Inside forti os-v524-r5
![Page 1: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/1.jpg)
© Copyright Fortinet Inc. All rights reserved.
Inside FortiOS
Version 5.2.4 – Mar 2015
Lan & Wan Solutions – IT Solutions for Local and Wide Area Networks
![Page 2: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/2.jpg)
2
CONTENT
System Administration
Routing & Network Services
User Identity
Device Identity
End Point Control
Firewall
VPN
IPS
Application Control
Antivirus
Email Filter
Web Filter
DLP
Vulnerability Scanning
Wireless Controller
Traffic Shaping & QoS
Server Load Balancing
SSL Offloading and Inspection
WAN Optimization
Virtual Systems
High Availability
Log & Report
IPv6
Others
![Page 3: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/3.jpg)
3
FortiOS 5.2 Feature Set
Integrations: ATP, OSS Support, AAA, Central Mgmt.
Management: Configuration, Visibility, Log & Report, Diagnostics
Security Functions: Anti-Malware, IPS, Application Control, Web Filtering, Email Filtering, Firewall, VPN, DLP, User & Device Identity, SSL Inspection
Extensions: Wireless Controller, Switch Controller, Endpoint Manager, Token Server, Vulnerability Scanner
Virtual Systems: Virtual Domains
Network Functions: Routing, NAT/CGN, WAN Link / Server LB, WAN Optimization, L2/Switching, IPv6, QoS, High Availability
Operating Modes: NAT/Route, Transparent, Sniffer
Network Interface: LAN, WiFi, WAN
Platform: Physical Appliance (+ASICs), Hypervisor, Cloud
* Features may vary by model
![Page 4: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/4.jpg)
4
FortiOS Features
![Page 5: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/5.jpg)
5
Overview System Administration
CLI Access – Console, Telnet & SSH
GUI Access – Via Web Browsers
Dashboard, Viewers & Widgets
Central Management
FortiManager & FortiAnalyzer
FortiCloud
Web Service APIs
NMS Integration – SNMP, sFlow/NetFlow, Syslog
Solution Partners – Tufin, Arcsight, etc.
Rapid Deployment – USB Auto-Install & Scripts
Quick Setup
Setup Wizards (1RU Models & below)
FortiExplorer (Desktop & Mobile Client)
Simplifies Device Management
Supports Enterprise Management Systems & Architecture
FortiExplorer
Diagnostic Tools Packet Capture
V5.2
![Page 6: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/6.jpg)
6
Dashboard & Widgets
Quick look into system, threat and network status
Customizable Built-in CLI access
System Administration
Dashboard with Widgets
V5.2
![Page 7: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/7.jpg)
7
Powerful on-demand query tool that provides contextual results with drill-down capabilities
Assists in network troubleshooting
Provides insights for optimizing networks & productivity
Why is a particular group of users having trouble using the cloud-based ERP system?
Acquires proactive security knowledge
Supports proactive security management
Is there an abnormality that needs further investigation?
Identifies network and threat status
Resolves threats and networking problems quickly
Are my users abusing the network, and how so?
FortiViewer System Administration
V5.2
![Page 8: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/8.jpg)
8
FortiView System Administration
V5.2
Sort rows to display Top sessions
Setup query using Easy-to-use auto-complete filters
Examine real-time or historical data
Select row for drill down
![Page 9: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/9.jpg)
9
FortiView System Administration
V5.2.3
Summary of selected item
Selection of scope
Select row for drill down
Drill down panels
Presents associated details based on different scopes
Further drill down to filtered Session Viewer
![Page 10: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/10.jpg)
10
FortiView
Session viewer (Real Time) Excellent Troubleshooting tool
System Administration
NAT’ed IP and Port Applications and their usage
Device & User Info
Concurrent Session & New session per sec
Geo IP Info
FortiGuard Encyclopedia Integration
V5.2
![Page 11: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/11.jpg)
11
FortiView
Session viewer (Historical) Presents timeline filtered session list
with details using log entries
System Administration
V5.2
Complete detail of selected session
Setup filter by clicking on cell
Mouse over device details
Move and configure field columns
![Page 12: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/12.jpg)
12
FortiView
Threat Weight
Unique: Normalized threat level value x hit counts
Scores can be sorted to reveal the most critical items to investigate
More meaningful than other singular measurements
System Administration
V5.2
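The Threat Weight ranking described above, as an added example that is not Fortinet code: each hit contributes a normalized weight for its threat level, the weights are summed per source, and the result is compared with a plain hit count. The log lines and field names are constructed, and the level-to-weight mapping (low 5, medium 10, high 30, critical 50) is an assumption made for the illustration.

```python
import shlex
from collections import defaultdict

# Assumed normalized weight per threat level (illustrative values).
LEVEL_WEIGHT = {"low": 5, "medium": 10, "high": 30, "critical": 50}

# Constructed log lines; the field names are made up for this example.
SAMPLE_LOGS = """
srcip=10.0.0.20 subtype=webfilter threatlevel=low msg="blocked category"
srcip=10.0.0.20 subtype=webfilter threatlevel=low msg="blocked category"
srcip=10.0.0.20 subtype=webfilter threatlevel=low msg="blocked category"
srcip=10.0.0.20 subtype=app-ctrl threatlevel=low msg="p2p application"
srcip=10.0.0.20 subtype=app-ctrl threatlevel=low msg="p2p application"
srcip=10.0.0.15 subtype=ips threatlevel=critical msg="exploit signature hit"
srcip=10.0.0.15 subtype=virus threatlevel=high msg="infected file"
srcip=10.0.0.31 subtype=ips threatlevel=medium msg="scan detected"
srcip=10.0.0.31 subtype=ips threatlevel=bogus msg="malformed level"
"""


def parse_line(line):
    """Split one key=value log line, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def rank_sources(log_text, weights=LEVEL_WEIGHT):
    """Return (ranking, skipped); ranking is [(srcip, score, hits)], highest score first."""
    totals = defaultdict(lambda: [0, 0])  # srcip -> [score, hits]
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        weight = weights.get(fields.get("threatlevel", "").lower())
        if weight is None or "srcip" not in fields:
            skipped += 1  # unknown level or no source: do not guess a score
            continue
        totals[fields["srcip"]][0] += weight  # weight x 1 hit, summed per source
        totals[fields["srcip"]][1] += 1
    ranking = sorted(((ip, score, hits) for ip, (score, hits) in totals.items()),
                     key=lambda row: (-row[1], row[0]))
    return ranking, skipped


def top_by_hits(ranking):
    """The source a plain hit counter would put first."""
    return max(ranking, key=lambda row: row[2])[0]


if __name__ == "__main__":
    ranking, skipped = rank_sources(SAMPLE_LOGS)
    for ip, score, hits in ranking:
        print(f"{ip:12} score={score:3} hits={hits}")
    print("top by hit count alone:", top_by_hits(ranking), "| lines skipped:", skipped)
```

The source with the most hits (five low-level events) ranks below the source with two severe events, which is the difference between a weighted score and a singular measurement such as hit count.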
![Page 13: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/13.jpg)
13
Features | With Local Storage: Now, 5 min, 1 hr, 24 hr * | Without Local Storage: Now, 5 min, 1 hr, 24 hr
Viewer – Sources ✔ ✔ ✔ ✔ ✔
Viewer – Applications ✔ ✔ ✔ ✔ ✔
Viewer – Cloud Application ✔ ✔ ✔ ✔ ✔
Viewer – Destinations ✔ ✔ ✔ ✔ ✔
Viewer – Websites ✔ ✔ ✔ ✔
Viewer – Threats ✔ ✔ ✔
Viewer – All Sessions ✔ ✔ ✔ ✔ ✔
Viewer – System Events ✔ ✔ ✔
Viewer – Admin Logins ✔ ✔ ✔
Viewer – VPN ✔ ✔ ✔
Viewer – FortiSandbox ✔ ✔ ✔
Sniffer Mode Support (All Viewers) ✔ ✔ ✔
* Not available for desktop models with SSD
FortiView System Administration
V5.2.3
![Page 14: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/14.jpg)
14
Monitors
Real time status indicators
In-box
Over 20+ types
Serves as administrative & diagnostic tools
Also available on CLI and web service API (JSON)
System Administration
SYSTEMS: DHCP Monitor, Link Monitor
ROUTER: Routing Monitor
FIREWALL: Policy Monitor, Load Balancing Monitor, Traffic Shaping Monitor
UTM: AV Monitor, Intrusion Monitor, Web Monitor, Email Monitor, Archive & Data Leak Monitor, Application Monitor, FortiGuard Quota
VPN: IPSEC Monitor, SSL-VPN Monitor
USER & DEVICE: Firewall Monitor, Banned User Monitor, FortiClient Monitor
WIFI CONTROLLER: Client Monitor, Rogue-AP Monitor, Wireless Health Monitor
LOG&REPORT: Logging Monitor
V5.2
![Page 15: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/15.jpg)
15
Network Management
SNMP Support
SNMP v1, v2c & 3
Traps
MIBs
Fortinet proprietary MIBs
Standard RFC 1213 & 2665 MIBs
System Administration
V5.2
![Page 16: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/16.jpg)
16
Network Management
sFlow/NetFlow
Monitors the traffic on the network to identify areas of the network that may impact performance and throughput
Agent is embedded in the FortiGate unit and sends the sampled traffic to an external 3rd party Collector/Analyzer
Available on CLI only
System Administration
3rd Party sFlow Analyzer - sFlow Trend
V5.2
![Page 17: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/17.jpg)
17
Quick Setup
Feature Select
Configure GUI elements according to desired deployment needs using presets
Allow further customizations by toggling the feature buttons
System Administration
![Page 18: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/18.jpg)
18
Features/Presets: NGFW, ATP, WF, NGFW+ATP, UTM, Full UTM
Security*
Advanced Threat Protection ✔ ✔ ✔ ✔
NGFW (IPS) ✔ ✔ ✔
NGFW (App Control) ✔ ✔ ✔ ✔
Web Filter ✔ ✔ ✔ ✔ ✔
Email Filter ✔
DLP ✔
Explicit Proxy ✔ ✔
Endpoint Control ✔ ✔ ✔ ✔
Basic: VPN, IPv6, WiFi Controller, Wanopt, etc. Default settings depend on FGT models
Minor: ICAP, VoIP, DNS DB, Multicast policy, etc.
* Default settings
Quick Setup System Administration
V5.2
![Page 19: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/19.jpg)
19
Quick Setup
FortiExplorer
Software Application for Windows, Mac OS and iOS
Uses USB connection
Quick Setup Wizard, Direct GUI & CLI access without network setup
System Administration
V5.2
![Page 20: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/20.jpg)
20
FortiCloud
Hosted security management and log retention service
Default reporting option for Desktop Models
Central web-based management console to manage individual or aggregated FortiGate and FortiWiFi devices
Configuration backup
Scripting
Remote Firmware upgrade
Access to hosted Sandbox results
System Administration
V5.2
![Page 21: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/21.jpg)
21
Diagnostic Tools
Sniffer packet capture on GUI
Similar to CLI Sniffer setup
» Supports Filters
» IPv6 & Non-IP Packets
Output as pcap file download
Local Storage required
System Administration
![Page 22: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/22.jpg)
22
User Notification System Administration
Replacement Messages
Supported on Proxy and some flow based UTM
Customizable, can be assigned per VDOM
V5.2
![Page 23: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/23.jpg)
23
User Notification
Fortinet Top Bar
Notify users in real-time
» Blocked Applications
» Denied Traffic
» Quotas Status
» FortiClient Alerts
Supported for IE, Firefox, Chrome, Safari
Appears on HTTP websites as embedded frame in the web browser
System Administration
![Page 24: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/24.jpg)
24
Overview Routing & Network Services
Routing
Link Redundancy and load balancing
Policy Routing
Dynamic Routing Protocol Support: RIP, BGP, OSPF, IS-IS
Multicast Routing
Interface Features
VLANs, 802.3ad port aggregation, STP, port span, redundant interface, loopback, software switch, Security mode
Sniff/One-arm Mode
WAN Link
USB modem
FortiExtender
Link Load Balancing
Robust L3 and L2 capabilities to facilitate a vast variety of network design and setup requirements
Route Monitor
Network Services
Free FortiGuard NTP, DDNS & DNS service
Content Routing – WCCP and ICAP Support
DHCP & DNS Server
LLDP
V5.2
![Page 25: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/25.jpg)
25
Interfaces
Interface Configurations
Support *various interface types:
» Physical: Ethernet and wireless
» Virtual: VLANs, WiFi SSID, VDOM link
» Group: Port aggregation group, redundant Interface, H/W & S/W Switches, Virtual WAN Link, zone
Routing & Network Services
Color coded access methods
DHCP server info
Graphic presentation of interfaces
A variety of Interface types
* May not be available to all models
Interface members
V5.2
![Page 26: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/26.jpg)
26
Interfaces
Interface/Switch Modes
Routing & Network Services
* May not be available to all models
V5.2.1
The main difference is that a “virtual hardware switch” uses the underlying switch chip/driver to handle all of the switching directly, whereas a virtual “software switch” needs to do that in the kernel (i.e. higher in the stack, more CPU/memory intensive, etc.). There are feature disparities which will be documented later.
Switch ports are individual physical interfaces
Switch ports can be created by grouping interfaces with “Virtual Hardware/Software Switch”
![Page 27: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/27.jpg)
27
Interfaces Routing & Network Services
* May not be available to all models
V5.2.1
Virtual VLAN Switch
Emulation of a VLAN switch
Assigns ports to VLANs and dedicated VLAN trunks
Allows users to extend the number of available switch ports (with VLANs) by VLAN trunk stacking
Interface Mode
External Switch
![Page 28: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/28.jpg)
28
Interfaces Routing & Network Services
* May not be available to all models
Switch Controller
Similar to Wireless Controller Concept
» Uses FortiLink Protocol – modified CAPWAP
» With selected FortiSwitches only
Administrators can create VLANs on the Switch(es)
» VLANs across switches can be managed and configured like a FortiGate interface
Virtual Switch VLANs
FortiLink Connectivity
![Page 29: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/29.jpg)
29
Switch Controller Routing & Network Services
* May not be available to all models
Switch Controller Support
FortiGate
FG/FWF-60D/-POE ✔
FG/FWF-90D/-POE ✔
FG-100D Series ✔
FG-200D Series ✔
FG-600C/800C/1000C CLI enabled
FortiSwitch
FSW-28C ✔
FSW-108D ✔
FSW-124D/-POE ✔
FSW-324B ✔
FSW-348B ✔
FSW-448B ✔
FSW-224D ✔
V5.2.3
![Page 30: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/30.jpg)
30
Port Spanning
Also called ‘Port Mirroring’
» Supported by 100D & 200D platforms
» Ingress &/or Egress traffic from a single port in a switch group can be copied to another port (in the same group)
Routing & Network Services
V5.2
![Page 31: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/31.jpg)
31
Link Load Balancing
Virtual WAN interface Interface group
» interfaces used will not appear for policy table
» Single interface to select in Policy
Defines link selections
Routing & Network Services
Virtual WAN
Interface
V5.2
![Page 32: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/32.jpg)
32
Link Load Balancing
Link Load Balancing Methods
Only one is selectable
Assign Interface members to Interface Group
Per Interface Configurations
» Probe Server settings (for link failure detection)
» Selection Definition – e.g. Weight, Ratio etc.
Routing & Network Services
Source IP Based (Hashed): Gateway selection based on Source IP address
Weighted Round Robin: Gateway selection based on session ratio assigned
Spill-over: Gateway selection based on threshold bandwidth assigned
Source-Destination IP Based: Gateway selection based on Source and destination IP address
Measured-Volume Based: Gateway selection based on Traffic volume ratio assigned
V5.2
![Page 33: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/33.jpg)
33
Link Load Balancing
Traffic Route Overrides
Admin can assign specific routings among the interface group based on certain or combination of criteria
Routing & Network Services
Link Quality: Uses TWAMP to determine each link’s quality - Latency, Jitter. Select route to highest or lowest quality link
Service Definition: Route based on defined protocol type and its service port.
Type of Service (TOS): Route based on TOS settings
V5.2
![Page 34: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/34.jpg)
34
Policy Based Routing
Features:
Policy routes are applied before destination routes
Can be used to create multiple routes to the Internet
» Static load-sharing
Routing decision can be made from:
» Source & Destination addresses
» Protocol, service type, or port range
» Incoming interface
» ToS
Routing & Network Services
HTTP
Other Traffic
![Page 35: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/35.jpg)
35
WCCP Server
WCCP Client
WCCP
Features:
Supports WCCPv1, WCCPv2
L2 and GRE Mode
May operate either as Server or Client (per VDOM)
Uses Port 2048
Option for Authentication, GRE Encapsulation
CLI Commands
Routing & Network Services
![Page 36: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/36.jpg)
36
ICAP
Allows users to configure a list of ICAP servers that the FortiGate may utilize for various purposes
Useful for legacy firewall Migration
Features: Streaming content bypass
ICAP Server
Routing & Network Services
![Page 37: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/37.jpg)
37
Network Services
DHCP Service
DHCP Relay and WINS support
DHCP server
» Multiple IP-pools for each interface
» Exclude ranges and IPs
» DHCP IP Reservation
» DHCP Options support
» MAC address reservation & Access control
IPv6 DHCP
DHCP Monitoring
Routing & Network Services
V5.2
![Page 38: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/38.jpg)
38
Network Services
DNS Service
Integrated Basic DNS Server
» Per-VDOM support
» In transparent and NAT/Route mode
Recursive DNS (split DNS)
IPv6 DNS
Dynamic DNS support
Routing & Network Services
![Page 39: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/39.jpg)
39
Network Services
DDNS Service
FortiGuard DDNS Server
» Provided with valid FortiCare contracts
» Ease of setup
» Suitable for VPN deployment and remote administration.
Routing & Network Services
![Page 40: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/40.jpg)
40
Network Services
FortiGuard NTP Service
» Provided with valid FortiCare contracts
» Alternatively, admin can choose 3rd party Servers
NTP Server
» Provide NTP services to connected devices
Routing & Network Services
![Page 41: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/41.jpg)
41
Operation Modes
NAT/Route
• Implementing access controls between different network segments
• Static, dynamic and policy based routing, WAN link redundancy & load balancing
Transparent/Bridge
• Implementing access controls on a network segment transparently
• Behaves like a switch
• L2 switching protocols support
Sniffer
• Monitoring network activities offline
• Behaves like a Sniffer
Hybrid: Organization can implement various modes within a single FGT using VDOMs
![Page 42: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/42.jpg)
42
Sniffer Mode
One-arm Sniffer
Offline Monitoring with Flow based UTM
Works with Windows AD FSSO
Routing & Network Services
![Page 43: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/43.jpg)
43
3G/4G Interface Routing & Network Services
FortiExtender 3G/4G (LTE)
Ethernet
FortiExtender
As primary connection in “remote/lights-out” devices like ATM and point of sale devices.
As fail-over connection for network equipment that supports redundant WANs.
As remote antenna, which allows you to get the best 3G/4G signal available by placing it in the best location for receiving the signal.
Extension device that works with FortiGate to provide 3G/4G Wireless WAN connection
V5.2
![Page 44: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/44.jpg)
44
3G/4G Interface
FortiExtender Setup
Discovery – Auto or manual (for routed networks)
Similar to adding a FortiAP
Device Authorization
Comprehensive Modem settings on GUI
Monitoring
Signal and usage status monitoring widget
Diagnostic tools
» Ping, AT command
Routing & Network Services
V5.2
![Page 45: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/45.jpg)
45
Overview User Identity
Authentication Services
Local User Database
Remote Auth. services – LDAP, RADIUS & TACACS+
Single Sign-on
Windows AD, Novell eDirectory integration
SSO with POP3/POP3S, Access Auth. & FortiClient
Citrix & Terminal Server Agent
Dynamic Profile
PKI and Certificates
X.509 certificates, SCEP support
Certificate signing request (CSR) creation
Auto-Renewal of Certificates before Expiry
OCSP Support
Secures access to internal networks with user identification
User Monitor
2 Factor Authentication
External 2FA support
Integrated Token Server with Physical, SMS & Soft Tokens
V5.2
![Page 46: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/46.jpg)
46
Auth. Services
FortiGate supports User Authentication for:
User Identity based Firewall Policies
Client VPN (IPSEC, SSL)
Network Access
Administration Console (CLI, GUI)
User Identity
Diagram labels: SSL VPN, FortiGate Administration, IPSEC VPN, Network Access, Identity-based Policies
* On limited Models
![Page 47: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/47.jpg)
47
Integrated 2FA
Extended Authentication Support
Integrated solution using the FortiToken, Email or SMS side-channels
Further extension using FortiAuthenticator
FortiToken, Email, SMS*
User Identity
* Requires FortiGuard SMS service
![Page 48: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/48.jpg)
48
Integrated 2FA User Identity
Eliminates requirement for additional physical device
Low cost of deployment – low initial and operational costs
Simple licensing, pricing and provisioning
Operates with free mobile applications, available on iOS and Android platforms
Secure – seeds are only on the mobile device and FortiGate
2 free units are available
FortiToken Mobile is a software token solution for mobile devices, allowing users to generate secure one-time passwords directly on the device wherever strong authentication is required.
![Page 49: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/49.jpg)
49
Integrated 2FA
Soft Token Provisioning
User Identity
SMS/EMAIL
• Admin assigns the token based on serial number
• Admin chooses the type of delivery to users
• Randomly generated activation code (not visible to admin) is forwarded to users
• Admin acquires license and adds the revealed registration code on FortiGate
• Upon successful verification, token serial numbers will be available for provisioning.
• User installs the FortiToken mobile app and enters the code given to activate the soft token
![Page 50: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/50.jpg)
50
User Definition
Local User Creation Wizard Based Remote server user to local DB mapping
User Identity
V5.2
![Page 51: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/51.jpg)
51
SSO
User Identity Acquisitions
Using both active and passive acquisition methods
Reuse user login info for user Identity based policies
User Identity
External Radius Service
Windows AD, NTLM
Terminal Servers
= M.Jones = = S.Lim = = V.Baker == J.Jackson =
Captive Portal
Network Access
FortiClient
DMZ
DMZ
Novell eDirectory
POP3/POP3s
V5.2
![Page 52: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/52.jpg)
52
SSO
Active Acquisition: System Wide – Per VDOM
» WIN AD, NTLM, Radius, terminal server SSO
Passive Acquisition: Interface Based – physical or virtual Interfaces
» User Input on Captive Portal or other prompts
» Captive Portal exemption: per policy or interface
User Identity
V5.2
![Page 53: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/53.jpg)
53
SSO
Single Sign-On with Windows AD
Option to use built-in DC Polling
Supports Windows AD user group policies or individual AD users
Ability to allow access to an AD user only if he/she comes from a defined workstation (via CLI)
User Identity
![Page 54: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/54.jpg)
54
Polling Mode
SSO
Collection Modes for AD
Domain Controller Agent
» Agents are installed on DCs to monitor & push login information to FortiGate
Polling
» No agent is required on DC
» Uses FortiGate local polling agent
» Option to run a collector Agent on a server which polls the DCs
Domain Controller Agent Mode
User Identity

| | Domain Controller Agent | Polling |
|---|---|---|
| DC Requirement | Agent is needed | Agentless |
| Target Deployment | Large deployments; Remote DC | Small Deployment |
| DHCP Tracking | Yes | No |
| Support for MAC terminals | Limited | May enable WinSecLog |
| Implementation | Complex | Easy |
| Level of Confidence | Capture all logons | Potential to miss logons if polling period is too great |
![Page 55: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/55.jpg)
55
SSO
Single Sign-On with NTLM
Is used when the MS Windows Active Directory (AD) domain controller cannot be contacted
Browser-based method of authentication
Option for guest or users with unsupported browsers to bypass NTLM on CLI
1. User attempts access to network and gets prompted by FortiGate for user credential
2. Credential information is provided by browser
3. FGT queries Windows AD
User Identity
![Page 56: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/56.jpg)
56
SSO
Single Sign-On with Terminal Servers
Requires TS agent to be installed on terminal servers and FSSO Collector on the network
Supports Citrix and Windows Terminal Server.
1. User logs in to AD & opens terminal session
2. Credential information is passed to FGT using TS agent via FSSO Collector
Diagram labels: TS, DC, Collector
User Identity
![Page 57: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/57.jpg)
57
RADIUS Accounting message, with an attribute-value pair that refers to the user group a user belongs to, is forwarded to FortiGate along with IP address info
Users get authenticated by RADIUS Server (e.g. access control)
SSO
Single Sign-On with RADIUS (RSSO)
IPv6 Clients supported
User Identity
RADIUS
2
FortiGate uses a listening agent and maps the info to its own context table. When a session enters, it looks up the table to determine its action based on the identity-based policies configured
3
IP, usergroup_x
1
V5.2
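The RSSO flow described above, as an added example that is not FortiGate code: a listener checks the RADIUS Accounting-Request authenticator (RFC 2866) before mapping IP address to user group in a context table, so a message not signed with the shared secret cannot plant an identity. The packets, the shared secret, the use of the Class attribute to carry the group, and the `ContextTable` class are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                          # RADIUS code, RFC 2866
USER_NAME, FRAMED_IP, CLASS, ACCT_STATUS = 1, 8, 25, 40   # attribute types
START, STOP = 1, 2                                        # Acct-Status-Type values


def request_authenticator(ident, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(ident, secret, user, ip, group, status):
    """Construct a sample packet, standing in for the RADIUS server's message."""
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = (attr(USER_NAME, user.encode())
             + attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + attr(CLASS, group.encode())      # assumption: group carried in Class
             + attr(ACCT_STATUS, struct.pack("!I", status)))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(ident, attrs, secret) + attrs


def parse_attributes(data):
    """Walk the type-length-value attribute list, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs[kind] = data[pos + 2:pos + length]
        pos += length
    return attrs


class ContextTable:
    """Hypothetical listener state: source IP -> (user, group)."""

    def __init__(self, secret):
        self.secret = secret
        self.entries = {}

    def handle(self, packet):
        if len(packet) < 20:
            return "dropped: short packet"
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCT_REQUEST or length != len(packet):
            return "dropped: not a well-formed Accounting-Request"
        expected = request_authenticator(ident, packet[20:], self.secret)
        if not hmac.compare_digest(expected, packet[4:20]):
            return "dropped: bad authenticator"
        try:
            attrs = parse_attributes(packet[20:])
            ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
            (status,) = struct.unpack("!I", attrs[ACCT_STATUS])
            if status == START:
                self.entries[ip] = (attrs[USER_NAME].decode(), attrs[CLASS].decode())
                return "added"
        except (KeyError, ValueError, struct.error):
            return "dropped: missing or malformed attribute"
        if status == STOP:
            self.entries.pop(ip, None)      # logoff: the mapping must not linger
            return "removed"
        return "ignored"

    def action_for(self, src_ip, allowed_groups):
        """Policy lookup for a new session, keyed on its source IP."""
        entry = self.entries.get(src_ip)
        if entry is None:
            return "deny: unknown user"
        user, group = entry
        return f"accept: {user}" if group in allowed_groups else f"deny: {user}"


def demo():
    secret = b"constructed-shared-secret"
    table = ContextTable(secret)
    start = build_accounting_request(1, secret, "m.jones", "192.0.2.10", "usergroup_x", START)
    forged = build_accounting_request(2, b"wrong-secret", "intruder", "192.0.2.66", "usergroup_x", START)
    stop = build_accounting_request(3, secret, "m.jones", "192.0.2.10", "usergroup_x", STOP)
    return [table.handle(start), table.handle(forged),
            table.action_for("192.0.2.10", {"usergroup_x"}),
            table.action_for("192.0.2.66", {"usergroup_x"}),
            table.handle(stop),
            table.action_for("192.0.2.10", {"usergroup_x"})]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The authenticator is only as strong as the shared secret, so a listener of this kind should also accept accounting traffic only from the RADIUS server's address.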
![Page 58: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/58.jpg)
58
SSO
Single Sign-On with Network Access
Supports various network access modes: captive portal, wireless auth., 802.x
Via FortiAP (per SSID), FortiSwitch (per VLAN) & FortiGate interfaces
1. Users get authenticated for network entry
2. FGT communicates with Auth. Servers for verification
3. FGT becomes aware of user and may apply Identity based policies
User Identity
![Page 59: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/59.jpg)
59
On-Net
Off-Net
SSO
SSO Mobility Agent
Caches credentials, so that information is passed to FortiGate seamlessly without user action
Eliminates the additional user identification prompt from FortiGate
Works in AD environments both on-net & off-net, also with NTLM
User Identity
![Page 60: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/60.jpg)
60
Guest Access
Temporary user Provisioning & Access
Allow non-IT staff to create Guest account via web portal
» Specialized admin-id for guest access management
Assign Time quota, generate temp password
Distribute guest credentials by printing, email or SMS
Batch guest users creation option
User Identity
![Page 61: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/61.jpg)
61
Contact Harvest
Email Harvesting
Policy intercepting sessions until users provide an email address
Useful in some areas to harvest email and provide free WiFi access
User Identity
![Page 62: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/62.jpg)
62
Overview Device Identity
Device Identification
Device & OS Fingerprinting
Device Classification & Management
Contextual Device Information
Device Based Policies
Policies using Device/Device Group
Identify device type to add into contextual information for better visibility
Enforce policies based on device types or devices
Allow organizations to embrace a BYOD environment securely
Device Group List
![Page 63: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/63.jpg)
63
Overview
Securing BYOD environment
Identifying device/device types to apply appropriate policy enforcements
Additional control beyond traditional Windows AD environment
Device Identity
Diagram labels: Identity Policies, Device Identification, Access Control, Security Application, UTM Profiles, Awareness, Agentless, Agent based
![Page 64: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/64.jpg)
64
Identification Techniques
Agentless
» TCP Fingerprinting
» MAC address vendor codes
» Network discovery protocols, DHCPv6 etc.
» Requires “direct” connectivity to FortiGate
Agent Based
» Uses FortiClient
» Location & Infrastructure Independent
Device Identification Device Identity
Diagram labels: INTERNET, DMZ, FC, FC, Agentless, with Agent
V5.2
![Page 65: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/65.jpg)
65
TCP Fingerprinting, Network Discovery & MAC Address Vendor Code
• Based on regularly updated device/OS signatures and MAC address vendor lists DB
• Automatic detection & categorization into predefined device groups
• Enabled per Device-based Policy
Captive Portal
• Force detect device by HTTP communication (HTTP User-Agent)
• Email collection / Endpoint compliance portal
Endpoint Agent
• Agent captures system information and relays it to FortiGate, 100% Accurate
• Allows device identification on remote networks
Device Identification Device Identity
V5.2
![Page 66: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/66.jpg)
66
Additional device information detection
Hostname: Internal DHCP server, traffic scan
Email address: Email collection Captive portal
Username: Authentication services or “device-user-identification enable” which extracts info via traffic scanning (enabled by default)
Device Identification Device Identity
![Page 67: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/67.jpg)
67
Device Detection
• A webpage that should let the user send some traffic in order to detect the device type
• No replacement message when successful; the user has to reload the webpage
• If failed, a replacement message will be presented
Email Collection
• Collect an email address as a means of identifying the device user
• When the email address has been verified, the device is added to the Collected Emails device group
Endpoint Compliance
• Acts as a quarantine for devices that are not protected by FortiClient
• Provides links to obtain the FortiClient software
Device Captive Portals Device Identity
![Page 68: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/68.jpg)
68
Device Management Device Identity
Device Group Management
Manual add/edit Devices
Status
Connection Information
User Information
Device Definition
Multiple MAC address merge
![Page 69: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/69.jpg)
69
Device Management Device Identity
Device Groups
Device Group Drill-down
Predefined group for auto categorization
Manual defined Custom group
V5.2
![Page 70: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/70.jpg)
70
Visibility
Device contextual Information available on widgets, logs & reports
Device Identity
![Page 71: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/71.jpg)
71
Overview End Point Control
FortiClient
• Multi-OS support
• Support Posture Checking
• Support remote user and device identification
• “Off-net” and Mobile Security Policy Enforcement
• VPN & Security Setting Provision
• Custom Install and Rebranding
• Endpoint Logging
Ensures that workstation computers (endpoints) meet security requirements
Distribute Client Security & VPN Settings
Logs Client activities
FortiClient
V5.2
![Page 72: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/72.jpg)
72
FortiClient V5.2 End Point Control
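| Feature | Windows | Mac OSX | iOS | Android |
|---|---|---|---|---|
| IPSec VPN | ✓ | ✓ | - | ✓ |
| SSL VPN | ✓ | ✓ | Web Mode Only | ✓ |
| 2FA | ✓ | ✓ | ✓ | ✓ |
| Anti-Virus | ✓ | ✓ | - | - |
| Web Filtering | ✓ | ✓ | ✓ | ✓ |
| WAN Optimization | ✓ | - | - | - |
| Registered for Central Management | | | | |
| Config Provisioning | ✓ | ✓ | ✓ | ✓ |
| Logging (to FMGR/FAZ) | ✓ | ✓ | - | - |
| Windows AD SSO Agent | ✓ | ✓ | - | - |
| Application Firewall | ✓ | ✓ | - | - |
| Vulnerability Scanning & Reporting | ✓ | ✓ | - | - |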
![Page 73: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/73.jpg)
73
Posture Checking
Enforcement Captive Portal
• Check for install and running of FortiClient
• Replacement page with download and installation instruction
End Point Control
V5.2
![Page 74: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/74.jpg)
74
Mobile Security End Point Control
INTERNET
LAN
OFF
ON
• FortiClient enrolls into the FortiGate and then receives its end point policy
• FortiClient uses last known security policies & VPN Configurations
Configuration Provisioning
• Provides consistent end point security policies “on-net” and “off-net”
• Reuse *Application Control & Web Filter Profiles
1
2
* Application control config for Windows and OS X only
![Page 75: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/75.jpg)
75
Mobile Security End Point Control
INTERNET
LAN
OFF
ON
• FortiGate informs FortiClient that it’s “on-net” using DHCP “cookies”
• FortiClient doesn’t receive “on-net” information and activates “off-net” mode
On/off-net Properties
• FortiClient adopts separate “on-net” and “off-net” configurations depending on location.
• “On-net” options include turning off local security features and enabling client logging.
• “Off-net” options include turning on security features and enabling VPN automatically.
1
2
* Application control config for Windows and OS X only
V5.2
![Page 76: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/76.jpg)
76
Mobile Security
Endpoint Profile
• For distributing Endpoint Configurations
• Reuse UTM Profiles
» App Control
» Web Filter
• Provision Multiple VPN settings
• Multiple Endpoints may be created and assigned to different Device Groups
End Point Control
V5.2
![Page 77: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/77.jpg)
77
Mobile Security
Endpoint Control Profiles Assignment
• Multiple profiles can be assigned to Device Groups/User groups/Users
1. User logon using Authentication Service (e.g. AD, RADIUS etc)
2. FGT identifies device/user upon successful logon
3. Push corresponding EC profile to FortiClient
End Point Control
![Page 78: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/78.jpg)
78
Mobile Security End Point Control
Advanced Endpoint Profile Setting
1. Setup and configure a sample client
2. Export the setting and then import into FortiGate
3. Distribute settings to other clients
![Page 79: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/79.jpg)
79
Overview Firewall
Policy Management
• Section & Global View
• IP, User & Device based Policies
• Policy Objects, Object tagging & Coloring
• Traffic counters
NAT
• Static NAT, Dynamic NAT Support
• Central NAT Table
Traffic Support
• SCTP, GTP, ICMP
• Session helpers & ALGs
Hardware Acceleration*
• High performance across all packet sizes
• Ultra-low latency
Innovative features that allow accurate and effective policy setup
Policy Table
*applicable to supported models
![Page 80: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/80.jpg)
80
Policy Table Firewall
Section View
Global View
V5.2
![Page 81: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/81.jpg)
81
Policy Table Firewall
Configurable column settings
Object Coloring
Policy counters
Smart object search
Drag-and-drop policy rearrangement or moving objects
Direct object/policy edit with right click
V5.2
![Page 82: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/82.jpg)
82
Identity based Policy
User Identity based Security Policies
• Assign access policy and profiles to each User Groups or Users
Device Identity based Security Policies
• Assign access policy and profiles to each Device Type or Device Group
User Group #1
User #1
User #2
UTM Profile #1
UTM Profile #2
Service Port #1
Service Port #2
DST #1
DST #2
Firewall
SRC #1
SRC #1
Device Group #1
Device Type #1
Device Type #2
UTM Profile #1
UTM Profile #2
Service Port #1
Service Port #2
DST #1
DST #2
SRC #1
SRC #1
V5.2
![Page 83: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/83.jpg)
83
Policy Management
Policy
• Control traffic as it traverses the device
» Interfaces, zones (group of interfaces), VLANs and SSIDs segments
Components
» Firewall configuration
» NAT settings, Traffic shaping settings
» Security instructions, e.g. scan for viruses, detect attacks, etc
» Logging Options
Firewall
V5.2
![Page 84: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/84.jpg)
84
Policy Management
Source Types
• Merged policies (IP, User & Device)
• “AND” Operations if more than one type of source is used
AND AND
Firewall
V5.2
![Page 85: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/85.jpg)
85
User Group #1
User #1
User #2
UTM Profile #1
UTM Profile #2
Service Port #1
Service Port #2
DST #1
DST #2
IP #1
IP #1
-
Device Group #1
✔
✔
- | - | Service Port #2 | DST #1, DST #2 | IP #1 | - | ✗
User #1, User #2 | - | Service Port #2 | DST #3 | IP #3 | Device Group #2 | ✗
User #1, User #2 | - | Service Port #2 | DST #3 | IP #3 | - | ✔
Policies are matched top-down. The policy table may consist of different policy types.
Policy Management Firewall
V5.2
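The matching rules from the two Policy Management slides above (source types combined with AND, table evaluated top-down), as an added Python model that is not FortiOS code or configuration. The policy names, addresses, device group names, the closing implicit deny and the shadowing check are assumptions of this example; the destination, service and UTM profile columns are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                 # "accept" or "deny"
    src_nets: tuple = ()        # an empty tuple means this source type is not used
    users: tuple = ()
    device_groups: tuple = ()


@dataclass(frozen=True)
class Session:
    src_ip: str
    user: Optional[str] = None
    device_group: Optional[str] = None


def matches(policy, session):
    """AND across source types: every type the policy uses must match."""
    if policy.src_nets and not any(
        ip_address(session.src_ip) in ip_network(net) for net in policy.src_nets
    ):
        return False
    if policy.users and session.user not in policy.users:
        return False
    if policy.device_groups and session.device_group not in policy.device_groups:
        return False
    return True


def evaluate(table, session):
    """Top-down, first match wins. The closing implicit deny is an assumption."""
    for policy in table:
        if matches(policy, session):
            return policy.name, policy.action
    return "implicit-deny", "deny"


def _covers(earlier, later):
    """Sufficient test that `earlier` matches every session `later` matches."""
    def set_ok(a, b):
        return not a or (bool(b) and set(b) <= set(a))

    if earlier.src_nets:
        if not later.src_nets:
            return False
        for q in later.src_nets:
            if not any(ip_network(q).subnet_of(ip_network(p)) for p in earlier.src_nets):
                return False
    return set_ok(earlier.users, later.users) and set_ok(
        earlier.device_groups, later.device_groups
    )


def shadowed(table):
    """Return (policy, first earlier policy that hides it) pairs for review."""
    findings = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if _covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed policy table, in evaluation order (all names are hypothetical).
TABLE = [
    Policy("staff-laptops", "accept", ("10.1.0.0/16",), ("alice", "bob"), ("Windows PC",)),
    Policy("block-lan-mobile", "deny", ("10.1.0.0/16",), (), ("Mobile Devices",)),
    Policy("lan-any", "accept", ("10.1.0.0/16",)),
    # Intended as an exception for alice's phone, but placed too low to ever match.
    Policy("alice-mobile", "accept", ("10.1.5.0/24",), ("alice",), ("Mobile Devices",)),
]

if __name__ == "__main__":
    for s in (
        Session("10.1.5.20", "alice", "Windows PC"),
        Session("10.1.5.20", "alice", "Mobile Devices"),
        Session("10.1.9.9"),
        Session("192.168.1.1", "alice", "Windows PC"),
    ):
        print(s, "->", evaluate(TABLE, s))
    print("shadowed:", shadowed(TABLE))
```

The shadowing check is conservative: it reports a policy only when a single earlier policy covers it completely, so a rule hidden by a combination of earlier rules is not flagged.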
![Page 86: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/86.jpg)
86
Policy Objects
FortiGuard GeoIP DB
• Distributed as FortiGuard Update, Requires Valid FortiCare Contract
• Manual update required using CLI Command
• GeoIP override is configurable
• Supports IPv6 addresses
Firewall
![Page 87: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/87.jpg)
87
Policy Objects
Intelligent Object Searching
• Initial implementation on Firewall Address list
• Search by name, IP, wildcards, etc.
Firewall
![Page 88: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/88.jpg)
88
H/W Acceleration Firewall
Legacy Security Gateway Appliances
CPU CPU
FortiGate with FortiASIC
CPU offload
Initial session setup
Instruction download
Network Processor
![Page 89: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/89.jpg)
89
Overview VPN
IPSEC VPN
• Standard Based Protocol Support
• Policy and route based configurations
• Hub-and-Spoke, mesh VPN architectures
• Redundant tunnels
• Split Tunneling
• Remote VPN with FortiClient
• VPN Wizard
SSL VPN
• Web and Tunnel Mode
• Customizable Portal with bookmarks
• Virtual Desktop & Host Check
Other VPN Features
• L2TP (Microsoft) & GRE
• Hardware Acceleration*
No Additional Licenses required
Integrates with UTM functions; protects internal resources against remote traffic
SSL VPN Portal
*applicable to supported models
V5.2
![Page 90: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/90.jpg)
90
Wizard
Step-by-step Guided IPSEC configurations
» Custom defined
» Predefined Templates
Covers authentication & Network settings
» No need to create separate phase1 objects for different user groups as authorization is handled by Firewall policy
IPSEC VPN
V5.2
![Page 91: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/91.jpg)
91
Web Application Mode
• Support via Java Applets
• Limited application support: HTTP/HTTPS, FTP, SMB/CIFS, TELNET, SSH, VNC, RDP, Citrix
• Ease of use
Access Modes
Tunnel Mode
• Support via SSL VPN Client, requires download & install
• Unlimited L3 application support
SSL VPN
Port Forward Mode
• Support via Java Applets
• Extends applications supported by web application mode
• Does not need admin privilege to install and run
![Page 92: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/92.jpg)
92
SSL VPN Portal
Customized header, logo, themes and page layout
Customized Widgets
Tunnel Mode Widget
SSL VPN
Web Mode bookmarks
Session Stats and status
![Page 93: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/93.jpg)
93
SSL VPN Portal
User group based portal access
Ability for MSP to create and set different portal access without using VDOMs
» URL path (i.e. suffix to bind to), Max concurrent users, Custom login page
Custom login profile selection on per SSL VPN usergroup policy
SSL VPN
https://sslvpn/customerA/ https://sslvpn/customerB/
![Page 94: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/94.jpg)
94
Virtual Desktop
CLI Command Available for Windows terminals only
SSL VPN
Application Control:
• Controls which applications users can run on their virtual desktop.
• By creating a list of either allowed or blocked applications which you then select when you configure the virtual desktop.
• Application Definitions is by MD5 Signatures
Host Check:
• Enforces the client’s use of antivirus or firewall software
• Offers predefined list which can be edited
• Customized applications can be added with globally unique identifier (GUID)
• Windows patch check (on CLI only) allows admin to define the minimum Windows version and patch level allowed
» Supports Windows 2000, XP, Vista & 7
File Access:
• Completely isolates the SSL VPN session from the client computer’s desktop environment
• All data is encrypted, including
» cached user credentials
» browser history
» cookies
» temporary files and user files created during the session.
• When the SSL VPN session ends normally, the files are deleted.
![Page 95: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/95.jpg)
95
Single Sign-on
Available on Admin defined Web-Mode HTTP/HTTPS bookmarks
Allow user to log into the SSL VPN without having to enter any more credentials to visit preconfigured website
2 Modes:
» Automatic - Use user’s SSL VPN credentials for login
» Static - Fill in the login credentials as defined by specified field name
SSL VPN
![Page 96: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/96.jpg)
96
Overview IPS
IPS Signatures
• Over 7,000+ Signatures
• Integrated FortiGuard IPS encyclopedia
• Zero-day Threat Protection & Research
• Custom Signatures
• Rate based Signatures
• Signature Filtering
• User Quarantine, Packet Logging
DOS Protection
• Rate based - set thresholds for various types of network operations
Deployment Options
• Sniffer Mode
• Bypass Interface & FortiBridge
Low latency, superior coverage and cost/performance integrated IPS
2012 NSS Security Value Map
V5.2
![Page 97: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/97.jpg)
97
IPS Sensor
Regular IPS Signatures
• Protect against
» Known Vulnerability & Zero day exploits
» Protocol abnormalities
Details Pop-Up linked to FortiGuard IPS encyclopedia
Filtered by
IPS
Severity, OS, Protocol, Applications
Target (Client/Server)
V5.2
![Page 98: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/98.jpg)
98
Rate Based Signatures
• Brute force protection by blocking subsequent requests when threshold (incident per defined sec.) is reached
» Definable block duration
» Various tracking methods
IPS Sensor IPS
V5.2
![Page 99: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/99.jpg)
99
FortiGuard Service
Outstanding Detection Rate
• 100% resistance to evasions, 97.9% Detection rate (NSS Test 2011)
Vigorous Benchmark Testing
• Tested on over 4 different tools Weekly
• Determine & Improve effectiveness of a security device to detect network vulnerabilities
IPS
![Page 100: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/100.jpg)
100
FortiGuard Service
FortiGuard Center
• FortiGuard Encyclopedia – detailed description of known threats
• IPS Updates log (RSS Feed)
• Vulnerability Advisories
• Threat Monitor – Top attacks by geographic breakdowns
Zero-Day Research
• Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)
IPS
![Page 101: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/101.jpg)
101
Performance IPS
[Bar chart: NSS IPS Latency (July 2012), axis: Latency (μs). Products compared: Check Point 12600, Stonesoft 1302, Juniper IDP 8000, Sourcefire 3D8120, Sourcefire 3D8260, Sourcefire 3D8250, SonicWALL SuperMassive, IBM GX7800, PA 5020, HP/TippingPoint 6100N, McAfee M-8000, FortiGate 3240C]
FortiGate 3240C also beats all IPS competition with Lowest Latency
![Page 102: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/102.jpg)
102
Packet Logging
Forensic Tool
• Packet capture triggered by IPS signatures
• Can be saved as pcap file for forensic studies
• Can be logged to disk, FortiAnalyzer or FortiCloud
IPS
![Page 103: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/103.jpg)
103
User Quarantine
• Intelligently blocks attackers from launching further attack
» Most attacks are conducted via several steps, e.g. port scan, followed by more targeted hacking activities
• Free up IPS resources since traffic is now stopped by firewall.
• Manually or set expiry time to remove from banned list
User Quarantine
Attackers IP Address
Antivirus IPS DLP
Duration
Endpoint Control
IPS
V5.2
![Page 104: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/104.jpg)
104
Advanced Features IPS
V5.2
NGIPS
Contextual Awareness
» Correlate with related information such as users & applications
Automation
» Automated impact assessment for quick policy tuning with FortiView
» Network behavior analysis using Threat Score
![Page 105: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/105.jpg)
105
DOS Sensors
DOS Protection
• Detects and mitigates traffic that is part of a DoS attack
• Applied as DOS Policies prior to Firewall Policies
• Rate based: set thresholds for various types of network operations
• Sensor list can be updated only when the firmware image is upgraded on the unit.

| | TCP | UDP | ICMP |
|---|---|---|---|
| Packet Rate to a Destination IP | TCP_SYN_FLOOD | UDP_FLOOD | ICMP_FLOOD |
| Packet Rate from a Source IP | TCP_PORT_SCAN | UDP_SCAN | ICMP_SWEEP |
| # of Concurrent Sessions to a Destination IP | TCP_DST_SESS | UDP_DST_SESS | ICMP_DST_SESS |
| # of Concurrent Sessions From a Source IP | TCP_SRC_SESS | UDP_SRC_SESS | ICMP_SRC_SESS |
IPS
![Page 106: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/106.jpg)
106
Overview Application Control
Application Control Sensors
• Over 3,300+ Signatures, 19 Categories
• User notifications using FortiBar or HTTP replacement message
• Granular Controls for popular apps
• Cloud Apps. visibility
• Application Control Traffic Shaping
• SPDY protocol support
• SSH Inspection
• Custom Signatures
More flexible and fine-grained policy control
Increased security
Deeper visibility into network traffic
FortiGuard Application library
V5.2
![Page 107: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/107.jpg)
107
App Signatures
App List
• Application signatures can be filtered by Category, Technology, Popularity and Risk level.
• It is useful for override setting and FortiView search
Application Control
V5.2
![Page 108: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/108.jpg)
108
App Signatures
5-point-risk levels
• Each application signature is assigned a risk level to assist administrators in understanding their threat status on logs and FortiView.
Application Control

| Risk Level | Description | Example |
|---|---|---|
| Critical | Applications that are used to conceal activity to evade detection. | Tor, SpyBoss |
| High | Applications that can cause data leakage, or prone to vulnerabilities or downloading malware. | Remote Desktop, File Sharing, P2P |
| Medium | Applications that can be misused | VoIP, Instant Messaging, File Storage, WebEx, Gmail |
| Elevated | Applications are used for personal communications or can lower productivity. | Gaming, Facebook, Youtube |
| Low | Business Related Applications or other harmless applications. | Windows Updates |
V5.2
![Page 109: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/109.jpg)
109
App Signatures
Custom Signatures
• Creates signatures and assign to their categories
Application Control
V5.2
![Page 110: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/110.jpg)
110
Application Sensor
Ease of use
• Applies actions to various categories
» Allow, Block, Monitor, reset, traffic shaping
• Create overrides that exempts from category settings
Flexibility
• Applies different profiles to users, devices and/or IPs and their respective destinations on the security policies.
Application Control
V5.2
![Page 111: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/111.jpg)
111
Application Control
Granular Controls
• Granular control popular Facebook and other online app usage
• Facebook app pages can also be controlled via Web Filtering categories and custom signatures
Application Control
V5.2
![Page 112: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/112.jpg)
112
Application Control
SPDY Protocol Support
• Open networking protocol developed primarily at Google for transporting web content, similar to HTTP
» to reduce web page load latency and improve web security
• Supported by most browsers
Application Control
V5.2
![Page 113: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/113.jpg)
113
Application Control
Deep Application Visibility
• Capture details of popular online applications
» Cloud-based file storage and video sites
» Logins to popular apps/sites
» Via web browsers
• Info extracted includes
» (upload/download) filenames
» video titles played
» user ID when login is detected
Application Control
V5.2.1
![Page 114: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/114.jpg)
114
SSH Inspection
As part of SSL/SSH Inspection Profile
Uses SSH proxy to intercept the SSH key exchange and content
After inspection, the session is re-encrypted and forwarded to the recipient
Application Control
![Page 115: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/115.jpg)
115
Overview Antivirus
AntiMalware
• Proxy and Flow based AV
• Filename & File Type filtering
• Heuristic AV Engine
• File Analysis with Cloud-based or on-premise sandboxing
• AV Databases options
• File Quarantine
Anti-Botnet
• Application Control Category
• Botnet IP Blacklist Database
Protect internal network devices against malware and other malicious codes
AV Configuration
![Page 116: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/116.jpg)
116
Technologies
Signatures
• Detects and blocks known malware and some variants
• Highly accurate, low false positives
• Requires up-to-date signature updates
• 3rd party validated
Behavioral Evaluation
• Detects and blocks malware based on scoring system of known malicious behaviors or characteristics
• Can be used to flag out suspicious files for further analysis
File Analysis
• Detects zero-day threats by executing codes on emulators to determine malicious activities.
• Resource intensive, performance and latency impact
Antivirus
![Page 117: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/117.jpg)
117
Technologies
Application Control
• Detects and blocks nearly 50 active botnets
• Botnet network activities by examining traffic
• Prevents zombies from leaking data or communicating for instructions
Botnet IP Reputation DB
• Detects and blocks known Botnet C&C Communication by matching against Botnet command blacklisted IPs
• Stops dial back by infected zombies.
Antivirus
![Page 118: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/118.jpg)
118
In-box AV functions
FortiGate as AV Gateway
• Network based, no agents required on hosts
• Can be proxied or flow based
• Signature set options: Normal, Extended or Extreme
• File Quarantine if Local storage is available
Antivirus
![Page 119: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/119.jpg)
119
NORMAL
• list of currently active threats
• recently added by the Fortinet Antivirus team
• detected by the FortiGuard network
• the wild list database.
EXTENDED
• older and recently active threats (already dropped by wild list).
EXTREME
• remaining detection signatures for all threats
• zoo entries, and historical curiosities such as old DOS based viruses.
AV Signature DB Antivirus
![Page 120: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/120.jpg)
120
Antivirus
AV Engine
Code Emulator
• Lightweight Emulators
» Good against VM evasion
• OS-Independent file analysis, all file type
» Java Scripts, Flash,
• Best against Malware Injections via (compromised) web 2.0 applications
Signature Match (CPRL/Checksum)
File Sample
Decryption/unpacking System
Code Emulator
Behavior Analysis
Suspicious: Forward to cloud-based FortiGuard AV service
Pass: No Further Action
FortiGate AV Engine 2.0
Blocked: File discarded, option to Quarantine and event logged
V5.2
![Page 121: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/121.jpg)
121
In-box AV functions Antivirus
| | Proxy Based | Flow Based |
|---|---|---|
| External Sandboxing | FortiCloud Sandbox, FortiSandbox | FortiCloud Sandbox, FortiSandbox |
| Anti-Bot | FortiGuard Botnet Servers Black List | FortiGuard Botnet Servers Black List |
| Protocols Supported | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, MAPI, FTP/SFTP, NNTP (CLI) | HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, IMAP/IMAPS, FTP/SFTP, NNTP |
| Replacement message | All supported Protocols | Limited to HTTP/HTTPS |
V5.2
![Page 122: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/122.jpg)
122
FortiGuard AV Service Antivirus
Fortinet
![Page 123: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/123.jpg)
123
File Analysis
Integration with FortiSandbox/ FortiCloud Sandbox
• Automated submission all files or when file is flagged as suspicious by AV engine
• Summary report is available on FortiGate dashboard
Antivirus
FortiCloud Sandbox/ FortiSandbox
1. Suspicious files and related logs are uploaded
2. Scan results are available on FortiCloud Portal
3. Summary results are displayed on FortiGate’s Widget
V5.2
![Page 124: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/124.jpg)
124
File Analysis
FortiSandbox Cloud Integration
• FortiSandbox Viewer
• View detailed analysis
• Manual source quarantine
Antivirus
V5.2.3
![Page 125: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/125.jpg)
125
Overview Email Filter
Antispam
• Supports SMTP, SMTPS, IMAP, POP3, IMAPS and POP3S
• FortiGuard AS Filtering: RLB, SURLB, checksum
• Phishing URL detection
• HELO DNS lookup
• Manual BWL
Content Filtering
• Banned words, scoring method
Detects and removes spam emails to prevent malicious activities from occurring
Email Filter Profile
![Page 126: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/126.jpg)
126
Antispam
FortiGate as Antispam Gateway
• Tag subject or discard when spam is detected
• Uses both local and FortiGuard DB to detect spams
• Also detects phishing URLs on Emails
Email Filter
![Page 127: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/127.jpg)
127
Spam Filters Email Filter
Checksum Check
URL Check
Banned Word (body)
IP BWL (received header)
Banned word (Subject)
Return Email DNS Check
MIME Header
Email Address BWL Check
DNSBL/ORDBL
HELO DNS lookup
IP Check
IP BWL
Last Hop IP
Email Header
Email Content
SMTP/SMTPS
Checksum Check
URL Check
Banned Word (body)
Banned word (Subject)
MIME Header
Email address BWL Check
Email Header
Email Content
IMAP, IMAPS, POP3, POP3S
Order of Spam Filters
IP BWL (received header)
Legend: FortiGuard Service; Local Filter; Local Filter, CLI only
![Page 128: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/128.jpg)
128
Overview Web Filter
URL Filtering
• URL, web content, MIME Filtering
• Time usage Quota
• Transparent Safe Search
• Policy Objects, Object tagging & Coloring
• Local Rating & Category
• User override option
Proxy Avoidance Prevention
• Proxy Service Site blocking
• Language translation & Cache blocking
• Rate site by IP addresses
• Application Control – Proxy avoidance category
• IPS proxy behavior detection
…
Web Filtering Block Page
![Page 129: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/129.jpg)
129
FortiGuard Service Web Filter
• 78 Categories in 6 Groups
• Over 250 million URLs rated
• 70 Languages
• 40-80 Billion queries per week
• 40K URLs get automatically rated daily
• 96% of all queried websites are rated
More Accurate
Less Wrongly Rated
More Coverage
![Page 130: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/130.jpg)
130
Safe Search Web Filter
Advantages over client’s browser configuration:
✔ Easy to provision – no need to “touch” clients
✔ Prevents safe search avoidance
1. User does a search from portal
2. FortiGate transparently inserts Safe-Search parameter to the query
3. Search engines respond with Safe-Search results
![Page 131: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/131.jpg)
131
Google Access
Restrict by Domain
• Allows a workplace to restrict Google access to only their corporate accounts.
» Proxy WF only
» Deep inspection required
Web Filter
V5.2
![Page 132: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/132.jpg)
132
Manual URL Filter Web Filter
URL Definition
• Static, regular expression or wildcard
HTTP-Referrer
• Allows websites to be blocked/allowed except when clicking a link on another website
V5.2
![Page 133: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/133.jpg)
133
Proxy Avoidance
Blocking known sites that:
» Provide listing of HTTP Proxy services
» Provide Proxy Avoidance techniques & Instructions, software downloads etc
» (Language) Translate websites
Identify and rates redirected websites
» Cache & Translation sites
Rate sites by IP addresses
Web Filter
![Page 134: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/134.jpg)
134
Proxy Avoidance Web Filter
Defense-in-Depth
Category = Proxy
Application Control
http_proxy_activity
IPS Signature
• Prevents Proxy Avoidance further …
» Application Control stops Proxy Avoidance applications
» IPS signature detects and blocks “zero-day” proxy activities
![Page 135: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/135.jpg)
135
Inspection Modes Web Filter
| Feature | Proxy Based | Flow Based | DNS Based |
|---|---|---|---|
| Hardware Acceleration | No | No | No |
| HTTPS Deep-Scan; Active-X, Cookie & Java Applet Filters; other advanced filtering options | Yes | No | No |
| Safe Search | Inject Safe Search Parameters | Blocks non-safe search request | No |
| Replacement Message | Yes | Yes | Redirect |
| Concurrent Sessions | Based on max proxy sessions | Very High | Very High |
| Asymmetric Traffic Support | No | Yes. HTTP only | Yes. HTTP only |
| Category actions | All | Auth & Warning not supported | Auth & Warning not supported |
V5.2
![Page 136: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/136.jpg)
136
Overview DLP
DLP Sensor
• Document Fingerprinting
• File name, type & size Filter
• Encrypted file/message Filter
• Watermark Filter
• Sample profiles: SSN, credit card number, etc. detection
Content Archive
• Archive Email, FTP, HTTP, IM, and session control content
Protects intellectual property from internal mishandling
Prevents sensitive information from being transmitted to unauthorized networks
DLP Sensor Filter
![Page 137: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/137.jpg)
137
Overview DLP
Data leakage can be the intentional or unintentional result of human/software error; it is often the result of specific, targeted actions, sometimes by trusted insiders, which lead to the loss of sensitive information.
DLP solutions typically have 3 main components
• Data at Rest: Scanning of content storage repositories, to identify where sensitive data exists
• Data in Motion: Intercepting and inspecting traffic which is traversing the network, to identify potentially sensitive data
• Data in Use: Endpoint solutions that monitor endpoint system activity and identify sensitive data
![Page 138: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/138.jpg)
138
DLP Sensor
• Can either be proxy or flow based
• Hosts a set of DLP rules
• A DLP Sensor is applied to a protection profile
DLP Actions (per-rule)
• Log (Full Content Archive or Summary)
• Block
• Quarantine User, IP or Interface
DLP Rule Filters
• Finger Print
• File size, type
• Regular Expression
• Encrypted
File Types Supported
• Text file
• PDF
• MS Word
DLP
![Page 139: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/139.jpg)
139
Overview Vulnerability Scanning
Vulnerability Management
• Asset Discovery & OS Detection
• Manual or scheduled scans
• Results visible on monitor, logs and reports
• Links to FortiGuard Threat Encyclopedia for details & remediation advice
FortiAnalyzer Integration
• Report correlation
Protects network assets (servers and workstations) by scanning them for security weaknesses
Facilitates proactive patching against known vulnerabilities
Vulnerability Scan report
![Page 140: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/140.jpg)
140
Overview Wireless
Integrated Wireless Controller
• Based on CAPWAP RFC standards
• Support up to 1024 APs per controller
• QoS Support
Wireless Security
• Wireless IDS
• WPA/WPA2-Personal and WPA/WPA2-Enterprise (802.11i), Captive portal modes
• Rogue AP monitoring and suppression
Wireless Deployment
• FortiPlanner
• Automatic Radio Resource Provisioning
• Fast Roaming
• Wireless Mesh & Bridging
• AP Load Balancing
Secures wireless access with integrated wireless controller
Implements PCI requirements
AP Profile
![Page 141: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/141.jpg)
141
Overview
Unified Secured Access
• Integrated WLAN management with security gateway
• Shared authentication services & access policies
Wireless Access
Wired Access
Remote Access
DIGITAL ASSET
• Content Inspection
• Attack Mitigation
• User Identification
• Access Control
Wireless
![Page 142: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/142.jpg)
142
Thin AP
CAPWAP
• Standard based Protocol for Control and provisioning of wireless access points
Fast Roaming*
• Users in a multi-AP network can move from one AP coverage area to another without impairing most wireless traffic and applications.
Wireless
[Diagram labels: Floor; Wiring Closet; Aggregation; FortiGate Controller; Data Center; CAPWAP]
Thin AP architecture tunnels all traffic to the FortiGate Controller for added security and ease of management
* Only in L2 networks
![Page 143: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/143.jpg)
143
User Access
FortiGate Wireless Controller supports:
Captive Portal
• Web browsing intercept user login
WPA Personal (PSK)
• Wireless access using pre-shared keys
WPA-Enterprise (802.1x)
• More secure access with individual user logins
Wireless
![Page 144: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/144.jpg)
144
Wireless Security
Rogue AP Identification by 'On Wire Scan'
• Automatically distinguishes unknown APs (aka neighbors) from unknown APs that are on the retail network (rogue)
• By correlating packets seen on the wireless side with packets seen on the wired side.
• An event log is generated when a rogue AP is detected
Wireless
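The on-wire correlation described on this slide, as an added Python example (not FortiOS code): an unknown AP is flagged rogue when a client MAC heard behind it also appears as a source MAC on the wired side, or when its BSSID sits within a few addresses of a wired MAC. The adjacency window, data layout, function names and all MAC addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass


def norm(mac):
    """Normalize a MAC address to 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    int(digits, 16)  # raises ValueError on non-hex input
    return digits


@dataclass
class Verdict:
    bssid: str
    status: str  # "rogue" (attached to our wired network) or "neighbor"
    reason: str


def classify_unknown_aps(air_view, wired_macs, managed_bssids=(), adjacency=7):
    """air_view: BSSID -> client MACs heard associated to it over the air.
    wired_macs: source MACs observed on the wired segments.
    managed_bssids: our own APs, which are known and therefore skipped."""
    wired = {norm(m) for m in wired_macs}
    managed = {norm(m) for m in managed_bssids}
    verdicts = []
    for bssid in sorted(air_view):
        b = norm(bssid)
        if b in managed:
            continue
        clients = {norm(c) for c in air_view[bssid]}
        # Bridging AP: its wireless clients show up unchanged on the wire.
        bridged = sorted(clients & wired)
        # Routing AP: clients are hidden behind NAT, but the wired-port MAC is
        # usually numerically close to the radio MAC (same vendor prefix).
        near = sorted(
            w for w in wired
            if w[:6] == b[:6] and abs(int(w, 16) - int(b, 16)) <= adjacency
        )
        if bridged:
            verdicts.append(Verdict(bssid, "rogue", f"client {bridged[0]} seen on wire"))
        elif near:
            verdicts.append(Verdict(bssid, "rogue", f"wired MAC {near[0]} adjacent to BSSID"))
        else:
            verdicts.append(Verdict(bssid, "neighbor", "no wired-side correlation"))
    return verdicts


def rogue_events(verdicts):
    """One event log line per rogue AP, as the slide describes."""
    return [
        f'rogue-ap-detected bssid={v.bssid} reason="{v.reason}"'
        for v in verdicts
        if v.status == "rogue"
    ]


# Constructed observations (locally administered MAC addresses).
AIR_VIEW = {
    "02:aa:bb:00:00:10": {"02:11:22:33:44:55"},  # bridging AP on our LAN
    "02:cc:dd:00:01:05": set(),                  # routing AP, wired port ...01:01
    "02:ee:ff:00:09:00": {"02:77:77:77:77:77"},  # next-door office AP
    "02:10:10:00:00:01": {"02:99:99:99:99:99"},  # one of our managed APs
}
WIRED_MACS = {"02:11:22:33:44:55", "02:cc:dd:00:01:01",
              "02:99:99:99:99:99", "02:12:34:56:78:9a"}
MANAGED = {"02:10:10:00:00:01"}

if __name__ == "__main__":
    for line in rogue_events(classify_unknown_aps(AIR_VIEW, WIRED_MACS, MANAGED)):
        print(line)
```

A client that roams between a managed AP and a neighbor AP would match the first rule, so a production detector would also require the two sightings to overlap in time.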
![Page 145: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/145.jpg)
145
Wireless Security
Rogue AP Suppression
• By sending excessive reset signals to the rogue AP, so clients cannot connect to the rogue AP. If a client joins a rogue AP, a deauthentication message is sent to that client.
• Automatically blocks the MAC address of that rogue AP in the Firewall Policy
• Feature is only available when there is at least one radio dedicated to Rogue AP detection
Wireless
FWF-80C doesn’t support rogue suppression*
![Page 146: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/146.jpg)
146
Deployment Features
Full Mesh
Wireless
![Page 147: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/147.jpg)
147
Wireless Deployment Features
Local Bridge
• Allows the AP to be centrally managed without backhauling the traffic to the wireless controller
• Bridges an SSID to a local port at the FortiGate using a softswitch configuration
• Allows split tunnel to internet
![Page 148: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/148.jpg)
148
Wireless Deployment Features
AP Load Balancing
• Used in high density deployments, such as conferences, to prevent all clients connecting to the same AP
• Two methods:
» Signal clients to connect to another AP
» Signal clients to connect to another frequency
![Page 149: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/149.jpg)
149
Monitoring
Wireless Dashboard
• An easy visual for determining the health of the network’s wireless infrastructure
• Widgets:
» AP Status
» Client Count over Time
» Top Client Per-AP (2.4 GHz)
» Top Client Per-AP (5 GHz)
» Top Wireless Interference (2.4 GHz)
» Top Wireless Interference (5 GHz)
» Login Failures Information
Wireless
![Page 150: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/150.jpg)
150
Monitoring
Spectrum Analysis
• Illustrates signal interference as detected by a particular FortiAP
• Also points out Top APs and their SSIDs that are interfering with a particular FortiAP
Wireless
V5.2
![Page 151: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/151.jpg)
151
FortiAPs Family Wireless
[Figure: FortiAP model matrix. Deployment types: Remote, Outdoor, Indoor. Tiers: 3x3:3 Resiliency and Versatility; 2x2:2 Performance; 1x1:1 Value. Radio types: Dual Radio Dual Band, Single Radio. Models shown: FAP-221/223C, FAP-222B, FAP-210B, FAP-320B, FAP-112D, FAP-112B, FAP-28C, FAP-14C, FAP-11C, FAP-320C, FAP-222C, FAP-25D, FAP-21D, FAP-224D, FAP-321C, FAP-221/223B, FAP-24D. Four models carry an 802.11ac label.]
![Page 152: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/152.jpg)
152
FortiPlanner
Wireless Planning Tool
• For pre-sales step to determine how many FortiAPs the customer needs to purchase
• Wireless site survey upgrade available (>50 APs, site survey)
Download from: http://www.fortinet.com/wireless/
Wireless
Key Features:
• Import floor plans
• Structure drawing
• Manual or auto AP placing
• Placement Analysis
• Dynamic Heatmap
• Generate Site and inventory reports
![Page 153: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/153.jpg)
153
FortiPlanner Wireless
Dynamic Heatmap
• Real-time polling of FortiGate Wireless Controller
• Display current number of clients, channel, TX power
• Helps to spot coverage holes and failed AP
![Page 154: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/154.jpg)
154
Overview Traffic Shaping & QoS
Bandwidth Control
• Options: Shared policy shaping, per-IP shaping & Application Control shaping
• Max. & Guaranteed Bandwidth
• Max. Concurrent Connections per IP
QoS
• Traffic prioritization
• Type of Service (TOS), Class of Service (COS) & Differentiated Services (DiffServ) Support
Protects critical traffic from being overwhelmed by other traffic
Manages bandwidth usage by traffic type and applications
Prioritizes time-sensitive traffic such as VoIP & streaming videos
Per IP and shared Traffic Shapers
V5.2
![Page 155: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/155.jpg)
155
Traffic Shaper
Shared Traffic Shaper
• Bandwidth management by security policies
» Per policy
» All policies
• Maximum and guaranteed bandwidth
• Traffic priority
• Assign DSCP value for other device use
• Also used by Application Control
Guaranteed Bandwidth
Maximum Bandwidth
Traffic priority
DSCP value
Traffic Shaping & QoS
![Page 156: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/156.jpg)
156
Traffic Shaper
Per-IP Traffic Shaper
• Enables admin to limit the behavior of every member of a policy, to prevent one user from using all the available bandwidth
• Maximum bandwidth & Concurrent Connections
• Assign Forward and reverse DSCP value for other device use
Traffic Shaping & QoS
Guaranteed Bandwidth
Maximum Concurrent Sessions
![Page 157: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/157.jpg)
157
Overview Server Load Balancing
Load Balancing
• Methods: static, round-robin, etc.
• Persistence: Cookie, SSL session ID, host
• Probes & Health Checks: TCP, HTTP, ICMP PING
• SSL Offloading
• HTTP Multiplexing
Integrated server load balancing features with security applied
Maintains secured and high availability to application delivery
Load balance cluster status viewer
![Page 158: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/158.jpg)
158
Overview
FortiGate intercepts the incoming traffic and shares it across the available servers
» Clients connect to the published Virtual Server
» Load balancer distributes traffic to cluster of Real Servers with desired Load balancing & Persistence methods
» Health Checks are performed to monitor the availability of real servers.
Virtual Server
Real Server
Extensions
• SSL Offload
• Network Security (Firewall, AV, IPS, DLP)
Load Balancing Methods
Service Type (HTTP, HTTPS, IMAPS, POP3S, SMTPS, SSL, TCP, UDP, IP)
Monitors (TCP, HTTP, ICMP PING)
Persistence (cookie, SSL Session ID)
Server Load Balancing
![Page 159: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/159.jpg)
159
LB Methods Server Load Balancing
| Method | Description |
|---|---|
| Source IP Hash | Statically spread evenly across all real servers. |
| Round Robin | Directs new requests to the next real server, and treats all real servers as equals |
| Weighted | Real servers with a higher weight value receive a larger percentage of connections. |
| First Alive | Always directs sessions to the first alive real server, not distributed |
| Least RTT | Directs sessions to the real server with the least round trip time, determined by a Ping health check monitor |
| Least Session | Directs requests to the real server that has the least number of current connections. |
| HTTP Host | Using the host’s HTTP header to guide the connection to the correct real server |
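The selection logic behind the methods in this table, as an added Python example (not FortiOS code): each method chooses only among real servers that passed their last health check. Class, field and method names and the sample pool are assumptions; the source IP hash here is a plain modulo of the client address.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    weight: int = 1        # used by "weighted"
    alive: bool = True     # result of the last health check
    sessions: int = 0      # current connections, used by "least-session"
    rtt_ms: float = 0.0    # ping monitor result, used by "least-rtt"
    http_host: str = ""    # Host header served, used by "http-host"


class VirtualServer:
    """Hypothetical virtual server that applies one load balancing method."""

    def __init__(self, servers, method):
        self.servers = list(servers)
        self.method = method
        self.turn = 0  # rotation counter for round-robin and weighted

    def pick(self, client_ip=None, http_host=None):
        # Health checks come first: a failed real server is never a candidate.
        alive = [s for s in self.servers if s.alive]
        if not alive:
            return None
        if self.method == "source-ip-hash":
            # The same client address always maps to the same real server.
            chosen = alive[int(ipaddress.ip_address(client_ip)) % len(alive)]
        elif self.method == "round-robin":
            chosen = alive[self.turn % len(alive)]
            self.turn += 1
        elif self.method == "weighted":
            # A server with weight 3 appears three times in the rotation.
            ring = [s for s in alive for _ in range(max(s.weight, 1))]
            chosen = ring[self.turn % len(ring)]
            self.turn += 1
        elif self.method == "first-alive":
            chosen = alive[0]
        elif self.method == "least-rtt":
            chosen = min(alive, key=lambda s: s.rtt_ms)
        elif self.method == "least-session":
            chosen = min(alive, key=lambda s: s.sessions)
        elif self.method == "http-host":
            wanted = (http_host or "").lower()
            matches = [s for s in alive if s.http_host == wanted]
            if not matches:
                return None
            chosen = matches[0]
        else:
            raise ValueError(f"unknown method: {self.method}")
        chosen.sessions += 1
        return chosen


def sample_pool():
    """Constructed pool of three real servers for the demonstration."""
    return [
        RealServer("web1", weight=3, sessions=5, rtt_ms=12.0, http_host="shop.example.com"),
        RealServer("web2", weight=1, sessions=1, rtt_ms=3.5, http_host="blog.example.com"),
        RealServer("web3", weight=1, sessions=3, rtt_ms=8.0, http_host="api.example.com"),
    ]


def distribution(method, picks, **request):
    """Count which real server each of `picks` new sessions lands on."""
    vs = VirtualServer(sample_pool(), method)
    return Counter(vs.pick(**request).name for _ in range(picks))


if __name__ == "__main__":
    for m in ("round-robin", "weighted", "least-session"):
        print(m, dict(distribution(m, 10)))
    print("source-ip-hash", dict(distribution("source-ip-hash", 10, client_ip="10.0.0.6")))
```

Because the hash is taken over the servers currently alive, a health-check failure remaps some clients to a different server, which is the case persistence settings are meant to cover.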
![Page 160: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/160.jpg)
160
Overview SSL Offloading & Inspection
SSL Offloading
• SSL Offloading for WANOPT & reverse web caching
• SSL Offloading for SLB
SSL Inspection
• Facilitate UTM on SSL encrypted applications
• “SSL Cert Inspection” and “Full SSL Inspection” modes
Intercept and proxy SSL encrypted Traffic for UTM for more security
SSL offloading from web servers to economical secure web access offering
SSL Inspection Option
V5.2
![Page 161: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/161.jpg)
161
Overview
SSL Inspection Exemptions
• Allows admin to build exclusion list using
» Web Categories with defaults
» (Destination) Address Object - FQDN or IP addresses
• Applicable to both “SSL Cert Inspection” and “Full SSL Inspection” modes
SSL Offloading & Inspection
V5.2
![Page 162: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/162.jpg)
162
Overview WAN Optimization
WAN Optimization
• Protocol Optimization & byte Caching
• FortiClient Support
Web Caching
• Forward & reverse proxy
Explicit Proxy
• Proxy chaining
• PAC file distribution
Integrated WANOPT network services with security capabilities
Improve user experience and bandwidth efficiency
Resolves complexities, management and cost of involving additional WANOPT devices
WANOPT Monitors
![Page 163: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/163.jpg)
163
WANOPT Tunneling
• Supports various network topologies such as inline and out-of-path design
• Supports multi-peers including FortiClient
• Can be used in both transparent or NAT/Route Mode, virtualized per VDOM
WAN
WAN Optimization
Peers
Authentication group
![Page 164: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/164.jpg)
164
Web Caching
• Reducing bandwidth usage with fewer requests and responses across WAN
• Reducing server load as it has to serve fewer requests
• Reducing perceived latency since data is obtained from local unit
Forward Proxy
INTERNET
Reverse Proxy
WAN Optimization
![Page 165: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/165.jpg)
165
Explicit Proxy
Allows users’ web traffic to be explicitly proxied via FortiGate, providing secured restrictive Internet access policies.
Features:
• Proxy HTTP/HTTPS & FTP sessions from web browsers
• Distribute proxy auto-config (PAC)
• Supports SOCKS sessions from browsers (CLI Command)
• Virtualized per VDOM
• Proxy Chaining with forward server load balancing support
• User authentication
• Transparent Explicit Proxy option using IP reflect
WAN Optimization
V5.2
![Page 166: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/166.jpg)
166
Overview Virtual Systems
Virtual Domains
• Global and per-VDOM settings
• VDOM administrator
• Resource allocation
• VDOM Licensing
• VDOM Logging
FortiGate Virtual Appliance
• FortiOS in Virtual Environment
Provides multiple logical entities in a single physical unit
Out-of-the box Multi-tenant & department solution
Saving in physical Space & Power
VDOM Configuration
![Page 167: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/167.jpg)
167
Virtual Domains
Global System
VDOM_1
Virtual Systems
VDOM_2 VDOM_N…Management
HA FortiGuard
Global System
![Page 168: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/168.jpg)
168
VDOM Admin
• Virtual domains can be managed using either one common administrator or multiple separate administrators for each VDOM
• Administrators assigned the super_admin profile can manage all VDOMs on the FortiGate device
» Can also create other administrator accounts and assign them to VDOMs
Virtual Systems
![Page 169: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/169.jpg)
169
MGMT VDOM
Management traffic leaves through management VDOM
Management VDOM should have access to Internet or FMGR
Default management VDOM is root
Virtual Systems
DNS, NTP
External Logging
FortiGuard
Alert Emails
SNMP traps
Quarantine
root Management
![Page 170: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/170.jpg)
170
Resource Allocation
Managing Resources
• Customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM
Global Resources Viewer
• Allows admin to view available resources as total
Virtual Systems
![Page 171: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/171.jpg)
171
Resource Allocation
Per VDOM System Resources
• Display system stats for each VDOM
» CPU usage, memory usage, concurrent sessions & new sessions per sec
• Meant as good guidance, not completely accurate
• No CPU/Memory limiting capabilities
Virtual Systems
V5.2
![Page 172: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/172.jpg)
172
VDOM Links
Linking VDOMs
• Uses two virtual interfaces, each on a different VDOM, linked together to connect those two VDOMs without using additional physical interfaces
• Inter-VDOM links can be created with both VDOMs in different operating modes (but not when both are in transparent mode)
Virtual Systems
VDOM_1 VDOM_EXT VDOM_2
![Page 173: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/173.jpg)
173
Virtual Appliance Virtual Systems
Supports a variety of hypervisors for private and public cloud infrastructure
Consistent management platform and GUI, similar to physical FortiGate
Virtual Appliance
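| Vendor | Hypervisor | FortiGate-VM |
|---|---|---|
| VMware | vSphere v4.0/4.1 | ✔ |
| VMware | vSphere v5.0 | ✔ |
| VMware | vSphere v5.1 | ✔ |
| VMware | vSphere v5.5 | ✔ |
| Citrix | XenServer v5.6 SP2 | ✔ |
| Citrix | XenServer v6.0 | ✔ |
| Open Source | Xen | ✔ |
| Open Source | KVM | ✔ |
| Amazon | AWS | ✔ |
| Microsoft | Hyper-V 2008 R2 | ✔ |
| Microsoft | Hyper-V 2012 | ✔* |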
V5.2
![Page 174: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/174.jpg)
174
Overview High Availability
FortiGate Clustering Protocol
• Active-Passive, Active-Active, Virtual Clusters
• Redundant heartbeat interfaces
• HA Reserved Management Interface
Deployment options
• HA with Link Aggregation
• Full mesh HA
• Geographically dispersed HA
• TCP Session Sync
• VRRP
• FG5000 Chassis based clustering
HA Configuration
Failover
• Manual, Session, link & remote link failover
• Subsecond Failover
V5.2
![Page 175: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/175.jpg)
175
HA Technologies High Availability
Signatures
FortiGate Clustering Protocol (FGCP)
• Enhanced reliability via device failover, link failover and remote link failover
• Increased performance via active-active HA load balancing
• Uses a virtual MAC/single IP address per network segment
FortiGate Session Life Support Protocol (FGSP)
• Supports asymmetric traffic and scenarios with load balancers and routers distributing sessions across multiple appliances
• Does not have a heartbeat mechanism to detect unit failure; each FG operates by itself with config and session sync
Virtual Router Redundancy Protocol (VRRP)
• RFC standard based, allows 3rd party device integration
• Resource intensive, performance and latency impact
![Page 176: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/176.jpg)
176
Synchronization
• Information synchronized by default
» Configuration
» Routing tables
» IPsec VPN SA
» DHCP server address lease database
• Session failover (aka session pickup) not enabled by default
• Session failover synchronizes
» TCP (IPv4/v6)
» UDP, ICMP
» SIP
» IPsec VPN sessions
• Information not synchronized
» UTM sessions
» Explicit Web Proxy
» ARP table
» Multicast
» SSL VPN sessions
High Availability FGCP
![Page 177: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/177.jpg)
177
Virtual Clusters
• Similar concept to load sharing
• Can operate in A-A or A-P mode
• Available when VDOMs are enabled
• 2 Virtual clusters can be created with as many VDOMs available assigned to them
• Inter-VDOM links must be entirely within one virtual cluster.
[Diagram: FORTIGATE-01 and FORTIGATE-02, each with VDOM 1, VDOM 2 and VDOM 3, grouped into V.Cluster 1 and V.Cluster 2]
High Availability
![Page 178: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/178.jpg)
178
Failover
Device & Link Failover
• Failover can be triggered when the master/primary unit fails or the links connecting it fail
Remote Link Failover
• Uses ping servers on the primary unit to test connectivity with IP addresses of network devices that are not directly connected
• May be multiple interfaces and/or multiple IPs on a monitor interface
Subsecond Failover
• Normally achievable for a cluster of two units operating in Transparent mode with only two interfaces connected to the network
High Availability
![Page 179: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/179.jpg)
179
Event Monitoring
• Quick visual & on current HA status, resource usage and threat situation
• HA Logs details related activities, state and status changes
High Availability
![Page 180: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/180.jpg)
180
Overview Log & Report
Logging
• Traffic, UTM & Event Logging
• MAC address logs
• External Syslogging
• Multiple device logging
• Alert Email
Reporting
• In-box or external Reporting
• Report Customization
• FortiManager/FortiAnalyzer Integration
Meeting Compliance requirements
Analysis tools
Notifies key events
Report Customization Panel
![Page 181: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/181.jpg)
181
Log Structure Log & Report
V5.2.3
TRAFFIC
• Forward Traffic
• Local Traffic
• Sniffer Traffic
SYSTEM
• System
• Router
• VPN
• User
• WiFi
• Endpoint
• HA
SECURITY
• Antivirus
• Web Filter
• Application Control
• Intrusion Protection
• Email Filter
• DLP
Detailed Logging
• Strong admin audit trails
• Unique log association between traffic and security logs
• Threat weight scoring on security logs
![Page 182: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/182.jpg)
182
Log Viewer Log & Report
Log detail Viewer
Pictograms
Log Filter
Tabs to associated Security Logs
V5.2
![Page 183: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/183.jpg)
183
Default Reports
On-box Reporting
• Local storage required
• Scheduled or On-demand
• Email delivery option
• PDF output
Log & Report
V5.2.3
UTM Security Analysis Report
• Bandwidth & Applications
• Web Usage
• Emails
• Threats
• VPN Usage
• Admin & System events
![Page 184: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/184.jpg)
184
Customization Log & Report
GUI level
• Report Layout & design
• Chart selection
CLI level
• Create dataset and chart with SQL query
![Page 185: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/185.jpg)
185
Overview IPv6
IPv6 Networking & Routing
• IPv6 Coexistence Support
• VDOM and administration Support
• Hardware acceleration
• Dynamic & static routing
• Bandwidth Management
• DHCP and DNS
IPv6 UTM
• Supports major UTM functionalities
Adopts IPv6 ready network quickly & easily
Comprehensive protection on IPv6 traffic
USGv6 CORE
IPv6 Traffic Logs
![Page 186: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/186.jpg)
186
IPv6 Feature Matrix
IPS interface policies for IPv6
IPv6 static routes
IPv6 firewall addresses & groups
IPv6 firewall policies
IPSEC VPN with IPv6 addressing
IPv6 over IPv4 tunneling
IPv6 DNS
IPv6 Transparent mode
IPv6 administrative access
IPv6 dynamic routing using RIPng, BGP, or OSPF protocols
UTM features support IPv6 traffic - AV scanning, URL filtering using FortiGuard rating
SSL VPN Web Mode IPv6
IPv6 Session Display
IPv6 Firewall Auth
DHCP6
IPv6 firewall acceleration
IPv6 support for SNMP
IPv6 support for DLP sensor, VoIP and ICAP UTM feature
IPv6 NAT (NAT46, NAT64, NAT66, DNS64)
IPv6 + IPS Forwarding Policy
HA Session Pickup for IPv6
IPv6 Per-IP Traffic Shaper
IPv6 Policy Routing
IPv6 Explicit Proxy
IPv6 MIBs
IPv6 DoS
V4.0
V4.1
V4.3 V5.0
IPv6
![Page 187: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/187.jpg)
187
FortiSMS
International one-way SMS messaging service
• Covers 962 networks in 224 countries
• Based on global leading & proven mobile messaging infrastructure (powered by Clickatell)
Usage
• Option for FortiToken Mobile activation code delivery
• Option for Guest User credentials
• SMS-based 2FA
• Also works with FortiAuthenticator
SMS messages top-up
• Certificate License for 100 SMSes.
• Easy to add by scratching off to reveal activation code (like prepaid cards)
• Dashboard widget: amount indicator
FortiGuard Services
![Page 188: Inside forti os-v524-r5](https://reader036.fdocuments.net/reader036/viewer/2022092622/587743471a28ab342e8b7507/html5/thumbnails/188.jpg)
188
Contact our Sales Office
Certified experts in FortiMail and email security
Certified experts in FortiWeb and web application firewall protection
Certified experts in FortiAP, FortiWiFi and wireless security
Sales Office: Tel. +39 049 8843198 DIGIT (5) [email protected]
www.lanewan.it
Over these years of partnership with the parent company, Lan & Wan Solutions has obtained all the specializations provided for in the various certification tracks, achieving the status of Partner Of Excellence.