high performance ngfw extended - … this document contains confidential material proprietary to...

1 © Copyright 2013 Fortinet Inc. All rights reserved.

High Performance NGFW Extended

Enrique Millán

Country Manager Colombia

emillan@fortinet.com

2

This document contains confidential material proprietary to Fortinet, Inc.

This document and information and ideas herein may not be disclosed, copied, reproduced or

distributed to anyone outside Fortinet, Inc. without prior written consent of Fortinet, Inc.

This information is pre-release and forward looking and therefore is subject to change without

notice.

The purpose of this document is to provide a statement of the current direction of Fortinet’s

product strategy and product marketing efforts.

Please note that this Product Roadmap is neither intended to bind Fortinet to any particular

course of product marketing and development nor to constitute a part of the license agreement

or any contractual agreement with Fortinet or its subsidiaries or affiliates.

D I S C L A I M E R

3

FortiGuard

Competence

High Performance

Market

Agenda

4

Global Success with Diversified Products

Nine of Top 10 Global 100

Nine of Top 10 Global 100 Aerospace & Defense

Seven of Top 10 Global 100 Computer Services

Seven of Top 10 Global 100 Major Banks

Billings by Region Revenue by Segment

5

Global Customers

Top 10

Fortune

500

Top 10

Global 500

Banks

Top 5

Global

Carriers

6

Network Security Market - $11B Opportunity

UTM/NGFW UTM/NGFW

$13 Billion

$11 Billion

FW FW

$5.3B

$2.4B $2.6B

$2.7B

VPN VPN $786M $725M

IPS

IPS SWG

SWG

ATP

$2.1B

$1B

$750M

$1.9B

$1.2B

2012 2016 IDC Market Forecasts (except Advanced Threat Protection , which is a Fortinet estimate)

WOC $1B WOC $1B

Fortinet - Confidential

7

Analyst Perspectives

• No Consensus around Security Appliances Naming or Functionality

- Segmentation Gateways

- UTM for SMBs

- NGFW for Enterprises

- Enterprise Firewalls (NGFW)

- SMB Firewalls (UTM)

- Branch Office Firewalls

- Data Center Firewalls

- UTM - Integrated Security Appliance

8

• UTM • Standard network stateful firewall functions

• Remote access and site-to-site virtual private network (VPN) support

• Web security gateway functionality (anti-malware, URL and content

filtering)

• Network intrusion prevention focused on blocking attacks against

unpatched Windows PCs and servers

All UTM products contain other security capabilities, such as email security, Web

application firewalls or data loss prevention.

• NGFW The firewall market has evolved from simple stateful firewalls to NGFWs,

incorporating full-stack inspection to support intrusion prevention,

application-level inspection and granular policy control.

Gartner Definitions

9

NGFW Market Drivers

1. More and more reports point to

infected web sites or web applications

as the primary source of infection

(Application Control)

2. APTs require a new response

mechanism (“Sandboxing” Web

Filtering)

3. Advancements in processing power

and inspection engines… now offer

converged security to larger enterprises

(Consolidation). Source: Competitive Landscape: NGFW Appliance Market, WW, 2013. Gartner, 4/13.)

10

Features/Presets NGFW NGFW+

SWG

NGFW+

ATP

NGFW

(Extend)

Security FW/VPN ✔ ✔ ✔ ✔

IPS ✔ ✔ ✔ ✔

App Control ✔ ✔ ✔ ✔

Explicit Proxy ✔ ✔ ✔

Web Filter ✔ ✔ ✔

AntiVirus ✔ ✔ ✔

Sandbox ✔ ✔

Authentication* ✔

Email Filter

DLP

Endpoint Control

Vulnerability Scan

NGFW Security Capabilities

11

Additional Consideration…

Initiate a multi-year plan to improve

your organizations coverage of

encrypted traffic and start with

inbound and outbound web

traffic…decrypting SSL traffic on a

firewall implies a loss of 74% for

throughput.

Source: Security Leaders Must Address Threats from Rising SSL Traffic, Gartner,

12/13.)

