FORTINET SECURITY FABRIC

© Copyright Fortinet Inc. All rights reserved.

 Fortinet Overview
REVENUE 2016 UNITS SHIPPED EMPLOYEES PATENTS

$1.3B 3 Million 4,650 385

Units 2016 CUSTOMERS OFFICES CASH 2016

20%+ 300,000 100 $1.3B

Based on Q4 2016 Financials

2
Fortinet Shipped 25% of All Network Security Appliance’s in Q2 2016
Leader in Unit Shipments

160,000+ units

25%

20%

15% % of

10%

5%

0%
2009 2010 2011 2012 2013 2014 2015 Q2 2016
Cisco Fortinet

3
 70 % of Fortinet Shipments are to Enterprise or Service
Provider

Enterprise Campus
Data Center Small Business
Service Provider (Entry Level FortiGate’s)
(High End FortiGate’s)

41% 30%

29%

Small Enterprise
Based on Q4 2016 Financials
(Mid Range FortiGate’s)

4
The New Era of Hyperconnectivity

 Routers, switches,  Rise of mobility, cloud, IoT

traditional endpoints  Distributed applications, content,
 Centralized point-to-point users, devices
connectivity  Exponential data growth

5
Value of Data Requires a Whole New Approach to Security
NETWORK SECURITY EVOLUTION GENERATION 1

1995-2005 Connection
SOFTWARE
Stateful Firewall

6
Value of Data Requires a Whole New Approach to Security
NETWORK SECURITY EVOLUTION GENERATION 2

2005-2015 Content
SOFTWARE
NGFW/UTM

SECURITY PROCESSORS

7
Value of Data Requires a Whole New Approach to Security
NETWORK SECURITY EVOLUTION GENERATION 3

2015+ Borderless
SOFTWARE
Fabric Cloud Security

Infrastructure
Application Security

SECURITY PROCESSORS
Network Security

Access Security

FABRIC INFRASTRUCTURE
Client/IoT Security

8
 These Threats Have Moved Beyond The Application,
Content and User Level
Machine to
Fabric Generation 3
Machine Attacks
INFRASTRUCTURE
Advanced Advanced Threat
Targeted Attacks Protection
Performance Degradation

Malicious
Application Control
Apps

Malicious
Web Filter
Sites

Spam
Generation 2
Anti-spam
Botnets CONTENT
Viruses
Antivirus
& Spyware

Intrusion Layer 5-7:

IPS
& Worms Content & Application

Layer 3-4:
Firewall/VPN
Connection

Hardware Theft
Layer 1-2:
Lock & Key
Generation 1
Physical
CONNECTION

1980s Today

9
NSS Cyber Advanced Warning System
Validate your Security Product !
CAWS Alerts

11
12
NGFW Default (6 months)

13
NGFW Default +web reputation(6 months)

14
NGIPS Default (6 months)

15
 Advanced
Threat
Intelligence NOC/SOC

BROAD
POWERFUL
Client Cloud
AUTOMATED

Network

Access Application

Partner API

16
 Broad – The Fabric Gives You Complete Visibility, Coverage
and Flexibility Across The Entire Dynamic Attack Surface

Visibility Coverage Flexible/Open

Cloud Security

Application Security

Network Security

Access Security

Client/IoT Security

17
18
Broad – The Fabric Allows Flexible, Open Integration
of Other Security Partners

19
 Powerful – Increasing Performance Reduces The
Burden on Infrastructure

Security Processors Parallel Path Comprehensive

(SPU’s) Processing Range

Accelerates 1 Tbps
Network Traffic
High End

Accelerates
Content Inspection
Mid Range

Optimized
Performance for Entry
Entry Level Level

20
 Powerful – The Fastest Network Security Appliance’s
on the market

FortiGate 3980E > 1Tbps FW FortiGate 7060E > 100bps NGFW

More Less Less Less

Performance Latency Space Power

21
 Automated to Provide a Fast, Coordinated Response
to Threats

Global & Local Audit & Recommend Coordinated

Known Threats Demo_ISFW-Sales

FortiGuard
FP320C3X15002440
Demo_ISFW-Finance
ISFW-PRI 2.62 GB

Unknown Threats Demo_ISFW-ENG

FortiSandbox

22
Automated Security Audit and Recommendations

23
Improved Control

Security Fabric Audit

 Audits FortiGate configurations and device status detected in the fabric
» Report classifies severity to each issues and can be printed
 Provides recommendations to better secure the network
» In some instances, recommended config can be easily/accurately be implemented with
‘one-click’

