FortiGate Antivirus Firewall Overview
Network Security
Fortinet Technologies
Network security can be viewed from three perspectives:
controlling access to the inside of the network from outside the network
controlling access to the outside of the network from inside the network
controlling access between networks
The Nature of the Threat Has Evolved
Fueling an Explosion of Point Solutions
FortiGate Antivirus Firewall
Network-level Services
Firewall
Intrusion prevention and detection
VPN
Traffic shaping
Application-level Services
Firewall
Intrusion prevention and detection
Virus protection
Content filtering for web connections and email
Secure Installation, Configuration, and Management
Secure management of your FortiGate unit can be assured in a number of ways:
IP/MAC binding
HTTPS for browser connections
SSH for command line connections (up to a maximum of 5 connections)
individual management accounts
separate user names and passwords
read-only
write-only
Web-based Manager
HTTP or HTTPS
Web browser
Windows
Mac
Linux
Configure and monitor a FortiGate unit
Configuration changes effective immediately
Download, save, and restore configurations
Command Line Interface
Serial port
RS232
Network
Telnet
SSH
Same configuration capabilities as the web-based manager
Advanced configuration capabilities
Firewall
set of related programs located at a network gateway server
protects the resources of a private network from users on other networks
NAT/Route and Transparent Modes
NAT/Route mode
the FortiGate unit is visible to the network
all interfaces are on different subnets
policies control communications through the unit
the FortiGate unit acts as a gateway between private and public networks
Transparent mode
the FortiGate unit is invisible to the network
policies control communications through the unit
NAT/Route Mode
Hide your internal addressing scheme behind a firewall
Transparent Mode
The firewall acts as a bridge and requires an IP address for management and updates
The FortiGate unit is invisible to the network
Firewall Problem!
Antivirus Protection
Antivirus protection falls under two categories:
host-based
a class of program that searches your hard drive or floppy disks for any known or potential viruses
network-based
resides on a server and has certain traffic at the gateway directed to it for antivirus scanning
Your FortiGate antivirus firewall identifies and blocks viruses at the network's edge
Web Content Filtering
Control network usage by blocking access to
categories of web sites (URL, FortiGuard)
particular web sites (URL)
any page that contains banned words or phrases
Systems are policy-based
can associate a user or group of users with a list of prohibited URLs
can block by time of day, keeping working hours more productive
Script filter to block Java Applets, cookies, and ActiveX
Spam Filtering
Scans IMAP, POP3, and SMTP content
Blocks
IP addresses
Email addresses
MIME headers
Banned words and phrases
Checks RBL and ORDBL
SMTP, POP3, IMAP
Exempt lists to override block lists
Intrusion Prevention System (IPS)
real-time network intrusion detection sensor
attack signatures block more than 1400 attacks
user-defined signatures
configurable thresholds
policy-based
Static Routing
Configure routing to add static routes to control the destination of traffic exiting the FortiGate unit
Configure routes by adding destination IP addresses and netmasks and adding gateways for these destination addresses
Policy Routing
Policy routing extends the functions of destination routing by routing traffic based on:
destination address
source address
protocol, service type, or port range
incoming interface
IP address
Routing table independent
Routing Information Protocol (RIP)
distance-vector routing protocol
FortiGate implementation supports both RIP v1 (RFC 1058) and RIP v2 (RFC 2453)
RIP
uses hop count as its routing metric where each network is usually counted as one hop
network diameter is limited to 15 hops
RIP v2
enables RIP messages to carry more information
supports simple authentication and subnet masks
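What the RIP v2 additions look like on the wire, as an added example that is not Fortinet code: a Python builder and parser for an RFC 2453 response that carries the subnet mask per route, checks the simple-authentication entry, and treats a metric of 16 as unreachable. The function names, password and networks are constructed for the illustration.

```python
import ipaddress
import struct

INFINITY = 16      # RIP metric meaning "unreachable", hence the 15-hop diameter
AFI_AUTH = 0xFFFF  # address family that marks an authentication entry
AUTH_SIMPLE = 2    # authentication type 2: password sent in cleartext
ENTRY = "!HH4s4s4sI"  # AFI, route tag, address, subnet mask, next hop, metric

def build_response(routes, password=None):
    """Build a RIP v2 response from (network, next_hop, metric) tuples."""
    pkt = struct.pack("!BBH", 2, 2, 0)  # command 2 = response, version 2
    if password is not None:
        pkt += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, password.encode())
    for net, next_hop, metric in routes:
        n = ipaddress.ip_network(net)
        pkt += struct.pack(ENTRY, 2, 0, n.network_address.packed, n.netmask.packed,
                           ipaddress.ip_address(next_hop).packed, metric)
    return pkt

def parse_response(pkt, expected_password=None):
    """Return [(network, next_hop, metric)]; raise ValueError if rejected."""
    if len(pkt) < 24 or (len(pkt) - 4) % 20 or len(pkt) > 4 + 25 * 20:
        raise ValueError("bad length")
    command, version, _ = struct.unpack_from("!BBH", pkt)
    if command != 2 or version != 2:
        raise ValueError("not a RIP v2 response")
    entries = [pkt[i:i + 20] for i in range(4, len(pkt), 20)]
    afi, auth_type = struct.unpack_from("!HH", entries[0])
    if afi == AFI_AUTH:
        sent = entries.pop(0)[4:].rstrip(b"\x00")
        # Cleartext on the wire: anyone who can capture the packet can read it.
        if auth_type != AUTH_SIMPLE or expected_password is None \
                or sent != expected_password.encode():
            raise ValueError("authentication failed")
    elif expected_password is not None:
        raise ValueError("authentication required")
    routes = []
    for entry in entries:
        afi, _tag, addr, mask, nh, metric = struct.unpack(ENTRY, entry)
        if afi != 2 or not 1 <= metric <= INFINITY:
            raise ValueError("invalid route entry")
        net = ipaddress.ip_network(
            f"{ipaddress.ip_address(addr)}/{ipaddress.ip_address(mask)}")
        routes.append((str(net), str(ipaddress.ip_address(nh)), metric))
    return routes

# Constructed sample: one usable route and one advertised as unreachable.
SAMPLE = build_response([("10.0.2.0/24", "0.0.0.0", 3),
                         ("10.0.9.0/24", "0.0.0.0", 16)], password="lab-secret")
```

A receiver would install only the routes whose metric is below 16; the second sample route is a withdrawal.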
VLANs
Highly flexible, efficient network segmentation
Supported on models 60 and higher
IEEE 802.1Q
Segregate devices logically instead of physically by adding 802.1Q VLAN tags to all packets sent and received by the devices
A single FortiGate unit can provide security services and control connections between multiple security domains
NAT/Route and Transparent modes
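The 802.1Q tagging described on this slide, as an added example that is not Fortinet code: Python functions that insert and parse the 4-byte tag and map a frame to a security domain by its VLAN ID. The sample frame and the VLAN-to-domain map are constructed, and the domain names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # value in the EtherType position that marks an 802.1Q tag

def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved
        raise ValueError("VLAN ID out of range")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad priority or drop-eligible bit")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame):
    """Return (vid, pcp, dei, untagged_frame), or None for an untagged frame."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, frame[:12] + frame[16:]

def security_domain(frame, vlan_domains):
    """Map a frame to its security domain; None means drop (untagged/unknown)."""
    tag = parse_tag(frame)
    return None if tag is None else vlan_domains.get(tag[0])

# Constructed sample: broadcast IPv4 frame and a hypothetical VLAN-to-domain map.
FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
DOMAINS = {10: "finance", 20: "engineering"}
TAGGED = add_tag(FRAME, 20, pcp=5)
```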
Virtual Domains
ease of management
lower costs: one system with multiple firewalls
each virtual domain functions like a single FortiGate unit
exclusive firewall and routing services to multiple networks
traffic from each network is effectively separated from every other network
packets never cross virtual domain borders
NAT/Route and Transparent modes
Virtual Private Networks (VPN)
a private data network that uses the public telecommunication infrastructure
maintains privacy through the use of a tunneling protocol and security procedures
VPN
The FortiGate unit supports the following types of VPN:
PPTP and L2TP
IPSec
NAT traversal
DPD
IPSec redundancy
site-to-site tunnels
Hub and spoke topology
DHCP over IPSec
High Availability
provides fail-over between two or more FortiGate units
provides fail-over between links
achieved using redundant hardware
matching FortiGate models running in NAT/Route mode
FortiGate units can be configured for either active-passive (A-P) or active-active (A-A)
supported on FortiGate models 60 and higher
Logging and Reporting
The FortiGate unit supports logging for various categories of traffic and configuration changes
You can configure logging to report:
traffic that connects to the firewall
network services used
traffic that was permitted by firewall policies
traffic that was denied by firewall policies
events such as configuration changes and other management events, IPSec tunnel negotiation, virus detection, attacks, and web page blocking
attacks detected by the IPS
virus incidents, intrusions, and firewall or VPN events or violations to system administrators using alert email
Updates and Support
antivirus and anomaly definitions are updated regularly
your FortiGate unit can be configured to:
accept push updates from the FortiResponse Distribution Network (FDN)
check the FDN regularly for updates following a schedule
FortiProtect Bulletins
emailed whenever updates are made to the antivirus or IPS databases
specifies the latest release numbers so you can confirm your FortiGate unit is up to date
distributed free of charge
sign up at www.fortinet.com
Online Help
Online help is available through the web-based manager screens
Access help through:
contents
index
search
Documentation
In addition to online help, Fortinet offers a number of publications to assist you in maximizing the effectiveness of your FortiGate unit
Most of these publications are on the CD accompanying your FortiGate unit