© Copyright Fortinet Inc. All rights reserved.
Protect and Manage with FortiGate, FortiManager, & FortiClient
Q1 2017 Presented By: Luke Worrall, Fortinet Channel SE
2
Fortinet: Global Network Security Leader Mission
Fortinet’s mission is to deliver the most innovative, highest
performance network security fabric to secure and simplify your IT
infrastructure. We are a leading global provider of network security
appliances and software for carriers, data centers, enterprises and
distributed offices.
3
Fortinet: Global Network Security Leader Highlights: 2000 - present
4,650
EMPLOYEES WORLDWIDE
100+ OFFICES
ACROSS
THE GLOBE
358 PATENTS
292 IN
PROCESS
ISSUED
2.8m SHIPPED
SECURITY
DEVICES
300K CUSTOMERS
$1bn REVENUE
IN EXCESS OF
$1.3bn
IN CASH
30% YEAR ON YEAR
GROWTH
2000 BY KEN XIE
FOUNDED IN
HEADQUARTERED IN
SUNNYVALE
CALIFORNIA
Advanced Threat
Intelligence
Access
Client Cloud
Partner API
NOC/SOC
Network
Application BROAD
POWERFUL
AUTOMATED
The Fortinet Security Fabric
is the vision that delivers on
the promise of Security
without Compromise:
5
Description Fortinet Check Point Cisco Palo Alto Networks Juniper FireEye
NSS - Firewall NGFW Recommended Recommended Recomm. & Neutral Neutral Neutral x
NSS - Firewall DC Recommended x x x x x
NSS - Breach Detection Recommended x 2 Recommended Neutral Recomm. & Caution x Neutral
NSS - WAF Recommended x x x x x
NSS – Next Gen IPS Recommended x Recommended Neutral x x
NSS - Data Center IPS Recommended x x Recommended Recommended x
BreakingPoint Resiliency Record High - 95 x x Poor - 53 x x
ICSA ATD (Sandbox) ✔ ✔ x ✔ x x
ICSA Network Firewall ✔ ✔ x ✔ ✔ x
ICSA Network IPS ✔ ✔ x x x x
ICSA Antivirus ✔ x x x x x
ICSA WAF ✔ x x x x x
VB 100 ✔ Caution x x x x
AV Comparative ✔ x x x x x
Common Criteria ✔ ✔ ✔ ✔ ✔ ✔
FIPS ✔ ✔ ✔ ✔ ✔ ✔
UNH USGv6/IPv6 ✔ ✔ ✔ ✔ ✔ x
Unparalleled 3rd Party Certification
6
CPU Only Vendors vs SPU Driven Fortinet Approach
Parallel Path Processing (PPP)
Packet
Processing
Content
Inspection
Policy
Management
CPU Only
Policy Management
Packet Processing
Deep Inspection
More Performance
Less Latency
Less Power
Less Space
CPU
Optimized
SoC
The Fortinet CP9 SPU
8
The Fortinet CP9 SPU : Ready for SSL Inspection
SSL Boost
Pattern Matching Engine - offload
Suite B Cryptographic Support
CP8 CP9 Intel Xeon
VPN Performance
C9 Xeon
Power Consumption
15x More Efficient and Faster vs Intel !!!