24
Expanded Visibility

Aggregated Data
 Available on upstream FortiGate in the Security Fabric
» Display consolidated info gathered from all participating downstream FortiGates
 Upstream FortiGate is able to end session or quarantine endpoints belonging to
downstream FortiGates
» By send instructions to downstream FortiGates

25
 Security Fabric Score
The Security Fabric Score widget has been added to the
FortiGate Dashboard to give visibility into auditing trends. This
widget uses information from the Security Fabric Audit to
determine your score. Score can be positive or negative, with a
higher score representing a more secure network.

26
Intent-based Network Security, Powered by Fabric
AUTOMATICALLY TRANSLATE BUSINESS NEEDS TO
INFRASTRUCTURE POLICIES

Business Language Fabric Translation Apply to Fabric

“Add This Mobile Phone “Convert into Policies,

to This Application Ports, Connections…”
Securely”

27
THE FORTINET SECURITY FABRIC
REALIZED
FORTINET SECURITY FABRIC

Sandbox
DATA CENTER/PRIVATE CLOUD
Endpoint
Secure Access NGFW
Protection
Point

Virtual
Top-of-Rack Firewall

Switching SDN, Virtual Database

Firewall Protection
Internal Internal
Segmentation Segmentation FW
FW Web Servers Application
Delivery
Controller
IP Video
Web Application
Security
Firewall

Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server

DCFW/
NGFW
Distributed Ent FW
Email
Security
Client Devices
Internal
Client Devices LTE Extension Segmentation
FW

DDoS Protection FortiCloud

Sandbox

BRANCH
OFFICE
OPERATIONS CENTER

29
FORTINET SECURITY FABRIC
ENTERPRISE
FIREWALL

Sandbox
DATA CENTER/PRIVATE CLOUD
Endpoint FortiGate
Secure Access
Protection NGFW
Point

Virtual
Top-of-Rack Firewall

Switching SDN, Virtual Database

Firewall Protection
FortiGate Internal FortiGate Internal
Segmentation FW Segmentation FW
Web Servers Application
Delivery
Controller
IP Video
Web Application
Security
Firewall

FortiGate Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server

FortiGate
DCFW/
FortiGate/FortiWiFi NGFW
Distributed Ent FW Email
Security
Client Devices
FortiGate Internal
Client Devices LTE Extension Segmentation FW

FortiAnalyzer
DDoS Protection FortiCloud

Sandbox

FortiManager
BRANCH FortiSIEM
OFFICE
OPERATIONS CENTER

30
FORTINET SECURITY FABRIC
CLOUD SECURITY ENTERPRISE
FIREWALL

Sandbox
DATA CENTER/PRIVATE CLOUD
Endpoint FortiGate
Secure Access
Protection NGFW
Point

Fortinet
Top-of-Rack Virtual Firewall

Switching FortiGate VMX Database

SDN, Virtual Protection
FortiGate Internal FortiGate Internal Firewall
Segmentation FW Segmentation FW
Web Servers Application
Delivery
Controller
IP Video
Web Application
Security
Firewall

FortiGate Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server

FortiGate
DCFW/
FortiGate/FortiWiFi NGFW
Distributed Ent FW Email
Security
Client Devices
FortiGate Internal
Client Devices LTE Extension Segmentation FW

