FortiGate Antivirus Firewall
Overview
Fortinet Technologies
Network Security
Network security can be viewed from three perspectives:
controlling access to the inside of the network from outside the network
controlling access to the outside of the network from inside the network
controlling access between networks
The Nature of the Threat Has Evolved…
Fueling an Explosion of Point “Solutions”
FortiGate Antivirus Firewall
Network-level services:
Firewall
Intrusion prevention and detection
VPN
Traffic shaping
Application-level services:
Firewall
Intrusion prevention and detection
Virus protection
Content filtering for web connections and email
Secure Installation, Configuration, and Management
Secure management of your FortiGate unit can be assured in a number of ways:
IP/MAC binding
HTTPS for browser connections
SSH for command line connections (up to a maximum of 5 connections)
individual management accounts
separate user names and passwords
read-only
write-only
Web-based Manager
HTTP or HTTPS web browser
Windows, Mac, Linux
Configure and monitor a FortiGate unit
Configuration changes effective immediately
Download, save, and restore configurations
Command Line Interface
Serial port (RS232)
Network (Telnet, SSH)
Same configuration capabilities as the web-based manager
Advanced configuration capabilities
Firewall
A set of related programs located at a network gateway server
Protects the resources of a private network from users on other networks
NAT/Route and Transparent Modes
NAT/Route mode:
the FortiGate unit is visible to the network
all interfaces are on different subnets
policies control communications through the unit
the FortiGate unit acts as a gateway between private and public networks
Transparent mode:
the FortiGate unit is invisible to the network
policies control communications through the unit
NAT/Route Mode
Hide your internal addressing scheme behind a firewall
Transparent Mode
The firewall acts as a bridge and requires an IP address for management and updates
The FortiGate unit is invisible to the network
Firewall Problem!
Antivirus Protection
Antivirus protection falls under two categories:
host-based: a class of program that searches your hard drive or floppy disks for any known or potential viruses
network-based: resides on a server and has certain traffic at the gateway directed to it for antivirus scanning
Your FortiGate antivirus firewall identifies and blocks viruses at the network’s edge
Web Content Filtering
Control network usage by blocking access to:
categories of web sites (URL, FortiGuard)
particular web sites (URL)
any page that contains banned words or phrases
Systems are policy-based:
can associate a user or group of users with a list of prohibited URLs
can block by time of day, keeping working hours more productive
Script filter to block Java Applets, cookies, and ActiveX
Spam Filtering
Scans IMAP, POP3, and SMTP content
Blocks:
IP addresses
Email addresses
MIME headers
Banned words and phrases
Checks RBL and ORDBL (SMTP, POP3, IMAP)
Exempt lists to override block lists
Intrusion Prevention System (IPS)
real-time network intrusion detection sensor
attack signatures block more than 1400 attacks
user-defined signatures
configurable thresholds
policy-based
Static Routing
Configure routing to add static routes to control the destination of traffic exiting the FortiGate unit
Configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses
Policy Routing
Policy routing extends the functions of destination routing by routing traffic based on:
destination address
source address
protocol, service type, or port range
incoming interface IP address
Independent of the routing table
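A worked illustration of the ordering the two routing slides above describe (policy routes evaluated first and independently of the routing table, static routes as the fallback for everything else). This is an added example, not FortiGate code; the interface names, addresses and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All routes and packets below are constructed sample data, not real config.

@dataclass
class StaticRoute:            # destination IP address + netmask, and its gateway
    dest: ipaddress.IPv4Network
    gateway: str

@dataclass
class PolicyRoute:            # any field left as None matches everything
    gateway: str
    in_iface: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    protocol: Optional[int] = None            # IP protocol number (6 = TCP)
    dports: Optional[Tuple[int, int]] = None  # inclusive destination port range

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    protocol: int
    dport: int

def static_lookup(table: List[StaticRoute], dst: str) -> Optional[str]:
    """Destination routing: longest-prefix match on the destination address only."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen).gateway if hits else None

def policy_matches(rule: PolicyRoute, p: Packet) -> bool:
    """A policy route can match on incoming interface, source, destination, protocol and port."""
    return ((rule.in_iface is None or rule.in_iface == p.in_iface)
            and (rule.src is None or ipaddress.ip_address(p.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(p.dst) in rule.dst)
            and (rule.protocol is None or rule.protocol == p.protocol)
            and (rule.dports is None or rule.dports[0] <= p.dport <= rule.dports[1]))

def next_hop(policy: List[PolicyRoute], table: List[StaticRoute], p: Packet) -> Optional[str]:
    """Policy routes are consulted first, in order, without touching the routing
    table; only traffic no policy route matches falls back to destination routing."""
    for rule in policy:
        if policy_matches(rule, p):
            return rule.gateway
    return static_lookup(table, p.dst)

STATIC = [StaticRoute(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),    # default route
          StaticRoute(ipaddress.ip_network("10.20.0.0/16"), "10.0.0.254")]  # branch network
# Send HTTP from the 10.0.1.0/24 LAN over a separate link, whatever the destination.
POLICY = [PolicyRoute("198.51.100.1", in_iface="internal",
                      src=ipaddress.ip_network("10.0.1.0/24"), protocol=6, dports=(80, 80))]
```

Note that the HTTP packet to 10.20.3.4 leaves via 198.51.100.1 even though the static table has a more specific route for 10.20.0.0/16; that is what "independent of the routing table" means in practice.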
Routing Information Protocol (RIP)
distance-vector routing protocol
FortiGate implementation supports both RIP v1 (RFC 1058) and RIP v2 (RFC 2453)
RIP uses hop count as its routing metric, where each network is usually counted as one hop
network diameter is limited to 15 hops
RIP v2 enables RIP messages to carry more information; supports simple authentication and subnet masks
VLANs
Highly flexible, efficient network segmentation
Supported on models 60 and higher
IEEE 802.1Q
Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
A single FortiGate unit can provide security services and control connections between multiple security domains
NAT/Route and Transparent modes
Virtual Domains
ease of management
lower costs: one system with multiple firewalls
each virtual domain functions like a single FortiGate unit
exclusive firewall and routing services to multiple networks
traffic from each network is effectively separated from every other network
packets never cross virtual domain borders
NAT/Route and Transparent modes
Virtual Private Networks (VPN)
a private data network that uses the public telecommunication infrastructure
maintains privacy through the use of a tunneling protocol and security procedures
VPN
The FortiGate unit supports the following types of VPN:
PPTP and L2TP
IPSec
NAT traversal
DPD
IPSec redundancy
site-to-site tunnels
Hub and spoke topology
DHCP over IPSec
High Availability
provides fail-over between two or more FortiGate units
provides fail-over between links achieved using redundant hardware
matching FortiGate models running in NAT/Route mode
FortiGate units can be configured for either active-passive (A-P) or active-active (A-A)
supported on FortiGate models 60 and higher
Logging and Reporting
The FortiGate unit supports logging for various categories of traffic and configuration changes
You can configure logging to report:
traffic that connects to the firewall
network services used
traffic that was permitted by firewall policies
traffic that was denied by firewall policies
events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking
attacks detected by the IPS
virus incidents, intrusions, and firewall or VPN events or violations to system administrators using alert email
Updates and Support
antivirus and anomaly definitions are updated regularly
your FortiGate unit can be configured to:
accept push updates from the FortiResponse Distribution Network (FDN)
check the FDN regularly for updates following a schedule
FortiProtect Bulletins
emailed whenever updates are made to the antivirus or IPS databases
specifies the latest release numbers so you can confirm your FortiGate unit is up to date
distributed free of charge
sign up at www.fortinet.com
Online Help
Online help is available through the web-based manager screens
Access help through: contents, index, search
Documentation
In addition to online help, Fortinet offers a number of publications to assist you in maximizing the effectiveness of your FortiGate unit
Most of these publications are on the CD accompanying your FortiGate unit