FortiGate Antivirus Firewall Overview
Fortinet Technologies

Network Security

Network security can be viewed from three perspectives:
• controlling access to the inside of the network from outside the network
• controlling access to the outside of the network from inside the network
• controlling access between networks

The Nature of the Threat Has Evolved…

Fueling an Explosion of Point “Solutions”

FortiGate Antivirus Firewall

Network-level Services
• Firewall
• Intrusion prevention and detection
• VPN
• Traffic shaping

Application-level Services
• Firewall
• Intrusion prevention and detection
• Virus protection
• Content filtering for web connections and email

Secure Installation, Configuration, and Management

Secure management of your FortiGate unit can be assured in a number of ways:
• IP/MAC binding
• HTTPS for browser connections
• SSH for command line connections (up to a maximum of 5 connections)
• individual management accounts
  - separate user names and passwords
  - read-only
  - write-only

Web-based Manager

• HTTP or HTTPS
• Web browser
  - Windows
  - Mac
  - Linux
• Configure and monitor a FortiGate unit
• Configuration changes effective immediately
• Download, save, and restore configurations

Command Line Interface

• Serial port
  - RS232
• Network
  - Telnet
  - SSH
• Same configuration capabilities as the web-based manager
• Advanced configuration capabilities

Firewall

• set of related programs located at a network gateway server
• protects the resources of a private network from users on other networks

NAT/Route and Transparent Modes

NAT/Route mode
• the FortiGate unit is visible to the network
• all interfaces are on different subnets
• policies control communications through the unit
• the FortiGate unit acts as a gateway between private and public networks

Transparent mode
• the FortiGate unit is invisible to the network
• policies control communications through the unit

NAT/Route Mode

Hide your internal addressing scheme behind a firewall

Transparent Mode

The firewall acts as a bridge and requires an IP address for management and updates
The FortiGate unit is invisible to the network

Firewall Problem!

Antivirus Protection

Antivirus protection falls under two categories:
• host-based
  - a class of program that searches your hard drive or floppy disks for any known or potential viruses
• network-based
  - resides on a server and has certain traffic at the gateway directed to it for antivirus scanning

Your FortiGate antivirus firewall identifies and blocks viruses at the network’s edge

Web Content Filtering

Control network usage by blocking access to
• categories of web sites (URL, FortiGuard)
• particular web sites (URL)
• any page that contains banned words or phrases

Systems are policy-based
• can associate a user or group of users with a list of prohibited URLs
• can block by time of day, keeping working hours more productive

Script filter to block Java Applets, cookies, and ActiveX

Spam Filtering

• Scans IMAP, POP3, and SMTP content
• Blocks
  - IP addresses
  - Email addresses
  - MIME headers
  - Banned words and phrases
• Checks RBL and ORDBL
  - SMTP, POP3, IMAP
• Exempt lists to override block lists

Intrusion Prevention System (IPS)

• real-time network intrusion detection sensor
• attack signatures block more than 1400 attacks
• user-defined signatures
• configurable thresholds
• policy-based

Static Routing

• Configure routing to add static routes to control the destination of traffic exiting the FortiGate unit
• Configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses

Policy Routing

Policy routing extends the functions of destination routing by routing traffic based on:
• destination address
• source address
• protocol, service type, or port range
• incoming interface
• IP address

Routing table independent

Routing Information Protocol (RIP)

• distance-vector routing protocol
• FortiGate implementation supports both RIP v1 (RFC 1058) and RIP v2 (RFC 2453)
• RIP
  - uses hop count as its routing metric where each network is usually counted as one hop
  - network diameter is limited to 15 hops
• RIP v2
  - enables RIP messages to carry more information
  - supports simple authentication and subnet masks

VLANs

• Highly flexible, efficient network segmentation
• Supported on models 60 and higher
• IEEE 802.1Q
• Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
• A single FortiGate unit can provide security services and control connections between multiple security domains
• NAT/Route and Transparent modes

Virtual Domains

• ease of management
• lower costs – one system with multiple firewalls
• each virtual domain functions like a single FortiGate unit
• exclusive firewall and routing services to multiple networks
• traffic from each network is effectively separated from every other network
• packets never cross virtual domain borders
• NAT/Route and Transparent modes

Virtual Private Networks (VPN)

• a private data network that uses the public telecommunication infrastructure
• maintains privacy through the use of a tunneling protocol and security procedures

VPN

The FortiGate unit supports the following types of VPN:
• PPTP and L2TP
• IPSec
• NAT traversal
• DPD
• IPSec redundancy
• site-to-site tunnels
• Hub and spoke topology
• DHCP over IPSec

High Availability

• provides fail-over between two or more FortiGate units
• provides fail-over between links
• achieved using redundant hardware
• matching FortiGate models running in NAT/Route mode
• FortiGate units can be configured for either active-passive (A-P) or active-active (A-A)
• supported on FortiGate models 60 and higher

Logging and Reporting

The FortiGate unit supports logging for various categories of traffic and configuration changes
You can configure logging to report:
• traffic that connects to the firewall
• network services used
• traffic that was permitted by firewall policies
• traffic that was denied by firewall policies
• events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking
• attacks detected by the IPS
• virus incidents, intrusions, and firewall or VPN events or violations to system administrators using alert email

Updates and Support

• antivirus and anomaly definitions are updated regularly
• your FortiGate unit can be configured to:
  - accept push updates from the FortiResponse Distribution Network (FDN)
  - check the FDN regularly for updates following a schedule

FortiProtect Bulletins

• emailed whenever updates are made to the antivirus or IPS databases
• specifies the latest release numbers so you can confirm your FortiGate unit is up to date
• distributed free of charge
• sign up at www.fortinet.com

Online Help

• Online help is available through the web-based manager screens
• Access help through:
  - contents
  - index
  - search

Documentation

In addition to online help, Fortinet offers a number of publications to assist you in maximizing the effectiveness of your FortiGate unit
Most of these publications are on the CD accompanying your FortiGate unit
