FortiClient Solutions Endpoint Security Anytime, Anywhere

Presentation on theme: "FortiClient Solutions Endpoint Security Anytime, Anywhere"— Presentation transcript:

1 FortiClient Solutions Endpoint Security Anytime, Anywhere
October, 2011 1.1 FortiClient Solutions Endpoint Security Anytime, Anywhere

2 Remote Access & Your IT strategy
The right connection for the right people Choice of VPNs: SSL for some, IPsec for others Choice of Features: Ability to retain 3rd party antimalware Meet regulatory and legal requirements Only devices meeting corporate policy are allowed to connect Improve network and application performance WAN Optimization for improved traffic efficiency

3 Fortinet Connected Network
FortiAnalyzer FortiAuthenticator FortiManager FortiAP FortiSwitch FortiGate FortiClient FortiRAP FortiGate As Control Point - Enforcing network security - Provisioning/Managing other devices

4 Remote Access Architecture
FortiGate FortiAuthenticator Server (Optional) FortiClient Premium w/IPSec VPN FortiManager (Optional) FortiGate FortiAnalyzer (Optional) X FortiToken Highlight range of solution Offer SSL or IPsec Ability to deny access to non-compliant devices Strong management and analysis tools Authentication solutions at head-end and at device level (FortiToken) FortiAuthenticator for simplified authentication over distributed FortiGates Android Client Non-Compliant Devices Can Be Denied Access FortiClient w/SSL VPN FortiGuard Services

5 Remote Access MSP/Cloud Architecture
FortiGate FortiClient Premium w/IPSec VPN FortiGate VM FortiManager VM FortiToken FortiAnalyzer VM FortiGate Android Client X FortiClient w/SSL VPN FortiGuard Services

6 The FortiClient Family
FortiClient Lite FortiClient SSL FortiClient Premium Windows OSX, Linux Mac Android Free to Use Included One time license per FortiGate Per Seat Antivirus SSL VPN IPSEC VPN Parental Control SSL VPN SSL VPN

7 FortiClient Features
- IPsec VPN: Simple client-to-site VPN policies for remote access.
- SSL VPN: Secure web-based access for remote users
- WAN Optimization: Accelerate application performance
- Endpoint Control: Lock down network access based on installed applications
- Two-Factor Authentication: Properly identify end users
* MacOS Client = IPsec VPN, SSL VPN and Two-Factor Authentication Only

8 FortiClient Premium Additional Features
Anti malware Centralized Management Web Filtering Firewall AntiSpam Detect and clean viruses, worms and other malicious software. Prevent unwanted Manage complex user and group policies Control accessible web content Deny unwanted connections

9 FortiClient Secure Connectivity Solution
Advantages Centralized Endpoint Enforcement All security scanning and enforcement performed by FortiGate No per seat licensing Unlimited FortiClient agents per FortiGate Support level inherited FortiClient support level inherited from associated FortiGate appliance Two Factor Authentication FortiToken, and SMS-based two factor authentication Choice of VPN: IPsec or SSL Provide right solution for range of end users Policy Compliance Denies access to devices running non-compliant applications Coexistence With Existing Antimalware Deployment No need to change existing end user solution SSL & IPsec VPN Two-Factor Authentication WAN Optimization Policy Compliance

10 FortiClient Premium Complete Endpoint Protection
Advantages Complete protection Full feature set Per seat licensing Protect Against Latest Threats FortiGuard subscription included Antimalware included No need for expense of additional client Web Filtering Control web access Centralized Management Provisioning, Configuration, Update Management Firewall AntiSpam Centralized Management Web Filtering SSL & IPsec VPN Antimalware WAN Optimization Policy Compliance Two-Factor Authentication

11 FortiClient Framework: FortiGate
Automated IPSec VPN Policy Server Two-factor Authentication Certificate Store Integration Client-to-Site WAN Optimization (Internal HDD) Minimize remote user download times Endpoint compliance awareness & enforcement Lock down network access based on organizational policy Check asset configuration including installed or running 3rd party application software Customize warning and blocked messages

12 FortiClient Framework: FortiGate/FortiAnalyzer
FortiManager FortiAnalyzer Centralized Policy Management Provisioning Configuration Update Management Role Based Administration User privileges defined by management domains Improved Performance Local hosting of security updates Minimize web filtering response time Required for FortiClient Premium IPSec VPN Activity Reporting Logged from the FortiGate Username, IP addresses and Duration Tracking Top Sources, Destinations and Peers Endpoint Compliance Logs Compliant and Non-compliant devices Can be used with built-in correlation to notify staff of non-compliant devices

13 Remote Access: Pain Points
Takes too long to embrace new trends. We need to reduce real estate costs. The auditors are coming next week. CxO IT Manager My IT budget was cut by 20%. Someone has a virus. Who’s doing what and where? Remote access solution has different problems that need solving…… IT Ops 200 more users this month?! Help desk calls are killing us.