FortiAnalyzer
DDoS Protection FortiCloud

Sandbox

FortiManager
BRANCH FortiSIEM
OFFICE
OPERATIONS CENTER

31
FORTINET SECURITY FABRIC
ADVANCED THREAT CLOUD SECURITY ENTERPRISE
PROTECTION FIREWALL

FortiSandbox

DATA CENTER/PRIVATE CLOUD

FortiClient FortiGate
Secure Access
NGFW
Point

Fortinet
Top-of-Rack Virtual Firewall

Switching FortiGate VMX Database

SDN, Virtual Protection
FortiGate Internal FortiGate Internal Firewall
Segmentation FW Segmentation FW
Web Servers Application
Delivery
Controller
FortiWeb
IP Video
Web Application
Security
Firewall

FortiGate Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server
FortiCloud Sandboxing
FortiGate
DCFW/
FortiGate/FortiWiFi NGFW
Distributed Ent FW FortiMail
FortiClient Email Security
FortiGate Internal
FortiClient LTE Extension Segmentation FW

FortiAnalyzer
DDoS Protection FortiCloud

FortiSandbox

FortiManager
BRANCH FortiSIEM
OFFICE
OPERATIONS CENTER

32
FORTINET SECURITY FABRIC
APPLICATION ADVANCED THREAT CLOUD SECURITY ENTERPRISE
SECURITY PROTECTION FIREWALL

FortiSandbox

DATA CENTER/PRIVATE CLOUD

FortiClient FortiGate
Secure Access
NGFW
Point

Fortinet
Top-of-Rack Virtual Firewall

Switching FortiGate VMX FortiDB

SDN, Virtual Database
FortiGate Internal FortiGate Internal Firewall Protection
Segmentation FW Segmentation FW FortiADC
Web Servers Application
Delivery
Controller
FortiWeb
IP Video
Web Application
Security
Firewall

FortiGate Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server
FortiCloud Sandboxing
FortiGate
DCFW/
FortiGate/FortiWiFi NGFW
Distributed Ent FW FortiMail
FortiClient Email Security
FortiGate Internal
FortiClient LTE Extension Segmentation FW

FortiAnalyzer
FortiDDoS Protection FortiCloud

FortiSandbox

FortiManager
BRANCH FortiSIEM
OFFICE
OPERATIONS CENTER

33
FORTINET SECURITY FABRIC
SECURE ACCESS APPLICATION ADVANCED THREAT CLOUD SECURITY ENTERPRISE
SECURITY PROTECTION FIREWALL

FortiSandbox

DATA CENTER/PRIVATE CLOUD

FortiClient FortiGate
Secure Access
NGFW
Point

Fortinet
Top-of-Rack Virtual Firewall

FortiSwitch FortiGate VMX FortiDB

Switching SDN, Virtual Database
FortiGate Internal FortiGate Internal Firewall Protection
Segmentation FW Segmentation FW FortiADC
Web Servers Application
Delivery
Controller
FortiWeb
IP Video
Web Application
Security
Firewall
FortiSwitch
Switching FortiGate Internal
PUBLIC CLOUD
CAMPUS Segmentation FW Email
Server
FortiCloud AP Management

FortiCloud Sandboxing
FortiGate
DCFW/
FortiGate/FortiWiFi NGFW
Distributed Ent FW FortiMail
FortiClient Email Security
FortiGate Internal
FortiClient FortiExtender Segmentation FW
LTE Extension
FortiAnalyzer
FortiDDoS Protection FortiCloud

FortiSandbox

FortiManager
BRANCH FortiSIEM
OFFICE
OPERATIONS CENTER

34
 Security Fabric Secured by FortiGuard

Firewall

VPN

Application Control

IPS

NEW App Control Antivirus Anti-spam Web Filtering

Anti-malware

WAN Acceleration

Mobile IPS Web App Database Data Leakage Protection

Security
Wi-Fi Controller

Advanced Threat Protection

Web Vulnerability IP
Filtering Management Reputation

35
How to Reduce Costs and Complexity in
Distributed Enterprise Environments with SD-WAN

© Copyright Fortinet Inc. All rights reserved.