12

Focus Areas

13

SSL Performance

2Gbps

10Gbps

FortiOS 5.2 FortiOS 5.0

CP8

IPS Engine 3.0

Harnesses the power of the FortiASIC-CP8

Figures shown apply to FortiGate-3600C

Faster

14

Register

FortiGate linked to FortiSandbox

Deep AV Scan & Real Time

• 96% RAP before Sandbox

• No need to Sandbox if caught

FortiSandbox

Cloud Check

Real time check on

latest malware rating

Full Sandbox

Catch anything not

caught by signature

detection

Forensics

Behavior Report

Downloaded & Dropped Files

Recursively Scanned

Integrated ATP Evolution Derek Manky

15

Register

FortiGate linked to FortiSandbox

Deep AV Scan & Real Time

• 96% RAP before Sandbox

• No need to Sandbox if caught

FortiSandbox

Cloud Check

Real time check on

latest malware rating

Full Sandbox

Catch anything not

caught by signature

detection

Forensics

Behavior Report

Downloaded & Dropped Files

Recursively Scanned

Integrated ATP Evolution Derek Manky

16

Single Policy

Multiple Source decision process – Merges IP, User and Device Policies

Single Policy to Answer Where, Who and What

BYOD

Specific access based on device type (limit, block)

Captive Portal

Single Sign On

Nework Access for Users, Devices and Apps Robin Liao

AND AND

17

Building a bigger FortiGate

Extended Management

For remote device management ‘wired access point’

Manage Only Connection

Scalability, increases the number of FortiSwitches that can be managed

Encrypted FortiLink

Allows for wide area network connectivity for remotely sited switches

Internet

FortiLink

18

NSS Labs – Third Party Validation

• 100% Overall Protection » Stability & Reliability

» Firewall Enforcement

» Security Effectiveness

• Lowest TCO » $2 / Protected Mbps

• Lowest Latency » 5 μs latency 64 byte packets

• Top 2 vendors

• 96% Overall Protection

• Passed 100% Evasion

Tests

• 6.25 Gbps IPS

performance

• Ultra low latency

• 96% Overall Protection

• Passed 100% Evasion

Tests

https://cms.myfortinet.com/share/page/site/ProductPortal/documentLibra

ry#path=%252fCompetitive%252f0-

Fortinet%252fNSS%2520Labs%2520Reports

FortiGate 800C FortiGate 3240C FortiGate 3600C

Fortinet Earned Triple Recommend Rating in the Latest NSS Labs Tests

19

NSS Labs – Third Party Validation

20

Fortinet Advantage: Performance

Gbps Mbps Firewall

VPN NGFW UTM

Policy Security

Fortinet - Confidential

21

Fortinet Advantage: Simplified

Web

Filtering

AV Firewall

VPN

Router

Internet

IPS/App

Switch

Advanced

Threat

Protection

(Sandbox)

Internet

FortiGate

Data Center Firewall

Next Generation Firewall

Unified Threat Management

Point Products Consolidated Solution

Fortinet - Confidential

22

Firewall Solutions

Cloud/Carrier

Branch Office

Enterprise Campus

Distributed Enterprise

Data Center

INTERNET

Remote End Points

Edge or Core Firewall (NGFW)

Branch Firewall (NGFW)

Client Firewall

(VPN)

Unified

Threat

Management (UTM)

Data Center Firewall (Core, Perimeter, VM)

Carrier Firewall Platform

Fortinet - Confidential

23

Two Types of Competitors

Software

Based

Network

Based

•Missing New

Functions (NGFW)

•Old, Slow & No

Focus

•Limited

multifunction

Performance

•Not Scalable for

SMB or Telco

24

Deployment Scenarios

MSSP/ Carrier

Data Center

Enterprise Core

Distributed Enterprise

SMB

FortiGate 5000 Series

FortiGate 1000/ 3000 Series

FortiGate 20-100

PA 4000/ 5000 Series

PA 2000/ 3000 Series

PA 200/ 500

FortiGate 200-800

PA 7050

26

FortiGate 3700D vs. PA 5060

$100K

$168.5K

160Gbps

110Gbps

100Mpps

60Mpps 30M

13M

FortiGate 3700D PA 5060

Price Firewall Packet Per Second (Mpps) Sessions

40G Ports

$130K

20Gbps 15Mpps 4Mbps

Fortinet has 8X FW Performance

30

Products have Poor Performance

MSSP/ Carrier

Data Center

Enterprise Core

Distributed Enterprise

SMB

FGT 5000

Series

FGT 3000

Series

FGT/FW 20-100

Series

FGT 1000

Series

FGT 200 - 800

Series

Check Point 600 – 2200

Series

Check Point 4000

Series

Check Point 12000

Series

Check Point 21000

Series

Check Point 61000

Series

Check Point 13500

31

FortiGate 3700D vs. Checkpoint 21700

Twice the Performance – Half the Price

$100K

$168.5K 160Gbps

110Gbps 100Mpps

60Mpps

30M 13M

FortiGate 3700D Check Point 21700 w/ SAM

Price Firewall Packet Per Second (Mpps) Sessions

40G Ports

33

Products are Confusing & Lack Features

MSSP/ Carrier

Data Center

Enterprise Core

Distributed Enterprise

SMB

FGT 5000

Series

FGT 3000

Series

FGT/FW 20-100

Series

FGT 1000

Series

FGT 200 - 800

Series

Cisco ASA 5585-X

Series

Cisco ASA 5500-X

Series

Cisco ASA 5505

Sourcefire

3D8000 Series

34

FortiGate 3700D vs Cisco ASA 5585-X SSP20

Fortinet has 16X Performance

40G Ports

$100K

$115K

160Gbps

10Gbps

44M

1M

300K

50K 23 Gbps

2 Gbps

FortiGate 3700D Cisco ASA 5585-SSP20 (FW/IPS)