14 Remote Access: Key Benefits & Features
CxO Improved policy compliance Scalability and reliability SSL Inspection Endpoint Control WAN Optimization Strong Authentication IT Manager Enforce policies on multiple levels (including encrypted traffic) - Cut bandwidth costs IT Ops Easily apply policies Enforce compliance Quickly provision users Minimize calls to help desk

15 Endpoint Security Challenges
Emily, a financial trader, installed Skype on her company laptop to talk with family. Bill works for a Fortune 100 company and shares company details on Facebook. What Are You Going to Do? Emily – application policy checking via FortiClient Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not Jill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance. Ed: Detect content with sensitive data Ed shared a company presentation via his personal Gmail account. Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.

16 Endpoint Security Challenges
Emily, a financial trader, installed Skype on her company laptop to talk with family. Bill works for a Fortune 100 company and shares company details on Facebook. Endpoint Control Identity-Based Policies Ed shared a company presentation via his personal Gmail account. Jill is at Starbucks and needs to communicate and be protected as if she was at HQ. Emily – application policy checking via FortiClient Bill: Identity-based policies + DLP, app control. Bill (the CFO) might be authorized to post to the Corporate Facebook page while others might not Jill: Setting up a VPN – with 2 factor authentication and WAN optimization for improved app performance. Ed: Detect content with sensitive data Data Leak Protection Two-Factor Authentication VPN Tunneling WAN Optimization

17 Endpoint Control
FortiGate Checks the Endpoint
- FortiClient installed and running?
- Antivirus configured and up to date?
Third Party Software
- Installed, or not?
- Running, or not?
Endpoint license is per FortiGate
- No per seat license requirement

- Create custom characteristic profiles to lock down network access based on organizational security endpoint compliance policies
- Profile can only be applied on the FortiGate at the firewall policy level as a sensor
- Endpoint Control can enforce access based on checking for
  - Installed/running instance of FortiClient (including minimum version)
  - Disabled critical FortiClient services (Firewall, Anti-Virus and/or Web Filtering)
  - Anti-Virus Signatures Out-of-Date
  - Installed and/or running 3rd party application software
  - Absence or non-use of specific 3rd party application software
- Temporary access can be granted to non-compliant endpoints
- Endpoint authentication checking is located under User Monitor Firewall
  - The username will be labeled as “forticlient_chk_only”
- Cannot be used with a FortiGate load balance VIP entry
- Can be configured with a FortiGate VPN
  - IPSec VPN (route-based), SSLVPN (tunnel mode)

18 Endpoint Application Database
FortiGate Endpoint Control Application Database Downloaded from FortiGuard Distinct from the Application Detection database More than 5000 applications in 37 categories Anti Malware, Proxy Avoidance, P2P, etc List of current applications sent by FortiClient to the FortiGate FortiGate Endpoint Policy Verified and Enforced FortiClient displays status / error / reason

19 Communication Flow
- FortiClient initiates a connection towards the FortiGate with a HTTP request to a special FQDN
- Request includes end point application list
- FortiGate performs policy check
  - Installed, running, not installed, not running
- Policy actions include block, allow, monitor, warn
Diagram labels: pingserver.fortinet.net, FCSYSRPLY, FCSYSREQ

20 No FortiGate Found
FortiClient 4.3 requires FortiOS 4.0 MR3
Solution: FortiGate needs to be upgraded and the relevant Endpoint policies enabled

21 Non-Compliant End Point Warning
Endpoint has been warned due to Firefox not being installed Solution: Install Firefox End user can click ‘Ignore warnings’

22 Non-Compliant End Point Banned
Endpoint has been banned due to FileZilla server application being installed Solution: Device conforms to endpoint control policy FortiGate Administrator provides a temporary exemption via the end point monitor option

23 IPSec Configuration
- Simplified configuration steps on both client and FortiGate
- Matching default proposals to minimize configuration steps
- Advanced configurations can be created by editing the client configuration file
- XML formatted clear text file can be exported / imported
- FortiGate configuration can be changed via UI once ‘Create FortiClient VPN’ wizard has been used
- Can be combined with endpoint control
- Previous Automated Policy Server configuration not supported by FortiClient 4.3

