
Fortinet Product Quick Guide

Ahmad Arafat
Senior Security Engineer, Middle East

June 6, 2014
1
Content

FortiGate/FortiWiFi FortiMail
FortiAP FortiWeb
FortiSwitch FortiSandbox
FortiClient FortiDB
FortiToken FortiADC/AscenLink
FortiAnalyzer FortiCache
FortiManager FortiDNS
FortiSandbox
FortiAuthenticator
FortiDDoS

2
FortiGate/FortiWiFi

3
FortiGate: Integrated Architecture

FortiGuard
Threat Research & Security Updates
FortiAP FortiSwitch FortiToken FortiClient

Networking Security Extensions


FORTIGATE

L2/L3 features Firewall VPN IPS


Virtual Systems App Control AV/ATP WiFi/Switch Controller
Traffic Shaping WAN Opt. Web Filtering DLP Endpoint Management
High Availability IPv6 Explicit Proxy Token Server

FortiOS

FortiASIC(s)

FortiManager FortiAnalyzer
Centralized Device Centralized Log &
Management Reporting
APIs Integration Syslog/SNMP

4
Anatomy of a FortiGate

FortiCare Fortinet Premium Services


Standard and extended hardware, Enhanced SLAs and TAM
software and support packages

Fortinet Prof. and Consultation Services


8x5 Enhanced: 8x5 Support, Return and Replace, Firmware Upgrades
Design and Implementation

24x7 Comprehensive: 24x7 Support, Advanced Hardware Replacement (NBD), Firmware Upgrades
Certification & Customized Courses

In-depth Training Sessions

5
Anatomy of a FortiGate

FortiGate Hardware Appliance
Purpose-built high performance systems
Acceleration chips
Wired and Wireless Connectivity

FortiGate Virtual Appliance
UTM solution for Cloud environment

Content Processor, Network Processor, Security Processor

6
Anatomy of a FortiGate

FortiOS Operating Systems


Proprietary OS, eliminates vulnerabilities & issues associated with common OSes
Hardened and small footprint for security & efficiency
Runs on flash, more reliable
Nearly common feature set across all platforms
Default with 10 VDOMs*

WebUI, CLI
Dashboard & Monitoring
SNMP
Syslogging
Statistics
In-box Reporting *
Email Alerts
Content Archives
SFLOW

* Available on selected models.


7
Anatomy of a FortiGate

Features & Capabilities


Available by default, no requirement for hidden charges and software upgrades
HA: A-A, A-P, Virtual
cluster, weighted

IPv6 FW + UTM
Firewall VPN IPS App. Ctrl AntiVirus Web Filter
Routing Protocols

Wireless Controller

Server LB
AntiSpam DLP NAC Vuln Mgmt Traffic Shaping WAN opt.

8
Anatomy of a FortiGate

FortiGuard Subscription Services


FortiGuard AntiVirus Service
FortiGuard NGFW Service
FortiGuard Web Filtering Service
FortiGuard Antispam Service

Deliver real-time Automated Updates
Industry Leading Threat Response Time
Comprehensive Threat Library
24x7x365 Operations
Powered by Fortinet in-house Global Threat Research Team

9
FortiGate Appliance by Segments

MSSP

Carrier
Data Center /
Cloud

Enterprise

(Branch) (Branch) (Branch) (Campus) (Campus)
Distributed
Enterprise

SMB

Model 20-90 100 200 300-800 1000 3000 5000


Series Series Series Series Series Series Series
Product
Entry Level Mid Range High End
Range
*Key PoE, High
High 10 GE, Chassis &
Hardware Switch, PoE, High Density GE Density
Density GE 40 GE Blades
Features WiFi GE, 10 GE

10 * May be available as hardware variants


FortiGate Small Business Devices

Security Appliances For Small/Home Offices & Small Branch Offices

High performance, feature-rich multi-threat security for Branch Offices, SoHo and telecommuters

Primary Benefits:
High speed Firewall and IPSec VPN performance
High Speed Application Control
Accelerated IPS/AV performance
On board storage for WAN Optimization, local reporting and archiving
Integrated WiFi on certain models

Models shown: FG/FWF-30D Series, FG/FWF-60D Series, FG/FWF-90D Series, FG-100D Series

