FortiOS™ 4.0 Software

FortiOS™ 4.0 Software
FortiOS™ 4.0 Software
Redefining Enterprise Network Security
Updated for FortiOS 4.0 MR3
FortiOS 4.0 Software — Redefining Enterprise Network Security
Today’s Security Challenges
Networks are faster than ever, carrying more information and rich content - as well as potentially malicious payloads. The
volume and sophistication of attacks have also increased, requiring more accurate detection methods and the ability to
block threats before they can do any damage. Simultaneously, cost-reduction programs are forcing IT departments to
consolidate network equipment and operating expenses wherever possible.
Fortinet Offers A Simple, Powerful Solution
FortiOS is a security-hardened, purpose-built operating system that is the software foundation of all FortiGate® consolidated
security platforms. FortiOS 4.0 software leverages the hardware acceleration provided by custom FortiASIC™ processors,
delivering the most comprehensive suite of IPv6-ready security and networking services available within a single device.
FortiGuard® Security Subscription Services ensure that FortiOS threat protections are always up to date, defending your
network against the latest, most sophisticated and dynamic attacks.
FortiOS 4.0 Security Features
Complete Security
Fortinet designed and built FortiOS 4.0 security services
from the ground up to deliver integrated performance
and effectiveness that standalone products simply cannot
match. The services work together as a system to provide
better visibility and mitigation of the latest network and
application threats, stopping attacks before theft and
damage can occur.
Enterprise-class Firewall - IPv6-Ready
Application Control
Integrated Intrusion Prevention
Identity-based Policy Enforcement
SSL-encrypted Traffic Inspection
VPN - IPSec and SSL
Antivirus / Antispyware
Data Loss Prevention (DLP)
Flow-based Inspection Options
Web Filtering
Endpoint Network Access Control (NAC)
Vulnerability Management
Monitoring, Logging and Reporting
WAN Optimization
Integrated Wireless Controller
VoIP Security
Centralized Management
Virtual Domains
High Availability
Layer 2/3 Routing Services
FortiGuard Security Updates
“A further disrupting factor is the rate of change
within enterprise networking — inexorably increasing
throughput, more Web-based applications, more complex
connections within applications, more complex data
centers and more data being presented to customers
means that firewalls have had to keep up with features
and performance to meet these changing needs”.
Greg Young and John Pescatore
Gartner Magic Quadrant for Enterprise Network Firewalls - March 2010.
Purpose-Built for Performance
FortiOS software enables high performance multi-threat
security by leveraging the hardware acceleration provided
by FortiASIC processors. This combination of custom
hardware and software gives you the best security and
performance possible from a single device.
Simplified Deployment and Management
FortiOS 4.0 software lowers costs and reduces IT staff
workloads. Centralized management and analysis ensure
consistent policy creation and enforcement while minimizing
deployment and configuration challenges. You gain the
flexibility of having a unified security policy at the device level
along with an appliance-based centralized management
platform for large deployments.
Unique Visibility and Control
Advanced security features such as Flow-based Inspection
and Wireless Controller capability allow you to monitor and
protect your network from endpoints to core, and from
remote offices to headquarters. FortiOS allows greater
traffic visibility and more consistent, granular control over
users, applications and sensitive data.
FortiOS 4.0 Software — Complete Content and Network Protection
Fortinet continues to increase the breadth and depth of security and networking services included in the FortiOS purposebuilt operating system. By adding new functionality and enhancing the performance of existing services, FortiOS software
continues to demonstrate why it remains the gold standard for multi-threat security. FortiOS 4.0 software includes many
advanced security and networking features, some of which are highlighted below:
Application Control
Application control enables you to define and enforce policies for thousands of applications running
on your network and endpoints. Newer Web-based applications such as Facebook, Skype, Twitter
and can be detected and controlled at a granular level, regardless of ports and
protocols used. Application classification and control is essential to manage the explosion of new
Internet-based technologies bombarding networks today.
Antivirus / Antispyware
In addition to three proxy-based antivirus databases, FortiOS also includes a high-performance flowbased antivirus option. The flow-based option allows you to scan files of any size while maintaining
the highest levels of performance. In addition, flow-based inspection enables scanning of files within
compressed files to detect hidden threats. By providing you the flexibility to choose your antivirus
engine, you can balance your performance and security requirements for your environment.
Data Loss Prevention (DLP)
Fortinet DLP identifies sensitive information and blocks transmission to points outside of your network
perimeter. A sophisticated pattern-matching engine monitors traffic from multiple applications, such
as Web-based email and encrypted instant messaging, and provides audit trails to aid in policy
compliance. You can select from a wide range of configurable actions to log, block and archive data,
as well as ban or quarantine rogue users. Flow-based DLP options are also available.
