Fortinet Confidential
October, 2011 1.1
FortiClient Solutions
Endpoint Security Anytime, Anywhere

Remote Access & Your IT strategy
The right connection for the right people
- Choice of VPNs: SSL for some, IPsec for others
- Choice of Features: Ability to retain 3rd party antimalware
Meet regulatory and legal requirements
- Only devices meeting corporate policy are allowed to connect
Improve network and application performance
- WAN Optimization for improved traffic efficiency

Fortinet Connected Network
[Diagram labels: FortiClient, FortiAP, FortiSwitch, FortiRAP, FortiGate, FortiAnalyzer, FortiManager, FortiAuthenticator]
FortiGate As Control Point
- Enforcing network security
- Provisioning/Managing other devices

Remote Access Architecture
[Diagram labels: FortiClient Premium w/IPSec VPN, FortiClient w/SSL VPN, Android Client, FortiGate, FortiToken, FortiGuard Services, FortiManager (Optional), FortiAnalyzer (Optional), FortiAuthenticator Server (Optional)]
Non-Compliant Devices Can Be Denied Access

Remote Access MSP/Cloud Architecture
[Diagram labels: FortiClient Premium w/IPSec VPN, FortiClient w/SSL VPN, Android Client, FortiGate, FortiGate VM, FortiManager VM, FortiAnalyzer VM, FortiToken, FortiGuard Services]

The FortiClient Family
[Comparison table; cell layout not recoverable]
Editions: FortiClient Lite, FortiClient SSL, FortiClient, FortiClient Premium
Platforms: Windows, OSX, Linux, Mac, Android
Licensing: Free to Use; Included; One time license per FortiGate; Per Seat
Features: Antivirus, SSL VPN, IPSEC VPN, Parental Control

FortiClient Features
• IPsec VPN: Simple client-to-site VPN policies for remote access.
• SSL VPN: Secure web-based access for remote users
• WAN Optimization: Accelerate application performance
• Endpoint Control: Lock down network access based on installed applications
• Two-Factor Authentication: Properly identify end users
* MacOS Client = IPsec VPN, SSL VPN and Two-Factor Authentication Only

FortiClient Premium Additional Features
• Antimalware: Detect and clean viruses, worms and other malicious software.
• Web Filtering: Control accessible web content
• AntiSpam: Prevent unwanted email
• Centralized Management: Manage complex user and group policies
• Firewall: Deny unwanted connections

FortiClient Secure Connectivity Solution
• SSL & IPsec VPN
• Two-Factor Authentication
• WAN Optimization
• Policy Compliance

FortiClient Premium Complete Endpoint Protection
• SSL & IPsec VPN
• Two-Factor Authentication
• WAN Optimization
• Policy Compliance
• Antimalware
• Web Filtering
• AntiSpam
• Centralized Management
• Firewall

FortiClient Framework: FortiGate
• Automated IPSec VPN Policy Server
• Two-factor Authentication
• Certificate Store Integration
• Client-to-Site WAN Optimization (Internal HDD)
• Minimize remote user download times
• Endpoint compliance awareness & enforcement
• Lock down network access based on organizational policy
• Check asset configuration including installed or running 3rd party application software
• Customize warning and blocked messages

FortiClient Framework: FortiGate/FortiAnalyzer
FortiManager
• Centralized Policy Management
• Provisioning
• Configuration
• Update Management
• Role Based Administration
• User privileges defined by management domains
• Improved Performance
• Local hosting of security updates
• Minimize web filtering response time
• Required for FortiClient Premium
FortiAnalyzer
• IPSec VPN Activity Reporting
• Logged from the FortiGate
• Username, IP addresses and Duration Tracking
• Top Sources, Destinations and Peers
• Endpoint Compliance Logs
• Logged from the FortiGate
• Compliant and Non-compliant devices
• Can be used with built-in correlation to notify staff of non-compliant devices

Remote Access: Pain Points
Takes too long to embrace new trends. We need to reduce real estate costs. The auditors are coming next week.
My IT budget was cut by 20%. Someone has a virus. Who’s doing what and where?
200 more users this month?! Help desk calls are killing us.
Roles: CxO, IT Manager, IT Ops

Remote Access: Key Benefits & Features
- Improved policy compliance
- Scalability and reliability
- Enforce policies on multiple levels (including encrypted traffic)
- Cut bandwidth costs
- Easily apply policies
- Enforce compliance
- Quickly provision users
- Minimize calls to help desk
– SSL Inspection
– Endpoint Control
– WAN Optimization
– Strong Authentication
Roles: CxO, IT Manager, IT Ops

Endpoint Security Challenges
Emily, a financial trader, installed Skype on her company laptop to talk with family.
Bill works for a Fortune 100 company and shares company details on Facebook.
Ed shared a company presentation via his personal Gmail account.
Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.
What Are You Going to Do?
Data Leak Protection
Endpoint Control
Identity-Based Policies
- Two-Factor Authentication
- VPN Tunneling
- WAN Optimization

Endpoint Control
• FortiGate Checks the Endpoint
• FortiClient installed and running?
• Antivirus configured and up to date?
• Third Party Software
• Installed, or not?
• Running, or not?
• Endpoint license is per FortiGate
• No per seat license requirement

Endpoint Application Database
• FortiGate Endpoint Control Application Database
• Downloaded from FortiGuard
• Distinct from the Application Detection database
• More than 5000 applications in 37 categories
• Anti Malware, Proxy Avoidance, P2P, etc
• List of current applications sent by FortiClient to the FortiGate
• FortiGate Endpoint Policy Verified and Enforced
• FortiClient displays status / error / reason

Communication Flow
• FortiClient initiates a connection towards the FortiGate with an HTTP request to a special FQDN
• Request includes end point application list
• FortiGate performs policy check
• Installed, running, not installed, not running
• Policy actions include block, allow, monitor, warn
[Diagram labels: FCSYSREQ, FCSYSRPLY, pingserver.fortinet.net]

No FortiGate Found
• FortiClient 4.3 requires FortiOS 4.0 MR3
• Solution:
  • FortiGate needs to be upgraded and the relevant Endpoint policies enabled

Non-Compliant End Point Warning
• Endpoint has been warned due to Firefox not being installed
• Solution:
  • Install Firefox
  • End user can click ‘Ignore warnings’

Non-Compliant End Point Banned
• Endpoint has been banned due to FileZilla server application being installed
• Solution:
  • Device conforms to endpoint control policy
  • FortiGate Administrator provides a temporary exemption via the end point monitor option
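The policy check from the Communication Flow slide, applied to the Firefox and FileZilla cases, as an added example that is not Fortinet code or part of the original deck. The rule format, the function names, the Skype rule and the precedence block > warn > monitor > allow are assumptions made for illustration.

```python
# Added illustration, not Fortinet code: a hypothetical model of the
# endpoint policy check (reported application state -> policy action).
from dataclasses import dataclass

STATES = {"installed", "running", "not installed", "not running"}
# Assumed precedence when several rules match: most restrictive wins.
SEVERITY = {"allow": 0, "monitor": 1, "warn": 2, "block": 3}

@dataclass(frozen=True)
class Rule:
    app: str     # application name as reported by the client
    state: str   # one of STATES
    action: str  # one of SEVERITY

def state_matches(report, app, state):
    """report maps app name -> {"installed": bool, "running": bool};
    an application missing from the report counts as absent."""
    info = report.get(app, {})
    running = bool(info.get("running", False))
    installed = bool(info.get("installed", False)) or running
    present = running if state.endswith("running") else installed
    return present != state.startswith("not ")

def evaluate(report, rules):
    """Return (action, reasons): the most restrictive matching action and
    the rules behind it, so a status/reason can be shown to the user."""
    verdict, reasons = "allow", []
    for rule in rules:
        if rule.state not in STATES or rule.action not in SEVERITY:
            raise ValueError(f"invalid rule: {rule}")
        if not state_matches(report, rule.app, rule.state):
            continue
        if SEVERITY[rule.action] > SEVERITY[verdict]:
            verdict, reasons = rule.action, [rule]
        elif rule.action == verdict and verdict != "allow":
            reasons.append(rule)
    return verdict, reasons

# Constructed policy: the first two rules mirror the slides' examples.
POLICY = [
    Rule("Firefox", "not installed", "warn"),
    Rule("FileZilla Server", "installed", "block"),
    Rule("Skype", "running", "monitor"),  # assumed rule for illustration
]
# Constructed client reports (sample data, not captured traffic).
NO_FIREFOX = {"Skype": {"installed": True, "running": True}}
BANNED = {"Firefox": {"installed": True},
          "FileZilla Server": {"installed": True, "running": False}}
```

Because the application list is supplied by the client, a gateway-side check of this kind is only as trustworthy as the client reporting it.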

IPSec Configuration
• Simplified configuration steps on both client and FortiGate
• Matching default proposals to minimize configuration steps
• Advanced configurations can be created by editing the client configuration file
• XML formatted clear text file can be exported / imported
• FortiGate configuration can be changed via UI once ‘Create FortiClient VPN’ wizard has been used
• Can be combined with endpoint control
• Previous Automated Policy Server configuration not supported by FortiClient 4.3

Simplified Configuration
[Screenshot labels: FortiClient 4.3 MAC/OSX, FortiClient 4.3 Windows, FortiOS 4.0 MR3]

Simplified User Interface

SSL Configuration
• Configuration has always been cleaner when compared to IPSec and the myriad of options
• Default port set at 10443, port 443 is more typically used for admin access – this can be changed
• As with IPSec the configuration file can be exported / imported
• Simplified web mode clients available for Android and iOS

SSL VPN Configuration and Usage

WAN Optimization
• Improving application performance
• Requires a suitably configured FortiGate
• Current support for CIFS, FTP, HTTP, MAPI and general TCP
• Byte caching always available
• Web caching requires a passive rule
• Protection features take precedence over optimization
• Dual VDOM approach can combine UTM and optimization

Two Step configuration!

FortiToken
• One Time Password Support, introduced with FortiOS 4.0 MR3
• FortiToken-200
• Token entry based on pop up challenge or simply concatenate with password
• Seed distribution / registration via FortiGuard

FortiGate Authentication Server
• Used in case of single FortiGate unit deployed for VPN
• Authentication Server functionality built-in to FortiGate 4.3 and above at no additional cost
• No additional hardware or software to purchase and maintain and support
• Token management specific to instance of FortiGate Unit (or HA pair)
• Option to integrate with existing AD/LDAP directory
• Deploys in minutes
• Zero Maintenance
• FortiToken provides Two-Factor Authentication natively with FortiGate for:
  • FortiGate Web Admin
  • Captive Web Portal
  • IPSEC VPN
  • SSL VPN

FortiAuthenticator: Key Areas of Functionality
Direct User Authentication
• RADIUS
• LDAP Authentication
• LDAP Directory Service
• Two Factor Authentication
• FortiToken
• Certificates
Directory Synchronisation
• Integrated Fortinet Single Sign On Server Authentication Extension (FSAE) polling
• Synchronises user authentication state between multiple domain controllers and FortiGate appliances
Certificate Management Server
• X.509 Certificate management server
• PKCS#11 Certificate Token Management
• Certificate Revocation

FortiAuthenticator Authentication Server
• FortiToken and FortiAuthenticator provide Two-Factor Authentication for:
  • Multiple FortiGate devices
  • Pre 4.3 FortiGate devices
  • Fortinet product range
  • Third-party switches, routers, VPN etc
  • More users than supported by FortiGate
• Extends the FortiGate/Token two-factor authentication feature
• Compatible with FortiToken
• Full function stand-alone RADIUS/LDAP server
• Authentication to VPN/Firewall/Switch/Router/Server
• Self-service Password reset portal
• x.509 Certificate Authority
• Certificate based two factor authentication
• Certificate revocation

FortiClient Ordering SKUs and Pricing
Showing Select FortiGate Models
FortiGate Model FortiClient SKU US List Price
FortiGate-60C FCC-00060-LIC $101.15
FortiGate-80C FCC-00080-LIC $152.15
FortiGate-110C FCC-00113-LIC $339.15
FortiGate-200B FCC-00202-LIC $509.15
FortiGate-310B FCC-00312-LIC $1,019.15
FortiGate-620B FCC-00620-LIC $2,209.15
FortiGate-800 FCC-00800-LIC $1,189.15
FortiGate-1240B FCC-01240-LIC $3,399.15
FortiGate-3040B FCC-03040-LIC $6,799.15
FortiGate-3600 FCC-03600-LIC $5,099.15
FortiGate-3950B FCC-03951-LIC $13,599.15
FortiGate-5001A-DW FCC-50011-LIC $8,669.15
FortiGate-5005FA2 FCC-05005-LIC $10,369.15
Unlimited Clients Per FortiGate – One Time License

FortiClient Premium Ordering SKUs and Pricing
Number of Clients FortiClient SKU US List Price (1 Year)
1 FHS1-15-C1001-154-02-DD $53.90
2-9 FHS2-15-C1001-154-02-DD $49.50
10-24 FHS3-15-C1001-154-02-DD $33.17
25-99 FHS4-15-C1001-154-02-DD $21.88
100-249 FHS5-15-C1001-154-02-DD $17.50
250-499 FHS6-15-C1001-154-02-DD $13.99
500-999 FHS7-15-C1001-154-02-DD $11.19
1000-2499 FHT1-15-C1001-154-02-DD $10.07
2500-4999 FHT2-15-C1001-154-02-DD $9.05
5000-9999 FHT3-15-C1001-154-02-DD $8.59
10000-24999 FHT4-15-C1001-154-02-DD $8.15
25000-49999 FHT5-15-C1001-154-02-DD $7.73
50000-99999 FHT6-15-C1001-154-02-DD $6.95
100000+ FHT7-15-C1001-154-02-DD $6.14
2 and 3 Year Prices Also Available
Thank You!