
What's New in FortiOS 6.2 / SD-WAN

Eduardo Louback / Kleython Kell


Agenda
• What's New in FortiOS 6.2
• SD-WAN
• Coffee Break (10:30)
• Labs
• Lunch (12:30)
• SD-Branch: Secure Your Access Edge with FortiSwitch, FortiAP, and FortiLink
• Labs
• Coffee Break (16:00)
• Raffle
Who?

• Name:
• Organization:
• Role:
• Fortinet solutions:
What's New in FortiOS 6.2
Objectives

• Introduction: Solving Key Challenges
• Evolution of the Fabric
  • Secure SD-WAN
  • Multi-Cloud
  • Fabric Expansion
  • Open Ecosystem
  • AI-Driven Security
Introduction
Solving Key Challenges
Key Customer Challenges
DIGITAL ATTACK SURFACE EXPANDING
• Dissolving perimeters
• Complexities of securing hybrid and multi-cloud environments as workloads migrate to the cloud
• IoT devices continue to grow

ADVANCED THREATS
• Focusing on malware and breaches in isolation is not enough.

COMPLEXITY SLOWS DOWN OPERATIONS
• Too many tools and not enough resources.
• M&A and contractor access happens.
• Compliance is a MUST
Fortinet Solves Key Customer Challenges
BROAD visibility of the entire digital attack surface
• We cover the entire digital attack surface with our extensive product range
• We also partner closely with some 70+ other Alliance Partners (open ecosystem)
• Manage and secure access and data through Intent-based Segmentation

INTEGRATED AI-driven breach prevention
• Security-driven Networking powered by the industry's only Security Processor (SPU), which runs networking and security ultra-fast and without compromise
• FortiGuard-delivered prevention (certified technologies, intelligence, etc.)
• Breach detection using leading-edge technologies integrated directly into the Security Fabric

AUTOMATED operations, orchestration and response
• Holistic Security Fabric and single pane of glass simplify operations and compliance, and enable faster decision and response
• Continuous compliance & risk assessment
• Automated workflow response and end-to-end orchestration
Fortinet Security Fabric

[Diagram: Network Security at the center, surrounded by Network Operations, Security Operations, Multi-Cloud Security, Open Ecosystem (Fabric APIs, Fabric Connectors), Endpoint/Device Protection, Secure Access and Application Security. The three pillars: BROAD visibility of the entire digital attack surface; INTEGRATED AI-driven breach prevention across devices, networks, and applications; AUTOMATED operations, orchestration, and response.]
Security Fabric Product Portfolio

• Network Security: FortiGate
• Network Operations: FortiManager
• Security Operations: FortiAnalyzer, FortiSandbox, FortiSIEM
• Multi-Cloud Security: FortiGate VM, FortiCASB
• Secure Access: FortiAP, FortiSwitch
• Endpoint/Device Protection: FortiClient, FortiNAC, FortiToken
• Application Security: FortiMail, FortiWeb, FortiADC
Introducing FortiOS 6.2 – 300 New features
Continued Evolution of The Security Fabric

1. Secure SD-WAN: New Cloud Based Orchestration and Enhanced Routing Capabilities
2. Multi-Cloud: New and Enhanced Cloud Integrations and Metering
3. Fabric Expansion: New Fabric elements FortiADC, FortiToken, FortiCASB, FortiDDoS, FortiNAC and VDOM
4. Open Ecosystem: New and Enhanced Cloud, SDN and NAC Connectors
5. AI-driven Security: New Machine Learning and comprehensive intelligence for leading protection
6. Automation & Orchestration: New Triggers and Actions for the Automation Engine. Enhanced Security Ratings
Secure SD-WAN
Evolution of the Fabric

Secure SD-WAN
Forward Error Correction
Forward Error Correction - FEC

• What it does:
  • Allows for dynamic remediation of packet loss or erroneous data caused by adverse WAN conditions

• How it does it:
  • The sending FortiGate buffers the traffic, then generates and sends redundant packets along with the original payload through a VPN tunnel
  • The receiving FortiGate buffers the incoming packets and performs redundancy calculations on the traffic (payload + redundant packets) to verify the integrity of the original payload, recovering from packet loss or transmission errors

• Use Cases:
  • FEC can be used to increase the reliability of WAN traffic sent through an overlay VPN tunnel established over a broadband Internet link
  • It can also be used to increase the Quality of Experience (QoE) of voice or video traffic that is pinned to specific overlay tunnels
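The recovery step described above, as an added example that is not Fortinet's code: a toy block FEC in which the sender appends one XOR-parity packet per block and the receiver rebuilds a single lost packet from the survivors. The block size, the frame layout and the use of XOR parity are assumptions; FortiGate's actual FEC scheme is not described on this page.

```python
from typing import Optional

# Toy packet-level FEC added to illustrate the slide; the XOR-parity model,
# block size and frame layout are assumptions, not FortiGate's scheme.
BLOCK = 4  # base packets per block; mirrors A, B, C, D on the slide

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encode_block(payloads: list[bytes]) -> list[tuple[int, bytes]]:
    """Sender side: buffer a block, return (seq, frame) pairs where seq 0..n-1
    are the original packets and seq n is one redundant XOR-parity packet.
    Frames carry a 2-byte length header and are padded to equal width so the
    XOR lines up; the header is XORed too, so a rebuilt frame knows its length."""
    assert 0 < len(payloads) <= BLOCK
    width = max(len(p) for p in payloads)
    frames = [len(p).to_bytes(2, "big") + p.ljust(width, b"\0") for p in payloads]
    parity = frames[0]
    for frame in frames[1:]:
        parity = _xor(parity, frame)
    return list(enumerate(frames)) + [(len(frames), parity)]

def decode_block(received: dict[int, bytes], n_base: int) -> Optional[list[bytes]]:
    """Receiver side: `received` maps seq -> frame for whatever survived the
    tunnel. Rebuild at most one missing original packet from the parity; return
    the original payloads, or None when the loss exceeds the redundancy."""
    missing = [s for s in range(n_base) if s not in received]
    if len(missing) > 1 or (missing and n_base not in received):
        return None  # two losses, or a loss plus a lost parity: unrecoverable
    if missing:
        rebuilt = received[n_base]
        for s in range(n_base):
            if s != missing[0]:
                rebuilt = _xor(rebuilt, received[s])
        received = {**received, missing[0]: rebuilt}
    payloads = []
    for s in range(n_base):
        frame = received[s]
        payloads.append(frame[2:2 + int.from_bytes(frame[:2], "big")])
    return payloads

def simulate(payloads: list[bytes], drop: set[int]) -> Optional[list[bytes]]:
    """Send one block through a lossy tunnel that drops the given seq numbers."""
    wire = {seq: frame for seq, frame in encode_block(payloads) if seq not in drop}
    return decode_block(wire, len(payloads))

if __name__ == "__main__":
    pkts = [b"A-voice", b"B-rtp-frame", b"C", b"D-last"]  # constructed sample
    print(simulate(pkts, {1}))     # B rebuilt from A, C, D and the parity
    print(simulate(pkts, {1, 3}))  # None: two losses exceed one parity packet
```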
Secure SD-WAN
WAN Path Remediation using FEC

[Diagram: the sending FortiGate buffers the original payload (packets A, B, C, D) and sends it with redundant packets through the overlay tunnel; packet B is lost or corrupted in transmission; the receiving FortiGate's jitter buffer holds A, C, D and the redundant packets, reconstructs B, and delivers the recovered original payload A, B, C, D.]
Secure SD-WAN
Quality of Service (QoS)

Interface-based Traffic Shaping
• Create Shaping Groups and then assign allocation by percentage of interface bandwidth on a Shaping profile
Secure SD-WAN
Load Balancing Per-Rule
Secure SD-WAN
Dual VPN

• Purpose
  • Simplify VPN
• Function
  • Shortcut – VPN wizard
  • Multiple interfaces
• Use Case
  • Speed up Dual VPNs
  • Simple Deployments
Multi-Cloud
Evolution of the Fabric

Multi-Cloud
Native Cloud Connectors

[Diagram of per-cloud enhancements: Active-Passive Topology and HA CVE Integration; Azure: Autoscaling and Security Center Integration, HA Between Zones; Para-Virtualization; HA between ADs]
Fabric Expansion
Evolution of the Fabric

Fabric Expansion
Fortinet Product Fabric Integration

FortiMail, FortiWeb, FortiADC, FortiWLC, FortiDDoS

• The admin registers a device by entering its IP & credentials under the Fabric settings
• Telemetry info from the device is captured via standardized APIs and presented within FortiOS (Topology Map, Dashboard Widgets)
Fabric Expansion
Split-task VDOM Mode

[Diagram: the Management VDOM communicates with the Security Fabric via the mgmt. interface(s); these interfaces cannot pass traffic. The Traffic VDOM is where policies and other UTM features are configured.]

• When enabled, 2 VDOMs will be available, one for management only (root VDOM) and another for traffic
• Supports VM-v SKUs
• Initial support for Security Fabric (limited use case)
• The Security Fabric in this case is handled as 1 logical FortiGate
Fabric Expansion
Endpoint Tagging

Endpoint Compliance with Dynamic User Objects

[Diagram: 1. FortiClient continuously passes telemetry info to EMS; 2. EMS tags users according to their status; 3. Policy match based on EMS dynamic user groups created using EMS tags]

• Functionality replaces the previous endpoint compliance profiles
• Requires EMS to tag clients accordingly and provide the information to the FortiGate in real time (similar to the FSSO concept)
• Discontinues the need for endpoint licenses on the FortiGate
Fabric Expansion
IoT & OT MAC Address Objects

MAC Address Objects
• MAC Address or Range objects can be used on various IPv4 policies
• In Route/NAT mode, a MAC address can be used as source only. In Transparent or Virtual Wire modes, it can be source or destination.
Open Ecosystem
Evolution of the Fabric

Open Ecosystem
Cloud and SDN Connectors

• Increased number of connectors to public clouds and SDN components
• Multiple fabric connectors of any type can be defined
• Cloud Connectors will be able to query filters automatically
Extended Fabric Connectors

• Support Multiple Instances of All SDN Connector Types
• External Dynamic Block List for Hashes
• External Dynamic Block List Authentication Support
• New SDN Connectors - Kubernetes, OpenStack
• Filter Lookup Improvement for SDN Connectors
AI-Driven Security
Evolution of the Fabric

AI-driven Security
New Intelligence Feeds

Threat Feeds Connectors
[Diagram of feed usages: address object on firewall policy; remote category on DNS filter profile; remote category on web filter profile; Virus Outbreak Prevention on AV profile; domain filter; authentication option]

• Extends existing external list integration with new list types and object usages
• Supports username/password authentication while retrieving from an external DB
External Block List – File Hashes

Flow-based Web Filter

Extended Flow-based Web Filter Support

Flow-based web filtering support has been extended to allow for the following options:

• Authenticate: Require authentication for specific website categories.
• Warn: Display a warning message but allow users to continue to the website.
• Override: Allow users with valid credentials to override their web filter profile.
Inspection Mode Per Policy

In this version, in NGFW Mode, the Inspection Mode is moved to per-policy, enabling a more flexible setup for different policies.
SD-WAN

• Describe SD-WAN
• Understand the need for Secure SD-WAN
• View Use Cases and Success Stories

Traditional WAN
[Diagram: HQ/Datacenter, Public Cloud and SaaS reached from a Branch Office]
• Used to extend computer networks to connect remote branch offices to data centers
• Expensive circuit costs
• Fixed circuits
• Long lead time
• Proprietary hardware
• Difficult to expand
• Branch traffic hauled back to HQ
The WAN is Complex and Needs Transformation

70% of customers mentioned that the existing WAN is slow and expensive

Security is a "MUST"

60+ SaaS applications are being adopted by enterprises with Digital Transformation

90% of SD-WAN vendors do not provide security. With direct internet access, security becomes critical at every branch

90% of vendors don't provide built-in NGFW security with WAN solutions
Gartner: Security is Biggest WAN Concern

72% of customers reported that security is the top concern during WAN initiatives

58% of customers reported performance as a concern

47% of customers reported cost as a concern

Source: Gartner Survey Analysis: Address Security and Digital Concerns to Maintain Rapid SD-WAN Growth, Naresh Singh, 12 November 2018

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Enter SD-WAN
[Diagram: HQ/Datacenter, Public Cloud and SaaS reached from a Branch Office over SD-WAN]
• Software-defined WAN
• Simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism
• Allows companies to build higher-performance WANs using lower-cost and commercially available internet access
• Transport-agnostic
FortiGate Secure SD-WAN

[Diagram: Branch connected over the Internet to Data-Center, Multi-Cloud and SaaS]

• Reduce WAN Cost
• Improves Security Posture
• Business Application First
Configure SD-WAN
Enable SD-WAN
Networking > SD-WAN
• Select the interfaces that will become members of the SD-WAN, and provide a gateway for each interface (NEW)
• Physical interfaces that are referenced by any other configuration element (for example, routes or policies) will not appear in this list (NEW)
• New in 6.2: easily create an IPsec VPN
• New in 6.2: optionally provide a cost for the interface, which will be used by the rules
• View utilization of each member based on Bandwidth, Volume, and Sessions
• Only one SD-WAN interface per VDOM
Performance SLA

• Link Health Monitor
• SLA Targets (NEW)
• Link Status Parameters
Performance SLA - Link Health Monitor
Available protocols via CLI:
• ping: PING link monitor
• http: HTTP-GET link monitor
• tcp-echo: TCP echo link monitor
• udp-echo: UDP echo link monitor
• twamp: Two-Way Active Measurement Protocol

• Status Check is renamed Performance SLA
• You can use two servers to test the quality of a link
• You can specify which SD-WAN members this SLA applies to
SD-WAN Rules
• Rules can match traffic based on:
  • Source IP address, destination IP address, or port number
  • Internet Services Database (ISDB) address object
  • Users or user groups
  • Type of service (ToS)
• Allow you to route traffic through the member interfaces that best suit your needs (NEW)
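A simplified model of how the Performance SLA, the link status parameters and a cost-aware SD-WAN rule from the slides above fit together, added here as an illustration and not FortiOS code. The selection order (members inside every SLA target, lowest cost first, ties broken by the rule's member order, best measured latency when none qualifies), the failtime/recoverytime state machine and all sample values are assumptions.

```python
from dataclasses import dataclass

# Simplified model of a Performance SLA feeding an SD-WAN rule, added to
# illustrate the slides. Not FortiOS code: the selection order, the link
# up/down logic and the sample numbers are assumptions.

@dataclass
class Target:          # SLA targets on the Performance SLA (also reused for a probe result)
    latency_ms: float
    jitter_ms: float
    loss_pct: float

@dataclass
class Member:          # SD-WAN member with the optional cost that is new in 6.2
    name: str
    cost: int = 0

def meets_sla(measured: Target, target: Target) -> bool:
    """A link is in SLA only if every measured value is within its target."""
    return (measured.latency_ms <= target.latency_ms
            and measured.jitter_ms <= target.jitter_ms
            and measured.loss_pct <= target.loss_pct)

def select_member(order: list[Member], measured: dict[str, Target],
                  target: Target) -> str:
    """Pick the member a lowest-cost SLA rule would steer a new session to."""
    in_sla = [(i, m) for i, m in enumerate(order) if meets_sla(measured[m.name], target)]
    if in_sla:
        # cheapest member wins; equal cost keeps the rule's configured order
        return min(in_sla, key=lambda im: (im[1].cost, im[0]))[1].name
    # no member meets the SLA: fall back to the best measured latency
    return min(order, key=lambda m: measured[m.name].latency_ms).name

def link_state_trace(replies: list[bool], failtime: int, recoverytime: int) -> list[bool]:
    """Link Status Parameters: walk health-check replies (True = answered) and
    return the link's up/down state after each probe. The link goes down after
    `failtime` consecutive misses and comes back after `recoverytime` hits."""
    up, misses, hits, trace = True, 0, 0, []
    for ok in replies:
        hits, misses = (hits + 1, 0) if ok else (0, misses + 1)
        if up and misses >= failtime:
            up = False
        elif not up and hits >= recoverytime:
            up = True
        trace.append(up)
    return trace
```

Constructed usage: with `Target(150, 30, 1.0)` as the SLA and an MPLS member at cost 20 beside a DSL member at cost 5, both in SLA, the rule picks the DSL link; once the DSL probe reports 3% loss it falls back to MPLS.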
FortiOS / SD-Wan Quiz

https://kahoot.it
Labs
Student Access
<Fast Track> Session

https://use.cloudshare.com/Class/Class/2sz61
Student Name: <student email>
Passphrase: Fortinet1!
Student Access
• Classroom URL and Password provided from Instructor Email

Student Access
• Launch FortiFIED Application
Jumpbox Desktop
• FortiFIED Interactive Lab Guide
  • Application Banner
  • Objectives List
  • Display Tabs
  • Rich Text
  • Answer Choice
  • Submit/Continue
  • Status Bar
  • Scale Text Slider
  • Resize Display Bar