Web Filtering
Inappropriate Web surfing and use of Web-based applications can result in lost productivity,
network congestion, malware infection and data loss. Web Filtering controls user access to Webbased applications such as instant messaging, peer-to-peer file sharing and streaming media, while
blocking phishing sites and blended network attacks. In addition, botnet command and control traffic
and fast flux file downloading can be blocked. Flow-based Web filtering options are available.
Wireless Controller
All FortiGate and FortiWiFi™ consolidated security platforms have an integrated wireless controller,
enabling centralized management of FortiAP™ secure access points and wireless LANs.
Unauthorized wireless traffic is blocked, while allowed traffic is subject to identity-aware multi-threat
security inspection. You can control network access, quickly update security policies, and identify
and suppress rogue access points - all from a single console.
WAN Optimization
Wide area network (WAN) optimization accelerates applications over your wide area links while
ensuring multi-threat security enforcement. FortiOS 4.0 software eliminates unnecessary and
malicious traffic and optimizes legitimate traffic by reducing the amount of information transmitted
between applications and servers. This improves performance of applications and network services
while reducing bandwidth requirements.
Fortinet firewall technology combines ASIC-accelerated stateful inspection with an arsenal of
integrated application security engines to quickly identify and block complex threats. FortiGate firewall
protection integrates with other key security features such as virtual private network (VPN), antivirus,
intrusion prevention, Web filtering, antispam and traffic shaping to deliver multi-layered security that
scales from small business appliances to multi-gigabit core network and data center platforms.
Intrusion Prevention
Intrusion prevention system (IPS) technology provides protection against current and emerging
network level threats. In addition to signature-based detection, we perform anomaly-based detection
whereby our system alerts users to traffic that fits a specific profile-matching the attack behavior. This
behavior is then analyzed by our threat research team to identify threats as they emerge and generate
new signatures that are incorporated into our FortiGuard services.
Fortinet virtual private network technology provides secure communications between multiple
networks and hosts using IPSec and SSL VPN protocols. Both services leverage custom FortiASIC
processors to accelerate encryption and decryption network traffic. Once the traffic has been
decrypted, multi-threat inspection including antivirus, intrusion prevention, and Web filtering can be
applied and enforced for all content.
Fortinet antispam technology offers a wealth of features to detect, tag, quarantine, and block
spam messages and malicious attachments generated by spambots and compromised systems.
FortiGate and FortiWiFi platforms and FortiClient endpoint security agents offer integrated antispam
functionality as part of their multi-layered protection, backed by the FortiGuard Antispam Service.
Fortinet’s Security Solution
Today’s organizations need more network protection than traditional firewalls can provide. Stand-alone security solutions
add complexity and cost without providing comprehensive protection.
FortiOS integrates many functions together into a single security platform, including firewall, VPN, application control,
intrusion prevention, and web filtering. Fortinet delivers complete content protection, which is more than simply identifying
applications and allowing or denying the traffic. It is application control coupled with identity-based policy enforcement of
all content.
Typical Adhoc Model
Numerous stand-alone security products
from different vendors are costly to deploy,
complex to manage, and degrade network
performance and reliability.
Simple & Cost Effective
Fortinet UTM Model
FortiGate UTM
Application Control ›
Antivirus ›
Next Generation Firewall ›
Web Filtering ›
AntiSpam ›
WAN Acceleration ›
Traffic Optimization ›
WiFi Controller ›
The Fortinet UTM Model
Fortinet’s fully integrated security
technologies offer increased
protection, improved performance,
reduced costs, and greater reliability.
FortiOS Security Services
ICSA Labs Certified (Enterprise Firewall)
NAT, PAT, Transparent (Bridge)
Routing Mode (RIP, OSPF, BGP, Multicast)
Policy-Based NAT
Virtual Domains (NAT/Transparent mode)
VLAN Tagging (802.1Q)
Group-based Authentication & Scheduling
SIP/H.323 /SCCP NAT Traversal
WINS Support
Explicit Proxy Support (Citrix/TS etc.)