11
FortiGate Small Business Devices: Comparison

Model | FGT-30D | FGT-60C | FGT-60D | FGT-90D | FGT-100D
Firewall (1518/512/64 byte UDP) | 800 / 800 / 800 Mbps | 1 / 1 / 1 Gbps | 1.5 / 1.5 / 1.5 Gbps | 3.5 / 3.5 / 3.5 Gbps | 2500 / 1000 / 200 Mbps
Concurrent Sessions | 200,000 | 400,000 | 500,000 | 1.5 Mil | 3 Mil
New Sessions/Sec | 3,500 | 3,000 | 4,000 | 4,000 | 22,000
IPSec VPN | 350 Mbps | 70 Mbps | 1 Gbps | 1 Gbps | 450 Mbps
IPS (HTTP) | 150 Mbps | 135 Mbps | 200 Mbps | 275 Mbps | 950 Mbps
Antivirus (Proxy/Flow) | 30 / 40 Mbps | 20 / 40 Mbps | 35 / 50 Mbps | 35 / 65 Mbps | 300 / 700 Mbps
Interfaces (LAN, WAN & DMZ) | 5 x GE RJ45 | 8 x GE RJ45 | 10 x GE RJ45 | 16 x GE RJ45 | 20 x GE RJ45, 2 x GE SFP
Storage | - | - | - | 32GB | 32GB

WiFi, Ana.
Modem, Wifi + LENC, high port
Variants WiFi, PoE Ana. Modem, WiFi, PoE WiFi, PoE density, T1 port,
LENC, SFP, PoE
POE, ADSL

12
FortiGate Mid-Range Devices

Mid-Range Security Appliances For Mid-Size Organizations & Large Enterprise Branch Offices

High performance multi-threat security for medium-sized enterprises and branch offices of large enterprises.
Higher price/performance ratio and more interfaces than any products in their class

Primary Benefits:
High speed Firewall and IPSec VPN performance
High Speed Application Control
Accelerated IPS/AV performance
On board storage for WAN Optimization, local reporting and archiving*

Models shown: FGT-1500D, FGT-1240B, FGT-1000C, FGT-800C, FGT-600C, FGT-300C, FGT-200D Series

*FGT-200B requires optional HDD

13
FortiGate Mid Range Devices: Comparison

Model | FGT-200D | FGT-240D | FGT-280D-POE | FGT-300C | FG-600C | FG-800C
Firewall (1518/512/64 byte UDP) | 3 / 3 / 3 Gbps | 4 / 4 / 4 Gbps | 4 / 4 / 4 Gbps | 8 / 8 / 8 Gbps | 16 / 16 / 16 Gbps | 20 / 20 / 20 Gbps
Concurrent Sessions | 1.4 Mil | 3.2 Mil | 3.2 Mil | 2 Mil | 3 Mil | 7 Mil
New Sessions/Sec | 77,000 | 77,000 | 77,000 | 50,000 | 70,000 | 190,000
IPSec VPN | 1.3 Gbps | 1.3 Gbps | 1.3 Gbps | 4.5 Gbps | 8 Gbps | 8 Gbps
IPS (HTTP) | 1.7 Mbps | 2.1 Gbps | 2.1 Gbps | 1.4 Gbps | 3 Gbps | 6 Gbps
Antivirus (Proxy/Flow) | 600 / 1,100 Mbps | 600 / 1,100 Mbps | 600 / 1,100 Mbps | 200 / 550 Mbps | 1.3 / 1.7 Gbps | 1.7 / 2.1 Gbps
Interfaces (LAN, WAN & DMZ) | 18 x GE RJ45, 2 x GE SFP | 42 x GE RJ45, 2 x GE SFP | 54 x GE RJ45, 32 x GE PoE RJ45, 4 x GE SFP | 10 x GE RJ45 | 18 x GE RJ45, 4 x Shared port pairs, 2 x bypass Pairs | 2 x 10GE SFP+, 14 x GE RJ45, 8 x Shared port pairs, 2 x bypass Pairs
Storage | 16 GB | 32 GB | 64 GB | 16 GB | 64 GB | 64 GB
Variants | - | - | - | LENC | DC, LENC | -

