
Inside FortiMail

Secure Email Gateway


July 2017

© Copyright Fortinet Inc. All rights reserved.


The Attack Surface Has Increased Dramatically
Today’s Security is Borderless
• Network
• Applications
• Data
• People

[Diagram labels: Mobile, Endpoint, Campus, NGFW, Data Center, DCFW, Branch Office, UTM, PoS, IoT; Internal, External]

2
Fortinet Security Fabric – Protecting from IoT to Cloud
[Diagram: Fortinet Security Fabric. Attributes: Scale, Awareness, Security, Actionable, Open. Components: Global Intelligence, Local Intelligence, Client Security, Alliance Partners, IoT, Cloud Security, Application Security, Secure LAN Access, Secure WLAN Access, Network Security]

3
Email is *the* critical threat vector
Email Based Threats

Malware
• Targets unskilled users, therefore often volumetric attacks
• Use of social engineering techniques to get users to open email and execute malware
• Some zero day, mostly a numbers game

Phishing
• Targets an interest group, organization or individuals (spear phishing) within the organization
• Customised content based on user interests or role
• Often targeted at C-levels (whaling)
• Zero day malware or social engineering to divulge financial or credential information
• 12% users click on malicious attachments or links in such mails*

Compliance & Data Loss
• Sending of Personally Identifiable Information (PII) via Email
• Sending of corporate confidential information out of the organization
• Corporate espionage
• Failure to encrypt sensitive emails
• Failure to backup/save/archive emails to comply with corporate standards
» IRS – 7 years
» PCI – 1 year
» State depts – 3 years
» HIPAA – 6 years


* Source: Verizon 2016 Data Breach Investigations Report
4
It is just email. What’s the problem?

Lack of email security and management can lead to direct financial impact through fraud or indirect impact
through regulatory fines and negative PR.
5
Protection from Email-based Threats
Primary Challenges
• Email common entry point for attackers
» Spam, attachments, phishing
» Targeted attacks
• Compliance, privacy and data control
• Users are major contributing factor to risk

Solution
• FortiMail Email Security
» Inbound and outbound threat protection
» Data loss prevention and encryption
» FortiSandbox integration

Advantages
• 42 consecutive VBSpam awards
• 44 VB100 awards
• Highest performance in industry

[Diagram labels: FortiSandbox, FortiMail, FortiGuard, Email Server]

6
FortiMail Overview

• Consolidated email security platform to prevent threats and data loss in a single high performance appliance
» Top-rated threat prevention
» Integrated data loss protection and encryption
» Enterprise class/service provider management
» Advanced threat prevention integration with FortiSandbox
» FortiGuard Labs security services
» High performance physical and virtual appliances as well as cloud services
» Appliance based licensing rather than per mailbox*
» Advanced features such as IBE, DLP and archiving included in base license

[Panel label: Independent Validation]

* FortiMail Cloud is licensed per mailbox

7
Behavior-based Detection of the Unknown
“99% of malware hashes are seen for only 58 seconds or less. This reflects how quickly
hackers are modifying their code to avoid detection.” *

Threat Continuum: Known Good, Probably Good, Might be Good, Completely Unknown, Somewhat Suspicious, Very Suspicious, Known Bad

Security Technologies:
• Domain Safelists
• User Safelists
• Newsletter Detection
• Outbreak Protection
• Header Analysis
• Heuristics and Behavior Analysis
• FortiSandbox
• Sender Reputation
• Suspicious Newsletter
• FortiGuard Antivirus
• DKIM / SPF / DMARC
• FortiGuard Anti-Spam
• Greyware Scanning
• FortiGuard URL Filtering
• FortiGuard IP Reputation
* Source: Verizon 2016 Data Breach Investigations Report
8
Key Features

Anti-Spam/Anti-Phishing
• FortiGuard Reputation Databases
» Cloud database query to identify known spam IP and content
  - FortiGuard Antivirus, Anti-Spam and URL Filtering
  - FortiGuard IP Reputation including Botnets
» Removes volumetric spam at low cost
• Advanced Filtering Techniques
» Detects new Spam campaigns using a variety of dynamic techniques
  - Header Analysis
  - Dynamic Heuristics
  - Behavior Analysis
  - Sender Reputation
  - Suspicious Newsletter
  - DKIM / SPF / DMARC
  - Greyware Scanning

9
Key Features
Anti-Malware
• FortiGuard Anti-Malware (On-box)
» One-to-many signature matching (CPRL)
» Heuristic detection
» Code emulation & Behavioural analysis
• Outbreak Protection (Cloud based)
» Real-time data analytics on every request to the FortiGuard network to identify 0-day threat outbreaks in minutes
• Active Threat Neutralization
» Strip active HTML content and attachments from emails to neutralize potential threats
» Deliver neutralized version and forward original to archive host
• Decrypt Archives and PDFs
» Password list and body passwords

[Diagram: File Sample, Signature Match (CPRL/Checksum), Decryption/unpacker System, Code Emulation, Behavioral Analysis, FortiGuard Data Analytics, Outbreak detection. Take Action Based on Profiles: File discarded, option to Quarantine and event logged]

10
Key Features

Defending Against Emerging Threats


 Behavioural Analysis
» Fuzzy logic engine for FortiGuard signatures
» Is behaviour similar to recent signature based
detections?

 FortiGuard Outbreak Protection


» FortiGuard data analytics sees millions of emails
per hour from thousands of devices and is able to
identify new spam and malware threats in minutes.
» Suspicious attachments detected in known spam
are blocked until full evaluation by FortiGuard
Labs.

11
Key Features

FortiMail is Core to Fortinet’s Advanced Threat Protection Framework


Known Threats
• Reduce Attack Surface
• Inspect & Block Known Threats
(FortiGate, FortiMail & everything that can enforce a security policy)
Hand off: High risk items

Unknown Threats
• Identify Unknown Threats
• Assess Behavior & Identify Trends
(FortiSandbox & everything that analyzes behavior)
Hand off: Ratings & results

Response
• Identify scope
• Mitigate impact
(FortiGuard teams and automation)
Hand off: Security updates

FortiMail actively mitigates threats by queuing emails whilst waiting for a FortiSandbox result

12
Key Features

FortiSandbox Threat Analysis *

• On-Premise and Cloud options
• FortiMail queues email and submits files and URLs to FortiSandbox for analysis
» AV Pre-filtering
» Cloud results lookup - is sample already known bad
» Analyze objects in a virtual sandbox environment
» Callback detection – does sample try to call home for instructions
» Assign and return a rating for the submission
» FortiMail maintains a cache of FortiSandbox results

[Diagram: Targeted Email arrives at FortiMail. (1) Attachment sent to FortiSandbox. (2) Object analyzed in Sandbox environment. (3) Risk rating returned, message handled by policy.]

* Optional but a core part of an ATP solution


13
Key Features

Data Protection and Compliance


 Data Loss Prevention
» Preset HIPAA, GLBA, SOX, PCI dictionaries for easy compliance policy
creation
» File fingerprinting via manual upload and Windows Fileshare scanning
» Smart identifiers for high accuracy
 TLS & S/MIME Encryption
 Identity Based Encryption
» No additional license required
» No encryption key exchange,
minimal key management
 Per Mailbox Policy-based Archiving
» Sender/recipient, Subject/body/attachment filename keywords
» Archive to remote system
» Microsoft Exchange Journal Archiving
14
Key Features

Data Protection and Compliance

• Dynamic Adult Image Analysis
» 2.5 billion emails per day contain pornographic content (8% of total emails) *
» 70% of employees admit to viewing or sending adult-oriented personal e-mail at work. *
» New service detects adult content in images using various patented techniques allowing blocking or logging.
» Protect Brand and Company Reputation
» Provide a duty of care to your employees, prevent hostile working environments and avoid sexual harassment lawsuits
» Stop offensive content from being archived

* Source: NFO Worldwide

15
Key Features

Quarantine, End User Digest, Junkmail/Newsletter Folders


 Central quarantine
» Easy administration
» Can be consolidated
across devices

 Self-service personal quarantine digest


» Sender and subject
» Release or delete links

 Automatic tagging and delivery


 Newsletter and junk categories
» Client filters to appropriate folder

16
Deployment Options

Flexible Deployment Options

Wide range of appliances Virtual Appliances Public Cloud FortiMail Cloud


IaaS

17
Deployment Options

Multiple Deployment Scenarios

Gateway Mode
• Most common deployment scenario
• Mail is delivered to FortiMail, scrubbed of threats and forwarded to destination mailserver

Transparent Mode
• Deployed as a bump in the wire. No configuration changes required to the email infrastructure.
• Commonly utilised in the ISP and Carrier environment.

Server Mode
• FortiMail acts as a full mailserver providing POP3, IMAP, Webmail and calendaring in addition to security functions.

18
Deployment Options

High Availability and Scalability Options

Active-Passive Cluster
• Two devices, full failover protection
• Heartbeat and Service Monitoring
• Full mailbox, archive, quarantine, log and queue synchronization

Config Only HA
• Linear scalability suitable for the largest ISPs and Carriers
• Centralized quarantine, management and IBE
• Enables DR and geographic redundancy
• Load balanced option using FortiADC or third party load balancer

19
Deployment Options

The move to Office365

• Office365 is a compelling argument
» Microsoft have made the move to Office365 a compelling story – simplicity, low TCO, OPEX costs only…
» Built-in anti-malware and anti-spam not always adequate… even with Exchange Online Protection.
» Encryption and DLP features in Office 365 are lacking

• Solution
» FortiMail can be deployed alongside Office 365 in the Microsoft Azure Cloud for enhanced security and content protection.

20
Case Studies
Case Study: Utility

Organization and Challenge
• National energy provider with 40K users
• Existing McAfee solution needed 12+ servers, as well as external Trend AV servers
• Per user licensing expensive

Why We Won
• Better price/performance and features
• Fully unified single vendor solution
• VBSPAM and VB100 reports

Who We Beat
• Replaced McAfee, beat Cisco

What They Bought
• Upsell from FG-3600C
• 7 x FML-3000D, 5 Year Bundles

[Diagram labels: Head Office, INTERNET, Group Companies]

22
Case Study: Higher Education

Organization and Challenge
• Community College, 34,000 students
• Targeted Emails were getting through, systems were compromised and used to send spam
• College gets blacklisted, Emails are rejected by recipients, admins spend months resolving

Who We Beat
• Replaced Cisco IronPort

Why We Won
• Effective at catching targeted Emails
• Easy to install and manage
• Continued roadmap innovation

What They Bought
• 2x FortiMail VM04
• 24x7 Support

“FortiMail support has been excellent, and it is clear there is continuous R&D behind the product to keep it current with all the new threats out there. I recommend it to anyone experiencing declining effectiveness or poor support with their current solution.”

“Since we deployed FortiMail, we have had no compromised accounts, and have been able to give more attention to programs that impact student outcomes.”

23
Case Study: Financial Services
Organization and Challenge
• Electronic payment manufacturer/processor
• Ensure compliance with PCI and, more importantly, increase data protection

Who We Beat
• Replaced Symantec Mail Security

Why We Won
• Delivered a complete and integrated solution, not just compliance checkbox
» Network IPS, AV, App Control
» Email threat protection
» Additional sandboxing
» Compliance Reporting

What They Bought
• 2x FortiMail 1000D, 2x FortiGate 800C
• 1 FortiSandbox 1000D, 1 FAZ 300D

[Diagram labels: DATA CENTER (FortiSandbox, FortiMail, FortiGate, FortiAnalyzer), Headquarters, INTERNET, OTHER SITES]
24
Case Study: Fuel Services
Organization and Challenge
• Fuel services company with thousands of locations in hundreds of countries
• Increase defenses against sophisticated attacks, including Phishing passing their Cisco IronPort email security

Who We Beat
• FireEye, sit behind incumbent Ironport

Why We Won
• FortiMail integration with FortiSandbox - blocks threats missed by IronPort
• FortiSandbox integration with FortiGate - simplifies and reduces cost of solution

What They Bought
• 1x FortiMail 1000D, 1x FortiSandbox 3000D
• Extends existing FortiGates

[Diagram labels: DATA CENTER (FortiMail, FortiSandbox, Cisco Ironport, FortiGate), Headquarters, WAN, Logistics Offices]

25
Case Study: Government Contractor
FortiMail Secure Email Gateway

Organization and Challenge
• Enterprise-class (thousands of employees, multiple offices) government contractor
• Saw a competitor fall prey to targeted attack and go out of business as a result

Who We Beat
• FireEye, Cisco

Why We Won
• Strong detection, on par with FireEye
• Superior ROI of an integrated security solution (FortiMail, FortiSandbox, FortiGate)

What They Bought
• 3x FortiMail 1000D (HA and DR)
• 2x FortiSandbox 1000D (Primary and DR)
• FortiGate in next phase

[Diagram labels: Data Center (FortiMail, FortiSandbox), Disaster Recovery (FortiMail, FortiSandbox), WAN, Headquarters, Local Offices]
26
Case Study: Insurance Provider
Organization and Challenge
• Diversified insurance provider with 6000 employees and agents
• Upgrading datacenter to 40Gbps, also concerned about security and availability

Who We Beat
• FireEye, McAfee

Why We Won
• FortiMail integration with FortiSandbox - to catch the threats Symantec was missing
• FortiSandbox integration with FortiGate - for visibility into traffic and automated updates
• Complete, plug and play solution

What They Bought
• 2x FortiMail 3000D, 2x FortiSandbox 3000D, 2x FortiDDoS
• Extends Existing FortiGate infrastructure

[Diagram labels: Data Center (FortiManager, FortiAnalyzer, FortiSandbox, FortiMail, Symantec Mail Gateway, FortiGate, FortiDDoS), Headquarters, INTERNET, Local Offices]
27
Case Study: Internet Service Provider
Organization and Challenge
• ISP providing connectivity services to mobile, home and business users.
• No control over the endpoints leading to IP blacklisting

Who We Beat
• Cisco Ironport

Why We Won
• FortiMail Outbound Blacklisting protection
• Scalability and no per mailbox licensing (millions of subscribers)
• 100% Transparent to the client
• Subscriber awareness

What They Bought
• 8 x FortiMail 3000D, 2 x FortiAnalyzer 3000D

[Diagram labels: INTERNET, Policy routing Port 25, ISP Core Network, WAN, Mobile, Residential, Business]

28
Product Line
Performance & Scalability

Physical appliances: FML-60D, FML-200E, FML-400E, FML-1000D, FML-3000E, FML-3200E
Virtual appliances: FML-VM00, FML-VM01, FML-VM02, FML-VM04, FML-VM08, FML-VM16, FML-VM32
Cloud: FML Cloud

| | FML-60D | FML-200E | FML-400E | FML-1000D | FML-3000E | FML-3200E |
|---|---|---|---|---|---|---|
| Email Routing (Msgs/hr)* | 3.6K | 80k | 157k | 680k | 1.5M | 1.8M |
| AS+AV Perf. (Msgs/hr)* | 2.7K | 61k | 126k | 500k | 1.3M | 1.5M |
| Recommended for | Demo/Home | Small Office | Mid Enterprise | Mid/Large Enterprise | Large Enterprise, ISP, Carrier, University | Large Enterprise, ISP, Carrier, University |

*Note: Performance numbers are for physical appliances only.
29
Comparative Position

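| Capability | Fortinet | ProofPoint | Cisco | Symantec | Microsoft |
|---|---|---|---|---|---|
| Transparent Mode | ✓ | ✓ | ✗ | ✗ | ✗ |
| Gateway Mode | ✓ | ✓ | ✓ | ✓ | ✗ |
| Server mode | ✓ | ✗ | ✗ | ✗ | ✓ |
| Physical Appliance | ✓ | ✓ | ✓ | ✓ | ✗ |
| Virtual Appliance | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cloud Appliance (Azure) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Managed Service | ✓ | ✓ | ✓ | ✓ | ✓ |
| Fully inclusive IBE | ✓ | ✗ | ✗ | ✗ | ✗ |
| VBSpam validated | ✓ | ✗ | ✗ | ✗ | ✗ |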

30
Comparative Position

| Capability (“High End” Models) | Fortinet | ProofPoint | Cisco | Microsoft |
|---|---|---|---|---|
| IDC Marketplace Report | Leaders | Major Players | Leader | Not rated |
| Highly effective anti-spam | ✓ | ✓ | ✗ | ✗ |
| Top independently rated anti-phishing/anti-malware/sandboxing | ✓ | ✗ | ✗ | ✗ |
| In-house threat expertise | ✓ | ✗ (OEM’s Anti-Malware) | ✗ (OEM’s Anti-Malware) | ✓ |
| Deployment options | Transparent, gateway, server | Gateway | Gateway | Server |
| Appliance Options | Hardware, VM, Cloud, SaaS | Hardware, VM, SaaS | Hardware, VM, SaaS | Software, SaaS (different products) |
| Price | Affordable, all-in-one licensing | Expensive, per feature, per user | Expensive, per feature, per user | Included in many MSFT Licenses |

31
Why FortiMail?
• Fortinet provide an end-to-end portfolio of sandbox integrated solutions with simple licensing model
• FortiMail is proven best of breed for anti-spam, antivirus and sandboxing
» 99.997% Spam catch rate / 0% False Positives
• IDC MarketScape “Leaders”
• FIPS 140-2 and Common Criteria NDPP Certified
• Fortinet are leading the market for advanced email threat prevention

https://www.virusbulletin.com/uploads/pdf/magazine/2016/201605-vbspam-comparative.pdf 32
Additional Resources

Secure Email Gateway

 Independent Test Results


» Virus Bulletin VBSpam - VB Web Site
» Virus Bulletin VB100 AV Test - VB Web Site
» AV Comparatives Anti-phishing Test Results
» NSS Labs Breach Detection Test Results
» IDC Name FortiMail as Email Security Leader Blog & Report
 Fortinet Papers
» Prevent Ransomware with Fortinet Security Fabric – Solution Brief
» Secure Email Gateway – Sandbox Solution Brief
» Why do you need Sandboxing - Solution Brief
» Targeted Email Attack Threat Brief
 Fortinet Demos
» FortiMail Online Demo
» FortiSandbox Online Demo
33
MSSP Specific Deployments
Managed Email Services
 Objectives
» Offer attractive services at competitive price (competing with Office365, Google etc)
» Maximize service profitability, minimize CAPEX and OPEX

 Technical challenges
» Architecture and high level of performances
» MTA flexibility – To adapt any network/mail environment
» Multi-tenancy (virtualization) – To adapt any customer requirement, independently from each other
(per customer settings)
» Mass provisioning
 Simplify customer provisioning
 Easily scale configuration for multiple thousands of customers
» Offering what the customer needs – a diversity of services
» Delegate administration tasks to customers
 Tiered administration and role-based management

36
Managed Email Services

Service Options

 Scenario 1: Clean pipe (hosted MX)


» Mail server is located at the customer site, FortiMail at the MSSP site
» FortiMail in relay mode delivers clean mail flow to multiple remote mail servers

 Scenario 2: Clean mailbox (hosted mail server)


» Customer mail server & FortiMail are located at the MSSP site
» FortiMail cleans mail flow and relay traffic to local backend mail servers

 Scenario 3: Hosted Server Mode FortiMail (no backend Exchange/Zimbra at all)


» All-in-one Secure Email Platform requiring no backend groupware server
» SMTP, POP3, IMAP, Secure Webmail access, Calendaring, Global/Personal Address Books (WebDav
and CalDav Compliant); Public/resource calendaring as well

37
MSSP – In the cloud – Clean Pipe

Scenario 1

• MSSP delivers clean mail flow
» Hosted customer MX to receive & filter incoming mail (FortiMail)
» Mail servers are located at customer premises

[Diagram labels: OUTGOING MAIL, RELAY MODE, INCOMING MAIL, PROTECTION OF MULTIPLE CUSTOMER DOMAINS ON A SHARED APPLIANCE]

38
MSSP – In the cloud – Clean Mailbox

Scenario 2

• MSSP delivers clean mailboxes
» Hosted customer MX
  - To redirect mail flow to MSSP datacenter & allow inbound filtering
» Hosted mailbox (third-party mail server)

• FortiMail in relay or transparent mode
» In transparent mode there is no need to modify the MX records of the customer domains
» Common requirement to prevent IP Blacklisting in a carrier/ISP environment

[Diagram labels: OUTGOING MAIL, RELAY OR TRANSPARENT MODE, INCOMING MAIL, PROTECTION OF MULTIPLE CUSTOMER DOMAINS ON A SHARED APPLIANCE]

39
Key Features

Service Provider Optimised

• MSSP Service Framework
» GUI White Labelling for admin and user interfaces
» Multi Domain support with per domain quotas
» Mass provisioning methods for lower OPEX
» Delegated administration
» User self service
» REST API for integration with MSSP automation, provisioning and billing systems

[Diagram labels: Domain A, Domain B, Domain C, Domain D]

40
Key Features

Incoming Mail Flow
• ACLs
• TLS enforcement
• Rate limiting
• Routing
• Queuing
• Antispoofing
• AV-AS & Content filtering
• Quarantine
• Logs & reports
• Archive

Outgoing Mail Flow
• ACLs
• TLS/IBE encryption enforcement
• Rate limiting
• Routing
• Queuing
• MSA server
» Outgoing SMTP server for MUAs
• Server offload
» Authentication enforcement
» Mail routing for outgoing MUA sessions
• AV/AS/Corporate outgoing filtering
• Quarantine
• Logs & reports
• Archive
41
Multi-tenant architecture
• Individual settings for customers
• Virtualization of services on a shared equipment
» Each domain has its own dedicated mail environment and settings
» As if hosted on a dedicated appliance

• Parameters can be set individually for each domain:
» Inbound IP to receive mail
» Destination MTA for mail delivery
» Source IP for mail delivery
» Recipient verification method
» SMTP greetings
» Disclaimers
» Maximum message size
» Outbound header removal
» User quarantine report & schedule
» Default webmail language
» Filtering policies and actions
» Encryption policies
» Authentication protocol and server
» Report configuration*
42
Multi-tenant architecture

• FortiMail is able to receive mail sent to a virtual IP (= virtual host)
• Virtual hosts are defined individually for each domain
• A domain can have multiple virtual hosts (pool)

43
Multi-tenant architecture
Employee Domain Hosted Domain Clean Pipe Domain

44
Multi-tenant architecture - Domain policies
 Per domain protection policies:
» Antispam, antivirus, content, encryption
 Per domain authentication policies:
» SMTP authentication server
» Webmail authentication server
 Per domain resource allocation:
» Rate of new connections for each source IP
» Concurrent connections for each source IP
» Number of concurrent connections addressed to a customer domain

45
Multi-tenant architecture - Domain policies
[Screenshot callouts: DOMAIN POLICIES; RESOURCE ALLOCATION BASED ON THE DESTINATION VIRTUAL IPS; INDIVIDUAL PROTECTION PROFILES & FILTERING ACTIONS; INDIVIDUAL AUTHENTICATION METHOD (SMTP AUTH & WEBMAIL)]

46
Multi-tenant architecture – Administration
 Tiered administration
» Admin accounts can be defined on a per domain basis
» Delegation of management on a per domain basis

 Role-based management
» Different roles can be assigned to admin accounts:
 Policy management and domain settings
 Quarantine
 BWL
 Report* configuration and log access*

47
Multi-tenant architecture – Role-based management

 Per domain login accounts


 Per domain access rights
» policy, BWL, quarantine, log*, reports*

[Screenshot callouts: ASSIGN A DOMAIN TO AN ADMIN ACCOUNT; ASSIGN A MANAGEMENT PROFILE TO ADMIN ACCOUNT]

48
Access management profiles – Customization

[Screenshot callouts: CREATE AND CUSTOMIZE DIFFERENT TYPE OF ADMIN PRIVILEGES; DEFINE FOR TYPE OF SETTINGS THE ACCESS LEVEL]

49
Mass Provisioning – Scenario 1

• Scenario 1 characteristics: each domain is hosted on a different mail server
• FortiMail can fetch customer information from the customer database:
» Domain name, mail server IP, antispam/antivirus policies
• No provisioning is required on FortiMail
» Operation and maintenance tasks are minimized

[Diagram labels: CUSTOMER DATABASE, INCOMING MAIL]

50
Mass Provisioning – Scenario 2

• Required FortiMail configuration
1. The mail server is defined
2. A list of hosted domains is added to it
3. A single policy is defined and applies to all domains hosted
• Eventually different groups of domains are created to match different policies and classes of service
» Bronze, silver, gold
• Configuration is simplified:
» it is not required to define each domain individually

[Diagram labels: DOMAIN SETTINGS ARE SHARED WITHIN A GROUP; Gold, Silver, Bronze; INCOMING MAIL; ONLY ONE POLICY FOR EACH GROUP]

51
Configuration scalability, scenario 1 – LDAP domains
• When FortiMail receives a mail for an unknown domain, it queries LDAP to:
» determine if the recipient domain is listed (i.e. if it is an internal domain to protect)
» retrieve the server IP for mail delivery
• FortiMail binds the domain to a template domain to inherit:
» Domain settings: recipient verification method, virtual host, etc.
» Domain policies: antispam, antivirus, content, authentication

52
LDAP domains – Benefit for scenario 1 and 2
• LDAP is used as the central repository for domains and policies
» New customer enrollment does not require changing FortiMail settings
» Operation and maintenance tasks are minimized
• The LDAP server may connect to another backend database if customer provisioning is not performed on LDAP:
» e.g. an LDAP connector is used to query a backend SQL database
» This allows FortiMail to interface with other provisioning databases
• User provisioning is done only once – during customer registration
• No duplicate management efforts

• Benefit:
» Manage 40k domains on one appliance and do not configure any customer domain
» Split mail processing into multiple appliances but still centrally manage configuration

53
MSSP service class – Examples
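| Group | Item | Clean pipe (#1) Bronze | Clean pipe (#1) Silver | Clean pipe (#1) Gold | Hosted (#2) Bronze | Hosted (#2) Silver | Hosted (#2) Gold | Custom |
|---|---|---|---|---|---|---|---|---|
| Customer | Enterprise size | Small | Medium | Large | Small | Medium | Large | Custom |
| Customer | Number of users | <500 | 500< >5000 | >5000 | <500 | 500< >5000 | >5000 | Custom |
| Domain settings | Template | remote.bronze | remote.silver | remote.gold | hosted.bronze | hosted.silver | hosted.gold | |
| Domain settings | Recipient verification | Customer MTA | Customer MTA | Customer MTA | Central LDAP | Central LDAP | Central LDAP | |
| Domain settings | Custom disclaimers | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Domain settings | Virtual host | IP-bronze | IP-silver | IP-gold | IP-bronze | IP-silver | IP-gold | Custom |
| Resource allocation | Session profile | Low | Medium | Large | Low | Medium | Large | Custom |
| Outbound relay | MTA | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Outbound relay | Roaming users | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Filtering services | Antivirus | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Filtering services | Antispam | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Filtering services | Content | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| Advanced services | Quarantine | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Advanced services | Encryption | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Advanced services | Archive | ✗ | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ |
| Authentication | Quarantine (webmail) | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Authentication | Secure mail (webmail) | ✗ | ✓ | ✓ | ✗ | ✓ | ✓ | ✓ |
| Authentication | SMTP (roaming users) | ✗ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Administration Delegation | Domain and policies | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Administration Delegation | Quarantine | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Administration Delegation | BWL | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Administration Delegation | Log*, report* | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ |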

54
Template Policies

55
Configuration performance

• Simplicity of the configuration that easily scales up to multiple times 40,000 domains on a single appliance
• Other tools available to optimize mass provisioning
1. Clustering to simplify management of multiple units into a single entity
2. FULLY scriptable CLI -> allow to easily integrate with any provisioning portal

CLI excerpts shown on the slide:

    config domain
      edit domain1.com
        config domain-setting
          set host 192.168.1.200
          set recipient-verification ldap
          set recipient-verification-profile LDAP
          set webmail-language default
        end

    config policy recipient
      edit 1
        set recipient-name *
        set sender-name *
        set sender-domain *
        set profile-antispam advanced
        set profile-antivirus antivirus
        set profile-auth-type ldap
        set profile-auth-ldap LDAP
        set auth-access-options web smtp-auth
      next
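
A provisioning portal that drives the scriptable CLI turns customer-supplied values into configuration lines, so each value has to be validated before it is rendered. The sketch below is an added example, not Fortinet code: it emits only the statements shown in the slide's CLI excerpts, and the nesting of `config policy recipient` inside the domain entry, the closing `next`/`end` lines, the sample records and all function names are assumptions.

```python
"""Render FortiMail CLI for a batch of customer domains, validating every field first."""
import ipaddress
import re

# One DNS label: letters/digits with inner hyphens, at most 63 characters.
# Always used with fullmatch(): a "$"-anchored match() would accept a trailing
# newline, which is exactly the character that starts a new CLI line.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_PROFILE = re.compile(r"[A-Za-z0-9_.-]{1,63}")

# Profile names as they appear on the slide; assumed to already exist on the unit.
TEMPLATE = {"antispam": "advanced", "antivirus": "antivirus", "ldap": "LDAP"}


def _text(value, field):
    if not isinstance(value, str):
        raise ValueError(f"{field} must be a string")
    return value


def validate_domain(value):
    domain = _text(value, "domain").lower()
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2:
        raise ValueError("not a fully qualified domain name")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("illegal character or label in domain name")
    return domain


def validate_host(value):
    # Only a bare IPv4/IPv6 literal is accepted and it is re-serialised canonically.
    return str(ipaddress.ip_address(_text(value, "host")))


def validate_profile(value):
    if not _PROFILE.fullmatch(_text(value, "profile")):
        raise ValueError("illegal profile name")
    return value


def render_domain(domain, host, template=TEMPLATE):
    """Return the CLI lines for one domain; raises ValueError on any bad field."""
    domain, host = validate_domain(domain), validate_host(host)
    t = {key: validate_profile(name) for key, name in template.items()}
    return [
        "config domain",
        f"edit {domain}",
        "config domain-setting",
        f"set host {host}",
        "set recipient-verification ldap",
        f"set recipient-verification-profile {t['ldap']}",
        "set webmail-language default",
        "end",
        "config policy recipient",   # assumed to nest under the domain entry
        "edit 1",
        "set recipient-name *",
        "set sender-name *",
        "set sender-domain *",
        f"set profile-antispam {t['antispam']}",
        f"set profile-antivirus {t['antivirus']}",
        "set profile-auth-type ldap",
        f"set profile-auth-ldap {t['ldap']}",
        "set auth-access-options web smtp-auth",
        "next",
        "end",
        "next",
        "end",
    ]


def render_batch(records, template=TEMPLATE):
    """Render all valid records; return (script, [(record, reason), ...])."""
    lines, rejected, seen = [], [], set()
    for rec in records:
        try:
            domain = validate_domain(rec.get("domain"))
            if domain in seen:
                raise ValueError("duplicate domain")
            block = render_domain(domain, rec.get("host"), template)
        except ValueError as exc:
            rejected.append((rec, str(exc)))
            continue
        seen.add(domain)
        lines.extend(block)
    return "\n".join(lines) + "\n", rejected


# Constructed portal records; only the first uses the values from the slide.
SAMPLE_RECORDS = [
    {"domain": "domain1.com", "host": "192.168.1.200"},
    {"domain": "Customer-B.example", "host": "198.51.100.10"},
    {"domain": "customer-c.example\nset host 203.0.113.9", "host": "198.51.100.11"},
    {"domain": "customer-d.example", "host": "192.168.1.999"},
    {"domain": "domain1.com", "host": "198.51.100.12"},
]

if __name__ == "__main__":
    script, rejected = render_batch(SAMPLE_RECORDS)
    print(script)
    for rec, reason in rejected:
        print(f"# rejected {rec['domain']!r}: {reason}")
```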

56
Service Opportunities – Identity Based Encryption
 Available on any FortiMail appliance (small to high-end)
» Does not require any specific new hardware

 Does not require a licence nor specific service subscription


» Available regardless of the number of secure email clients (recipients or senders)

 Identity Based Encryption – A unique combination of


» Usability – Protect data but make it easily available
» No end-user training, no user provisioning, no prerequisite on recipient side
» And low TCO – Provide cost-effective encryption service
» Minimal CAPEX: no licences & no dedicated hardware
» Minimal OPEX: zero maintenance

57
Service Opportunities – Identity Based Encryption
• A message is encrypted according to defined policies
» Policy-based encryption rules are defined using IP addresses, email addresses, domain names, keywords in subject line, headers or mail content, etc.
• The recipient receives the message and can decrypt it regardless of his/her environment
» Identity Based Encryption is clientless
  - No need for software/plugin to read a Secure Email
  - Interoperability with any email client (Lotus Notes, Outlook, Thunderbird, Webmail such as Gmail, Yahoo, Hotmail, etc.)
» Messages can be read at any location through a browser-based interface
  - A browser-based method allows recipients to decrypt and read the secure message

58
Identity Based Encryption – Pull method

① MAIL IS SENT BY EMAIL CLIENT
② MAIL MATCHES AN ENCRYPTION POLICY
③ ENCRYPTED MAIL IS STORED ON FORTIMAIL IN A SECURE MAILBOX
④ A NOTIFICATION EMAIL IS SENT TO THE RECIPIENT WHICH INCLUDES A WEB LINK
⑤ RECIPIENT ACCESSES THE EMBEDDED URL
⑥ RECIPIENT IS REGISTERED & AUTHENTICATED
⑦ MESSAGE IS DISPLAYED THROUGH A WEBMAIL INTERFACE

[Diagram label: MTA]

59
Identity Based Encryption – Push method

① MAIL IS SENT BY EMAIL CLIENT
② MAIL MATCHES AN ENCRYPTION POLICY
③ MESSAGE IS ENCRYPTED IN HTML FORMAT
④ A NOTIFICATION IS SENT TO THE RECIPIENT WITH THE HTML PAYLOAD AS ATTACHMENT
⑤ RECIPIENT OPENS THE ATTACHMENT
⑥ RECIPIENT IS REGISTERED & AUTHENTICATED
⑦ MESSAGE IS DISPLAYED THROUGH A SECURE WEBMAIL INTERFACE

[Diagram label: MTA]

60
Key properties to answer MSSP objectives

Attractive customer services @ competitive price with maximized ROI

• Robustness and performance
» Technology controlled by Fortinet
  - From A to Z
  - Optimized architecture with proprietary MTA & AV/AS engines
» Single mail screening in real-time at connection time
  - No disk queueing, no disk i/o
  - Real-time scanning and relaying
• No mailbox licencing
» Predictable cost & low capex
• Future proof
» Long term durability
  - No third-party agreements
• Additional value-added features
  - Encryption, antispam, antivirus, DLP, archiving etc.
• FortiMail can be deployed identically across multiple form factors
» On prem appliances
» Virtual and cloud based appliances
» Hybrid virtual appliance - FortiHypervisor
» Managed service

61
