[Charts: Worldwide Network Security Appliance Shipments (units, 200,000 to 500,000) and Worldwide Data Center Firewall Unit Share (10% to 30%), comparing Cisco, Cisco w/o Sourcefire, Check Point and Fortinet]
Fortinet Confidential 3
Advanced Threats – Perimeter Security Not Enough
• Nearly 50% of users open e-mails and click on phishing links within the first hour
• In 60% of cases, attackers are able to compromise an organization within minutes
• Typical duration from breach to cleanup: 6-7 months
From Detection to Containment: Micro-Segmentation
FortiGate-VMX with VMware NSX
Deterrents with Traditional Approaches
A Software-Defined Approach to Security for SDDC
• Security service delivery, agility, and speed
• Centralized policy management with distributed enforcement
• Interoperability between best-of-breed security and infrastructure without requiring backend integration by the customer
[Diagram: Physical & Virtual Security Appliances (FortiMail, FortiGate, FortiSandbox, FortiManager, FortiAnalyzer, FortiWeb, FortiADC) integrated with vSphere and NSX]
NSX Security
Distributed Firewall
NSX Platform Extensibility
NSX is the platform for adding additional security services:
1. Add Fortinet advanced security services to your micro-segmentation deployment for greater security
2. Apply the SDDC operational model to your advanced security products
3. Adapt to changing security conditions in the data center by enabling security solutions to share intelligence
Fortinet FortiGate-VMX
Purpose-built security solution with VMware NSX for SDDC
» VMware-validated for NSX interoperability
Full next-generation advanced-security solution in one platform
» Intrusion prevention
» Application control
» Antivirus
» URL filtering
» Anti-malware
Backed by FortiOS™ policy configuration and FortiGuard™ for real-time intelligence updates
Proven multi-tenant capabilities using virtual domains (VDOM)
» MSSP
» Large enterprises
NSX Makes Micro-segmentation Operationally Feasible
FortiGate-VMX can be leveraged for workload isolation, segmentation, and advanced security services
• Traffic will be redirected through the FortiGate-VMX based on applied policy
• Transparent service insertion and chaining
• Automatic scale-out protection based on workload security profile
[Diagram: workloads in security groups Group A, Group B and Group C, with traffic steered through FortiGate-VMX]
FortiGate-VMX – VMware Platform Prerequisites
VMware Components:
» vCenter Server Standard v5.5 Update 2 or later, v6.0
» vSphere Enterprise Plus license level v5.5 Update 2 or later, v6.0
» NSX Manager v6.1.3, v6.1.4
Third-Party Component:
» Web server
VMware Technologies:
» ESXi host cluster enabled with DRS
» Distributed Switch (management traffic can traverse legacy vSwitch)
» vSphere Web Client required for NSX Manager add-on
VMware Configurations:
» Agent VM Setting required to be set on each ESXi host in cluster (for larger environments; this can also be set during Service Deployment)
FortiGate-VMX Components
Fortinet Components:
» FortiGate-VMX Service Manager v5.4 – centralized manager and license repository
» FortiGate-VMX Security Node v5.4 – enforcement virtual appliance deployed on each ESXi host in cluster
Fortinet Configurations:
» No “real” maximum for the number of FortiGate-VMX Security Nodes that can be deployed/managed by a FortiGate-VMX Service Manager
» QA’d to hundreds of FortiGate-VMX Security Nodes
FortiGate-VMX Solution Interaction/Workflow
[Diagram: FortiGate-VMX Service Manager managing a security cluster of Security Nodes, one per ESXi host (VMware kernel), connected through the vDistributed Switch]
FortiGate-VMX and NSX Manager Setup
NSX Security Groups
Configuring NSX Dynamic Security Groups
» Log in to NSX Manager
» Home -> Networking & Security -> Service Composer -> Security Groups
» Security Group entities may consist of 14 options:
NSX Security Group Definition and Usage
Security Groups created on NSX Manager are automatically sent to the FortiGate-VMX and are available for policy creation.
[Screenshot: the Server SG security group as it appears on the FortiGate-VMX]
Policy Creation
Policy created based on Security Group
[Diagram: Distributed Virtual Switch with Internal and External interfaces]
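The workflow in the last three slides (dynamic security groups defined on NSX Manager, group membership resolved from VM attributes, firewall policy written against groups rather than addresses) as an added example; this is illustrative code, not Fortinet or VMware code. The group names (Web-SG, App-SG, DB-SG, Quarantine-SG), VM names, tags and services are constructed, and membership criteria are simplified to VM-name prefixes and security tags rather than the 14 NSX entity types the slide mentions. It shows the two properties the slides rely on: a newly deployed workload is covered by existing policy with no policy change, and re-tagging a VM into a quarantine group changes the verdict immediately because policy is evaluated against current membership.

```python
"""Model of NSX dynamic security groups driving group-based firewall policy.

Added example (not Fortinet or VMware code). Group and VM names, tags and
services are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset = frozenset()   # NSX security tags applied to the VM


@dataclass
class SecurityGroup:
    """Dynamic group: a VM is a member if it matches any criterion."""
    name: str
    name_prefixes: tuple = ()
    required_tags: tuple = ()

    def contains(self, vm: VM) -> bool:
        if any(vm.name.startswith(p) for p in self.name_prefixes):
            return True
        return any(t in vm.tags for t in self.required_tags)


@dataclass
class Policy:
    """Policy referencing groups, as a FortiGate-VMX policy references NSX
    security groups as source/destination. "any" matches every VM."""
    src_group: str
    dst_group: str
    service: str      # e.g. "tcp/8080" or "ALL"
    action: str       # "accept" or "deny"


class GroupPolicyEngine:
    def __init__(self, groups, policies):
        self.groups = {g.name: g for g in groups}
        self.policies = list(policies)

    def groups_of(self, vm: VM) -> set:
        """Membership is recomputed on every lookup, so a tag change or a
        new VM takes effect without touching the policy table."""
        return {n for n, g in self.groups.items() if g.contains(vm)}

    def evaluate(self, src: VM, dst: VM, service: str) -> str:
        """First matching policy wins; no match is an implicit deny."""
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        for p in self.policies:
            src_ok = p.src_group == "any" or p.src_group in src_groups
            dst_ok = p.dst_group == "any" or p.dst_group in dst_groups
            svc_ok = p.service == "ALL" or p.service == service
            if src_ok and dst_ok and svc_ok:
                return p.action
        return "deny"


def build_demo_engine() -> GroupPolicyEngine:
    groups = [
        SecurityGroup("Web-SG", name_prefixes=("web-",)),
        SecurityGroup("App-SG", name_prefixes=("app-",)),
        SecurityGroup("DB-SG", required_tags=("db",)),
        SecurityGroup("Quarantine-SG", required_tags=("quarantine",)),
    ]
    policies = [
        # Order matters: quarantine denies must sit above every accept rule.
        Policy("Quarantine-SG", "any", "ALL", "deny"),
        Policy("any", "Quarantine-SG", "ALL", "deny"),
        Policy("Web-SG", "App-SG", "tcp/8080", "accept"),
        Policy("App-SG", "DB-SG", "tcp/3306", "accept"),
    ]
    return GroupPolicyEngine(groups, policies)


def demo() -> dict:
    engine = build_demo_engine()
    web = VM("web-01", "10.0.1.10")
    app = VM("app-01", "10.0.2.10")
    db = VM("db-01", "10.0.3.10", frozenset({"db"}))
    results = {
        "web->app 8080": engine.evaluate(web, app, "tcp/8080"),
        "web->db 3306": engine.evaluate(web, db, "tcp/3306"),  # tier skip
        "app->db 3306": engine.evaluate(app, db, "tcp/3306"),
    }
    # Scale-out: a new app node is covered by existing policy unchanged.
    app2 = VM("app-02", "10.0.2.11")
    results["app-02->db 3306"] = engine.evaluate(app2, db, "tcp/3306")
    # Containment: tagging app-01 moves it into Quarantine-SG; traffic that
    # was accepted a moment ago is now denied by the ordered deny rule.
    quarantined = VM("app-01", "10.0.2.10", frozenset({"quarantine"}))
    results["quarantined app->db 3306"] = engine.evaluate(quarantined, db, "tcp/3306")
    return results


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28s} {verdict}")
```

The quarantine case is the part worth checking in a real deployment: a VM that matches both an accept rule (via App-SG) and a deny rule (via Quarantine-SG) gets whichever policy is ordered first, so the quarantine policy must be placed above the tier-to-tier accepts, and the NSX-side tag that feeds Quarantine-SG must be one the incident-response tooling is allowed to set.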
Demo - Configuration & Deployment
Benefit: Auto-Scale Protection for Elastic Workloads
Benefit: Internal Segmentation Firewall (ISFW)
Extend East-West Micro-Segmentation Across Data Center, Campus, and Cloud
[Diagram: NSX Manager with security groups SG1, SG2 and SG3; FortiGate-VMX Security Node and FortiGate Service Manager on the hypervisor in the private cloud (internal); external FortiGate acting as ISFW]
Advanced Use Cases
Patented Technology – Virtual Domains (VDOM)
• Versatile configuration and administration
• Each VDOM acts as an independent, logical FortiGate
• VDOMs can be defined across all FortiGate appliances (physical, virtual, and VMX editions)
• All FortiOS security and networking capabilities are encapsulated
• Common in telco and service provider data centers for managed services
[Diagram: VDOM 1, VDOM 2 and VDOM 3 on one FortiGate serving Customer A, Customer B and Customer C]
Utilizing Fortinet Virtual Domains (VDOMs) with VMware NSX
• Fortinet Patented Virtual Domain Technology
• Only Security Vendor to support complete network segmentation including Administrative Segmentation
[Diagram: NSX Manager; FortiGate-VMX Security Node and FortiGate Service Manager on the hypervisor; Web-tier VMs A1, B1 and C1, each isolated in its own VDOM]
Use Case: Tenant, Function Segmentation with VDOMs
• NSX VDOM (on by default): NGFW, IPS, URL Filtering, Antivirus, etc.
• Function-specific VDOMs: VDOM1: NGFW; VDOM 2: URL Filtering; VDOM 4: Antivirus; VDOM 5: Anti-spam
• Fortinet Patented Virtual Domain Technology
• Only Security Vendor to support Virtual Segmentation by Function for Security
[Diagram: traffic from Security Group A and Security Group B passing through the function-specific VDOMs]
Demo – Advanced VDOM Use Case Configuration
[Screenshot: Security Policies for sales-VDOM, with columns Source, Destination and Security Profiles; a policy from Any to Common-SG with AV, SSL, WEB, IPS and PRX profiles applied]
About Fortinet
FortiGate
Scalable Network Security Platform from Branch, to Data Center, to Cloud
[Chart: FortiGate product range positioned by personality, performance and scalability. Entry Level: 30-90 Series and 100-200 Series (UTM); Mid-Range: 300-900 Series and 1000 Series (NGFW, NGIPS, ISFW); High-End: 3000 Series and 5000 Series (DCFW/CCFW, CFW); Virtual Appliances: VM Series (VMFW). Hardware platforms range from SoC to multi-core CPU with NP and CP processors]
NSS Labs Validated Performance and Protection
Fortinet Consistently “Recommended” for Performance, Security Effectiveness, TCO
NGFW chart: X-axis = TCO per protected Mbps (“Value”), Y-axis = Security Effectiveness
Upper right quadrant = “Recommended”; lower left quadrant = “Caution”; other quadrants “Neutral”
[Charts: NSS Labs NGFW, Breach Detection and Next Generation IPS value maps, Fortinet plotted against Competitor A, Competitor B and Competitor C]
The Fortinet + VMware Advantage
• Improved performance sitting between hypervisor and workload
• Faster deployment through NSX automation
Where to get started
Where to start projects? A tangible place to get the most bang per buck.
The things you need to do…