9
Content Processor Comparison
CP8 CP9 (New) Intel Xeon
E5*
Cost $ 7 < $14 $880
Power
Consumption 3.5 W 7 W 95 W
Gate Count
(Transistors) ~ 60 Million ~ 150 Millions 2270 Millions
Technology 90 nm 40 nm 32 nm
Content Processor Advantage: ✔ Superior Cost/Performance
✔ Energy Efficient
CPU
GPU FPGA SPU
10
The Fortinet CP9 SPU
10
44
7
CP 9 CP 8 CPU
SSL VPN (Gbps)
10
20
6
IPS (Gbps)
8
100
13
SSL (Connections/000s Second)
CPU Numbers based on Intel E5 -2640 V2 (8 Core 2Ghz)
Setting the Benchmark Higher
11
Comparing Our SoC SPUs
SoC1 SoC2 SoC3
Firewall v4 1 Gbps 1.5 Gbps 3 Gbps
Firewall v6 No fast path No fast path 3 Gbps
IPSec VPN 70 Mbps 1 Gbps 1.5 Gbps
IPS Up to 135 Mbps Up to 275 Mbps 1.4 Gbps
Session Rate Up to 3 K Up to 5 K Up to 30K
Concurrent Host Memory Host Memory Host Memory
GRE - - -
CAPWAP/ Syn Proxy - - -
12
FortiGate/FortiWiFi
13
Security Services and Technologies
App Control Antivirus Anti-spam
IPS Web App Database
Web
Filtering
Vulnerability
Management
IP
Reputation
Mobile
Security
NEW
Firewall
VPN
Application Control
IPS
Web Filtering
Anti-malware
WAN Acceleration
Data Leakage Protection
Wi-Fi Controller
Advanced Threat Protection
14
The FortiGuard Minute
Per Minute
21,000 Spam emails intercepted
470,000 Network Intrusion Attempts resisted
95,000 Malware programs neutralized
160,000 Malicious Website accesses blocked
32,000 Botnet C&C attempts thwarted
43 million Website categorization requests
Per Week
46 million New & updated spam rules
1,000 Intrusion prevention rules
108 million New & updated AV definitions
1.4 million New URL ratings
8,000 Hours of threat research globally
Total Database
190 Terabytes of threat samples
18,000 Intrusion Prevention rules
5,800 Application Control rules
250 million Rated websites in 78 categories
312 Zero-day threats discovered
Based on Q2 2016 data
Image: threatmap.FortiGuard.com
15
ENTRY LEVEL
30- 90 SERIES
MID RANGE
100-900 SERIES
HIGH END
1000-3000 SERIES
Distributed Enterprise
SMB »SOC Based
»FW Throughput ~ 4 Gbits/s
»NGFW Throughput ~ 400 Mbit/s
»Ports 1Ge
ENTERPRISE FIREWALL
FortiGate - Network Security Appliance
CHASSIS
5000 & 7000
NGFW
Branch Office »NP + CP Based
»FW Throughput ~ 50 Gbits/s
»NGFW Throughput ~ 5 Gbit/s
»Ports 1Ge 10Ge
Data Center
NGFW »Multiple NP + CP Based
»FW Throughput ~ 300 Gbits/s
»NGFW Throughput ~ 30Gbit/s
»Ports 10Ge, 40Ge & 100Ge
Carrier
Data Center »Blade NP + CP Based
»FW Throughput ~ 1Tbps
»NGFW Throughput ~ 100Gbit/s
»Ports 10, 40 & 100G
16
FortiGate Virtual Appliance Series
FG-VM
Primary Benefits:
✔ Increased visibility and security within virtualized infrastructure
better protect critical resources
✔ Ability to manage virtual appliances and physical appliances from
a single pane of glass management platform reduces TCO
✔ Comprehensive Hypervisor support
✔ Feature-rich security and virtual networking support facilitate
wide deployment and requirement options
Agile Security for Virtual Environments
VMware
ESXi
Citrix
Xen Xen KVM MS
Hyper-V
Amazon
AWS
MS
Azure
17
a/b/g/n /ac
New SoC3 SPU based FortiGate 60E Series
3 Gbps Firewall throughput
1.3 Million Concurrent Sessions
30,000 New Sessions/Sec
200 100 10
Small Business / Remote Office
Recommended up-to 50 Devices
① 2 x GE RJ45 WAN Ports
② 1 x GE RJ45 DMZ Port
③ 7 x GE RJ45 Ports
④ WiFi Variant: 802.11a/b/g/n/ac
Yes
350 Mbps IPS Throughput
250 Mbps NGFW Throughput