Trends in Enterprises – Key Drivers for WAN Transormation

SaaS Applications
On average, companies have
30+ applications running via the
Cloud
Increasing Cyber-Threats
Increasing malwares and botnets per
organizations – Fortinet Thrat Landscape
Business Traffic Report
Growing 30% every year

Mobile IoT SSL Traffic Growth

35B devices, mostly
No control of endpoints headless attaching 50% of total traffic is
to the network encrypted
(BYOD)

37
 I hate my WAN : SD-WAN to the Rescue

Traditional WAN Architecture has become suboptimal

Enterprise WANs are mired in complexity and cost

Improve performance for all applications including cloud

Secure connectivity with the ability to integrate networking

By the end of 2019, 30% of enterprises will use SD-WAN technology in all
their branches, up from less than 1 % today - Gartner

38
Fortinet – SD-WAN Deployment Models
FortiGate Enterprise Firewall FortiHypervisor Eco-System

Fortinet 3rd Party 3rd Party

VNF VNF VNF

FortiHypervisor

FortiGate
 #1 Market share in distributed enterprise
 SPU acceleration for high performance
 Consolidated networking and security
 Expanded SD-WAN as part of FOS 5.6
FortiHypervisor
 FortiGate SPU with KVM Hypervisor
 FortiGate VM for security and SSL
 Supports fabric ready SD-WAN partners

39
FortiGate Enterprise Firewall
SD-WAN Deployment Summary
Accelerated Entry/Mid-range FortiGate Enable
Secured SD-WAN at Branch and Campus
FortiGate 30 – 90 Series FortiGate 100 – 900 Series

Content
System Processor
on a Chip CPU
Network
Processor

FortiGate 80E Series with High IPsec VPN and SSL Performance FortiGate 100E & 200E Series with High Threat Protection and SSL Performance

Entry-level FortiGate Optimized for Mid-range FortiGate Optimized for NGFW

Branch Office & SD-WAN at the Campus

41
 SD-WAN Requirements - Multiple Links and VPN

 Support for various Transport types – Flexibility Hybrid Cloud Data Center

 Support for Industry’s most secure Encryption Algorithms – Security HQ/Datacenter

 Industry’s best IPSec Throughput – Powerful

Public Cloud

SaaS

Distributed Edge/Branch Office

42
 SDWAN Requirements – Effective WAN Utilization
 Supports various link path controller algorithms for effective WAN utilization
 Dynamic Cloud Application Database for Cloud applications

Public Cloud

SDWAN Virtual Link

SaaS

HQ/Datacenter

Distributed Edge/Branch Office

43
 SDWAN Requirements – Link Quality Measurement
 Dynamic Routing based on Link quality measurements
 Maintain High availability of Business critical applications
 Best effort for low priority applications through low cost links Public Cloud

SDWAN Virtual Link

SaaS

Latency = 25 ms
Jitter = 1 ms
Packet Loss = 0 %
BW = 200 Mbps HQ/Datacenter

Distributed Edge/Branch Office

44
Deep Application Visibility for non-encrypted and SSL traffic
 Deep Application Visibility for maintaining High SLA for Critical Applications
 SSL Inspection for Visibility into Encrypted Applications
Public Cloud

SDWAN Virtual Link

Over 3000 Supported Applications

Supports Mandated SSL Ciphers

SaaS

HQ/Datacenter

Distributed Edge/Branch Office

45
 SDWAN Requirements – QoS/Priority for Voice Traffic
 DSCP Support for SIP and low latency Applications
 Smart Routing and quick failover to provide high SLA
 No Call Drop Failover for over 20000 simultaneous SIP Calls Public Cloud