- This type of VPN is tunnel-mode only (policy-based or route-based)
- Included in the 32-bit/64-bit MSI distribution file for Windows-Based Systems
  - Windows 2000 (32-bit only), Windows XP, Windows Vista, Windows 7
  - Windows 2003 Server, Windows 2008 Server
- VPN access point configuration/management is manual on the endpoint
- VPN access server configuration/management is on the FortiGate
- Automated IPSec VPN Policy Server
- One directional firewall policy per interface combination (within FortiGate)
- Endpoint compliance policies can generate warnings or be enforced
- A pre-shared key or digital X.509 certificates can be used to authenticate the identities of the two VPN peers (i.e. endpoint, VPN server)

24 Simplified Configuration
FortiClient 4.3 MAC/OSX FortiClient 4.3 Windows FortiOS 4.0 MR3

25 Simplified User Interface

26 SSL Configuration
- Configuration has always been cleaner when compared to IPSec and the myriad of options
- Default port set at 10443, port 443 is more typically used for admin access – this can be changed
- As with IPSec the configuration file can be exported / imported
- Simplified web mode clients available for Android and iOS

27 SSL VPN Configuration and Usage

28 WAN Optimization Improving application performance
- Requires a suitably configured FortiGate
- Current support for CIFS, FTP, HTTP, MAPI and general TCP
- Byte caching always available
- Web caching requires a passive rule
- Protection features take precedence over optimization
- Dual VDOM approach can combine UTM and optimization

29 Two Step configuration!

30 FortiToken One Time Password Support, introduced with FortiOS 4.0 MR3
Token entry based on pop up challenge or simply concatenate with password Seed distribution / registration via FortiGuard

31 FortiGate Authentication Server
Used in case of single FortiGate unit deployed for VPN Authentication Server functionality built-in to FortiGate 4.3 and above at no additional cost No additional hardware or software to purchase and maintain and support Token management specific to instance of FortiGate Unit (or HA pair) Option to integrate with existing AD/LDAP directory Deploys in minutes Zero Maintenance FortiGate FortiToken provides Two-Factor Authentication natively with FortiGate for: FortiGate Web Admin Captive Web Portal IPSEC VPN SSL VPN

32 FortiAuthenticator: Key Areas of Functionality
Direct User Authentication Certificate Management Server Directory Synchronisation RADIUS LDAP Authentication LDAP Directory Service Two Factor Authentication FortiToken Certificates X.509 Certificate management server PKCS#11 Certificate Token Management Certificate Revocation Integrated Fortinet Single Sign On Server Authentication Extension (FSAE) polling Synchronises user authentication state between multiple domain controllers and FortiGate appliances

33 FortiAuthenticator Authentication Server
Extends the FortiGate/Token two-factor authentication feature Compatible with FortiToken Full function stand-alone RADIUS/LDAP server Authentication to VPN/Firewall/Switch / Router / Server Self-service Password reset portal x.509 Certificate Authority Certificate based two factor authentication Certificate revocation FortiToken and FortiAuthenticator provide Two-Factor Authentication for: Multiple FortiGate devices Pre 4.3 FortiGate devices Fortinet product range Third-party switches, routers, VPN etc More users than supported by FortiGate

34 FortiClient Ordering SKUs and Pricing Showing Select FortiGate Models
Unlimited Clients Per FortiGate – One Time License

FortiGate Model       FortiClient SKU    US List Price
FortiGate-60C         FCC LIC            $101.15
FortiGate-80C         FCC LIC            $152.15
FortiGate-110C        FCC LIC            $339.15
FortiGate-200B        FCC LIC            $509.15
FortiGate-310B        FCC LIC            $1,019.15
FortiGate-620B        FCC LIC            $2,209.15
FortiGate-800         FCC LIC            $1,189.15
FortiGate-1240B       FCC LIC            $3,399.15
FortiGate-3040B       FCC LIC            $6,799.15
FortiGate-3600        FCC LIC            $5,099.15
FortiGate-3950B       FCC LIC            $13,599.15
FortiGate-5001A-DW    FCC LIC            $8,669.15
FortiGate-5005FA2     FCC LIC            $10,369.15

35 FortiClient Premium Ordering SKUs and Pricing
Number of Clients    FortiClient SKU    US List Price (1 Year)
1                    FHS1-15-C DD       $53.90
2-9                  FHS2-15-C DD       $49.50
10-24                FHS3-15-C DD       $33.17
25-99                FHS4-15-C DD       $21.88
                     FHS5-15-C DD       $17.50
                     FHS6-15-C DD       $13.99
                     FHS7-15-C DD       $11.19
                     FHT1-15-C DD       $10.07
                     FHT2-15-C DD       $9.05
                     FHT3-15-C DD       $8.59
                     FHT4-15-C DD       $8.15
                     FHT5-15-C DD       $7.73
                     FHT6-15-C DD       $6.95
                     FHT7-15-C DD       $6.14

2 and 3 Year Prices Also Available

36 Thank You!