180 Mbps Threat Protection Throughput
SOC3
18
New SoC3 SPU based FortiGate 80E Series
4 Gbps Firewall throughput
1.3 Million Concurrent Sessions
30,000 New Sessions/Sec
200 100 32
Small Business / Remote Office
Recommended up-to 50 Devices
① 12 x GE RJ45 WAN Ports
② 2 x GE RJ45 DMZ Port
③ 2 x GE RJ45 Shared Media Ports
Yes
450 Mbps IPS Throughput
360 Mbps NGFW Throughput
250 Mbps Threat Protection Throughput
a/b/g/n /ac
SOC3
19
New SoC3 based RPS supported FortiGate 100E
7.4 Gbps Firewall throughput
2 Million Concurrent Sessions
30,000 New Sessions/Sec
600 1000 64
SMB / Remote Office
Recommended for 150 Devices
Yes
500 Mbps IPS Throughput
360 Mbps NGFW Throughput
250 Mbps Threat Protection Throughput
① 14x GE RJ45 Ports
② 2x GE RJ45 DMZ Ports
③ 2x GE RJ45 HA Ports
④ 2x GE RJ45 WAN Ports
⑤ 2x GE RJ45/SFP Shared ports
⑥ Supports Redundant Power Supply
SOC3
20
NGFW Refresh – CP9 SPU based New FortiGate 200E
① 16x GE RJ45 Ports
② 4x GE SFP
③ Supports Redundant Power Supply
20 Gbps FW Throughput
Maximize Threat Protection
6 Gbps IPS Throughput
1.8 Gbps NGFW Throughput
FortiGate 200D vs 200E Performance
NGFW Threat Prevention SSL Inspection
2
1.8
1.6
1.4
1.2
1
0.8
0.6
0.4
0.2
0
Gb
ps
(E
nt
Mix
Tra
ffic
)
21
FortiManager
22
Administrative Domains (ADOMs) • Enables the primary ‘admin’ to create Virtual Management Domains
containing devices for other administrators to monitor and manage
Hierarchical Objects & Policy Management • Create Global Objects and Policies
• Assign to ADOM or groups of ADOMS
• Create device configuration templates to quickly configure a new Fortinet
appliance
Web Portal SDK • JSON-based API allows MSSPs to offer administrative web portals to
customers
Introducing FortiManager
* Capabilities varied by Models
Locally Hosted Security Content • Allows administrators better control over security content updates and
provides improved response time for rating databases.
• Run a local copy of AV, IPS, URL, A/S signature databases.*
Tools that effectively manage any size Fortinet security
infrastructure, from a few to thousands of appliances
23
What is FortiManager?
Minimizes both initial costs & ongoing operating expenses for
large deployments
Reduces WAN usage with Local FortiGuard cache server
Centralizes Device Management for many Fortinet products
» Device provisioning
» Monitoring
» Logging and reporting
24
Key Features
Configuration revision control and tracking
Centralized Management
Administrative Domains
Local FortiGuard service provisioning
Firmware management
Scripting
Logging and reporting
25
What’s New in FortiManager 5.4?
New GUI
» Updated, flat look & feel
» Simplified navigation
» Consolidated w/ FOS 5.4
New Central Management Modules
» Wireless APs (FortiAPs)
» Endpoints (FortiClient)
» WAN Link Loadbalancing (WLB)
VPN
» New VPN wizards, GUI
» Centralized SSL VPN
User Management
» Centralized FSSO
» Central LDAP integration
Large Deployments
» Service licensing & VDOMs
» Object clean-up tools
(unused, duplicate, etc.)
» New options for dedicated FortiGuard
Server (tuned for dedicated function)
26
FortiManager Functions
Device Manager
Policy & Objects
AP Manager
FortiClient Manager
VPN Manager
FortiGuard
Settings
27
Policy & Objects
Customize Policy Packages
Create Objects that can be shared
Copy or clone packages
28
AP Manager
AP Manager can be used to configure and assign profiles to one
or more FortiAP devices.