14
FortiGate Mid Range Devices: Comparison

Model | FG-1000C | FG-1240B | FG-1500D
Firewall (1518/512/64 byte UDP) | 20 / 20 / 20 Gbps | 40-44 / 40-44 / 38-42 Gbps | 80 / 80 / 55 Gbps
Concurrent Sessions | 7 Mil | 5 Mil | 12 Mil
New Sessions/Sec | 190,000 | 120,000 | 250,000
IPSec VPN | 8 Gbps | 16-18.5 Gbps | 50 Gbps
IPS (HTTP) | 6 Gbps | 5-8 Gbps | 11 Gbps
Antivirus (Proxy/Flow) | 1.7 / 2.1 Gbps | 1.2 / 1.6 Gbps | 4.3 / 13 Gbps
Interfaces (LAN, WAN & DMZ) | 2 x 10GE SFP+, 14 x GE RJ45, 8 x Shared port pairs, 2 x bypass Pairs | 16 x GE RJ45, 24 x GE SFP | 8 x 10GE SFP+, 16 x GE SFP, 18 x GE RJ45
Storage | 128 GB | 64 GB, 384 GB opt. | 240 GB
Variants | DC | DC | -

15
FortiGate-1500D

1 2x GE RJ45 Management Ports
2 16x GE SFP Slots
3 16x GE RJ45 Ports
4 8x 10GE SFP+ Slots

Hardware Performance
Firewall Throughput (1518/512/64) | 80 / 80 / 55 Gbps
Firewall Latency | 3 μs
Concurrent Sessions | 12 Mil
New Sessions/Sec | 250,000
Firewall Policies | 100,000
IPSec VPN Throughput | 50 Gbps
SSL-VPN Throughput | 4 Gbps
IPS Throughput | 11 Gbps
Antivirus Throughput (Proxy Based / Flow Based) | 4.3 / 13 Gbps
Virtual Domains (Default / Max) | 10/250
Max Number of FortiAPs (Total/Tunnel) | 4096 / 1024
Max Number of FortiTokens | 5,000
Client-to-Gateway IPSec VPN Tunnels | 50,000
Concurrent SSL-VPN Users (Recommended Max) | 10,000

16
FortiGate 3000 Series

Security Appliances For Large Enterprises & Managed Service Providers

Ideal for securing traditional high-bandwidth networks, as well as virtualized, or cloud-based infrastructures.
Higher price/performance ratio and more interfaces than any products in their class

Primary Benefits:
Rich feature set for protecting next generation networks, including integrated IPS, application control, user-based policies, and endpoint policy enforcement
On-board storage for WAN Optimization, local reporting and archiving
Integration with FortiManager and FortiAnalyzer simplifies management, reporting and analysis for up to thousands of Fortinet devices

Models shown: FG-3240C, FG-3600C, FG-3700D, FG-3950B

17
FortiGate 3000 Series: Comparison

Model | FG3040/FG3140B | FG-3240C | FG-3600C | FG-3700D | FG-3950B
Firewall (1518/512/64 byte UDP) | 40 / 40 / 40; 58 / 55 / 43 Gbps | 40 / 40 / 40 Gbps | 60 / 60 / 60 Gbps | 160 / 160 / 110 Gbps | 20-120 / 20-120 / 20-120 Gbps
Concurrent Sessions | 5 Mil | 10 Mil | 28 Mil | 44 Mil | 20 Mil
New Sessions/Sec | 200,000 | 200,000 | 235,000 | 300,000 | 250,000, 300,000*
IPSec VPN | 17 / 22 Gbps | 17 Gbps | 25 Gbps | 100 Gbps | 8 50.5 Gbps
IPS (HTTP) | 6 / 8.4 Gbps | 8 Gbps | 14 Gbps | 23 Gbps | 20 Gbps
Antivirus (Proxy/Flow) | 2.3 / 4.5 Gbps | 2.6 / 9 Gbps | 5.8 / 18 Gbps | 7.5 / 18 Gbps | 4 / 15 Gbps
Interfaces | 8 x 10GE SFP+, 10 x GE SFP, 2 x GE RJ45 / + 2 10GE SFP+ | 12 x 10GE SFP+, 16 x GE SFP, 2 x GE RJ45 | 12 x 10GE SFP+, 16 x GE SFP, 2 x GE RJ45 | 4 x 40GE QSFP+, 20 x 10-GE SFP+/GE SFP Slots, 8 x ultra-low latency 10 GE SFP+ slots, 2 x GE RJ45 | 2 x 10GE SFP+, 4 x GE SFP, 2 x GE RJ45 (base)
64 GB, 256 GB
Storage 64 GB 128 GB 960 GB 256 GB
opt.
Variants DC, LENC DC, LENC DC - DC, LENC

