protection – enabled in 4 of the 6 presets
  » NGFW (IPS) – 3 of 6
  » NGFW (App Control) – 4 of 6
  » Web Filter – 5 of 6
  » Email Filter – 1 of 6
  » DLP – 1 of 6
  » Explicit Proxy – 2 of 6
  » Endpoint Control – 4 of 6
• Basic: VPN, IPv6, WiFi Controller, WAN Opt, etc. – default settings depend on the FGT model
• Minor: ICAP, VoIP, DNS DB, Multicast policy, etc.

* Default settings

Page 19: System Administration – Quick Setup: FortiExplorer (V5.2)

• Software application for Windows, Mac OS and iOS
• Uses a USB connection
• Quick Setup Wizard
• Direct GUI & CLI access without network setup

Page 20: System Administration – FortiCloud (V5.2)

• Hosted security management and log retention service
• Default reporting option for desktop models
• Central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices
• Configuration backup
• Scripting
• Remote firmware upgrade
• Access to hosted Sandbox results

Page 21: System Administration – Diagnostic Tools

• Sniffer packet capture on the GUI, similar to the CLI sniffer setup
  » Supports filters
  » IPv6 & non-IP packets
• Output as a pcap file download
• Local storage required

Page 22: System Administration – User Notification: Replacement Messages (V5.2)

• Supported on proxy-based and some flow-based UTM
• Customizable, can be assigned per VDOM

Page 23: System Administration – User Notification: Fortinet Top Bar

• Notifies users in real time of:
  » Blocked applications
  » Denied traffic
  » Quota status
  » FortiClient alerts
• Supported for IE, Firefox, Chrome, Safari
• Appears on HTTP websites as an embedded frame in the web browser

Page 24: Routing & Network Services – Overview (V5.2)

• Routing
  » Link redundancy and load balancing
  » Policy routing
  » Dynamic routing protocol support: RIP, BGP, OSPF, IS-IS
  » Multicast routing
• Interface Features
  » VLANs, 802.3ad port aggregation, STP, port span, redundant interface, loopback, software switch, security mode
  » Sniff/one-arm mode
• WAN Link
  » USB modem
  » FortiExtender
  » Link load balancing
• Network Services
  » Free FortiGuard NTP, DDNS & DNS service
  » Content routing – WCCP and ICAP support
  » DHCP & DNS server
  » LLDP

Robust L3 and L2 capabilities to facilitate a vast variety of network design and setup requirements.
(Screenshot: Route Monitor)

Page 25: Routing & Network Services – Interfaces (V5.2)

Interface configurations support various* interface types:
» Physical: Ethernet and wireless
» Virtual: VLANs, WiFi SSID, VDOM link
» Group: port aggregation group, redundant interface, H/W & S/W switches, Virtual WAN Link, zone

GUI features: colour-coded access methods, DHCP server info, graphic presentation of interfaces, a variety of interface types, interface members.

* May not be available on all models

Page 26: Routing & Network Services – Interface/Switch Modes (V5.2.1)

• Switch ports are individual physical interfaces
• Switch ports can be created by grouping interfaces with "Virtual Hardware/Software Switch"

The main difference is that a "virtual hardware switch" uses the underlying switch chip/driver to handle all of the switching directly, whereas a virtual "software switch" needs to do that in the kernel (i.e., higher in the stack, more CPU/memory intensive, etc.). There are feature disparities which will be documented later.

* May not be available on all models

Page 27: Routing & Network Services – Interfaces: Virtual VLAN Switch (V5.2.1)

• Emulation of a VLAN switch
• Assigns ports to VLANs and dedicated VLAN trunks
• Allows users to extend the number of available switch ports (with VLANs) by VLAN trunk stacking
• (Diagram: Interface Mode, External Switch)

* May not be available on all models

Page 28: Routing & Network Services – Interfaces: Switch Controller

• Similar to the Wireless Controller concept
  » Uses the FortiLink protocol – modified CAPWAP
  » With selected FortiSwitches only
• Administrators can create VLANs on the switch(es)
  » VLANs across switches can be managed and configured like a FortiGate interface
• (Diagram: Virtual Switch VLANs, FortiLink connectivity)

* May not be available on all models

Page 29: Routing & Network Services – Switch Controller Support (V5.2.3)

FortiGate:
• FG/FWF-60D/-POE ✔
• FG/FWF-90D/-POE ✔
• FG-100D Series ✔
• FG-200D Series ✔
• FG-600C/800C/1000C – CLI enabled

FortiSwitch:
• FSW-28C ✔
• FSW-108D ✔
• FSW-124D/-POE ✔
• FSW-324B ✔
• FSW-348B ✔
• FSW-448B ✔
• FSW-224D ✔

* May not be available on all models

Page 30: Routing & Network Services – Port Spanning (V5.2)

• Also called "Port Mirroring"
  » Supported by 100D & 200D platforms
  » Ingress and/or egress traffic from a single port in a switch group can be copied to another port (in the same group)

Page 31: Routing & Network Services – Link Load Balancing: Virtual WAN Interface (V5.2)

• Interface group
  » Member interfaces will not appear in the policy table
  » A single interface to select in a policy
• Defines link selections

Page 32: Routing & Network Services – Link Load Balancing Methods (V5.2)

• Only one method is selectable
• Assign interface members to the interface group
• Per-interface configurations
  » Probe server settings (for link failure detection)
  » Selection definition – e.g. weight, ratio, etc.

Methods:
• Source IP Based (hashed): gateway selection based on the source IP address
• Weighted Round Robin: gateway selection based on the session ratio assigned
• Spill-over: gateway selection based on the threshold bandwidth assigned
• Source-Destination IP Based: gateway selection based on source and destination IP address
• Measured-Volume Based: gateway selection based on the traffic volume ratio assigned
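The five selection methods on this slide, plus the probe-server health check from the per-interface settings, are modelled below as an added example. This is not FortiOS code and does not reproduce FortiOS's internal algorithms: the Link class, the weights, thresholds, load and volume figures, and the hashing choice are all constructed for the illustration, following only the one-line descriptions the slide gives for each method.

```python
"""Virtual WAN link selection methods (added example, not FortiOS code)."""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class Link:
    """One member of the interface group; all figures are constructed inputs."""
    name: str
    weight: int = 1          # session/volume ratio for the weighted methods
    threshold_kbps: int = 0  # spill-over threshold bandwidth
    load_kbps: int = 0       # current measured load on the link
    volume_bytes: int = 0    # bytes carried so far (Measured-Volume Based)
    up: bool = True          # result of the probe-server check


def healthy(links):
    """Probe-server check: only links whose probe succeeded are candidates."""
    ok = [link for link in links if link.up]
    if not ok:
        raise RuntimeError("no healthy WAN link in the interface group")
    return ok


def _hash_pick(key, links):
    """Deterministic pick: the same key always lands on the same healthy link."""
    digest = hashlib.sha256(key.encode()).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def source_ip_based(src_ip, links):
    """Source IP Based (hashed): gateway chosen by hashing the source IP."""
    return _hash_pick(src_ip, healthy(links))


def source_dest_ip_based(src_ip, dst_ip, links):
    """Source-Destination IP Based: hash over both source and destination IP."""
    return _hash_pick(f"{src_ip}->{dst_ip}", healthy(links))


class WeightedRoundRobin:
    """Weighted Round Robin: new sessions are dealt out in the weight ratio,
    so a weight-3 link receives three sessions for each one on a weight-1 link."""

    def __init__(self, links):
        self._cycle = itertools.cycle(
            [link for link in links for _ in range(link.weight)])

    def next(self):
        for _ in range(10000):  # bounded scan: skip links that failed the probe
            link = next(self._cycle)
            if link.up:
                return link
        raise RuntimeError("no healthy WAN link in the interface group")


def spill_over(links):
    """Spill-over: first healthy link still below its threshold bandwidth;
    once it is saturated, traffic spills to the next member."""
    candidates = healthy(links)
    for link in candidates:
        if link.load_kbps < link.threshold_kbps:
            return link
    return candidates[-1]  # every member is saturated: keep using the last one


def measured_volume(links):
    """Measured-Volume Based: keep byte volume in the configured ratio by
    choosing the healthy link that is furthest below its target share."""
    candidates = healthy(links)
    total_weight = sum(link.weight for link in candidates)
    total_volume = sum(link.volume_bytes for link in candidates) or 1
    return min(candidates, key=lambda link:
               link.volume_bytes / total_volume - link.weight / total_weight)


if __name__ == "__main__":
    group = [Link("wan1", weight=3, threshold_kbps=1000, load_kbps=1200, volume_bytes=3000),
             Link("wan2", weight=1, threshold_kbps=1000, load_kbps=100)]
    wrr = WeightedRoundRobin(group)
    print("wrr:", [wrr.next().name for _ in range(4)])
    print("spill-over:", spill_over(group).name)
    print("measured-volume:", measured_volume(group).name)
    print("source-ip:", source_ip_based("10.1.1.1", group).name)
```

The probe check is deliberately applied inside every method: a link that fails its probe server must drop out of selection for all of them, which is the failure-detection role the slide assigns to the per-interface probe settings.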

Page 33: Routing & Network Services – Link Load Balancing: Traffic Route Overrides (V5.2)

Admin can assign specific routings among the interface group based on one criterion or a combination of criteria:
• Link Quality: uses TWAMP to determine each link's quality (latency, jitter); selects the route to the highest- or lowest-quality link
• Service Definition: route based on the defined protocol type and its service port
• Type of Service (TOS): route based on TOS settings

Page 34: Routing & Network Services – Policy Based Routing

Features:
• Policy routes are applied before destination routes
• Can be used to create multiple routes to the Internet
  » Static load-sharing
• Routing decisions can be made from:
  » Source & destination addresses
  » Protocol, service type, or port range
  » Incoming interface
  » ToS
• (Diagram: HTTP traffic routed over one link, other traffic over another)

Page 35: Routing & Network Services – WCCP

Features:
• Supports WCCPv1, WCCPv2
• L2 and GRE mode
• May operate either as server or client (per VDOM)
• Uses port 2048
• Option for authentication, GRE encapsulation
• 6 CLI commands
• (Diagram: WCCP server, WCCP client)

Page 36: Routing & Network Services – ICAP

• Allows users to configure a list of ICAP servers that the FortiGate may utilize for various purposes
• Useful for legacy firewall migration
• Features: streaming content bypass
• (Diagram: ICAP server)

Page 37: Routing & Network Services – Network Services: DHCP Service (V5.2)

• DHCP relay and WINS support
• DHCP server
  » Multiple IP pools for each interface
  » Exclude ranges and IPs
  » DHCP IP reservation
  » DHCP options support
  » MAC address reservation & access control
• IPv6 DHCP
• DHCP monitoring

Page 38: Routing & Network Services – Network Services: DNS Service

• Integrated basic DNS server
  » Per-VDOM support
  » In transparent and NAT/Route mode
• Recursive DNS (split DNS)
• IPv6 DNS
• Dynamic DNS support

Page 39: Routing & Network Services – Network Services: DDNS Service

• FortiGuard DDNS server
  » Provided with valid FortiCare contracts
  » Ease of setup
  » Suitable for VPN deployment and remote administration

Page 40: Routing & Network Services – Network Services: NTP

• FortiGuard NTP service
  » Provided with valid FortiCare contracts
  » Alternatively, admin can choose third-party servers
• NTP server
  » Provides NTP services to connected devices

Page 41: Routing & Network Services – Operation Modes

• NAT/Route
  » Implementing access controls between different network segments
  » Static, dynamic and policy-based routing, WAN link redundancy & load balancing
• Transparent/Bridge
  » Implementing access controls on a network segment transparently
  » Behaves like a switch
  » L2 switching protocol support
• Sniffer
  » Monitoring network activities offline
  » Behaves like a sniffer
• Hybrid: an organization can implement various modes within a single FGT using VDOMs

Page 42: Routing & Network Services – Sniffer Mode

• One-arm sniffer
• Offline monitoring with flow-based UTM
• Works with Windows AD FSSO

Page 43: Routing & Network Services – 3G/4G Interface: FortiExtender (V5.2)

Extension device that works with FortiGate to provide a 3G/4G wireless WAN connection (diagram: FortiExtender – 3G/4G (LTE) – Ethernet – FortiGate). Use cases:
• As primary connection in "remote/lights-out" devices like ATM and point-of-sale devices
• As fail-over connection for network equipment that supports redundant WANs
• As remote antenna, which allows you to get the best 3G/4G signal available by placing it in the best location for receiving the signal

Page 44: Routing & Network Services – 3G/4G Interface: FortiExtender Setup (V5.2)

• Discovery – auto or manual (for routed networks), similar to adding a FortiAP
• Device authorization
• Comprehensive modem settings on the GUI
• Monitoring: signal and usage status monitoring widget
• Diagnostic tools
  » Ping, AT command

Page 45: User Identity – Overview (V5.2)

• Authentication Services
  » Local user database
  » Remote auth. services – LDAP, RADIUS & TACACS+
• Single Sign-On
  » Windows AD, Novell eDirectory integration
  » SSO with POP3/POP3S, access auth. & FortiClient
  » Citrix & Terminal Server agent
  » Dynamic profile
• PKI and Certificates
  » X.509 certificates, SCEP support
  » Certificate signing request (CSR) creation
  » Auto-renewal of certificates before expiry
  » OCSP support
• 2 Factor Authentication
  » External 2FA support
  » Integrated token server with physical, SMS & soft tokens

Secures access to internal networks with user identification.
(Screenshot: User Monitor)

Page 46: User Identity – Auth. Services

FortiGate supports user authentication for:
• User identity based firewall policies
• Client VPN (IPSEC, SSL)
• Network access
• Administration console (CLI, GUI)

(Diagram: SSL VPN, IPSEC VPN, Network Access, Identity-based Policies and FortiGate Administration all authenticating through the FortiGate.)

* On limited models

Page 47: User Identity – Integrated 2FA

• Extended authentication support
• Integrated solution using the FortiToken, email or SMS* side-channels
• Further extension using FortiAuthenticator

* Requires FortiGuard SMS service

Page 48: User Identity – Integrated 2FA: FortiToken Mobile

FortiToken Mobile is a software token solution for mobile devices, allowing users to generate secure one-time passwords directly on the device wherever strong authentication is required.
• Eliminates the requirement for an additional physical device
• Low deployment cost – low initial and operational costs
• Simple licensing, pricing and provisioning
• Operates with free mobile applications, available on iOS and Android platforms
• Secure – seeds are only on the mobile device and the FortiGate
• 2 free units are available

Page 49: User Identity – Integrated 2FA: Soft Token Provisioning

(Diagram: FortiGate, SMS/email delivery, user.)
• Admin assigns the token based on serial number
• Admin chooses the type of delivery to users
• A randomly generated activation code (not visible to the admin) is forwarded to users
• Admin acquires the license and adds the revealed registration code on the FortiGate
• Upon successful verification, token serial numbers become available for provisioning
• User installs the FortiToken Mobile app and enters the code given to activate the soft token

Page 50: User Identity – User Definition (V5.2)

• Local user creation, wizard based
• Remote server user to local DB mapping

Page 51: User Identity – SSO: User Identity Acquisition (V5.2)

• Uses both active and passive acquisition methods
• Reuses user login info for user identity based policies
• Identity sources shown in the diagram: external RADIUS service; Windows AD, NTLM; terminal servers; captive portal; network access; FortiClient; Novell eDirectory; POP3/POP3S; DMZ
• (The diagram shows identified users, e.g. M.Jones, S.Lim, V.Baker, J.Jackson)

Page 52: User Identity – SSO: Acquisition Methods (V5.2)

• Active acquisition: system wide – per VDOM
  » Windows AD, NTLM, RADIUS, terminal server SSO
• Passive acquisition: interface based – physical or virtual interfaces
  » User input on captive portal or other prompts
  » Captive portal exemption: per policy or interface

Page 53: User Identity – SSO: Single Sign-On with Windows AD

• Option to use built-in DC polling
• Supports Windows AD user group policies or individual AD users
• Ability to allow access to an AD user only if he/she comes from a defined workstation (via CLI)

Page 54: User Identity – SSO: Collection Modes for AD

• Domain Controller Agent mode
  » Agents are installed on DCs to monitor & push login information to the FortiGate
• Polling mode
  » No agent is required on the DC
  » Uses the FortiGate local polling agent
  » Option to run a collector agent on a server which polls the DCs

                          | Domain Controller Agent        | Polling
DC requirement            | Agent is needed                | Agentless
Target deployment         | Large deployments; remote DC   | Small deployment
DHCP tracking             | Yes                            | No
Support for MAC terminals | Limited                        | May enable WinSecLog
Implementation            | Complex                        | Easy
Level of confidence       | Captures all logons            | Potential to miss logons if the polling period is too great

Page 55: User Identity – SSO: Single Sign-On with NTLM

• Used when the MS Windows Active Directory (AD) domain controller cannot be contacted
• Browser-based method of authentication
• Option for guests or users with unsupported browsers to bypass NTLM (on CLI)

Flow:
1. User attempts access to the network and is prompted by the FortiGate for user credentials
2. Credential information is provided by the browser
3. FGT queries Windows AD

Page 56: User Identity – SSO: Single Sign-On with Terminal Servers

• Requires the TS agent to be installed on terminal servers and an FSSO Collector on the network
• Supports Citrix and Windows Terminal Server

Flow (diagram: TS, DC, Collector, FGT):
1. User logs in to AD & opens a terminal session
2. Credential information is passed to the FGT by the TS agent via the FSSO Collector

Page 57: User Identity – SSO: Single Sign-On with RADIUS (RSSO) (V5.2)

• IPv6 clients supported

Flow:
1. Users get authenticated by the RADIUS server (e.g. access control)
2. A RADIUS Accounting message with an attribute-value pair that refers to the user group the user belongs to, along with IP address info (e.g. IP, usergroup_x), is forwarded to the FortiGate
3. The FortiGate uses a listening agent and maps the info into its own context table. When a session enters, it looks up the table to determine its action based on the identity based policies configured

Page 58: User Identity – SSO: Single Sign-On with Network Access

• Supports various network access modes: captive portal, wireless auth., 802.1X
• Via FortiAP (per SSID), FortiSwitch (per VLAN) & FortiGate interfaces

Flow:
1. Users get authenticated for network entry
2. FGT communicates with auth. servers for verification
3. FGT becomes aware of the user and may apply identity based policies

Page 59: User Identity – SSO: SSO Mobility Agent

• Caches credentials so that information is passed to the FortiGate seamlessly without user action
• Eliminates the additional user identification prompt from the FortiGate
• Works in AD environments both on-net & off-net, also NTLM
• (Diagram: On-Net, Off-Net)

Page 60: User Identity – Guest Access

• Temporary user provisioning & access
• Allows non-IT staff to create guest accounts via a web portal
  » Specialized admin ID for guest access management
• Assign time quota, generate temporary password
• Distribute guest credentials by printing, email or SMS
• Batch guest user creation option

Page 61: User Identity – Contact Harvest

• Email harvesting policy intercepting sessions until users provide an email address
• Useful in some areas to harvest emails and provide free WiFi access

Page 62: Device Identity – Overview

• Device Identification
  » Device & OS fingerprinting
  » Device classification & management
  » Contextual device information
• Device Based Policies
  » Policies using device/device group

• Identify device type to add into contextual information for better visibility
• Enforce policies based on device types or devices
• Allow the organization to embrace a BYOD environment securely
(Screenshot: Device Group List)

Page 63: Device Identity – Overview

• Securing the BYOD environment
• Identifying devices/device types to apply appropriate policy enforcement
• Additional control beyond the traditional Windows AD environment

(Diagram: Device Identification (agentless / agent based) → Awareness → Identity Policies → Access Control, Security Application, UTM Profiles)

Page 64: Device Identity – Device Identification: Identification Techniques (V5.2)

• Agentless
  » TCP fingerprinting
  » MAC address vendor codes
  » Network discovery protocols, DHCPv6, etc.
  » Requires "direct" connectivity to the FortiGate
• Agent based
  » Uses FortiClient
  » Location & infrastructure independent
• (Diagram: Internet, DMZ, FortiClient (FC) hosts; agentless vs. with agent)

Page 65: Device Identity – Device Identification (V5.2)

• TCP fingerprinting, network discovery & MAC address vendor code
  » Based on regularly updated device/OS signatures and MAC address vendor list DB
  » Automatic detection & categorization into predefined device groups
  » Enabled per device-based policy
• Captive portal
  » Force device detection by HTTP communication (HTTP User-Agent)
  » Email collection / endpoint compliance portal
• Endpoint agent
  » Agent captures system information and relays it to the FortiGate; 100% accurate
  » Allows device identification on remote networks

Page 66: Device Identity – Device Identification: Additional Device Information Detection

• Hostname: internal DHCP server, traffic scan
• Email address: email collection captive portal
• Username: authentication services, or "device-user-identification enable", which extracts info via traffic scanning (enabled by default)

Page 67: Device Identity – Device Captive Portals

• Device Detection
  » A web page that lets the user send some traffic in order to detect the device type
  » No replacement message when successful; the user has to reload the web page
  » If detection fails, a replacement message is presented
• Email Collection
  » Collects an email address as a means of identifying the device user
  » When the email address has been verified, the device is added to the Collected Emails device group
• Endpoint Compliance
  » Acts as a quarantine for devices that are not protected by FortiClient
  » Provides links to obtain the FortiClient software

Page 68: Device Identity – Device Management

• Device group management
• Manually add/edit devices
• Status
• Connection information
• User information
• Device definition
• Multiple MAC address merge

Page 69: Device Identity – Device Management: Device Groups (V5.2)

• Device group drill-down
• Predefined groups for auto categorization
• Manually defined custom groups

Page 70: Device Identity – Visibility

• Device contextual information available on widgets, logs & reports

Page 71: End Point Control – Overview (V5.2)

• FortiClient
  » Multi-OS support
  » Supports posture checking
  » Supports remote user and device identification
  » "Off-net" and mobile security policy enforcement
  » VPN & security setting provisioning
  » Custom install and rebranding
  » Endpoint logging

• Ensures that workstation computers (endpoints) meet security requirements
• Distributes client security & VPN settings
• Logs client activities

Page 72: End Point Control – FortiClient V5.2 Feature Matrix

Feature                              | Windows | Mac OSX | iOS           | Android
IPSec VPN                            | ✓       | ✓       | -             | ✓
SSL VPN                              | ✓       | ✓       | Web Mode Only | ✓
2FA                                  | ✓       | ✓       | ✓             | ✓
Anti-Virus                           | ✓       | ✓       | -             | -
Web Filtering                        | ✓       | ✓       | ✓             | ✓
WAN Optimization                     | ✓       | -       | -             | -
Registered for Central Management:
Config Provisioning                  | ✓       | ✓       | ✓             | ✓
Logging (to FMGR/FAZ)                | ✓       | ✓       | -             | -
Windows AD SSO Agent                 | ✓       | ✓       | -             | -
Application Firewall                 | ✓       | ✓       | -             | -
Vulnerability Scanning & Reporting   | ✓       | ✓       | -             | -

Page 73: End Point Control – Posture Checking (V5.2)

• Enforcement captive portal
  » Checks for install and running of FortiClient
  » Replacement page with download and installation instructions

Page 74: End Point Control – Mobile Security: Configuration Provisioning

• Provides consistent end point security policies "on-net" and "off-net"
• Reuses Application Control* & Web Filter profiles

Flow (diagram: LAN / INTERNET, on / off):
1. FortiClient enrols into the FortiGate and then receives its end point policy
2. FortiClient uses the last known security policies & VPN configurations

* Application control config for Windows and OS X only

Page 75: End Point Control – Mobile Security: On/Off-net Properties (V5.2)

• FortiClient adopts separate "on-net" and "off-net" configurations depending on location
• "On-net" options include turning off local security features and enabling client logging
• "Off-net" options include turning on security features and enabling VPN automatically

Flow (diagram: LAN / INTERNET, on / off):
1. The FortiGate informs FortiClient that it is "on-net" using DHCP "cookies"
2. FortiClient doesn't receive "on-net" information and activates "off-net" mode

* Application control config for Windows and OS X only

Page 76: End Point Control – Mobile Security: Endpoint Profile (V5.2)

• For distributing endpoint configurations
• Reuses UTM profiles
  » App Control
  » Web Filter
• Provisions multiple VPN settings
• Multiple endpoint profiles may be created and assigned to different device groups

Page 77: End Point Control – Mobile Security: Endpoint Control Profile Assignment

• Multiple profiles can be assigned to device groups / user groups / users

Flow:
1. User logs on using an authentication service (e.g. AD, RADIUS, etc.)
2. FGT identifies the device/user upon successful logon
3. FGT pushes the corresponding EC profile to FortiClient

Page 78: End Point Control – Mobile Security: Advanced Endpoint Profile Setting

1. Set up and configure a sample client
2. Export the settings and then import them into the FortiGate
3. Distribute the settings to other clients

Page 79: Firewall – Overview

• Policy Management
  » Section & global view
  » IP, user & device based policies
  » Policy objects, object tagging & colouring
  » Traffic counters
• NAT
  » Static NAT, dynamic NAT support
  » Central NAT table
• Traffic Support
  » SCTP, GTP, ICMP
  » Session helpers & ALGs
• Hardware Acceleration*
  » High performance across all packet sizes
  » Ultra-low latency

Innovative features that allow accurate and effective policy setup.
(Screenshot: Policy Table)

* Applicable to supported models

Page 80: Firewall – Policy Table (V5.2)

• Section view
• Global view

Page 81: Firewall – Policy Table (V5.2)

• Configurable column settings
• Object colouring
• Policy counters
• Smart object search
• Drag-and-drop policy rearrangement or moving objects
• Direct object/policy edit with right click

Page 82: Firewall – Identity Based Policy (V5.2)

• User identity based security policies: assign an access policy and profiles to each user group or user
  » Diagram: User Group #1 (User #1, User #2) from SRC #1 to DST #1 / DST #2 on Service Port #1 / Service Port #2 with UTM Profile #1 / UTM Profile #2
• Device identity based security policies: assign an access policy and profiles to each device type or device group
  » Diagram: Device Group #1 (Device Type #1, Device Type #2) from SRC #1 to DST #1 / DST #2 on Service Port #1 / Service Port #2 with UTM Profile #1 / UTM Profile #2

Page 83: Firewall – Policy Management (V5.2)

• Policies control traffic as it traverses the device
  » Interfaces, zones (groups of interfaces), VLANs and SSID segments
• Components
  » Firewall configuration
  » NAT settings, traffic shaping settings
  » Security instructions, e.g. scan for viruses, detect attacks, etc.
  » Logging options

Page 84: Firewall – Policy Management: Source Types (V5.2)

• Merged policies (IP, user & device)
• "AND" operation if more than one type of source is used (IP AND user AND device)

Page 85: Firewall – Policy Management: Policy Matching (V5.2)

Policies are matched top-down. The policy table may consist of different policy types.

Policy table rows shown on the slide (source IP / users / device group / service / destination / UTM profile → match result):
• IP #1 / User Group #1 (User #1, User #2) / Device Group #1 / Service Port #1, Service Port #2 / DST #1, DST #2 / UTM Profile #1, UTM Profile #2
• IP #1 / – / – / Service Port #2 / DST #1, DST #2 / – → ✗
• IP #3 / User #1, User #2 / Device Group #2 / Service Port #2 / DST #3 / – → ✗
• IP #3 / User #1, User #2 / – / Service Port #2 / DST #3 / – → ✔

Page 86: Inside forti os-v524-r5

86

Policy Objects

FortiGuard GeoIP DB: distributed as a FortiGuard update; requires a valid FortiCare contract

Manual update is done with a CLI command

GeoIP override is configurable; supports IPv6 addresses

Firewall

Page 87: Inside forti os-v524-r5

87

Policy Objects

Intelligent Object Searching: initially implemented on the Firewall Address list; search by name, IP, wildcards, etc.

Firewall

Page 88: Inside forti os-v524-r5

88

H/W Acceleration Firewall

Diagram: legacy security gateway appliances process every session on the CPU; a FortiGate with FortiASIC offloads traffic to the Network Processor after the CPU performs the initial session setup and downloads the session instructions to it.

Page 89: Inside forti os-v524-r5

89

Overview VPN

IPSEC VPN: standards-based protocol support; policy- and route-based configurations; hub-and-spoke and mesh VPN architectures; redundant tunnels; split tunneling; remote VPN with FortiClient; VPN Wizard

SSL VPN: web and tunnel mode; customizable portal with bookmarks; Virtual Desktop & Host Check

Other VPN Features: L2TP (Microsoft) & GRE; hardware acceleration*

No additional licenses required; integrates with UTM functions to protect internal resources against remote traffic

SSL VPN Portal

*applicable to supported models

V5.2

Page 90: Inside forti os-v524-r5

90

Wizard

Step-by-step guided IPSEC configuration

» Custom defined
» Predefined templates

Covers authentication & network settings

» No need to create separate phase1 objects for different user groups, as authorization is handled by the firewall policy

IPSEC VPN

V5.2

Page 91: Inside forti os-v524-r5

91

Access Modes

Web Application Mode

• Support via Java applets
• Limited application support: HTTP/HTTPS, FTP, SMB/CIFS, TELNET, SSH, VNC, RDP, Citrix
• Ease of use

Tunnel Mode

• Support via SSL VPN client, requires download & install
• Unlimited L3 application support

Port Forward Mode

• Support via Java applets
• Extends the applications supported by web application mode
• Does not need admin privilege to install and run

SSL VPN

Page 92: Inside forti os-v524-r5

92

SSL VPN Portal

Customized header, logo, themes and page layout

Customized Widgets

Tunnel Mode Widget

SSL VPN

Web Mode bookmarks

Session Stats and status

Page 93: Inside forti os-v524-r5

93

SSL VPN Portal

User group based portal access

Ability for an MSP to create and set different portal access without using VDOMs

» URL path (i.e. suffix to bind to), max concurrent users, custom login page

Custom login profile selection per SSL VPN user-group policy

SSL VPN

https://sslvpn/customerA/ https://sslvpn/customerB/

Page 94: Inside forti os-v524-r5

94

Virtual Desktop

CLI command; available for Windows terminals only

SSL VPN

Application Control:
• Controls which applications users can run on their virtual desktop
• Done by creating a list of either allowed or blocked applications, which you then select when you configure the virtual desktop
• Applications are defined by MD5 signatures

Host Check:
• Enforces the client’s use of antivirus or firewall software
• Offers a predefined list which can be edited
• Customized applications can be added with a globally unique identifier (GUID)
• Windows patch check (CLI only) allows the admin to define the minimum Windows version and patch level allowed
» Supports Windows 2000, XP, Vista & 7

File Access:
• Completely isolates the SSL VPN session from the client computer’s desktop environment
• All data is encrypted, including cached user credentials, browser history, cookies, temporary files and user files created during the session
• When the SSL VPN session ends normally, the files are deleted

Page 95: Inside forti os-v524-r5

95

Single Sign-on

Available on admin-defined Web-Mode HTTP/HTTPS bookmarks

Allows the user to log into the SSL VPN without having to enter any further credentials to visit a preconfigured website

2 modes:
» Automatic - use the user’s SSL VPN credentials for login
» Static - fill in the login credentials as defined by the specified field name

SSL VPN

Page 96: Inside forti os-v524-r5

96

Overview IPS

IPS Signatures: over 7,000 signatures; integrated FortiGuard IPS encyclopedia; zero-day threat protection & research; custom signatures; rate-based signatures; signature filtering; user quarantine; packet logging

DoS Protection: rate based - set thresholds for various types of network operations

Deployment Options: sniffer mode; bypass interface & FortiBridge

Low latency, superior coverage and cost/performance integrated IPS

2012 NSS Security Value Map

V5.2

Page 97: Inside forti os-v524-r5

97

IPS Sensor

Regular IPS Signatures protect against

» Known vulnerability & zero-day exploits
» Protocol anomalies

Details pop-up linked to the FortiGuard IPS encyclopedia

IPS

Filtered by: Severity, OS, Protocol, Applications, Target (Client/Server)

V5.2

Page 98: Inside forti os-v524-r5

98

Rate Based Signatures: brute-force protection by blocking subsequent requests once the threshold (incidents per defined number of seconds) is reached

» Definable block duration
» Various tracking methods

IPS Sensor IPS

V5.2

Page 99: Inside forti os-v524-r5

99

FortiGuard Service

Outstanding Detection Rate: 100% resistance to evasions, 97.9% detection rate (NSS Test 2011)

Vigorous Benchmark Testing: tested weekly on over 4 different tools to determine & improve the effectiveness of the security device at detecting network vulnerabilities

IPS

Page 100: Inside forti os-v524-r5

100

FortiGuard Service

FortiGuard Center: FortiGuard Encyclopedia – detailed description of known threats; IPS updates log (RSS feed); vulnerability advisories; Threat Monitor – top attacks by geographic breakdown

Zero-Day Research
• Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)

IPS

Page 101: Inside forti os-v524-r5

101

Performance IPS

Chart: NSS IPS Latency (July 2012), latency in μs (0 to 160) for Check Point 12600, Stonesoft 1302, Juniper IDP 8000, Sourcefire 3D8120, 3D8260 and 3D8250, SonicWALL SuperMassive, IBM GX7800, PA 5020, HP/TippingPoint 6100N, McAfee M-8000 and FortiGate 3240C.

FortiGate 3240C also beats all IPS competition with the lowest latency

Page 102: Inside forti os-v524-r5

102

Packet Logging

Forensic Tool: packet capture triggered by IPS signatures; can be saved as a pcap file for forensic studies; can be logged to disk, FortiAnalyzer or FortiCloud

IPS

Page 103: Inside forti os-v524-r5

103

User Quarantine

Intelligently blocks attackers from launching further attacks

» Most attacks are conducted in several steps, e.g. a port scan followed by more targeted hacking activities

Frees up IPS resources, since the traffic is now stopped by the firewall. Entries are removed from the banned list manually or when their expiry time is reached

Diagram: the User Quarantine list holds the attacker's IP address and a duration; entries are added by Antivirus, IPS, DLP and Endpoint Control

IPS

V5.2

Page 104: Inside forti os-v524-r5

104

Advanced Features IPS

V5.2

NGIPS Contextual Awareness

» Correlate with related information such as users & applications

Automation

» Automated impact assessment for quick policy tuning with FortiView
» Network behavior analysis using Threat Score

Page 105: Inside forti os-v524-r5

105

DOS Sensors

DoS Protection: detects and mitigates traffic that is part of a DoS attack. Applied as DoS policies, which are evaluated before firewall policies. Rate based: set thresholds for various types of network operations. The sensor list can be updated only when the firmware image on the unit is upgraded.

Anomaly | TCP | UDP | ICMP
Packet rate to a destination IP | TCP_SYN_FLOOD | UDP_FLOOD | ICMP_FLOOD
Packet rate from a source IP | TCP_PORT_SCAN | UDP_SCAN | ICMP_SWEEP
# of concurrent sessions to a destination IP | TCP_DST_SESS | UDP_DST_SESS | ICMP_DST_SESS
# of concurrent sessions from a source IP | TCP_SRC_SESS | UDP_SRC_SESS | ICMP_SRC_SESS
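Both the rate-based IPS signatures of page 98 (threshold of incidents per period, block duration, tracking method, with the banned list of page 103) and the DoS sensor thresholds above share one mechanism: count events per tracked key inside a sliding window and act when the threshold is crossed. The following is an added example, not FortiOS code or Fortinet's implementation; the anomaly names are the ones on the slide, while the thresholds, packet records and timings are constructed.

```python
from collections import defaultdict, deque


class SlidingWindow:
    """Counts events per key inside the last `period` seconds."""

    def __init__(self, period):
        self.period = period
        self.events = defaultdict(deque)

    def add(self, key, now):
        q = self.events[key]
        q.append(now)
        while q and q[0] <= now - self.period:
            q.popleft()
        return len(q)


class RateBasedSignature:
    """IPS rate-based signature: once `threshold` incidents are seen within
    `period` seconds for the tracked key, block that key for `block_duration`."""

    def __init__(self, threshold, period, block_duration, track="src"):
        self.threshold = threshold
        self.block_duration = block_duration
        self.track = track                  # tracking method: src, dst or src-dst
        self.window = SlidingWindow(period)
        self.blocked = {}                   # key -> ban expiry (the quarantine list)

    def _key(self, pkt):
        return {"src": pkt["src"], "dst": pkt["dst"],
                "src-dst": (pkt["src"], pkt["dst"])}[self.track]

    def incident(self, pkt, now):
        """Called when the underlying signature fires; returns 'pass' or 'block'."""
        key = self._key(pkt)
        expiry = self.blocked.get(key)
        if expiry is not None:
            if now < expiry:
                return "block"              # still quarantined, no IPS work needed
            del self.blocked[key]           # ban expired, key leaves the list
        if self.window.add(key, now) >= self.threshold:
            self.blocked[key] = now + self.block_duration
            return "block"
        return "pass"


# Anomaly names from the slide: (protocol, tracked side, what is counted)
DOS_ANOMALIES = {
    "TCP_SYN_FLOOD": ("tcp", "dst", "rate"), "UDP_FLOOD": ("udp", "dst", "rate"),
    "ICMP_FLOOD": ("icmp", "dst", "rate"), "TCP_PORT_SCAN": ("tcp", "src", "rate"),
    "UDP_SCAN": ("udp", "src", "rate"), "ICMP_SWEEP": ("icmp", "src", "rate"),
    "TCP_DST_SESS": ("tcp", "dst", "sessions"), "UDP_DST_SESS": ("udp", "dst", "sessions"),
    "ICMP_DST_SESS": ("icmp", "dst", "sessions"), "TCP_SRC_SESS": ("tcp", "src", "sessions"),
    "UDP_SRC_SESS": ("udp", "src", "sessions"), "ICMP_SRC_SESS": ("icmp", "src", "sessions"),
}


class DosSensor:
    """Checks every packet against the configured anomaly thresholds (packets
    per `period` seconds, or concurrent sessions) before any firewall policy."""

    def __init__(self, thresholds, period=1.0):
        self.thresholds = thresholds            # anomaly name -> threshold
        self.windows = {n: SlidingWindow(period) for n in thresholds}
        self.sessions = defaultdict(set)        # (anomaly, key) -> live 4-tuples

    def packet(self, pkt, now):
        """Return the anomaly names whose threshold this packet exceeds."""
        hits = []
        for name, limit in self.thresholds.items():
            proto, side, kind = DOS_ANOMALIES[name]
            if pkt["proto"] != proto:
                continue
            key = pkt[side]
            if kind == "rate":
                exceeded = self.windows[name].add(key, now) > limit
            else:   # session counting; session expiry is omitted for brevity
                live = self.sessions[(name, key)]
                live.add((pkt["src"], pkt.get("sport", 0), pkt["dst"], pkt.get("dport", 0)))
                exceeded = len(live) > limit
            if exceeded:
                hits.append(name)
        return hits


def demo_brute_force():
    """Three incidents from one source inside 10 s -> blocked for 60 s."""
    sig = RateBasedSignature(threshold=3, period=10, block_duration=60, track="src")
    pkt = {"src": "198.51.100.5", "dst": "10.0.0.8"}       # constructed
    return [sig.incident(pkt, t) for t in (0, 1, 2, 30, 62)]


def demo_syn_flood():
    """Four SYNs to one server from four sources; limits: 3 pps and 2 sessions."""
    sensor = DosSensor({"TCP_SYN_FLOOD": 3, "TCP_PORT_SCAN": 100, "TCP_DST_SESS": 2})
    return [sensor.packet({"proto": "tcp", "src": f"203.0.113.{i}", "sport": 40000 + i,
                           "dst": "10.0.0.1", "dport": 80}, i / 10)
            for i in range(1, 5)]
```

The point the slides make about quarantine shows in `incident`: while a key is on the banned list the signature is never evaluated again for it, which is where the saved IPS resources come from; the expiry check is what implements the "manually or set expiry time" removal.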

IPS

Page 106: Inside forti os-v524-r5

106

Overview Application Control

Application Control Sensors: over 3,300 signatures in 19 categories; user notifications using FortiBar or HTTP replacement message; granular controls for popular apps; cloud app visibility; Application Control traffic shaping; SPDY protocol support; SSH inspection; custom signatures

More flexible and fine-grained policy control

Increased security

Deeper visibility into network traffic

FortiGuard Application library

V5.2

Page 107: Inside forti os-v524-r5

107

App Signatures

App List: application signatures can be filtered by category, technology, popularity and risk level. Useful for override settings and FortiView search

Application Control

V5.2

Page 108: Inside forti os-v524-r5

108

App Signatures

5-point risk levels: each application signature is assigned a risk level to help the administrator understand its threat status in logs and FortiView.

Application Control

Risk Level | Description | Example
Critical | Applications that are used to conceal activity to evade detection | Tor, SpyBoss
High | Applications that can cause data leakage, or are prone to vulnerabilities or downloading malware | Remote Desktop, File Sharing, P2P
Medium | Applications that can be misused | VoIP, Instant Messaging, File Storage, WebEx, Gmail
Elevated | Applications used for personal communications or that can lower productivity | Gaming, Facebook, Youtube
Low | Business-related applications or other harmless applications | Windows Updates

V5.2

Page 109: Inside forti os-v524-r5

109

App Signatures

Custom Signatures: create signatures and assign them to categories

Application Control

V5.2

Page 110: Inside forti os-v524-r5

110

Application Sensor

Ease of use: applies actions to various categories

» Allow, block, monitor, reset, traffic shaping

Create overrides that exempt applications from the category settings

Flexibility: applies different profiles to users, devices and/or IPs and their respective destinations in the security policies.

Application Control

V5.2

Page 111: Inside forti os-v524-r5

111

Application Control

Granular Controls: granular control of Facebook and other popular online app usage. Facebook app pages can also be controlled via Web Filtering categories and custom signatures

Application Control

V5.2

Page 112: Inside forti os-v524-r5

112

Application Control

SPDY Protocol Support: open networking protocol developed primarily at Google for transporting web content, similar to HTTP

» Aims to reduce web page load latency and improve web security

Supported by most browsers

Application Control

V5.2

Page 113: Inside forti os-v524-r5

113

Application Control

Deep Application Visibility: captures details of popular online applications

» Cloud-based file storage and video sites
» Logins to popular apps/sites
» Via web browsers

Info extracted includes

» (Upload/download) filenames
» Video titles played
» User ID when a login is detected

Application Control

V5.2.1

Page 114: Inside forti os-v524-r5

114

SSH Inspection

As part of SSL/SSH Inspection Profile

Uses SSH proxy to intercept the SSH key exchange and content

After inspection, the session is re-encrypted and forwarded to the recipient

Application Control

Page 115: Inside forti os-v524-r5

115

Overview Antivirus

AntiMalware: proxy- and flow-based AV; filename & file type filtering; heuristic AV engine; file analysis with cloud-based or on-premise sandboxing; AV database options; file quarantine

Anti-Botnet: Application Control category; Botnet IP blacklist database

Protects internal network devices against malware and other malicious code

AV Configuration

Page 116: Inside forti os-v524-r5

116

Technologies

Signatures

• Detects and blocks known malware and some variants

• Highly accurate, low false positives

• Requires up-to-date signature updates

• 3rd party validated

Behavioral Evaluation

• Detects and blocks malware based on scoring system of known malicious behaviors or characteristics

• Can be used to flag out suspicious files for further analysis

File Analysis

• Detects zero-day threats by executing code on emulators to determine malicious activity.

• Resource intensive, performance and latency impact

Antivirus

Page 117: Inside forti os-v524-r5

117

Technologies

Application Control
• Detects and blocks nearly 50 active botnets
• Detects botnet network activities by examining traffic
• Prevents zombies from leaking data or communicating for instructions

Botnet IP Reputation DB
• Detects and blocks known botnet C&C communication by matching against blacklisted botnet command IPs
• Stops dial-back by infected zombies

Antivirus

Page 118: Inside forti os-v524-r5

118

In-box AV functions

FortiGate as AV Gateway: network based, no agents required on hosts; can be proxy or flow based; signature set options: Normal, Extended or Extreme; file quarantine if local storage is available

Antivirus

Page 119: Inside forti os-v524-r5

119

NORMAL
• List of currently active threats
• Recently added by the Fortinet Antivirus team
• Detected by the FortiGuard network
• The wild list database

EXTENDED
• Older and recently active threats (already dropped by the wild list)

EXTREME
• Remaining detection signatures for all threats
• Zoo entries, and historical curiosities such as old DOS-based viruses

AV Signature DB Antivirus

Page 120: Inside forti os-v524-r5

120

Antivirus

AV Engine

Code Emulator: lightweight emulators

» Good against VM evasion

OS-independent file analysis, all file types

» JavaScript, Flash, PDF

Best against malware injection via (compromised) web 2.0 applications

Diagram: FortiGate AV Engine 2.0 pipeline. File sample → decryption/unpacking system → signature match (CPRL/checksum) → code emulator / behavior analysis. Outcomes: Pass – no further action; Suspicious – forwarded to the cloud-based FortiGuard AV service; Blocked – file discarded, option to quarantine, and event logged.

V5.2

Page 121: Inside forti os-v524-r5

121

In-box AV functions Antivirus

Feature | Proxy Based | Flow Based
External sandboxing | FortiCloud Sandbox, FortiSandbox | FortiCloud Sandbox, FortiSandbox
Anti-Bot | FortiGuard Botnet Servers Black List | FortiGuard Botnet Servers Black List
Protocols supported | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, MAPI, FTP/SFTP, NNTP (CLI) | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, FTP/SFTP, NNTP
Replacement message | All supported protocols | Limited to HTTP/HTTPS

V5.2

Page 122: Inside forti os-v524-r5

122

FortiGuard AV Service Antivirus

Fortinet

Page 123: Inside forti os-v524-r5

123

File Analysis

Integration with FortiSandbox / FortiCloud Sandbox: automated submission of all files, or only of files flagged as suspicious by the AV engine. A summary report is available on the FortiGate dashboard

Antivirus

Diagram: FortiCloud Sandbox / FortiSandbox flow. 1 – suspicious files and related logs are uploaded; 2 – scan results are available on the FortiCloud portal; 3 – summary results are displayed in the FortiGate widget

V5.2

Page 124: Inside forti os-v524-r5

124

File Analysis

FortiSandbox Cloud Integration: FortiSandbox viewer; view detailed analysis; manual source quarantine

Antivirus

V5.2.3

Page 125: Inside forti os-v524-r5

125

Overview Email Filter

Antispam: supports SMTP, SMTPS, IMAP, POP3, IMAPS and POP3S; FortiGuard AS filtering: RLB, SURLB, checksum; phishing URL detection; HELO DNS lookup; manual BWL

Content Filtering: banned words, scoring method

Detects and removes spam emails to prevent malicious activities from occurring

Email Filter Profile

Page 126: Inside forti os-v524-r5

126

Antispam

FortiGate as Antispam Gateway: tags the subject or discards the email when spam is detected; uses both local and FortiGuard DBs to detect spam; also detects phishing URLs in emails

Email Filter

Page 127: Inside forti os-v524-r5

127

Spam Filters Email Filter

Order of Spam Filters (diagram; checks are grouped by the stage at which they run)

SMTP/SMTPS

» IP check (last hop IP): IP BWL, DNSBL/ORDBL, HELO DNS lookup
» Email header: MIME header, email address BWL check, return email DNS check, IP BWL (received header)
» Email content: banned word (subject), banned word (body), URL check, checksum check

IMAP, IMAPS, POP3, POP3S

» Email header: MIME header, email address BWL check, IP BWL (received header)
» Email content: banned word (subject), banned word (body), URL check, checksum check

Legend: FortiGuard service; local filter; local filter (CLI only)

Page 128: Inside forti os-v524-r5

128

Overview Web Filter

URL Filtering: URL, web content and MIME filtering; time usage quota; transparent Safe Search; policy objects, object tagging & coloring; local rating & category; user override option

Proxy Avoidance Prevention: proxy service site blocking; language translation & cache blocking; rate sites by IP address; Application Control – proxy avoidance category; IPS proxy behavior detection

Web Filtering Block Page

Page 129: Inside forti os-v524-r5

129

FortiGuard Service Web Filter

• 78 categories in 6 groups
• Over 250 million URLs rated
• 70 languages
• 40-80 billion queries per week
• 40K URLs get automatically rated daily
• 96% of all queried websites are rated

More accurate, fewer wrongly rated sites, more coverage

Page 130: Inside forti os-v524-r5

130

Safe Search Web Filter

Advantages over the client’s browser configuration:
✔ Easy to provision – no need to “touch” clients
✔ Prevents safe-search avoidance

1. User does a search from the portal
2. FortiGate transparently inserts the Safe-Search parameter into the query
3. Search engine responds with Safe-Search results
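The two Safe Search behaviours named on the inspection-mode comparison later in this section, as an added example that is not FortiOS code: in proxy mode the query is rewritten so the engine returns Safe-Search results, while flow mode, which cannot rewrite, blocks a search request that does not already carry the parameter. The parameter names are the public query parameters of Google (safe=active) and Bing (adlt=strict); the table and URLs are constructed, and any host not in the table is simply not treated as a search engine.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# host suffix -> (parameter, required value); constructed table of two engines
SAFE_SEARCH_PARAMS = {
    "google.com": ("safe", "active"),
    "bing.com": ("adlt", "strict"),
}


def _engine_for(host):
    """Return the (parameter, value) rule for a search-engine host, else None."""
    host = host.lower()
    for suffix, rule in SAFE_SEARCH_PARAMS.items():
        if host == suffix or host.endswith("." + suffix):
            return rule
    return None


def inject_safe_search(url):
    """Proxy mode: return the URL with the engine's safe-search parameter set,
    replacing any value the client sent (e.g. safe=off)."""
    parts = urlsplit(url)
    rule = _engine_for(parts.hostname or "")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if rule is None or not any(k == "q" for k, _ in params):
        return url                              # not a search request: untouched
    name, value = rule
    params = [(k, v) for k, v in params if k != name] + [(name, value)]
    return urlunsplit(parts._replace(query=urlencode(params)))


def flow_mode_verdict(url):
    """Flow mode cannot modify the request, so it blocks a search that does
    not already carry the safe-search parameter with the required value."""
    parts = urlsplit(url)
    rule = _engine_for(parts.hostname or "")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if rule is None or "q" not in params:
        return "allow"
    name, value = rule
    return "allow" if params.get(name) == value else "block"


if __name__ == "__main__":
    print(inject_safe_search("https://www.google.com/search?q=cats&safe=off"))
    print(flow_mode_verdict("https://www.bing.com/search?q=cats"))   # block
```

Because the rewrite happens on the FortiGate, a user who turns Safe Search off in the browser still gets filtered results, which is the avoidance the slide says is prevented; for HTTPS search engines this only works where the traffic is actually decrypted (full SSL inspection), otherwise the query string is never visible.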

Page 131: Inside forti os-v524-r5

131

Google Access

Restrict by Domain
• Allows a workplace to restrict Google access to only its corporate accounts
» Proxy WF only
» Deep inspection required

Web Filter

V5.2

Page 132: Inside forti os-v524-r5

132

Manual URL Filter Web Filter

URL Definition
• Static, regular expression or wildcard

HTTP-Referrer
• Allows websites to be blocked/allowed except when reached by clicking a link on another website
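The three URL definition types together with the HTTP-Referer exemption, as an added example that is not FortiOS code: entries are evaluated top-down, the first match decides, and an entry can list referring hosts for which it is skipped, so a site that is normally blocked is allowed when the user arrived there from a permitted portal. The entries, URLs and referrers are constructed.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


class UrlEntry:
    def __init__(self, pattern, kind, action, referrer_exempt=()):
        self.pattern, self.kind, self.action = pattern, kind, action
        self.referrer_exempt = tuple(referrer_exempt)   # referring hosts that bypass this entry
        self.regex = re.compile(pattern) if kind == "regex" else None

    def matches(self, url):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        target = host + parts.path
        if self.kind == "simple":
            # static entry: whole host, or host plus a path prefix when a path is given
            if "/" in self.pattern:
                prefix = self.pattern.rstrip("/")
                return target == prefix or target.startswith(prefix + "/")
            return host == self.pattern
        if self.kind == "wildcard":
            return fnmatchcase(target, self.pattern)
        return self.regex.search(target) is not None


def url_filter(entries, url, referer=None):
    """Action of the first matching entry; 'allow' when no entry matches
    (the request would then continue to category rating, not modelled)."""
    ref_host = (urlsplit(referer).hostname or "").lower() if referer else None
    for e in entries:
        if not e.matches(url):
            continue
        if ref_host and any(fnmatchcase(ref_host, r) for r in e.referrer_exempt):
            continue        # reached via a link on a permitted site: entry does not apply
        return e.action
    return "allow"


# Constructed manual URL filter list, evaluated top-down
ENTRIES = [
    UrlEntry("intranet.example.com", "simple", "allow"),
    UrlEntry("*.example.com/private*", "wildcard", "block"),
    UrlEntry(r"\.(exe|msi)$", "regex", "block"),
    UrlEntry("partner-downloads.example.net", "simple", "block",
             referrer_exempt=("portal.example.com",)),
]


if __name__ == "__main__":
    print(url_filter(ENTRIES, "https://partner-downloads.example.net/"))                          # block
    print(url_filter(ENTRIES, "https://partner-downloads.example.net/",
                     referer="https://portal.example.com/links"))                                  # allow
```

Order matters in the same way as in the firewall policy table: the regex entry that blocks installers sits above the referrer-exempt entry, so a link from the portal to an .msi on the partner site is still blocked.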

V5.2

Page 133: Inside forti os-v524-r5

133

Proxy Avoidance

Blocking known sites that:
» Provide listings of HTTP proxy services
» Provide proxy avoidance techniques & instructions, software downloads, etc.
» (Language) translate websites

Identifies and rates redirected websites
» Cache & translation sites

Rates sites by IP address

Web Filter

Page 134: Inside forti os-v524-r5

134

Proxy Avoidance Web Filter

Defense-in-Depth

» Web Filter: category = Proxy
» Application Control: proxy avoidance applications
» IPS signature: http_proxy_activity

• Prevents proxy avoidance further …
» Application Control stops proxy avoidance applications
» IPS signature detects and blocks “zero-day” proxy activities

Page 135: Inside forti os-v524-r5

135

Inspection Modes Web Filter

Feature | Proxy Based | Flow Based | DNS Based
Hardware acceleration | No | No | No
HTTPS deep scan; Active-X, cookie & Java applet filters; other advanced filtering options | Yes | No | No
Safe Search | Injects Safe-Search parameters | Blocks non-safe search requests | No
Replacement message | Yes | Yes | Redirect
Concurrent sessions | Based on max proxy sessions | Very high | Very high
Asymmetric traffic support | No | Yes, HTTP only | Yes, HTTP only
Category actions | All | Auth & Warning not supported | Auth & Warning not supported

V5.2

Page 136: Inside forti os-v524-r5

136

Overview DLP

DLP Sensor: document fingerprinting; file name, type & size filter; encrypted file/message filter; watermark filter; sample profiles: SSN, credit card number, etc. detection

Content Archive: archive email, FTP, HTTP, IM and session-control content

Protects intellectual property from internal mishandling

Prevents sensitive information from being transmitted to unauthorized networks

DLP Sensor Filter

Page 137: Inside forti os-v524-r5

137

Data leakage can be the intentional or unintentional result of human/software error; it is often the result of specific, targeted actions, sometimes by trusted insiders, which lead to the loss of sensitive information.

Overview DLP

DLP solutions typically have 3 main components:

Data at Rest: scanning of content storage repositories to identify where sensitive data exists

Data in Motion: intercepting and inspecting traffic traversing the network to identify potentially sensitive data

Data in Use: endpoint solutions that monitor endpoint system activity and identify sensitive data

Page 138: Inside forti os-v524-r5

138

DLP Sensor

DLP Actions (per rule): log (full content archive or summary); block; quarantine user, IP or interface

DLP Rule Filters: fingerprint; file size, type; regular expression; encrypted

File Types Supported: text file, PDF, MS Word

DLP

A DLP sensor can be either proxy or flow based, hosts a set of DLP rules, and is applied through a protection profile
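A DLP sensor as a list of rules with the filter kinds and actions named above, as an added example that is not FortiOS code or Fortinet's DLP engine. It shows why a regular expression alone is not enough for the credit-card sample profile (a Luhn check removes 16-digit order numbers), why file type is taken from the leading bytes rather than the name, and one simple form of document fingerprinting (hashes of word runs, so a pasted excerpt of a protected document is recognised wherever it starts). The protected document, the sensor and the scanned messages are constructed.

```python
import hashlib
import re

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")
# file type by leading bytes ("magic"), not by the name the sender chose
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/docx", b"\xd0\xcf\x11\xe0": "msoffice"}


def luhn_ok(digits):
    """Luhn checksum, so a random 16-digit number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def file_type(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    printable = all(b in b"\t\r\n" or 32 <= b < 127 for b in data[:512])
    return "text" if printable else "binary"


def fingerprint(data, shingle=6):
    """Hashes of every run of `shingle` words; a verbatim excerpt of a
    protected document shares most of them regardless of where it starts."""
    words = data.lower().split()
    return {hashlib.sha256(b" ".join(words[i:i + shingle])).hexdigest()
            for i in range(max(1, len(words) - shingle + 1))}


def rule_matches(rule, data):
    kind = rule["kind"]
    if kind == "regex":
        for m in rule["pattern"].finditer(data):
            digits = re.sub(rb"\D", b"", m.group()).decode()
            if not rule.get("luhn") or luhn_ok(digits):
                return True
        return False
    if kind == "file-type":
        return file_type(data) in rule["types"]
    if kind == "file-size":
        return len(data) > rule["max_bytes"]
    if kind == "fingerprint":
        fp = fingerprint(data)
        return len(fp & rule["fingerprint"]) / len(fp) >= rule["ratio"]
    raise ValueError(kind)


def scan(sensor, data):
    """Rules are checked in order; the first match decides (action, rule)."""
    for rule in sensor:
        if rule_matches(rule, data):
            return rule["action"], rule["name"]
    return "pass", None


# Constructed protected document and sensor
PROTECTED = (b"The quarterly revenue forecast for the northern region was revised "
             b"downward after the supplier audit found three inconsistencies in "
             b"the shipping ledger.")

SENSOR = [
    {"name": "ssn", "kind": "regex", "pattern": SSN_RE, "action": "block"},
    {"name": "credit-card", "kind": "regex", "pattern": CARD_RE, "luhn": True, "action": "block"},
    {"name": "forecast-doc", "kind": "fingerprint", "fingerprint": fingerprint(PROTECTED),
     "ratio": 0.3, "action": "quarantine-user"},
    {"name": "pdf-out", "kind": "file-type", "types": {"pdf"}, "action": "log-full"},
    {"name": "large", "kind": "file-size", "max_bytes": 10_000_000, "action": "log-summary"},
]

if __name__ == "__main__":
    print(scan(SENSOR, b"order 1234 5678 9012 3456 shipped"))   # ('pass', None): fails Luhn
    print(scan(SENSOR, b"card 4111 1111 1111 1111 exp 12/27"))  # ('block', 'credit-card')
```

The fingerprint ratio is measured against the scanned message, not the protected document, so a short quotation that consists entirely of protected text still scores high; tuning that threshold is the usual trade-off between catching partial leaks and flagging ordinary phrases.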

Page 139: Inside forti os-v524-r5

139

Overview Vulnerability Scanning

Vulnerability Management: asset discovery & OS detection; manual or scheduled scans; results visible on monitor, logs and reports; links to the FortiGuard Threat Encyclopedia for details & remediation advice

FortiAnalyzer Integration: report correlation

Protects network assets (servers and workstations) by scanning them for security weaknesses

Facilitates proactive patching against known vulnerabilities

Vulnerability Scan report

Page 140: Inside forti os-v524-r5

140

Overview Wireless

Integrated Wireless Controller: based on CAPWAP RFC standards; supports up to 1024 APs per controller; QoS support

Wireless Security: wireless IDS; WPA/WPA2-Personal and WPA/WPA2-Enterprise (802.11i), captive portal modes; rogue AP monitoring and suppression

Wireless Deployment: FortiPlanner; automatic radio resource provisioning; fast roaming; wireless mesh & bridging; AP load balancing

Secures wireless access with the integrated wireless controller; implements PCI requirements

AP Profile

Page 141: Inside forti os-v524-r5

141

Overview

Unified Secured Access: integrated WLAN management with the security gateway; shared authentication services & access policies

Diagram: wireless access, wired access and remote access all reach the digital asset through the same content inspection, attack mitigation, user identification and access control.

Wireless

Page 142: Inside forti os-v524-r5

142

Thin AP

CAPWAP: standards-based protocol for the control and provisioning of wireless access points

Fast Roaming*: users in a multi-AP network can move from one AP coverage area to another without impairing most wireless traffic and applications.

Wireless

Diagram: floor APs → wiring closet → aggregation → FortiGate controller in the data center, with a CAPWAP tunnel from each AP.

Thin AP architecture tunnels all traffic to the FortiGate controller for added security and ease of management

* Only in L2 networks

Page 143: Inside forti os-v524-r5

143

User Access

FortiGate Wireless Controller supports:

WPA Personal (PSK)
• Wireless access using pre-shared keys

WPA-Enterprise (802.1x)
• More secure access with individual user logins

Captive Portal
• Web browsing is intercepted for user login

Wireless

Page 144: Inside forti os-v524-r5

144

Wireless Security

Rogue AP Identification by 'On Wire Scan': automatically distinguishes unknown APs that are merely neighbors from unknown APs that are attached to the wired network (rogue), by correlating packets seen on the wireless side with packets seen on the wired side. An event log is generated when a rogue AP is detected

Wireless

Page 145: Inside forti os-v524-r5

145

Wireless Security

Rogue AP Suppression: sends excessive reset signals to the rogue AP so that clients cannot connect to it. If a client joins a rogue AP, a deauthentication message is sent to that client.

Automatically blocks the MAC address of that rogue AP in the firewall policy

The feature is only available when there is at least one radio dedicated to rogue AP detection

W

ireless

* FWF-80C doesn’t support rogue suppression

Page 146: Inside forti os-v524-r5

146

Deployment Features

Full Mesh

Wireless

Page 147: Inside forti os-v524-r5

147

WirelessDeployment Features

Local Bridge: allows the AP to be centrally managed without backhauling the traffic to the wireless controller

Bridge an SSID to a local port on the FortiGate using a softswitch configuration

Allows split tunnel to the internet

Page 148: Inside forti os-v524-r5

148

WirelessDeployment Features

AP Load Balancing: used in high-density deployments, such as conferences, to prevent all clients connecting to the same AP

Two methods:
» Signal clients to connect to another AP
» Signal clients to connect to another frequency

Page 149: Inside forti os-v524-r5

149

Monitoring

Wireless Dashboard: an easy visual for determining the health of the network’s wireless infrastructure

Widgets:
» AP Status
» Client Count over Time
» Top Client Per-AP (2.4 GHz)
» Top Client Per-AP (5 GHz)
» Top Wireless Interference (2.4 GHz)
» Top Wireless Interference (5 GHz)
» Login Failures Information

Wireless

Page 150: Inside forti os-v524-r5

150

Monitoring

Spectrum Analysis: illustrates signal interference as detected by a particular FortiAP

Also points out the top APs and their SSIDs that are interfering with a particular FortiAP

Wireless

V5.2

Page 151: Inside forti os-v524-r5

151

FortiAPs Family Wireless

Chart: FortiAP family by radio configuration (3x3:3 for resiliency and versatility, dual radio/dual band; 2x2:2 for performance; 1x1:1 for value, single radio) and by placement (remote, outdoor, indoor). Models shown: FAP-221/223C, FAP-222B, FAP-210B, FAP-320B, FAP-112D, FAP-112B, FAP-28C, FAP-14C, FAP-11C, FAP-320C, FAP-222C, FAP-25D, FAP-21D, FAP-224D, FAP-321C, FAP-221/223B, FAP-24D. 802.11ac models are marked in the chart, FAP-320C and FAP-321C among them.

Page 152: Inside forti os-v524-r5

152

FortiPlanner

Wireless Planning Tool
• For the pre-sales step of determining how many FortiAPs the customer needs to purchase
• Wireless site survey upgrade available (>50 APs, site survey)

Download from: http://www.fortinet.com/wireless/

Wireless

Key Features: import floor plans; structure drawing; manual or auto AP placing; placement analysis; dynamic heatmap; generate site and inventory reports

Page 153: Inside forti os-v524-r5

153

FortiPlanner Wireless

Dynamic Heatmap: real-time polling of the FortiGate Wireless Controller

Displays the current number of clients, channel and TX power

Helps to spot coverage holes and failed APs

Page 154: Inside forti os-v524-r5

154

Overview Traffic Shaping & QoS

Bandwidth Control Options: shared policy shaping, per-IP shaping & Application Control shaping; max. & guaranteed bandwidth; max. concurrent connections per IP

QoS: traffic prioritization; Type of Service (TOS), Class of Service (COS) & Differentiated Services (DiffServ) support

Protects critical traffic from being overwhelmed by other traffic

Manages bandwidth usage by traffic type and application

Prioritizes time-sensitive traffic such as VoIP & streaming video

Per-IP and shared traffic shapers

V5.2

Page 155: Inside forti os-v524-r5

155

Traffic Shaper

Shared Traffic Shaper: bandwidth management by security policies

» Per policy
» All policies

Maximum and guaranteed bandwidth

Traffic priority

Assigns a DSCP value for other devices to use; also used by Application Control

Shaper settings shown: guaranteed bandwidth, maximum bandwidth, traffic priority, DSCP value

Traffic Shaping & QoS

Page 156: Inside forti os-v524-r5

156

Traffic Shaper

Per-IP Traffic Shaper: enables the admin to limit the behavior of every member of a policy, to avoid one user using all the available bandwidth

Maximum bandwidth & concurrent connections

Assigns forward and reverse DSCP values for other devices to use

Traffic Shaping & QoS

Shaper settings shown: guaranteed bandwidth, maximum concurrent sessions
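The per-IP shaper's two limits, as an added example that is not FortiOS code: every source IP gets its own token bucket sized from the maximum bandwidth and its own concurrent-session counter, so one greedy host exhausts only its own allowance while the other members of the policy are unaffected. The rates, burst size and sample traffic are constructed.

```python
class PerIpShaper:
    """Per-IP shaper: each client IP gets its own bandwidth allowance (a token
    bucket refilled at max_kbps) and its own concurrent-session cap."""

    def __init__(self, max_kbps, max_sessions, burst_ms=100):
        self.rate = max_kbps * 1000 / 8              # bytes per second
        self.burst = self.rate * burst_ms / 1000     # bucket depth in bytes
        self.max_sessions = max_sessions
        self.buckets = {}                            # ip -> (tokens, last update)
        self.sessions = {}                           # ip -> open session count

    def new_session(self, ip):
        """Accept a new session unless the IP already holds max_sessions."""
        n = self.sessions.get(ip, 0)
        if n >= self.max_sessions:
            return False
        self.sessions[ip] = n + 1
        return True

    def end_session(self, ip):
        self.sessions[ip] = max(0, self.sessions.get(ip, 0) - 1)

    def forward(self, ip, nbytes, now):
        """True if the packet fits the IP's current allowance. False means it
        exceeds the per-IP maximum at this instant; a real shaper would delay
        or drop it rather than let it crowd out other members of the policy."""
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if nbytes <= tokens:
            self.buckets[ip] = (tokens - nbytes, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False


def demo():
    """One greedy host cannot starve another: each has its own bucket."""
    sh = PerIpShaper(max_kbps=1000, max_sessions=2)   # 125 kB/s, 12.5 kB burst
    greedy = [sh.forward("10.1.1.5", 10_000, 0.0), sh.forward("10.1.1.5", 5_000, 0.0),
              sh.forward("10.1.1.5", 5_000, 0.1)]
    other = sh.forward("10.1.1.9", 10_000, 0.0)        # unaffected by 10.1.1.5
    sess = [sh.new_session("10.1.1.5"), sh.new_session("10.1.1.5"),
            sh.new_session("10.1.1.5"), sh.new_session("10.1.1.9")]
    return greedy, other, sess


if __name__ == "__main__":
    print(demo())   # ([True, False, True], True, [True, True, False, True])
```

A shared shaper would use a single bucket for the whole policy; the difference between the two is exactly whether the second host in `demo` is affected by the first.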

Page 157: Inside forti os-v524-r5

157

Overview Server Load Balancing

Load Balancing: methods: static, round-robin, etc.; persistence: cookie, SSL session ID, host; probes & health checks: TCP, HTTP, ICMP ping; SSL offloading; HTTP multiplexing

Integrated server load balancing features with security applied

Maintains secure and highly available application delivery

Load balance cluster status viewer

Page 158: Inside forti os-v524-r5

158

Overview

FortiGate intercepts the incoming traffic and shares it across the available servers

» Clients connect to the published Virtual Server
» The load balancer distributes traffic to the cluster of Real Servers with the desired load balancing & persistence methods
» Health checks are performed to monitor the availability of the real servers

Diagram: Virtual Server → Real Servers. Extensions: SSL offload; network security (firewall, AV, IPS, DLP). Service types: HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, IP. Monitors: TCP, HTTP, ICMP ping. Persistence: cookie, SSL session ID.

Server Load Balancing

Page 159: Inside forti os-v524-r5

159

LB Methods Server Load Balancing

Method | Description
Source IP Hash | Statically spread evenly across all real servers
Round Robin | Directs new requests to the next real server, and treats all real servers as equals
Weighted | Real servers with a higher weight value receive a larger percentage of connections
First Alive | Always directs sessions to the first alive real server; not distributed
Least RTT | Directs sessions to the real server with the least round-trip time, determined by a ping health check monitor
Least Session | Directs requests to the real server that has the least number of current connections
HTTP Host | Uses the HTTP Host header to guide the connection to the correct real server
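The seven methods in the table, as an added example that is not FortiOS code: one virtual server chooses among real servers that a health check has marked alive, so a failed server drops out of every method, including the static source-IP hash. The server pool, weights, round-trip times and the Host-header mapping are constructed; the health checks themselves are represented by the `alive` flag a monitor would set.

```python
import hashlib


class RealServer:
    def __init__(self, ip, weight=1, alive=True, rtt_ms=None):
        self.ip, self.weight, self.alive, self.rtt_ms = ip, weight, alive, rtt_ms
        self.sessions = 0               # open connections, for least-session


class VirtualServer:
    def __init__(self, servers, method="round-robin", host_map=None):
        self.servers = servers
        self.method = method
        self.host_map = host_map or {}  # HTTP Host header -> real server ip
        self._counter = 0

    def _alive(self):
        return [s for s in self.servers if s.alive]

    def pick(self, client_ip=None, host=None):
        alive = self._alive()
        if not alive:
            return None                 # every health check failed: nothing to send to
        m = self.method
        if m == "source-ip-hash":
            # same client -> same server as long as the alive set is unchanged
            h = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
            return alive[h % len(alive)]
        if m == "round-robin":
            s = alive[self._counter % len(alive)]
            self._counter += 1
            return s
        if m == "weighted":
            ring = [s for s in alive for _ in range(s.weight)]   # weight 3 -> 3 slots
            s = ring[self._counter % len(ring)]
            self._counter += 1
            return s
        if m == "first-alive":
            return alive[0]
        if m == "least-rtt":
            measured = [s for s in alive if s.rtt_ms is not None]
            return min(measured or alive, key=lambda s: s.rtt_ms or 0)
        if m == "least-session":
            return min(alive, key=lambda s: s.sessions)
        if m == "http-host":
            ip = self.host_map.get(host)
            return next((s for s in alive if s.ip == ip), None)
        raise ValueError(f"unknown method {m}")

    def connect(self, **kw):
        """Open a session: pick a server and count it for least-session."""
        s = self.pick(**kw)
        if s is not None:
            s.sessions += 1
        return s


def picks(method, n=4, **kw):
    """IPs chosen for n successive connections on a constructed three-server
    pool in which the third server has failed its health check."""
    pool = [RealServer("10.0.0.1", weight=3, rtt_ms=30),
            RealServer("10.0.0.2", weight=1, rtt_ms=10),
            RealServer("10.0.0.3", weight=1, alive=False, rtt_ms=5)]
    vs = VirtualServer(pool, method, host_map={"app.example.test": "10.0.0.2"})
    return [(s.ip if s else None) for s in (vs.connect(**kw) for _ in range(n))]


if __name__ == "__main__":
    for m in ("round-robin", "weighted", "first-alive", "least-rtt", "least-session"):
        print(m, picks(m))
```

Note that the dead server has the lowest RTT but is never selected: the health check result is applied before the method, which is the behaviour the overview slide describes as monitoring the availability of real servers.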

Page 160: Inside forti os-v524-r5

160

Overview SSL Offloading & Inspection

SSL Offloading: SSL offloading for WANOPT & reverse web caching; SSL offloading for SLB

SSL Inspection: facilitates UTM on SSL-encrypted applications; “SSL Cert Inspection” and “Full SSL Inspection” modes

Intercepts and proxies SSL-encrypted traffic for UTM, for more security

SSL offloading from web servers provides an economical secure web access offering

SSL Inspection Option

V5.2

Page 161: Inside forti os-v524-r5

161

Overview

SSL Inspection Exemptions: allows the admin to build an exclusion list using

» Web categories, with defaults
» (Destination) address objects - FQDN or IP addresses

Applicable to both “SSL Cert Inspection” and “Full SSL Inspection” modes

SSL Offloading & Inspection

V5.2

Page 162: Inside forti os-v524-r5

162

Overview WAN Optimization

WAN Optimization: protocol optimization & byte caching; FortiClient support

Web Caching: forward & reverse proxy

Explicit Proxy: proxy chaining; PAC file distribution

Integrated WANOPT network services with security capabilities

Improves user experience and bandwidth efficiency

Resolves the complexity, management and cost of involving additional WANOPT devices

WANOPT Monitors

Page 163: Inside forti os-v524-r5

163

WANOPT Tunneling

Supports various network topologies such as inline and out-of-path designs

Supports multiple peers including FortiClient; can be used in both transparent and NAT/Route mode; virtualized per VDOM

Diagram: WAN Optimization peers across the WAN, grouped in an authentication group

Page 164: Inside forti os-v524-r5

164

Web Caching

Reduces bandwidth usage, with fewer requests and responses across the WAN

Reduces server load, as the server has to serve fewer requests

Reduces perceived latency, since data is obtained from the local unit

Diagram: forward proxy (toward the Internet) and reverse proxy

WAN Optimization

Page 165: Inside forti os-v524-r5

165

Explicit Proxy

Features:

Proxies HTTP/HTTPS & FTP sessions from web browsers; distributes proxy auto-config (PAC); supports SOCKS sessions from browsers (CLI command); virtualized per VDOM; proxy chaining with forward server load balancing support; user authentication; transparent explicit proxy option using IP reflect

Allows users’ web traffic to be explicitly proxied via the FortiGate, providing secured, restrictive Internet access policies.

WAN Optimization

V5.2

Page 166: Inside forti os-v524-r5

166

Overview Virtual Systems

Virtual Domains: global and per-VDOM settings; VDOM administrator; resource allocation; VDOM licensing; VDOM logging

FortiGate Virtual Appliance: FortiOS in a virtual environment

Provides multiple logical entities in a single physical unit

Out-of-the-box multi-tenant & department solution

Savings in physical space & power

VDOM Configuration

Page 167: Inside forti os-v524-r5

167

Virtual Domains

Diagram: the Global System hosts VDOM_1, VDOM_2 … VDOM_N; management, HA and FortiGuard are global functions.

Virtual Systems

Page 168: Inside forti os-v524-r5

168

VDOM Admin

Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM

Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device

» Can also create other administrator accounts and assign them to VDOMs

Virtual Systems

Page 169: Inside forti os-v524-r5

MGMT VDOM

Management traffic leaves through the management VDOM

The management VDOM should have access to the Internet or to FortiManager (FMGR)

Default management VDOM is root

Diagram: management traffic sourced from the root (management) VDOM: DNS, NTP, External Logging, FortiGuard, Alert Emails, SNMP traps, Quarantine

Virtual Systems

Page 170: Inside forti os-v524-r5

Resource Allocation

Managing Resources: customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM

Global Resources viewer allows the admin to view the available resources in total

Virtual Systems

Page 171: Inside forti os-v524-r5

Resource Allocation

Per-VDOM System Resources: display system stats for each VDOM

» CPU usage, memory usage, concurrent sessions & new sessions per second

Meant as good guidance, not completely accurate; no CPU/memory limiting capabilities

Virtual Systems

V5.2

Page 172: Inside forti os-v524-r5

VDOM Links

Linking VDOMs: two virtual interfaces, each on a different VDOM, are linked together to connect those two VDOMs without using additional physical interfaces

Inter-VDOM links can be created with the two VDOMs in different operating modes (but not when both are in transparent mode)

Virtual Systems

Diagram: VDOM_1 <-> VDOM_EXT <-> VDOM_2

Page 173: Inside forti os-v524-r5

Virtual Appliance (Virtual Systems)

Supports a variety of hypervisors for private and public cloud infrastructure

Consistent management platform and GUI, similar to physical FortiGate

Hypervisor support matrix for FortiGate-VM:

Vendor       Platform            FortiGate-VM
VMware       vSphere v4.0/4.1    ✔
VMware       vSphere v5.0        ✔
VMware       vSphere v5.1        ✔
VMware       vSphere v5.5        ✔
Citrix       XenServer v5.6 SP2  ✔
Citrix       XenServer v6.0      ✔
Open Source  Xen                 ✔
Open Source  KVM                 ✔
Amazon       AWS                 ✔
Microsoft    Hyper-V 2008 R2     ✔
Microsoft    Hyper-V 2012        ✔*

V5.2

Page 174: Inside forti os-v524-r5

Overview High Availability

FortiGate Clustering Protocol: Active-Passive, Active-Active, Virtual Clusters, Redundant heartbeat interfaces, HA Reserved Management Interface

Deployment options: HA with Link Aggregation, Full mesh HA, Geographically dispersed HA, TCP Session Sync, VRRP, FG5000 chassis-based clustering

HA Configuration

Failover: Manual, session, link & remote link failover, Subsecond failover

V5.2

Page 175: Inside forti os-v524-r5

HA Technologies High Availability

FortiGate Clustering Protocol (FGCP)

• Enhanced reliability via device failover, link failover and remote link failover

• Increased performance via active-active HA load balancing

• Uses a virtual MAC/single IP address per network segment

FortiGate Session Life Support Protocol (FGSP)

• Supports asymmetric traffic and scenarios with load balancers and routers distributing sessions across multiple appliances

• Does not have a heartbeat mechanism to detect unit failure; each FortiGate operates by itself with config and session sync

Virtual Router Redundancy Protocol (VRRP)

• RFC standard based, allows 3rd-party device integration

• Resource intensive, performance and latency impact

Page 176: Inside forti os-v524-r5

Synchronization High Availability (FGCP)

Information synchronized by default

» Configuration

» Routing tables

» IPsec VPN SA

» DHCP server address lease database

Session failover (aka session pickup) not enabled by default

Session failover synchronizes

» TCP (IPv4/v6)

» UDP, ICMP

» SIP

» IPsec VPN sessions

Information not synchronized

» UTM sessions

» Explicit Web Proxy

» ARP table

» Multicast

» SSL VPN sessions

Page 177: Inside forti os-v524-r5

Virtual Clusters

Similar concept to load sharing

Can operate in A-A or A-P mode

Available when VDOMs are enabled

2 virtual clusters can be created, with as many VDOMs as are available assigned to them

Inter-VDOM links must be entirely within one virtual cluster.

Diagram: FORTIGATE-01 and FORTIGATE-02 each hosting VDOM 1, VDOM 2 and VDOM 3, grouped into Virtual Cluster 1 and Virtual Cluster 2

High Availability

Page 178: Inside forti os-v524-r5

Failover

Device & Link Failover: failover can be triggered when the master/primary unit fails or when the links connecting it fail

Remote Link Failover: uses ping servers on the primary unit to test connectivity with IP addresses of network devices that are not directly connected

May be multiple interfaces and/or multiple IPs on a monitored interface

Subsecond Failover: normally achievable for a cluster of two units operating in Transparent mode with only two interfaces connected to the network

High Availability

Page 179: Inside forti os-v524-r5

Event Monitoring

• Quick visual on current HA status, resource usage and threat situation

• HA logs detail related activities, state and status changes

High Availability

Page 180: Inside forti os-v524-r5

Overview Log & Report

Logging: Traffic, UTM & Event Logging, MAC address logs, External Syslogging, Multiple device logging, Alert Email

Meeting compliance requirements

Analysis tools

Notifies key events

Report Customization Panel

Reporting: In-box or external reporting, Report customization, FortiManager/FortiAnalyzer integration

Page 181: Inside forti os-v524-r5

Log Structure Log & Report

V5.2.3

TRAFFIC: Forward Traffic, Local Traffic, Sniffer Traffic

SYSTEM: System, Router, VPN, User, WiFi, Endpoint, HA

SECURITY: Antivirus, Web Filter, Application Control, Intrusion Protection, Email Filter, DLP

Detailed logging

Strong admin audit trails

Unique log association between traffic and security logs

Threat weight scoring on security logs
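The traffic/security log association and the threat weight scoring listed above, as an added Python example that is not part of the Fortinet deck: it parses constructed 5.2-style key=value log lines (field names follow FortiOS, all values are invented), joins traffic and security records on sessionid, and sums the crscore threat weight per source IP.

```python
"""Join FortiOS-style traffic and security logs on sessionid.

Added example, not from the Fortinet deck. Sample lines are constructed
in the 5.2 key=value layout (field names follow FortiOS, values invented).
"""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
date=2015-03-10 time=10:01:02 type=traffic subtype=forward level=notice vd=root srcip=10.0.1.25 dstip=203.0.113.10 dstport=80 service=HTTP sessionid=1001 action=accept utmaction=block
date=2015-03-10 time=10:01:02 type=utm subtype=webfilter level=warning vd=root srcip=10.0.1.25 dstip=203.0.113.10 sessionid=1001 action=blocked hostname="bad.example" catdesc="Malicious Websites" crscore=30 crlevel=high
date=2015-03-10 time=10:01:05 type=traffic subtype=forward level=notice vd=root srcip=10.0.1.40 dstip=198.51.100.7 dstport=443 service=HTTPS sessionid=1002 action=accept utmaction=allow
date=2015-03-10 time=10:01:09 type=utm subtype=virus level=warning vd=root srcip=10.0.1.25 dstip=198.51.100.9 sessionid=1003 action=blocked virus="EICAR_TEST_FILE" crscore=50 crlevel=critical
"""

# key=value pairs; values may be double-quoted and contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def associate(text):
    """Group logs by sessionid -> {"traffic": dict|None, "security": [dict]}.
    A security log without a matching traffic log is kept (traffic=None)."""
    sessions = defaultdict(lambda: {"traffic": None, "security": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        bucket = sessions[rec.get("sessionid")]
        if rec.get("type") == "traffic":
            bucket["traffic"] = rec
        else:  # utm and other security logs share the session id
            bucket["security"].append(rec)
    return dict(sessions)

def threat_weight_by_source(sessions):
    """Sum crscore over security logs per source IP (threat weight scoring)."""
    totals = defaultdict(int)
    for entry in sessions.values():
        for sec in entry["security"]:
            totals[sec["srcip"]] += int(sec.get("crscore", 0))
    return dict(totals)

if __name__ == "__main__":
    s = associate(SAMPLE_LOGS)
    print({sid: len(e["security"]) for sid, e in s.items()})
    print(threat_weight_by_source(s))  # {'10.0.1.25': 80}
```

Session 1003 deliberately has a security log but no traffic log, to show that the join keeps orphaned security records instead of silently dropping them.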

Page 182: Inside forti os-v524-r5

Log Viewer Log & Report

Log detail viewer

Pictograms

Log filter

Tabs to associated security logs

V5.2

Page 183: Inside forti os-v524-r5

Default Reports Log & Report

V5.2.3

On-box Reporting: local storage required, scheduled or on-demand, email delivery option, PDF output

UTM Security Analysis Report: Bandwidth & Applications, Web Usage, Emails, Threats, VPN Usage, Admin & System events

Page 184: Inside forti os-v524-r5

Customization Log & Report

GUI level: report layout & design, chart selection

CLI level: create dataset and chart with SQL query

Page 185: Inside forti os-v524-r5

Overview IPv6

IPv6 Networking & Routing: IPv6 coexistence support, VDOM and administration support, hardware acceleration, dynamic & static routing, bandwidth management, DHCP and DNS

IPv6 UTM: supports major UTM functionalities

Adopts an IPv6-ready network quickly & easily

Comprehensive protection on IPv6 traffic

USGv6 CORE

IPv6 Traffic Logs

Page 186: Inside forti os-v524-r5

IPv6 Feature Matrix (features by FortiOS release: V4.0, V4.1, V4.3, V5.0)

IPS interface policies for IPv6

IPv6 static routes

IPv6 firewall addresses & groups

IPv6 firewall policies

IPsec VPN with IPv6 addressing

IPv6 over IPv4 tunneling

IPv6 DNS

IPv6 Transparent mode

IPv6 administrative access

IPv6 dynamic routing using RIPng, BGP, or OSPF protocols

UTM features support IPv6 traffic: AV scanning, URL filtering using FortiGuard rating

SSL VPN Web Mode IPv6

IPv6 Session Display

IPv6 Firewall Auth

DHCP6

IPv6 firewall acceleration

IPv6 support for SNMP

IPv6 support for DLP sensor, VoIP and ICAP UTM features

IPv6 NAT (NAT46, NAT64, NAT66, DNS64)

IPv6 + IPS Forwarding Policy

HA Session Pickup for IPv6

IPv6 Per-IP Traffic Shaper

IPv6 Policy Routing

IPv6 Explicit Proxy

IPv6 MIBs

IPv6 DoS

IPv6

Page 187: Inside forti os-v524-r5

FortiSMS

International one-way SMS messaging service

Covers 962 networks in 224 countries

Based on global leading & proven mobile messaging infrastructure (powered by Clickatell)

Usage: option for FortiToken Mobile activation code delivery; option for Guest User credentials; SMS-based 2FA; also works with FortiAuthenticator

SMS messages top-up: certificate license for 100 SMSes; easy to add by scratching off to reveal the activation code (like prepaid cards)

Dashboard widget: amount indicator

FortiGuard Services

Page 188: Inside forti os-v524-r5

Contact our Sales Office

Certified experts in FortiMail and email security

Certified experts in FortiWeb and web application firewall protection

Certified experts in FortiAP, FortiWiFi and wireless security

Sales Office: Tel. +39 049 8843198, digit (5) [email protected]

www.lanewan.it

In these years of partnership with the parent company, Lan & Wan Solutions has obtained all the specializations provided for in the various certification paths, achieving the qualification of Partner of Excellence.