You can configure multiple profiles that can be assigned to
multiple devices
29
FortiClient Manager
FortiClient Manager is used to configure FortiGate interfaces and
assign FortiClient profile packages to one or more FortiGate
devices or VDOMs.
Profile packages are installed to devices when you install
configurations to the devices
30
VPN Manager
You can use VPN Manager to create and monitor full-meshed,
star, and dial-up IPsec VPN communities.
IPsec VPN communities are also sometimes called
VPN topologies.
You can also use the VPN Manager to create and monitor Secure
Sockets Layer (SSL) virtual private networks (VPN). You can also
create and manage SSL VPN portal profiles
31
FortiManager Models
Physical
» Models are based on multiple scalability factors
Hardware form factor
Total interfaces and types
Storage capacity
Hot swappable hard drives
Redundant hot-swap power supplies
Virtual Machine (VM)
» VmWare ESX/ESXi, Microsoft Hyper-V, and Amazon Web Services
» Stackable License Model
32
FortiManager Series
FMG-200D FMG-300D FMG-300E FMG-400E FMG-1000D
Max. Devices 30 300 100 300 1,000
Max. ADOMs 30 300 100 300 1,000
Interfaces 4x GE RJ45 4x GE RJ45 4x GE RJ45 2x GE RJ45 6x GE RJ45, 2x SFP
Storage capacity 1x 1TB 2x 2TB 4x 3TB 8x 3TB 4x 2TB
FMG-2000E FMG-3000F FMG-3900E FMG-4000E
Max. Devices 1,200 4,000 10,000 4,000
Max. ADOMs 1,200 4,000 10,000 4,000
Interfaces 4x GE RJ45, 2x SFP+ 4x GE RJ45, 2x SFP+ 2x GE, 2x GE SFP+ 4x GE RJ45, 2x SFP
Storage capacity 12x 3TB 16x 3TB 15x 1TB 8x 2TB
33
FortiManager-VM Series
Max. Devices 10 +10 +100 +1,000 +5,000 Unlimited
Max. ADOMs
(default/Max) 10 +10 +100 +1,000 +5,000 Unlimited
Max. Web Portals 10 +10 +100 +1,000 +5,000 Unlimited
Max. Portal Users 10 +10 +100 +1,000 +5,000 Unlimited
GB Logs/day 1 2 5 10 25 50
Max. Virtual NICs
(Min/Max) 1 / 4
Storage capacity
(Min/Max) 80 GB / 16 TB
34
FortiClient
35
Introducing FortiClient
FortiClient is a unified endpoint protection platform that integrates into the overall
security architecture, automates threat protection and provides secure remote access
i.e. VPN, in a small and lightweight package supporting a multitude of devices (PC, Mac,
Linux, Chromebook, Apple and Android) either on- or off-premise.
36
Unified Endpoint Security Platform
S ecurity Fabric Integration
Endpoint awareness, compliance, and enforcement by sharing
telemetry with Fortinet’s Security Fabric architecture
A dvanced Threat Protection
Automated prevention of known and unknown threats through built-
in, host-based security and integration with FortiSandbox
S ecure Remote Access and Mobility
Authorized and secured external access to corporate assets via VPN with
native two-factor authentication coupled with single sign on (SSO)
37
Security Fabric Integration S
Fortinet
Security Fabric
Block non-compliant devices Real-time prevention of cyber threats
Aware
Secure
Actionable
Scalable
Open
Fortinet
Security Fabric
? X X
38
Advanced Threat Protection A
Real-time Host
Protection
Updates Every
Hour
Scheduled
Scanning
Antivirus
Network Activity
Detection
Application
Categories
Individual
Application
Granularity
Cloud based URL
rating
Safe Search Option
Exclusion List
Up-to-date
Applications
Automated
Patching
Scheduled
Scanning
Application
Firewall Web Filter Vulnerability
Scanning
Prevent Malware Reduce Attack Surface Prevent Drive-by
download Prevent Exploit
“Fortinet rarely misses
a VB100 comparative,
and a strong record of
passes,
complemented by a
steady improvement in
detection over the last
couple of years, have
put it well up with the
leaders… ”
39
Advanced Threat Protection Use-case: Prevent Drive-by-Downloads
?