Price Firewall Sessions Connection Per Second IPS

35

Products are Falling Way Behind

MSSP/ Carrier

Data Center

Enterprise Core

Distributed Enterprise

SMB

SRX 5000

Series

SRX 3000

Series

FGT 5000

Series

FGT 3000

Series

FGT/FW 20-100

Series

FGT 1000

Series

FGT 200 - 800

Series

SRX 1000

Series

SRX 100-650

Series

36

FortiGate 3700D vs. Juniper SRX 3400

Twice the Performance – Half the Price

$100K

$168.5K

160Gbps

110Gbps

100Mpps

60Mpps

30M

13M

FortiGate 3700D Juniper SRX 3400

Price Firewall Packet Per Second (Mpps) Sessions

40G Ports

38

Rack Space & Performance vs. Competitors

• 560 Gbps firewall

• 630 Mpps

• 280M sessions

• Price $900K

Juniper SRX 5800

Fortinet

FortiGate-5140B

VS.

Check Point 61000 Cisco Catalyst

6500 w/ ASA SM Palo Alto PA 7050

Perf

orm

an

ce

S

es

sio

n

Cap

ac

ity

Pack

et

Per

Seco

nd

• 150 Gbps firewall

• 15 Mpps

• 20M sessions

• 200 Gbps firewall

• 50 Mpps

• 70M sessions

• 80 Gbps firewall

• 20 Mpps

• 40M sessions

• 120 Gbps firewall

• 105 Mpps

• 24M sessions

5 x $1.4M = $7M 3 x $1.267M = $3.8M 7 x $550K = $3.8M 5 x $1.253M = $6.3M

7 x $1.4M = $9.8M 2 x $1.267M = $2.5M

42 x $1.4M = $58.8M 13 x $1.267M = $16.4M

6 x $1.253 = $7.5M 3 x $550K = $1.6M

32 x $550K = $17.6 M

Source: Competitors’ US/North America Price Lists 2013

12 x $1.253 = $15M

39

Feature & Certification Comparison

No One Comes Close

Fortinet - Confidential

40

FortiGuard Services

FORTIGUARD ANTIVIRUS SERVICE

FORTIGUARD ANTISPAM

SECURITY SERVICE

FORTIGUARD WEB

SECURITY SERVICE

FORTIGUARD DATABASE

SECURITY SERVICE

FORTIGUARD IP REPUTATION

SERVICE

FORTIGUARD VULNERABILITY

MANAGEMENT SERVICE

FORTIGUARD WEB

FILTERING SERVICE

FORTIGUARD INTRUSION

PREVENTION SERVICE

FORTIGUARD APPLICATION

CONTROL SERVICE

What is FortiGuard?

Threat Landscape Update & Strategy

41

Spam e-mails intercepted

Malware programs neutralized

Network intrusion attempts resisted

Attempts to access malicious websites blocked

Botnet command and control attempts thwarted

Website categorization requests

3,100 Application

control signatures

75 Terabytes Of Threat Samples

12,500 Vulnerability

management signatures

250 Million Rated websites in

78 categories

1000 Web application firewall

attack signatures

70 Intrusion prevention signatures

8,000 Hours of research in labs around the globe

235,000 New and updated antivirus definitions

66 Million New and updated antispam signatures

725,000 URL ratings for web filtering

Threat Intelligence and Response

42

High End

FortiGate-5000 &

3000 Series

FortiMail

FortiWeb FortiDB

FortiScan

FortiSwitch

FortiBridge

FortiAuthenticator FortiClient

FortiDDoS

FortiBalancer

FortiDNS

FortiCache

FortiVoice FortiAnalyzer FortiManager

FortiCamera

Coyote Point

End-to-End Security Solutions

Mid Range

FortiGate-1000

to 100 Series

Desktop

FortiGate/FortiWiFi-90 to

20 Series

FortiAP

FortiToken

FortiADC

FortiSandbox FortiCloud

43

44

Let’s Grow your Businesses Together!