18 * With XH0 module


FortiGate-3700D

1 2 x GE RJ45 Management Ports
2 4 x 40GE QSFP Slots
3 20 x 10GE SFP+/GE SFP Slots
4 8 ultra-low latency 10GE SFP+ Slots

Hardware Performance
Firewall Throughput (1518/512/64) | 160/160/110 Gbps
Firewall Latency | 2 μs
Concurrent Sessions | 44 Mil
New Sessions/Sec | 300,000
Firewall Policies | 100,000
IPSec VPN Throughput | 100 Gbps
SSL-VPN Throughput | 6 Gbps
IPS Throughput | 23 Gbps
Antivirus Throughput (Proxy Based / Flow Based) | 7.5/18 Gbps
Virtual Domains (Default / Max) | 10/500
Max Number of FortiAPs (Total/Tunnel) | 4096 / 1024
Max Number of FortiTokens | 5,000
Client-to-Gateway IPSec VPN Tunnels | 64,000
Concurrent SSL-VPN Users (Recommended Max) | 30,000

19
FortiGate 5000 Series

Security Appliances For Very Large Enterprises & Managed Service Providers

Chassis-based platforms offer maximum performance, reliability, and scalability for high-speed service provider, large enterprise or telecommunications carrier networks.
Fastest chassis-based firewall in the industry
Flexibility enables protection of complex, multi-tenant cloud-based security-as-a-service and infrastructure-as-a-service environments.

Primary Benefits:
Native 10GE support for high speed requirements
ATCA-compliant architecture delivers carrier-grade performance, reliability, availability and serviceability
Chassis support two, six, or fourteen FortiGate-5000 series blades, allowing customization and scaling

Model shown: FG-5140B

20
FortiGate-VM

Model | FG-VM00 | FG-VM01 | FG-VM02 | FG-VM04 | FG-VM08
vCPU (Min / Max) | 1/1 | 1/1 | 1/2 | 1/4 | 1/8
Network Interface (Min/Max) | 2/10 | 2/10 | 2/10 | 2/10 | 2/10
Memory (Min / Max) | 512 MB / 512 MB | 512 MB / 1 GB | 512 MB / 3 GB | 512 MB / 4 GB | 512 MB / 12 GB
Storage Support (Min/Max) | 30 GB / 2TB | 30 GB / 2TB | 30 GB / 2TB | 30 GB / 2TB | 30 GB / 2TB
Max FortiAP | 32 | 256 | 512 | 512 | 1,024
VDOM (Default/Max) | 1/1 | 10 / 10 | 10 / 25 | 10 / 50 | 10 / 250

21 VMware ESX/ESXi 3.5/4.0/4.1/5.0, Citrix XenServer 5.6 SP2/6.0, Open Source Xen 3.4.3 / 4.1
FortiSandbox

22
Introducing FortiSandbox

Defense against APTs & Unknown Threats


Advanced Threat Protection solution designed to identify and help customers thwart the highly targeted and tailored attacks that increasingly bypass traditional defenses and lurk within networks.

Advanced Threat Protection
Multi-layered filtering with Code Emulator, AV engine, Cloud query and Virtual OS sandbox
Handles multiple file types, including files that are encrypted or obfuscated
Examines files from various protocols, including those that use SSL encryption

Flexible Operation Modes
Receives file samples using integration with FortiGate/FortiMail, sniffer mode and manual file uploads
Captures files from remote locations using deployed FortiGates

Monitoring and Reporting
Detailed analysis reports and real-time monitoring and alerting

[Diagram labels: 1 File Submission, 2 Centralized File Analysis, 3 Malicious Analysis output, 4 Latest AV Signature Update]

23
FortiWeb

24
Introducing FortiWeb

Web Application Security


Web application firewall to protect, balance, and accelerate web applications.

Web Application Firewall
Aids in PCI DSS 6.6 compliance
Protection against OWASP Top 10
Application layer DDoS protection
Auto Learn security profiles
Geo IP data analysis and security

Web Vulnerability Scanner
Scans, analyzes and detects web application vulnerabilities

Application Delivery
Assures availability and accelerates performance of critical web applications

[Diagram labels: Web Application Servers, FortiWeb, SQL Injection, XSS]

25
FortiMail

26
Introducing FortiMail

Messaging Security
Advanced antispam and antivirus filtering capabilities, with extensive quarantine and archiving capabilities.