Antivirus
Web Filter
Application
Firewall
Vulnerability
Scanning
X P
Antivirus
Web Filter
Application
Firewall
Vulnerability
Scanning
? X
A
40
Advanced Threat Protection Use-case: Prevent Known and Unknown Malware
DOC
XLS
Antivirus
Web Filter
Application
Firewall
Vulnerability
Scanning
PDF X Updates
Antivirus
Web Filter
Application
Firewall
Vulnerability
Scanning
Automated
Patching
Application Vendor
DOC X PDF X
PDF X Dynamic
Signature
Submit
Object
FortiSandbox
Antivirus
Web Filter
Application
Firewall
Vulnerability
Scanning
A
41
Secure Remote Access and Mobility S
Finance Intranet
Finance
Admin
Use-case #3: SSL/IPSec VPN with 2FA
and SSO
SSO
Finance Database
FortiGate
Use-case #1: SSL/IPSec VPN
VPN
Internet
Use-case #2: SSL/IPSec VPN with 2FA
FortiToken
FortiAuthtenticator
LDAP/
Active
Directory
42
FortiClient Deployment
VPN
DataCenter
Headquarters Cafe Branch
FortiClient
FortiClient
EMS FortiGate FortiGate
43
Provision
Enterprise Management
System (EMS)
Deploy, provision and
manage FortiClient
Integrate with LDAP and
other enterprise systems
Real-Time Monitoring
Remote Scan +
Quarantine
Scale to hundreds of
thousands of devices
FortiClient Portfolio FortiClient Management with EMS
FortiClient EMS
Transformation
Management
44
FortiGate
View Endpoint
Status/Topology
Enforce Endpoint
Compliance
Endpoint Quarantine
FortiClient Portfolio FortiClient Compliance and Telemetry with FortiGate
FortiClient EMS
Awareness/Enforcement
Fortinet
Security Fabric
Ready
FortiGate
Transformation
Register
Monitor and apply
Actions
45
Summary
Next generation endpoint security requirements to
defending against tomorrow’s attack:
Unified platform
Integrated with the Security Architecture
Automated in protecting against known and unknown threats
Product Matrix and Sizing Sheet
47
Key pointers
Product Matrix is released monthly
Product datasheet is available upon product release
Sizing sheet is released quarterly
Price sheet is released quarterly
These documents are available in the partner portal
48
Fortigate Product Matrix Review
49
FortiGate Sizing Sheet
50
FortiGate Pricing Model – Update on Enterprise Bundle
Platform (FortiGate)
Services (FortiGuard)
Support (FortiCare)
Term
Deployment Mode Edge, Internal Segmentation, Data Center,
Branch and Virtual
# Ports and Speed 100G, 40G, 10G, 1G, Wi-Fi, 4G/LTE
8 x 5 Support 15% of HW price
24 x 7 Support 25% of HW price
Advanced & Professional
Services
1 year Annual discount:
2 years 6% off/yr
3 years 10% off/yr
4 years 12.5% off/yr
5 years 14% off/yr
&
UTM Bundle (IPS/AC, AV, WF, AS) Individual
Services (IPS/AC, AV, WF,
AS, ATP, MS)
20% of HW price
each
OR
8 x 5 Support
55% of HW
price
24 x 7 Support
65% of HW
price
360° Support 35% of HW price
OR & OR
Enterprise Bundle (UTM + ATP + MobileSec
+ Botnet IP/Domain)
360°
Support 75% of HW
price
8 x 5 Support
80% of HW
price
24 x 7 Support
90% of HW
price
360°
Support 90% of HW
price
OR
OR
51
Fortigate Licensing
52
SKU Description
FG-60E-BDL-XXX-DD
FortiGate
Bundle
Model
Symbolizes
either UTM Or
Enterprise for
(8x5 or 24x7)
Number years
licensed