
FortiGate Antivirus Firewall Overview

2 Fortinet Technologies Network Security
Network security can be viewed from three perspectives:
- controlling access to the inside of the network from outside the network
- controlling access to the outside of the network from inside the network
- controlling access between networks

3 Fortinet Technologies The Nature of the Threat Has Evolved…

4 Fortinet Technologies Fueling an Explosion of Point “Solutions”

5 Fortinet Technologies FortiGate Antivirus Firewall
Network-level Services
- Firewall
- Intrusion prevention and detection
- VPN
- Traffic shaping
Application-level Services
- Firewall
- Intrusion prevention and detection
- Virus protection
- Content filtering for web connections and

6 Fortinet Technologies Secure Installation, Configuration, and Management
Secure management of your FortiGate unit can be assured in a number of ways:
- IP/MAC binding
- HTTPS for browser connections
- SSH for command line connections (up to a maximum of 5 connections)
- individual management accounts
- separate user names and passwords
- read-only
- write-only

7 Fortinet Technologies Web-based Manager
- HTTP or HTTPS
- Web browser
- Windows
- Mac
- Linux
- Configure and monitor a FortiGate unit
- Configuration changes effective immediately
- Download, save, and restore configurations

8 Fortinet Technologies Command Line Interface
- Serial port
  - RS232
- Network
  - Telnet
  - SSH
- Same configuration capabilities as the web-based manager
- Advanced configuration capabilities

9 Fortinet Technologies Firewall
- set of related programs located at a network gateway server
- protects the resources of a private network from users on other networks

10 Fortinet Technologies NAT/Route and Transparent Modes
NAT/Route mode
- the FortiGate unit is visible to the network
- all interfaces are on different subnets
- policies control communications through the unit
- the FortiGate unit acts as a gateway between private and public networks
Transparent mode
- the FortiGate unit is invisible to the network
- policies control communications through the unit

11 Fortinet Technologies NAT/Route Mode Hide your internal addressing scheme behind a firewall

12 Fortinet Technologies Transparent Mode
The firewall acts as a bridge and requires an IP address for management and updates.
The FortiGate unit is invisible to the network.

13 Fortinet Technologies Firewall Problem!

14 Fortinet Technologies Antivirus Protection
Antivirus protection falls under two categories:
- host-based
  - a class of program that searches your hard drive or floppy disks for any known or potential viruses
- network-based
  - resides on a server and has certain traffic at the gateway directed to it for antivirus scanning
Your FortiGate antivirus firewall identifies and blocks viruses at the network’s edge.

15 Fortinet Technologies Web Content Filtering
Control network usage by blocking access to
- categories of web sites (URL, FortiGuard)
- particular web sites (URL)
- any page that contains banned words or phrases
Systems are policy-based
- can associate a user or group of users with a list of prohibited URLs
- can block by time of day, keeping working hours more productive
Script filter to block Java Applets, cookies, and ActiveX

16 Fortinet Technologies Spam Filtering
- Scans IMAP, POP3, and SMTP content
- Blocks
  - IP addresses
  - addresses
  - MIME headers
  - Banned words and phrases
- Checks RBL and ORDBL
  - SMTP, POP3, IMAP
- Exempt lists to override block lists

17 Fortinet Technologies Intrusion Prevention System (IPS)
- real-time network intrusion detection sensor
- attack signatures block more than 1400 attacks
- user-defined signatures
- configurable thresholds
- policy-based

18 Fortinet Technologies Static Routing
- Configure routing to add static routes to control the destination of traffic exiting the FortiGate unit
- Configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses

19 Fortinet Technologies Policy Routing
Policy routing extends the functions of destination routing by routing traffic based on:
- destination address
- source address
- protocol, service type, or port range
- incoming interface
- IP address
Routing table independent

20 Fortinet Technologies Routing Information Protocol (RIP)
- distance-vector routing protocol
- FortiGate implementation supports both RIP v1 (RFC 1058) and RIP v2 (RFC 2453)
- RIP
  - uses hop count as its routing metric where each network is usually counted as one hop
  - network diameter is limited to 15 hops
- RIP v2
  - enables RIP messages to carry more information
  - supports simple authentication and subnet masks

21 Fortinet Technologies VLANs
- Highly flexible, efficient network segmentation
- Supported on models 60 and higher
- IEEE 802.1Q
- Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
- A single FortiGate unit can provide security services and control connections between multiple security domains
- NAT/Route and Transparent modes

22 Fortinet Technologies Virtual Domains
- ease of management
- lower costs – one system with multiple firewalls
- each virtual domain functions like a single FortiGate unit
- exclusive firewall and routing services to multiple networks
- traffic from each network is effectively separated from every other network
- packets never cross virtual domain borders
- NAT/Route and Transparent modes

23 Fortinet Technologies Virtual Private Networks (VPN)
- a private data network that uses the public telecommunication infrastructure
- maintains privacy through the use of a tunneling protocol and security procedures

24 Fortinet Technologies VPN
The FortiGate unit supports the following types of VPN:
- PPTP and L2TP
- IPSec
- NAT traversal
- DPD
- IPSec redundancy
- site-to-site tunnels
- Hub and spoke topology
- DHCP over IPSec

25 Fortinet Technologies High Availability
- provides fail-over between two or more FortiGate units
- provides fail-over between links
- achieved using redundant hardware
- matching FortiGate models running in NAT/Route mode
- FortiGate units can be configured for either active-passive (A-P) or active-active (A-A)
- supported on FortiGate models 60 and higher

26 Fortinet Technologies Logging and Reporting
The FortiGate unit supports logging for various categories of traffic and configuration changes.
You can configure logging to report:
- traffic that connects to the firewall
- network services used
- traffic that was permitted by firewall policies
- traffic that was denied by firewall policies
- events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking
- attacks detected by the IPS
- virus incidents, intrusions, and firewall or VPN events or violations to system administrators using alert

27 Fortinet Technologies Updates and Support
- antivirus and anomaly definitions are updated regularly
- your FortiGate unit can be configured to:
  - accept push updates from the FortiResponse Distribution Network (FDN)
  - check the FDN regularly for updates following a schedule

28 Fortinet Technologies FortiProtect Bulletins
- ed whenever updates are made to the antivirus or IPS databases
- specifies the latest release numbers so you can confirm your FortiGate unit is up to date
- distributed free of charge
- sign up at

29 Fortinet Technologies Online Help
- Online help is available through the web-based manager screens
- Access help through:
  - contents
  - index
  - search

30 Fortinet Technologies Documentation
In addition to online help, Fortinet offers a number of publications to assist you in maximizing the effectiveness of your FortiGate unit.
Most of these publications are on the CD accompanying your FortiGate unit.