Specialized messaging security system
Advanced, bi-directional filtering prevents spread of spam, viruses, phishing, worms, and spyware

Flexible deployment options
Transparent, Gateway, and Server modes that adapt to organizational needs and budget

Identity based encryption
Secure, encrypted communication

Email archiving
On-box archiving facilitates policy and regulatory compliance requirements

[Diagram labels: Mail Servers, FortiMail]

27
FortiDB

28
Introducing FortiDB

Database Security and Compliance


Database Activity Monitoring and Vulnerability Assessment solution that allows quick and easy implementation of internal IT control frameworks for database activity monitoring, IT audit and regulatory compliance

Database Activity Monitoring (DAM)
Real-time monitoring of key users and critical transactions
User Activity Baselining
Block database attacks in real time

Vulnerability Assessment
Sensitive data discovery in databases
Vulnerability scanning with remediation advice

Policy Driven Controls
Automated process of establishing IT controls

Database Audit and Compliance
For compliance and forensics analysis purpose

Deployment options: Sniffer, Native Audit and Agents

[Diagram labels: FortiDB, Database Servers]

29
FortiDDOS

30
Introducing FortiDDoS

Hardware Accelerated DDoS Defense


Intent Based Protection

Rate Based Detection
High performance protection using ASIC

Self Learning Baseline
Ease Maintenance
Maintain appropriate protection dynamically

Signature Free Defense
Hardware based protection

Inline Full Transparent Mode
No MAC address changes

Granular Protection
Multiple thresholds to detect subtle changes and provide rapid mitigation

[Diagram labels: ISP 1, ISP 2, FortiDDoS, Firewall, Web Hosting Center, Legitimate Traffic, Malicious Traffic]

31
FortiAuthenticator

32
Introducing FortiAuthenticator

Authentication Server
Identity Management, User Access Control and multi-factor
identification

Authentication and Authorization


RADIUS, LDAP, 802.1X

Two Factor Authentication


FortiToken
Tokenless, via SMS and email

Certificate Management
X.509 Certificate Signing, Certificate Revocation
Remote Device / Unattended Authentication
[Diagram labels: FortiToken, Issuing CA]

Fortinet Single Sign on


Active Directory Polling
RADIUS Integration
LDAP FortiAuthenticator
User Database

33
FortiToken

34
Introducing FortiToken

2 factor Authentication Token


OATH Compliant Time Based Hardware One Time Password Token

Supports Strong Authentication


IPSEC VPN
SSL VPN
Administrative Login
Captive Web Portal
802.1x Authentication
Web Application Access
SSO

Authentication Platforms
FortiGate (FOS4.3 and later)
FortiAuthenticator (FAC 1.4 and later)

Secure Seed Delivery Options


Online Via FortiGuard
Encrypted file on CD (FTK-200S)
In-house Seed Provisioning Tool (special
order)

35
FortiAP

36
FortiAP Family

FAP-320C
3x3:3 802.11ac
Resiliency and
Versatility Dual Radio
FAP-320B
Dual Band
FAP-223B
FAP-222B
FAP-221B
2x2:2
Performance FAP-221C 802.11ac
Single Radio

FAP-28C FAP-210B

1x1:1 FAP-14C
FAP-112B
Value FAP-11C

Remote Outdoor Indoor

37
FortiSwitch

38
Introducing FortiSwitch

Access level Gigabit Switches with ease of use and low cost of ownership

Outstanding price, performance, and scalability to organizations with diverse operational needs.

Primary Benefits:
High Port Density
Integrated Power Over Ethernet
Connect Access Points, Peripherals, Cameras, Phones
Create an integrated, secure network

Models shown: FSW-28C, FSW-80-POE, FSW-124B-POE, FSW-224B-POE, FSW-324-POE, FSW-348B, FSW-448B

39
FortiClient

40
Introducing FortiClient

Endpoint Security & Control


Comprehensive end-point protection & security enforcement

Multifunctional Host Security
Flexibility in deployment
Fully integrated features, reduce needs for multiple client solutions

End Point Control
Enforce compliance and security policies on mobile hosts

Centralized Logging and Reporting
Via FortiGate for enterprise requirements

41
FortiClient V5

Windows New
Mac in
OSX 4.0 MR3
iOS Android
IPSec VPN -
SSL VPN Web Mode Only
2FA
Anti-Virus - -
Web Filtering
WAN Optimization - - -
Registered for Central Management
Config Provisioning
Logging (to FMGR/FAZ) - -
Windows AD SSO Agent - -
Application Firewall - -
Vulnerability Scanning &
- -
Reporting
Custom Install - -

