Fortinet
Fortinet UTM firewall
![Page 1: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/1.jpg)
Fortinet Confidential
Affordable Hi-Class UTM
Ronnachit Bunchoo
Networks Consultant
IT Distribution Co., Ltd.
![Page 2: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/2.jpg)
We Pioneered a New Approach
The Fortinet Solution
• Real-time, integrated security intelligence
• ASIC-accelerated performance
• Lower total cost of ownership
• Easy to deploy / manage / use
Traditional Network Security Solutions
• Stand-alone, non-integrated security
• Mix of off-the-shelf systems and applications
• Higher total cost of ownership
• Difficult to deploy / manage / use
![Page 3: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/3.jpg)
UTM Surpassing Traditional Network Security
[Chart: market size, $ in billions, 2008 to 2013. Series: Firewall & VPN, (-0.5%) CAGR, values shown $2.2 and $2.1; UTM, 13.8% CAGR, values shown $1.7 and $3.2]
Source: IDC “Worldwide Network Security 2008-2012 Forecast and 2007 Vendor Shares: Transitions – Appliances Are More Than Meets the Eye”
![Page 4: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/4.jpg)
Evolution of Firewall Security
Complete Protection
![Page 5: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/5.jpg)
FortiGate: Integrated Architecture
[Diagram labels: Purpose-Built Hardware; Specialized OS; Fully Integrated Security & Networking Technologies; Hardened Platform; High Performance; Real-Time Protection; Firewall; VPN; Traffic Shaping; SSL Insp; DLP; WAN Opt; WLAN; Authentication; AV; IPS; Antispam; Web Filter; App Ctrl; Load Balancing; FortiGuard™ Updates; Support and Services; FortiCare™; FortiGuard Labs]
• Purpose-built to deliver overlapping, complementary security
• Provides both flexibility & defense-in-depth capabilities
![Page 6: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/6.jpg)
Disruptive Technology Platform
ASICs accelerate FortiOS security and network functions
Enables faster performance against competitors
Multiple ASICs targeting key functions
Mature design across FortiASICs
Custom built operating system
Architected for security and networking demands
Leverages custom hardware platform
Mature OS - At version 4.0 MR2 today
![Page 7: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/7.jpg)
FortiASIC Specialized Processors
• FortiASIC Content Processor (CP) Series
− Pattern-Match Acceleration
− Encryption / Decryption (e.g. IPSec, SSL-TLS)
• FortiASIC Network Processor (NP) Series
− Firewall Acceleration
− IPSec VPN Acceleration
• FortiASIC Security Processor (SP) Series
− Additional IPS Acceleration
− Unicast, Multicast Acceleration
![Page 8: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/8.jpg)
Firewall
Policy Management
• Section & Global View
• Session Monitor & Widgets
• Policy Objects, Object tagging & Coloring
• Traffic counters
NAT
• Static NAT, Dynamic NAT Support
• Central NAT Table
Traffic Support
• SCTP, GTP, ICMP
• Session helpers & ALGs
Hardware Acceleration*
• High performance across all packet sizes
• Ultra-low latency
Innovative features that allow accurate and effective policy setup
Policy Table
*applicable to supported models
![Page 9: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/9.jpg)
Policy Management
FortiGate as Firewall
• Rules = Security policies
− Beyond firewall functionality
− Includes optional instructions, e.g. scan for viruses, detect hacker attacks, traffic shaping, etc.
• Controls traffic as it traverses the device
− Interfaces, zones (groups of interfaces), VLANs and SSID segments
[Diagram: Firewall Policy (SRC, DST, SRV, ACT) with Profiles (AV, IPS, WF, MF, DLP, VM, AppCltr, Endpt Cltr)]
![Page 10: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/10.jpg)
H/W Acceleration Firewall
[Diagram: packet flow. Legacy Security Gateway Appliances: Interfaces (1GE), CPU, Memory. FortiGate Security Gateway Appliances: Interfaces (1GE), FortiASIC NP, CPU, Memory; low latency, wire-speed throughput]
![Page 11: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/11.jpg)
In-box AV functions
FortiGate as AV Gateway
• Network based, no agents required on hosts
• Can be proxied or flow based
• Signature set options: Normal, Extended, Extreme or Flow*
• File Quarantine if local storage is available
Antivirus
* Features subject to FortiGate model
![Page 12: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/12.jpg)
FortiGuard AV Service
Antivirus
Fortinet
![Page 13: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/13.jpg)
Why firewall is not enough
STATEFUL INSPECTION FIREWALL
Inspects packet headers only – i.e. looks at the envelope, but not at what’s contained inside
DATA PACKETS
http://www.freesurf.com/downloads/Gettysburg
Four score and BAD CONTENT our forefathers brou
ght forth upon this continent a new nation,
n liberty, and dedicated to the proposition that all
Packet “headers” (TO, FROM, TYPE OF DATA, etc.): OK
Packet “payload” (data): Not Scanned
Antivirus
![Page 14: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/14.jpg)
Flow-based (Stream-based) Inspection
FLOW-BASED INSPECTION
Performs a packet-by-packet inspection of contents
But can easily miss complex attacks that span multiple packets
http://www.freesurf.com/downloads/Gettysburg
Four score and BAD CONTENT our forefathers brou
ght forth upon this continent a new nation,
n liberty, and dedicated to the proposition that all
[Diagram: each packet inspected on its own; labels shown: OK, OK, OK, Undetected, !]
• Fragmentation can hide malicious content
• True security relies on multiple security layers
Antivirus
![Page 15: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/15.jpg)
File-based (Complete Content) Inspection
FILE-BASED INSPECTION
1. Reassemble packets into content
http://www.freesurf.com/downloads/Gettysburg
Four score and BAD CONTENT our forefathers
brought forth upon this continent a new nation,
n liberty, and dedicated to the proposition that all
2. Compare against disallowed content and attack lists
DISALLOWED CONTENT: BAD CONTENT, NASTY THINGS, NASTIER THINGS
ATTACK SIGNATURES
Antivirus
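The difference between the packet-by-packet and reassembled inspection slides above, as an added example that is not part of the original deck: the same toy signature is matched per packet, after full reassembly, and (going beyond the slides) in a streaming scan that carries a short tail between packets. The `Segment` type, the function names and the sample splits are assumptions constructed for illustration; the "BAD CONTENT" string and sample sentence are taken from the slides.

```python
"""Constructed demo: per-packet vs. reassembled signature matching."""
from dataclasses import dataclass

# Toy signatures: the placeholder strings used on the slides, not real patterns.
SIGNATURES = [b"BAD CONTENT", b"NASTY THINGS"]


@dataclass(frozen=True)
class Segment:
    offset: int     # byte offset of this payload within the stream (hypothetical field)
    payload: bytes


def scan_per_packet(segments):
    """Match every payload in isolation, as in the packet-by-packet slide."""
    return {sig for seg in segments for sig in SIGNATURES if sig in seg.payload}


def reassemble(segments):
    """Rebuild the content: order by offset, ignore retransmitted bytes, refuse gaps."""
    content = bytearray()
    for seg in sorted(segments, key=lambda s: s.offset):
        if seg.offset > len(content):
            # Scanning around a hole would silently skip data, so fail closed.
            raise ValueError(f"missing bytes at offset {len(content)}")
        content += seg.payload[len(content) - seg.offset:]
    return bytes(content)


def scan_reassembled(segments):
    """Step 1 reassemble, step 2 compare, as in the file-based slide."""
    content = reassemble(segments)
    return {sig for sig in SIGNATURES if sig in content}


def scan_streaming(segments_in_order):
    """In-order scan that keeps only the last (longest signature - 1) bytes
    between packets, so a pattern split across a boundary is still seen
    without buffering the whole file."""
    keep = max(len(sig) for sig in SIGNATURES) - 1
    tail, hits = b"", set()
    for seg in segments_in_order:
        window = tail + seg.payload
        hits.update(sig for sig in SIGNATURES if sig in window)
        tail = window[-keep:] if keep else b""
    return hits


def make_segments(data, cut_points):
    """Split data into Segments at the given byte offsets."""
    bounds = [0, *cut_points, len(data)]
    return [Segment(a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed sample content, based on the sentence shown on the slides.
TEXT = (b"Four score and BAD CONTENT our forefathers brought forth "
        b"upon this continent a new nation")

# Split as drawn on the slides: the pattern sits inside the first packet.
INTACT = make_segments(TEXT, [TEXT.index(b"ght forth")])

# Split so that the packet boundary falls inside the pattern.
_cut = TEXT.index(b"BAD CONTENT") + 4
SPLIT = make_segments(TEXT, [_cut, _cut + 30])

if __name__ == "__main__":
    for name, segs in (("intact", INTACT), ("split", SPLIT)):
        print(name, "per-packet :", sorted(scan_per_packet(segs)))
        print(name, "streaming  :", sorted(scan_streaming(segs)))
        # Reversed order stands in for packets arriving out of order.
        print(name, "reassembled:", sorted(scan_reassembled(segs[::-1])))
```

The streaming scan assumes in-order delivery; the reassembled scan tolerates reordering and retransmission but needs memory for the whole object, which is the processing cost the next slide refers to.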
![Page 16: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/16.jpg)
File-based Inspection Requires Enormous Processing Power
[Chart: PROCESSING POWER REQUIRED (scale 1, 10, 100, 1000) against time (1990, 1995, 2000, Today). Inspection types: Stateful inspection, Flow-based Inspection, File-based Inspection. Threats: Simple Intrusions, Denial of Service Attacks, Sophisticated Intrusions, Email Spam, Viruses, Trojans, Worms, Inappropriate Web Content]
Antivirus
![Page 17: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/17.jpg)
Overview IPS
IPS Signatures
• Over 7,000+ Signatures
• Integrated FortiGuard IPS encyclopedia
• Zero-day Threat Protection
• Custom Signatures
• Signature Filtering
• User Quarantine
• Packet Logging
DOS Protection
• Rate based - set thresholds for various types of network operations
Deployment Options
• Sniffer Mode
• Bypass Interface & FortiBridge
Low latency, superior coverage and cost/performance integrated IPS
2012 NSS Security Value Map
![Page 18: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/18.jpg)
FortiGuard Service
Zero-Day Research
• Reported over 153 vulnerabilities, 124 of which have been disclosed and fixed by the appropriate vendor(s)
IPS
FortiGuard Center
• FortiGuard Encyclopedia – detailed description of known threats
• IPS Updates log (RSS Feed)
• Vulnerability Advisories
• Threat Monitor – Top attacks by geographic breakdowns
![Page 19: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/19.jpg)
IPS/IDS - Signature
>> Network <<
>> Content <<
• Signature Update Automatically
IPS
![Page 20: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/20.jpg)
Performance IPS
FortiGate 3240C also beats all IPS competition with Lowest Latency
![Page 21: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/21.jpg)
Anti-SPAM
• FortiGuard Anti-SPAM
>> Network <<
>> Content <<
![Page 22: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/22.jpg)
Overview Web Filter
URL Filtering
• URL, web content, MIME Filtering
• Time usage Quota
• Transparent Safe Search
• Policy Objects, Object tagging & Coloring
• Local Rating & Category
• User override option
Proxy Avoidance Prevention
• Proxy Service Site blocking
• Language translation & Cache blocking
• Rate site by IP addresses
• Application Control – Proxy avoidance category
• IPS proxy behavior detection
…
Web Filtering Block Page
![Page 23: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/23.jpg)
Web Content Filtering – HTTP, HTTPs
>> Network <<
>> Content <<
Web Filter
![Page 24: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/24.jpg)
Web Content Filtering - Manual
Web Filter
![Page 25: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/25.jpg)
Overview Application Control
Application Control Sensors
• Over 2,400+ Signatures, 19 Categories
• Advanced IM control
• Application Control Traffic Shaping
• SSH Inspection
• Custom Signatures
More flexible and fine-grained policy control
Increased security
Deeper visibility into network traffic
FortiGuard Application library
![Page 26: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/26.jpg)
Application Sensor
Ease of use
• Select applications using filters or search by application names
Flexibility
• Applies different profiles to users, IPs, IP ranges and subnets and their respective destinations in the security policies.
Application Control
![Page 27: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/27.jpg)
What is inside port “80”
Application Control
![Page 28: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/28.jpg)
Facebook Control Application Control
Facebook Like Facebook Chat Facebook Post Facebook Apps
![Page 29: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/29.jpg)
![Page 30: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/30.jpg)
User based Policy
User Identity based Security Policies
• Assign access policy and profiles to each user group or user
• Users/members of user groups can be defined locally or integrated with external services
• Result: each user/user group is assigned its respective access list and UTM profiles
[Diagram: Policy with SRC (User Group #1, User #1, User #2), DST #1, DST #2, Service Port #1, Service Port #2, UTM Profile #1, UTM Profile #2]
User Identity
![Page 31: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/31.jpg)
Single Sign-On with NTLM
• Is used when the MS Windows Active Directory (AD) domain controller cannot be contacted
• Browser-based method of authentication
• Option for guests or users with unsupported browsers to bypass NTLM on CLI
1. User attempts access to network and gets prompted by FortiGate for user credential
2. Credential information is provided by browser
3. FGT queries Windows AD
SSO User Identity
![Page 32: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/32.jpg)
Single Sign-On with Radius (RSSO)
• Users get authenticated by Radius Server (e.g. access control)
• Radius Accounting message, with an attribute-value pair that refers to the user group a user belongs to, along with IP address info, is forwarded to FortiGate
• FortiGate uses a listening agent and maps the info to its own context table. When a session enters, it looks up the table to determine its action based on the identity-based policies configured
[Diagram label: IP, usergroup_x]
RSSO User Identity
![Page 33: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/33.jpg)
Guest Access
Temporary user Provisioning & Access
• Allow non-IT staff to create Guest account via web portal
− Specialized admin-id for guest access management
• Assign time quota, generate temp password
• Distribute guest credentials by printing, email or SMS
• Batch guest users creation option
User Identity
![Page 34: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/34.jpg)
Overview Device Identity
Device Identification
• Device & OS Fingerprinting
• Device Classification & Management
• Contextual Device Information
Device Based Policies
• Policies using Device/Device Group
Identify device type to add into contextual information for better visibility
Enforce policies based on device types or devices
Allow organization to embrace BYOD environment securely
Device Group List
![Page 35: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/35.jpg)
Device Identification Device Identity
[Diagram labels: INTERNET; DMZ; FC; Agentless; with Agent]
![Page 36: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/36.jpg)
Device Management Device Identity
Device Group Management
Manual add/edit Devices
Status
Connection Information
User Information
Device Definition
Multiple MAC address merge
![Page 37: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/37.jpg)
Traffic Status System Administration
Traffic History Widget
• Illustrates traffic usage statistics over time – by sessions or volume
• Supports drill-down at a specific time
• Relies on traffic logs on local storage
![Page 38: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/38.jpg)
Threat Status System Administration
![Page 39: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/39.jpg)
Network Management
sFlow
• Monitors the traffic on the network to identify areas on the network that may impact performance and throughput
• sFlow Agent is embedded in the FortiGate unit and sends the sampled traffic to an external 3rd party sFlow Collector/Analyzer
• Available on CLI only
System Administration
3rd Party sFlow Analyzer - sFlow Trend
![Page 40: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/40.jpg)
Overview Routing & Network Services
Routing
• Link Redundancy and load balancing
• Policy Routing
• Dynamic Routing Protocol Support: RIP, BGP, OSPF, IS-IS
• Multicast Routing
Interface Features
• VLANs, 802.3ad port aggregation, STP, redundant interface, loopback, hardware & software switch, Security Modes
• Sniff/One-arm Mode
Network Services
• Content Routing – WCCP and ICAP Support
• DHCP & DNS Server
Robust L3 and L2 capabilities to facilitate a wide variety of network design and setup requirements
Route Monitor
FortiGuard Network Services
• Free NTP, DDNS & DNS service
![Page 41: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/41.jpg)
Link Redundancy
ECMP
• Source IP Based (Hash)
• Weight-based
− Next-hop based on gateway weight
• Spillover, Usage-based
− Next-hop based on traffic to gateway
Routing & Network Services
![Page 42: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/42.jpg)
Policy Based Routing
Features:
• Policy routes are applied before destination routes
• Can be used to create multiple routes to the Internet
− Static load-sharing
• Routing decision can be made from:
− Source addresses
− Protocol, service type, or port range
− Incoming interface
− ToS
Routing & Network Services
[Diagram labels: HTTP; Other Traffic]
![Page 43: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/43.jpg)
WCCP
[Diagram labels: WCCP Server; WCCP Client]
Features:
• Supports WCCPv1, WCCPv2
• L2 and GRE Mode
• May operate either as Server or Client (per VDOM)
• Uses Port 2048
• Option for Authentication, GRE Encapsulation
• CLI Commands
Routing & Network Services
![Page 44: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/44.jpg)
Network Services
DHCP Service
• DHCP Relay and WINS support
• DHCP server
− Multiple IP-pools for each interface
− Exclude ranges and IPs
− DHCP IP Reservation
− DHCP Options support
• IPv6 DHCP
• DHCP Monitoring
Routing & Network Services
![Page 45: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/45.jpg)
Network Services
DNS Service
• Integrated Basic DNS Server
− Per-VDOM support
− In transparent and NAT/Route mode
• Recursive DNS (split DNS)
• IPv6 DNS
• Dynamic DNS support
Routing & Network Services
![Page 46: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/46.jpg)
Network Services
DDNS Service
• FortiGuard DDNS Server
− Provided with valid FortiCare contracts
− Ease of setup
− Suitable for VPN deployment and remote administration.
Routing & Network Services
![Page 47: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/47.jpg)
Wireless LAN Overview
![Page 48: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/48.jpg)
Ubiquitous Access Unified Access Layer
DIGITAL ASSET
• Content Inspection
• Attack Mitigation
• User Identification
• Access Control
![Page 49: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/49.jpg)
Fortinet Secure WLAN Approach
Corporate Wi-Fi
Captive Portal, 802.1x—Radius /shared key
Assign users and devices to their role
Examine wireless traffic to remove threats
Apply policy to users and applications
Identify applications and destinations
Report on policy violations, application usage, destinations and PCI DSS
Ensure business traffic has priority
No additional licenses needed
![Page 50: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/50.jpg)
Thick vs. Thin Fortinet APs
FortiAP
![Page 51: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/51.jpg)
FortiAP – Simple and Secure
• Traffic flows to controller
• Increased control
• No trunking
• No VLAN management
• No Layer-3 roaming, just fast Layer-2 switching
• No need to re-DHCP
• Controller Redundancy
VLANs
![Page 52: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/52.jpg)
Fortinet 802.11n AP family
FAP-221B
FAP-222B
FAP-210B
FAP-320B
FAP-223B
FAP-112B
FAP-28C
FAP-14C
FAP-11C
![Page 53: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/53.jpg)
FortiGate + FortiAP = Unified Access Layer
FortiGate
Wi-Fi Controller
Switch
Firewall, Antivirus, Antispam, WAN Optimization, Web Filtering, Application Control, Intrusion Prevention, VPN
Single Management System
Lower cost of acquisition
Lower cost of ownership
Improves security provisioning
Overlay Wireless Management system
FortiAP
![Page 54: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/54.jpg)
Problem: Poor Business Application Performance
Client #1 Client #2
Priority App
Non-Priority App
Non-Priority App
YouTube
WebEx
• Clients and applications on wireless networks compete with each other for shared bandwidth
• 802.11e, Wireless Multimedia Extensions (WME), doesn't solve this problem, as business applications like Remote Desktop, VNC, Webex, etc. are not prioritized differently
![Page 55: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/55.jpg)
Solution: Fortinet Application Control
Application Control uses Layer-7 inspection to ensure bandwidth guarantees are provided for business-critical applications
Fortinet Application Control Sensors
• Over 2,400+ Signatures, 16 Categories
• Advanced IM & P2P control
• Application Control Traffic Shaping
• SSL Content Inspection
Client #1 Client #2
High Priority App
Priority App
Non-Priority App
Non-Priority App
Priority App
Youtube
Webex
![Page 56: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/56.jpg)
WIDS
Wireless Intrusion Detection System
• WiFi protocol & RF level attack detection
• Detection includes attacks & vulnerabilities such as:
» Weak WEP Encryption Usage
» Null SSID Probes
» Deauth Broadcasts
» Various Management, EAP, Auth & Beacon floods
![Page 57: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/57.jpg)
24/7 “on-wire” Rogue AP Detection & Suppression
Rogue AP Detection
» Determines whether an AP is indeed a Rogue device connected to your physical wired LAN network
Rogue AP suppression
» ‘DeAuthentication Frames’ are sent to render unauthorized Rogue APs unusable by clients
![Page 58: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/58.jpg)
Remote AP with Local Bridging
• Bridges WiFi traffic to FortiAP Ethernet port
• No u-turn to HQ to access local network
• Resiliency in case of WAN failure
[Diagram labels: Headquarters; Internet; WAN]
![Page 59: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/59.jpg)
Remote Telecommuter / Road Warrior
• Data is encrypted
• Automatic connection to HQ
• Multiple devices can share WiFi
[Diagram labels: Headquarters; Internet]
![Page 60: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/60.jpg)
High Density Features
• AP Handoff
• Frequency Handoff (Band Steering)
• Auto TX Power Control
![Page 61: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/61.jpg)
Automatic Radio Resource Provisioning
CH 1, CH 6, CH 11
• Channel Assignment
» Automatically assigns non-overlapping channels
» Selects channels with least noise and interference
» Reduces chatter between APs
• Auto TX Power
» Changes radio transmission power settings automatically
![Page 63: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/63.jpg)
Automatic Radio Resource Provisioning
CH 1, CH 6, CH 11
• Interference Avoidance
» Microwave ovens, cordless phones, baby monitors, etc. all emit RF interference
» FortiAPs frequently sample RF spectrum for sources of interference
» Changes channel and TX power to avoid RF interference impacting Wireless LAN
![Page 64: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/64.jpg)
Beamforming: FAP-221B/FAP-223B/FAP-320B
• Radio “beams” add at the device to enhance the signal and link-rate
[Diagram labels: BB/MAC; Radio (x3); TX; RX; TR SW]
![Page 65: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/65.jpg)
Wireless Mesh
• Dynamic Multi-hop Mesh with resiliency
• Point-to-point / Multipoint Bridging
![Page 66: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/66.jpg)
Building to building bridging
5 GHz (40 MHz wide), 300 Mbps max rate
Wired PC
2.4 GHz (20 MHz wide), 150 Mbps max rate
CAPWAP tunnel
Note: only one of the radios can be used for Mesh, user selectable
External N type directional antennas supported
![Page 67: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/67.jpg)
BYOD – Device Identification and Policy
Identification
• Device
• User
• Application
Policies
• Enforcement on Device/User/App
![Page 68: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/68.jpg)
Granular Visibility and Control Applications
![Page 69: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/69.jpg)
Guest Access to Secure Wireless LAN
• Temporary user Provisioning & Access
− Allow non-IT staff to create Guest account via web portal
− Assign time quota
− Generate temporary password
− Distribute guest credentials:
▪ Print
▪ Email
▪ SMS
− Batch guest users creation option
• Enables Guest Access to the Secure WLAN via a Captive Portal.
![Page 70: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/70.jpg)
Questions?
![Page 71: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/71.jpg)
Security Gateway Comparison
[Table legend: Partner Supplied; Internally Developed; Not available]
![Page 72: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/72.jpg)
Certifications on the Security Gateway
[Table legend: Some products are certified; Passed; Certification not conducted]
![Page 73: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/73.jpg)
UTM Market Leadership Across the Board
Fortinet is the leading vendor in the UTM security appliance market.
Fortinet is a “Leader” in Gartner’s Multi-Function Firewall Segment
Fortinet Named ONLY “Market Leader” in Frost & Sullivan World UTM Report
Source
(1) IDC Quarterly Appliance Tracker, June 2009 (based on revenues)
(2) Gartner, Inc., “1H09 MultiFunction Firewall Magic Quadrant” by G. Young and A. Hils, June X, 2009.
(3) 2007 Frost & Sullivan Award for “Market Leadership in UTM” and “Global Competitive Strategy Leadership of the Year"
![Page 74: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/74.jpg)
NSS Labs 2013 Firewall Security Value Map (SVM)
• The FortiGate-800c was rated by NSS Labs at 9.7 Gbps out of the 20 Gbps claimed by the vendor [1]. The 800c scored 100% for Stability, 100% for Evasion, 100% for Leakage, and 100% in the central management review, all of which resulted in a TCO of $4 per protected megabit, and 100% for security and management effectiveness.
• Firewall Security Value Map
− 100% Security Effectiveness
− $4 TCO per protected Mbps
▪ Juniper, Check Point, Stonesoft 4X+ TCO
• Firewall Comparative Analysis Report
− Detailed competitive analysis
![Page 75: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/75.jpg)
Best Protected Throughput and Maximum Security
[Chart: 2013 Firewall Security Value Map (Firewall SVM). Vertical axis: Enterprise Management & Security Effectiveness, 0% to 100%. Horizontal axis: Price per Protected-Mbps, $1 to $8192. Average marked on both axes. Products plotted: Fortinet FortiGate 800C, Juniper SRX 550, Palo Alto Network PA-5020, Dell/SonicWALL E4500, Barracuda F800, Netgear UTM9S, WatchGuard XTM 1050, Cyberoam CR2500i NG, Check Point 12600, Stonesoft 1301, Netsaq 800C, Sophos UTM 425]
![Page 76: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/76.jpg)
Predictable Performance for all packet size
• Fortinet’s Fortigate 800c was the only device to demonstrate anything close to line rate capacity with packet sizes from 1514 bytes all the way down to 64 bytes. In addition, it was the only device to consistently demonstrate latency of less than 10 microseconds.
• The competitors cannot compete with our predictable performance.
![Page 77: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/77.jpg)
Latency μs (64 byte packets)
![Page 78: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/78.jpg)
Security & Performance
• The Chart depicts the relationship between protection and performance. Further up indicates better security effectiveness, and further to the right indicates higher throughput.
![Page 79: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/79.jpg)
BreakingPoint Resiliency Score
Others Not Pass
Fortigate is one of the two firewalls that passed BreakPoint Firestorm CTM5, a performance test suite recognized worldwide, which shows that Fortigate is the fastest firewall in the world.
![Page 80: Fortinet](https://reader035.vdocuments.mx/reader035/viewer/2022062712/563dba6e550346aa9aa58f9c/html5/thumbnails/80.jpg)
Thank you