SDWAN Virtual Link

SaaS

HQ/Datacenter

Distributed Edge/Branch Office

46
Topology Visibility and Link Utilization

Physical Logical Now 5M 1H 24H 7D

Public Cloud
Sandbox Analytics

500MB

AWSFW.1
Internet

NGFW.1 ISFW.1 Switch.1

50MB

Switch.2 300MB
ACI.1 ISFW.2

Private Cloud

New Devices and Link Utilizations New Historic Trending

New Aggregate FortiGate View New Downstream Device Quarantine

47
Centralized Management for SD-WAN is Critical

security events Management Unified policies

ad-hoc analytics
device settings
console alerts

co-relation engine SD-WAN Devices firmware updates

49
Expanded Visibility

Topology Views  Improved endpoint contextual info

 New visual elements added  Ability to remote login to downstream FortiGates
» FortiGates in HA setup  Adds ‘Threat’ and ‘Vulnerability’ filters
» FortiAPs  Search bar
» Fabric components

50
Expanded Visibility

Endpoint Vulnerability View

 Endpoints covered in the Security Fabric are ranked by their FortiClient
Vulnerability score
» Visible on ‘Endpoint Vulnerability’ and Topology views
» Score is calculated using weights on severity
» Supports drill-in for details

51
Secure Access Enhancements

Switch Controller
 FortiSwitch firmware upgrade
 Web Interface support
» user-port Link Aggregation Groups
» configure DHCP blocking, STP and Loop Guard on Managed FortiSwitch ports
 IGMP Snooping config
 Adding preauthorized FortiSwitches

52
Secure Access Enhancements

Host Quarantine with FortiSwitch

 Contain problematic host at port level
 Ability to manually quarantine host at FortiSwitch to a quarantine VLAN
» By MAC address, implement across all FSWs

53
Secure Access Enhancements

FortiSwitch Security Policies

 Ability to select policies per port
» Allow multiple 8021x security policies
created
» Move 802.1 x control from VLAN to port
 Support for client-less devices via mac-
auth-bypass/EAP pass-through
 Configure specific timeouts
 Guest-VLAN configuration

54
 Integrated Advanced Threat Protection for Network, Email, Web
and Endpoint
• Integrated with FortiGate, FortiMail,
FortiSandbox FortiWeb and FortiClient and non-Fortinet
Advanced Threat Detection security components to cover the entire
attack surface
Firewall SEG WAF EPP • Automated response of new unknown
threats via intelligence sharing
• Top rated based on independent 3rd party
tests to address the latest, sophisticated
threats
Automate the identification and response to ransomware,
Advanced phishing, and targeted attacks that can result in
Threat downtime, breaches, regulatory penalties and more,
Protection across network, mail, web and endpoint.
Appliance Virtual Cloud

FortiSandbox
55
Fabric Integrated FortiSandbox Deployment

• Antivirus
• IP Reputation/Botnet
• Web Filter
• Emerging Threats

FortiGuard

56
FortiManager – Single Pane Of Glass
Key Features
1. Enterprise Class Management

FortiManager
• Clean, modern look & feel
• Similar navigation to FortiGate
• Fewer clicks = faster enforcement

2. Full Control of Your Network

• End to End Fortinet devices supported
• Single pane of glass for extended enterprise
• Consolidated devices = easier to manage

3. Integrated VPN GUI

• VPN Manager
For more Selectorcheck FUSE or the P&S archives
information,
• Coming up : Map based VPN connections

57
Network Security Expert (NSE) Program

Step Level Objective

NSE 1 Develop a foundational understanding of network security concepts.

Sales and
Develop the knowledge and skills necessary to sell key Fortinet Business
NSE 2
solutions. (For Fortinet employees and partners only) Personnel
NSE 3 Develop the knowledge and skills to sell Fortinet products. (For
Sales Associate Fortinet employees and partners only)

NSE 4 Develop the knowledge and skills to configure and maintain a

Professional FortiGate Enterprise Firewall.
NSE 5 Develop a detailed understanding of how to implement network
Analyst security management and analytics.
4 Technical
NSE 6 Develop an understanding of enhanced security technologies
Specialist beyond the firewall. Personnel
NSE 7
Demonstrate a deep understanding of the key Fortinet Solutions
Architect
NSE 8 Demonstrate the ability to design, configure, install and troubleshoot
Expert a comprehensive network security solution in a live environment.

58
There are no Limits to our Opportunity

BROAD
POWERFUL
AUTOMATED

59