42 Based on latest editions


Introducing FortiToken Mobile

2 factor Authentication Token on Mobile Devices


OATH Compliant Time Based Hardware One Time Password Soft Token

Highly Secure
Pin Protected App
Device Binding
Brute Force Protection
Dynamic Seed Generation
Encrypted Seed Storage

Authentication Platforms
FortiGate (FOS5.0 Beta 5 and later)
FortiAuthenticator (FAC 1.4 and
later)

Broad Device Support


iOS (iPhone, iPad, iPod Touch)
Android
BlackBerry (TBD)

43
FortiADC & AscenLink

44
Introducing FortiADC & AscenLink

Application Delivery Controllers & Link LB


Optimize the availability, user experience, performance and scalability of mobile, cloud and enterprise application delivery from anywhere-to-anywhere.

Application Availability
Layer 2/3/4 and 7 load balancing techniques
Application session persistence
Proxy and transparent modes
Global Server Load Balancing (GSLB) for geographic resilience
Link Load Balancing

Application Acceleration
TCP Optimization
Memory based content caching
Data compression
SSL Offload and acceleration

Application Interoperability
Implementation Guides for Microsoft Exchange, Lync, SAP etc.

[Diagram labels: Web Application Servers]

45
FortiCache

46
Introducing FortiCache

Web Caching Appliance


Reduce the cost and impact of downloaded content, while increasing performance
and end-user satisfaction by improving the speed of access

Web Content Caching
High performance content caching
Explicit or Transparent proxy cache
FortiGuard Web Filtering

Video Caching
Broad CDN Support
Detects same video ID when content comes from different CDN hosts
Supports seek forwards and backwards in video, detects preceding adverts

WAN Optimization
Bandwidth optimisation across congested WAN Links
Interoperates with FortiGate

47
FortiDNS

48
Introducing FortiDNS

Secure Caching DNS Server


Robust caching DNS server that improves security and performance

Secure Caching DNS
High performance caching DNS server with focus on DNS Security
Randomised Transaction ID
UDP Source Port Randomization
Case Query Randomisation
Active spoofing detection switches user to TCP when under threat.
Discard unsolicited answers
Limit per user resources (queries per second) to prevent DoS
Monitor top users and blacklist
Futureproof with support for DNSSEC and IPv6

DHCP Server
High performance DHCP server with resource friendly high availability

[Diagram label: FortiDNS]

49
FortiAnalyzer

50
Introducing FortiAnalyzer

Centralized Reporting & Analysis


Logging, reporting and analysis from multiple Fortinet devices

Aggregated Logging
Singular View of all Fortinet Devices
Built-in Content Archiving
Malicious File Quarantine

Centralized Reporting
Predefined Summary & Device Reports
Hundreds of Customizable Charts & Graphs

Analysis & Event Correlation


Vulnerability Assessment
Network & Log Analysis

Scalable Solution
Hardware and VM Versions Available
Collector/Analyzer Modes for Large Deployments
High Performance Logs/Sec Processing
Support for Internal or External SQL Databases

51
FortiManager

52
Introducing FortiManager

Centralized Management
Tools that effectively manage any size Fortinet security infrastructure, from a few to thousands of appliances

Administrative Domains (ADOMs)
Enables the primary admin to create Virtual Management Domains containing devices for other administrators to monitor and manage

Hierarchical Objects & Policy Management
Create Global Objects and Policies
Assign to ADOM or groups of ADOMs
Create device configuration templates to quickly configure a new Fortinet appliance

Locally Hosted Security Content
Allows administrators better control over security content updates and provides improved response time for rating databases.
Run a local copy of AV, IPS, URL, A/S signature databases.*

Web Portal SDK
JSON-based API allows MSSPs to offer administrative web portals to customers

* Capabilities varied by Models

53
Other Information

54
Virtual Appliance Platforms

Virtual Appliance | VMware vSphere v4.0 | VMware vSphere v4.1 | VMware vSphere v5.0 | VMware vSphere v5.1 | Citrix Xen Server v5.6 SP2 | Citrix Xen Server v6.0 | Open Source Xen | Open Source KVM | Amazon AWS | Microsoft Hyper-V 2008 R2 | Microsoft Hyper-V 2012

FortiGate-VM

FortiManager-VM

FortiAnalyzer-VM

FortiWeb-VM

FortiMail-VM

FortiAuthenticator-VM

FortiADC-VM

FortiCache-VM

55
