FortiClient Solutions Endpoint Security Anytime, Anywhere

Presentation transcript:

FortiClient Solutions Endpoint Security Anytime, Anywhere
October, 2011 1.1

Remote Access & Your IT strategy
- The right connection for the right people
  - Choice of VPNs: SSL for some, IPsec for others
  - Choice of Features: Ability to retain 3rd party antimalware
- Meet regulatory and legal requirements
  - Only devices meeting corporate policy are allowed to connect
- Improve network and application performance
  - WAN Optimization for improved traffic efficiency

Fortinet Connected Network FortiAnalyzer FortiAuthenticator FortiManager FortiAP FortiSwitch FortiGate FortiClient FortiRAP FortiGate As Control Point - Enforcing network security - Provisioning/Managing other devices

Remote Access Architecture
Diagram labels: FortiGate, FortiAuthenticator Server (Optional), FortiClient Premium w/IPSec VPN, FortiManager (Optional), FortiAnalyzer (Optional), FortiToken, Android Client, FortiClient w/SSL VPN, FortiGuard Services, Non-Compliant Devices Can Be Denied Access
- Highlight range of solution
- Offer SSL or IPsec
- Ability to deny access to non-compliant devices
- Strong management and analysis tools
- Authentication solutions at head-end and at device level (FortiToken)
- FortiAuthenticator for simplified authentication over distributed FortiGates

Remote Access MSP/Cloud Architecture FortiGate FortiClient Premium w/IPSec VPN FortiGate VM FortiManager VM FortiToken FortiAnalyzer VM FortiGate Android Client X FortiClient w/SSL VPN FortiGuard Services

The FortiClient Family FortiClient Lite FortiClient SSL FortiClient Premium Windows OSX, Linux Mac Android Free to Use Included One time license per FortiGate Per Seat Antivirus SSL VPN IPSEC VPN Parental Control SSL VPN SSL VPN

FortiClient Features
- IPsec VPN: Simple client-to-site VPN policies for remote access.
- SSL VPN: Secure web-based access for remote users
- WAN Optimization: Accelerate application performance
- Endpoint Control: Lock down network access based on installed applications
- Two-Factor Authentication: Properly identify end users
* MacOS Client = IPsec VPN, SSL VPN and Two-Factor Authentication Only

FortiClient Premium Additional Features
- Anti malware: Detect and clean viruses, worms and other malicious software.
- AntiSpam: Prevent unwanted email
- Centralized Management: Manage complex user and group policies
- Web Filtering: Control accessible web content
- Firewall: Deny unwanted connections

FortiClient Secure Connectivity Solution
Advantages
- Centralized Endpoint Enforcement: All security scanning and enforcement performed by FortiGate
- No per seat licensing: Unlimited FortiClient agents per FortiGate
- Support level inherited: FortiClient support level inherited from associated FortiGate appliance
- Two Factor Authentication: FortiToken, Email and SMS-based two factor authentication
- Choice of VPN, IPsec or SSL: Provide right solution for range of end users
- Policy Compliance: Denies access to devices running non-compliant applications
- Coexistence With Existing Antimalware Deployment: No need to change existing end user solution
Features: SSL & IPsec VPN, Two-Factor Authentication, WAN Optimization, Policy Compliance

FortiClient Premium Complete Endpoint Protection
Advantages
- Complete protection
  - Full feature set
  - Per seat licensing
- Protect Against Latest Threats: FortiGuard subscription included
- Antimalware included: No need for expense of additional client
- Web Filtering: Control web access
- Centralized Management: Provisioning, Configuration, Update Management
Features: Firewall, AntiSpam, Centralized Management, Web Filtering, SSL & IPsec VPN, Antimalware, WAN Optimization, Policy Compliance, Two-Factor Authentication

FortiClient Framework: FortiGate
- Automated IPSec VPN Policy Server
- Two-factor Authentication
- Certificate Store Integration
- Client-to-Site WAN Optimization (Internal HDD)
  - Minimize remote user download times
- Endpoint compliance awareness & enforcement
  - Lock down network access based on organizational policy
  - Check asset configuration including installed or running 3rd party application software
  - Customize warning and blocked messages

FortiClient Framework: FortiGate/FortiAnalyzer
FortiManager
- Centralized Policy Management
  - Provisioning
  - Configuration
  - Update Management
- Role Based Administration
  - User privileges defined by management domains
- Improved Performance
  - Local hosting of security updates
  - Minimize web filtering response time
- Required for FortiClient Premium
FortiAnalyzer
- IPSec VPN Activity Reporting
  - Logged from the FortiGate
  - Username, IP addresses and Duration
  - Tracking Top Sources, Destinations and Peers
- Endpoint Compliance Logs
  - Compliant and Non-compliant devices
  - Can be used with built-in correlation to notify staff of non-compliant devices

Remote Access: Pain Points Takes too long to embrace new trends. We need to reduce real estate costs. The auditors are coming next week. CxO IT Manager My IT budget was cut by 20%. Someone has a virus. Who’s doing what and where? Remote access solution has different problems that need solving…… IT Ops 200 more users this month?! Help desk calls are killing us.

Remote Access: Key Benefits & Features CxO Improved policy compliance Scalability and reliability SSL Inspection Endpoint Control WAN Optimization Strong Authentication IT Manager Enforce policies on multiple levels (including encrypted traffic) - Cut bandwidth costs IT Ops Easily apply policies Enforce compliance Quickly provision users Minimize calls to help desk

Endpoint Security Challenges
- Emily, a financial trader, installed Skype on her company laptop to talk with family.
- Bill works for a Fortune 100 company and shares company details on Facebook.
- Ed shared a company presentation via his personal Gmail account.
- Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
What Are You Going to Do?
- Emily: application policy checking via FortiClient
- Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not
- Jill: Setting up a VPN with 2 factor authentication and WAN optimization for improved app performance.
- Ed: Detect content with sensitive data

Endpoint Security Challenges
- Emily, a financial trader, installed Skype on her company laptop to talk with family.
- Bill works for a Fortune 100 company and shares company details on Facebook.
- Ed shared a company presentation via his personal Gmail account.
- Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
Solutions shown: Endpoint Control, Identity-Based Policies, Data Leak Protection, Two-Factor Authentication, VPN Tunneling, WAN Optimization
- Emily: application policy checking via FortiClient
- Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not
- Jill: Setting up a VPN with 2 factor authentication and WAN optimization for improved app performance.
- Ed: Detect content with sensitive data

Endpoint Control
FortiGate Checks the Endpoint
- FortiClient installed and running?
- Antivirus configured and up to date?
- Third Party Software: Installed, or not? Running, or not?
Endpoint license is per FortiGate
- No per seat license requirement
- Create custom characteristic profiles to lock down network access based on organizational security endpoint compliance policies
- Profile can only be applied on the FortiGate at the firewall policy level as a sensor
- Endpoint Control can enforce access based on checking for:
  - Installed/running instance of FortiClient (including minimum version)
  - Disabled critical FortiClient services (Firewall, Anti-Virus and/or Web Filtering)
  - Anti-Virus Signatures Out-of-Date
  - Installed and/or running 3rd party application software
  - Absence or non-use of specific 3rd party application software
- Temporary access can be granted to non-compliant endpoints
- Endpoint authentication checking is located under User Monitor Firewall
  - The username will be labeled as “forticlient_chk_only”
- Cannot be used with a FortiGate load balance VIP entry
- Can be configured with a FortiGate VPN: IPSec VPN (route-based), SSLVPN (tunnel mode)

Endpoint Application Database
- FortiGate Endpoint Control Application Database
  - Downloaded from FortiGuard
  - Distinct from the Application Detection database
  - More than 5000 applications in 37 categories: Anti Malware, Proxy Avoidance, P2P, etc
- List of current applications sent by FortiClient to the FortiGate
- FortiGate Endpoint Policy Verified and Enforced
- FortiClient displays status / error / reason

Communication Flow
- FortiClient initiates a connection towards the FortiGate with an HTTP request to a special FQDN
  - Request includes end point application list
- FortiGate performs policy check
  - Installed, running, not installed, not running
- Policy actions include block, allow, monitor, warn
Diagram labels: pingserver.fortinet.net, FCSYSREQ, FCSYSRPLY

No FortiGate Found
- FortiClient 4.3 requires FortiOS 4.0 MR3
- Solution: FortiGate needs to be upgraded and the relevant Endpoint policies enabled

Non-Compliant End Point Warning
- Endpoint has been warned due to Firefox not being installed
- Solution: Install Firefox
- End user can click ‘Ignore warnings’

Non-Compliant End Point Banned
- Endpoint has been banned due to FileZilla server application being installed
- Solution: Device conforms to endpoint control policy
- FortiGate Administrator provides a temporary exemption via the end point monitor option
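The policy check described on the Communication Flow slide and the two non-compliance slides can be modelled as follows. This is an added example, not Fortinet code: the report layout, the `Rule` class, the fail-closed default and the rule that the strictest matching action wins are assumptions, while the four conditions, the four actions and the Firefox / FileZilla Server cases come from the slides.

```python
from dataclasses import dataclass

# The four conditions and four actions named on the Communication Flow slide.
CONDITIONS = ("installed", "not installed", "running", "not running")
# Assumption: when several rules match, the strictest action wins.
SEVERITY = {"allow": 0, "monitor": 1, "warn": 2, "block": 3}


@dataclass(frozen=True)
class Rule:
    app: str
    condition: str
    action: str

    def __post_init__(self):
        if self.condition not in CONDITIONS:
            raise ValueError(f"unknown condition: {self.condition!r}")
        if self.action not in SEVERITY:
            raise ValueError(f"unknown action: {self.action!r}")


def rule_matches(rule, installed, running):
    """True when the endpoint state satisfies the rule's condition."""
    app = rule.app.lower()
    return {
        "installed": app in installed,
        "not installed": app not in installed,
        "running": app in running,
        "not running": app not in running,
    }[rule.condition]


def evaluate(report, rules):
    """Return (action, reasons) for one endpoint report.

    report is a dict {"installed": [...], "running": [...]} (hypothetical
    layout), or None when the endpoint sent no application list at all.
    """
    if report is None:
        # Assumption: fail closed when there is no client report.
        return "block", ["no endpoint report received"]
    installed = {a.lower() for a in report.get("installed", [])}
    running = {a.lower() for a in report.get("running", [])}
    verdict, reasons = "allow", []
    for rule in rules:
        if rule_matches(rule, installed, running):
            reasons.append(f"{rule.app} {rule.condition}: {rule.action}")
            if SEVERITY[rule.action] > SEVERITY[verdict]:
                verdict = rule.action
    return verdict, reasons


# Policy built from the two slide examples (constructed for illustration).
POLICY = [
    Rule("Firefox", "not installed", "warn"),
    Rule("FileZilla Server", "installed", "block"),
    # Installed and running are separate checks: a binary started from a
    # portable copy is caught only by a "running" rule.
    Rule("FileZilla Server", "running", "block"),
]

if __name__ == "__main__":
    samples = {  # constructed endpoint reports
        "compliant": {"installed": ["Firefox"], "running": ["Firefox"]},
        "no-firefox": {"installed": [], "running": []},
        "ftp-server": {"installed": ["Firefox", "FileZilla Server"], "running": []},
        "portable-ftp": {"installed": ["Firefox"], "running": ["filezilla server"]},
        "no-client": None,
    }
    for name, report in samples.items():
        print(name, evaluate(report, POLICY))
```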

IPSec Configuration
- Simplified configuration steps on both client and FortiGate
- Matching default proposals to minimize configuration steps
- Advanced configurations can be created by editing the client configuration file
  - XML formatted clear text file can be exported / imported
- FortiGate configuration can be changed via UI once ‘Create FortiClient VPN’ wizard has been used
- Can be combined with endpoint control
- Previous Automated Policy Server configuration not supported by FortiClient 4.3
- This type of VPN is tunnel-mode only (policy-based or route-based)
- Included in the 32-bit/64-bit MSI distribution file for Windows-Based Systems
  - Windows 2000 (32-bit only), Windows XP, Windows Vista, Windows 7
  - Windows 2003 Server, Windows 2008 Server
- VPN access point configuration/management is manual on the endpoint
- VPN access server configuration/management is on the FortiGate
- Automated IPSec VPN Policy Server
- One directional firewall policy per interface combination (within FortiGate)
- Endpoint compliance policies can generate warnings or be enforced
- A pre-shared key or digital X.509 certificates can be used to authenticate the identities of the two VPN peers (i.e. endpoint, VPN server)

Simplified Configuration FortiClient 4.3 MAC/OSX FortiClient 4.3 Windows FortiOS 4.0 MR3

Simplified User Interface

SSL Configuration
- Configuration has always been cleaner when compared to IPSec and the myriad of options
- Default port set at 10443, port 443 is more typically used for admin access; this can be changed
- As with IPSec the configuration file can be exported / imported
- Simplified web mode clients available for Android and iOS

SSL VPN Configuration and Usage

WAN Optimization
- Improving application performance
- Requires a suitably configured FortiGate
- Current support for CIFS, FTP, HTTP, MAPI and general TCP
- Byte caching always available
- Web caching requires a passive rule
- Protection features take precedence over optimization
- Dual VDOM approach can combine UTM and optimization

Two Step configuration!

FortiToken
- One Time Password Support, introduced with FortiOS 4.0 MR3
- Token entry based on pop up challenge or simply concatenate with password
- Seed distribution / registration via FortiGuard

FortiGate Authentication Server
- Used in case of single FortiGate unit deployed for VPN
- Authentication Server functionality built-in to FortiGate 4.3 and above at no additional cost
- No additional hardware or software to purchase and maintain and support
- Token management specific to instance of FortiGate Unit (or HA pair)
- Option to integrate with existing AD/LDAP directory
- Deploys in minutes
- Zero Maintenance
FortiToken provides Two-Factor Authentication natively with FortiGate for:
- FortiGate Web Admin
- Captive Web Portal
- IPSEC VPN
- SSL VPN

FortiAuthenticator: Key Areas of Functionality
- Direct User Authentication: RADIUS; LDAP Authentication; LDAP Directory Service; Two Factor Authentication (FortiToken, Certificates)
- Certificate Management Server: X.509 Certificate management server; PKCS#11 Certificate Token Management; Certificate Revocation
- Directory Synchronisation: Integrated Fortinet Single Sign On; Server Authentication Extension (FSAE) polling; Synchronises user authentication state between multiple domain controllers and FortiGate appliances

FortiAuthenticator Authentication Server
- Extends the FortiGate/Token two-factor authentication feature
- Compatible with FortiToken
- Full function stand-alone RADIUS/LDAP server
  - Authentication to VPN/Firewall/Switch / Router / Server
- Self-service Password reset portal
- x.509 Certificate Authority
  - Certificate based two factor authentication
  - Certificate revocation
FortiToken and FortiAuthenticator provide Two-Factor Authentication for:
- Multiple FortiGate devices
- Pre 4.3 FortiGate devices
- Fortinet product range
- Third-party switches, routers, VPN etc
- More users than supported by FortiGate

FortiClient Ordering SKUs and Pricing (Showing Select FortiGate Models)
Unlimited Clients Per FortiGate – One Time License

FortiGate Model | FortiClient SKU | US List Price
FortiGate-60C | FCC-00060-LIC | $101.15
FortiGate-80C | FCC-00080-LIC | $152.15
FortiGate-110C | FCC-00113-LIC | $339.15
FortiGate-200B | FCC-00202-LIC | $509.15
FortiGate-310B | FCC-00312-LIC | $1,019.15
FortiGate-620B | FCC-00620-LIC | $2,209.15
FortiGate-800 | FCC-00800-LIC | $1,189.15
FortiGate-1240B | FCC-01240-LIC | $3,399.15
FortiGate-3040B | FCC-03040-LIC | $6,799.15
FortiGate-3600 | FCC-03600-LIC | $5,099.15
FortiGate-3950B | FCC-03951-LIC | $13,599.15
FortiGate-5001A-DW | FCC-50011-LIC | $8,669.15
FortiGate-5005FA2 | FCC-05005-LIC | $10,369.15

FortiClient Premium Ordering SKUs and Pricing
2 and 3 Year Prices Also Available

Number of Clients | FortiClient SKU | US List Price (1 Year)
1 | FHS1-15-C1001-154-02-DD | $53.90
2-9 | FHS2-15-C1001-154-02-DD | $49.50
10-24 | FHS3-15-C1001-154-02-DD | $33.17
25-99 | FHS4-15-C1001-154-02-DD | $21.88
100-249 | FHS5-15-C1001-154-02-DD | $17.50
250-499 | FHS6-15-C1001-154-02-DD | $13.99
500-999 | FHS7-15-C1001-154-02-DD | $11.19
1000-2499 | FHT1-15-C1001-154-02-DD | $10.07
2500-4999 | FHT2-15-C1001-154-02-DD | $9.05
5000-9999 | FHT3-15-C1001-154-02-DD | $8.59
10000-24999 | FHT4-15-C1001-154-02-DD | $8.15
25000-49999 | FHT5-15-C1001-154-02-DD | $7.73
50000-99999 | FHT6-15-C1001-154-02-DD | $6.95
100000+ | FHT7-15-C1001-154-02-DD | $6.14

Thank You!