VoIP Security (SIP Firewall / RTP Pinholing)
Granular Per-Policy Protection Profiles
Identity/Application-Based Policy
Vulnerability Management
IPv6 Support (NAT / Transparent mode)
ICSA Labs Certified (Gateway Antivirus)
Includes Antispyware and Worm Prevention
Major IM Protocols
Flow-Based Antivirus Scanning Mode
Automatic “Push” Content Updates
File Quarantine Support
Databases: Standard, Extended, Extreme, Flow
IPv6 Support
76 Unique Content Categories
FortiGuard Web Filtering Service Categorizes over 2
Billion Web pages
HTTP/HTTPS Filtering
Web Filtering Time-Based Quota
ICSA Labs Certified (IPSec/SSL-TLS)
URL/Keyword/Phrase Block
PPTP, IPSec, and L2TP + IPSec Support
URL/Category Exempt
SSL-VPN Concentrator (including iPhone client support) Blocks Java Applet, Cookies, Active X
DES, 3DES, and AES Encryption Support
MIME Content Header Filtering
SHA-1/MD5 Authentication
IPv6 Support
PPTP, L2TP, VPN Client Pass Through
Flow-based Web Filtering
Hub and Spoke VPN Support
IKE Certificate Authentication (v1 & v2)
Identify and Control Over 1400 Applications
IPSec NAT Traversal
Traffic-Shaping (Per Application)
Automatic IPSec Configuration
Facebook Application and Category Control
Dead Peer Detection
Differential Services Support Per-Application
RSA SecurID Support
Control Popular Apps Regardless of Port/Protocol:
SSL Single Sign-On Bookmarks
SSL Two-Factor Authentication
ICQ Gnutella BitTorrentMySpace
LDAP Group Authentication (SSL)
WinNY Skype eDonkey Facebook
ICSA Labs Certified (NIPS)
Protection From Over 3000 Threats
Protocol Anomaly Support
Custom Signature Support
Automatic Attack Database Update
IPv6 Support
Identification and Control of Sensitive Data in Motion
Built-in Pattern Database
RegEx-based Matching Engine for Customized Patterns
Configurable Actions (block/log)
Customized Patterns
Supports IM, HTTP/HTTPS, and More
Many Popular File Types Supported
International Character Sets Supported
Document Fingerprinting
Flow-Based DLP Scanning Mode
Real-Time Blacklist/Open Relay Database Server
MIME Header Check
Keyword/Phrase Filtering
IP Address Blacklist/Exempt List
Automatic Real-Time Updates From FortiGuard Network
Monitor & Control Hosts Running FortiClient Endpoint
Vulnerability Scanning of Network Nodes
FortiOS Networking Services
Multiple WAN Link Support
PPPoE Support
DHCP Client/Server
Policy-Based Routing
Dynamic Routing for IPv4 (RIP, OSPF, IS-IS, BGP, &
Multicast protocols)
Dynamic Routing for IPv6 (RIP, OSPF, & BGP)
Multi-Zone Support
Route Between Zones
Route Between Virtual LANs (VLANs)
Multi-Link Aggregation (802.3ad)
IPv6 Support (Firewall, DNS, Transparent Mode, SIP,
Dynamic Routing, Admin Access, Management)
VRRP and Link Failure Control
sFlow Client
Policy-based Traffic Shaping
Application-based and Per-IP Traffic Shaping
Differentiated Services (DiffServ) Support
Guarantee/Max/Priority Bandwidth
Shaping via Accounting, Traffic Quotas
Separate Firewall/Routing Domains
Separate Administrative Domains
Separate VLAN Interfaces
10 VDOM License Std. (more can be added)
Web Server Caching TCP Multiplexing
HTTPS Offloading
WCCP Support
Active-Active, Active-Passive
Stateful Failover (FW and VPN)
Device Failure Detection and Notification
Link Status Monitor
Link failover
Server Load Balancing
Bi-Directional / Gateway to Client/Gateway
Integrated Caching and Protocol Optimization
Requires a FortiGate device with Hard Drive
FortiOS Management Services
Telnet / Secure Command Shell (SSH), and
Command Line Interface (CLI)
Role-Based Administration
Multi-language Support: English, Japanese, Korean,
Spanish, Chinese (Simplified & Traditional), French
Multiple Administrators and User Levels
System Software Rollback
Configurable Password Policy
Customizable Dashboard Widgets (Web UI)
Central Management via FortiManager (optional)
Network Vulnerability Scanning
Graphical Report Scheduling Support
Graphical Real-Time and Historical Monitoring
Local and Remote Syslog/WELF server logging
SNMP Support
Email Notification of Events
VPN Tunnel Monitor
Optional FortiAnalyzer Logging (including per-VDOM)
Optional FortiGuard Analysis and Management
Note: The list above is comprehensive and may contain FortiOS features which are not available on all FortiGate
appliances. Consult FortiGate system documentation to determine feature availability.
Local Database
Windows Active Directory (AD) Integration (w/ FSAE)
External RADIUS/LDAP/TACACS+ Integration
Xauth over RADIUS for IPSEC VPN
RSA SecurID Support
LDAP Group Support
FortiToken Support
Unified WiFi and Access Point Management
Automatic Provisioning of APs
On-wire Detection and Blocking of Rogue APs
Virtual APs with Different SSIDs
Multiple Authentication Methods
Fortinet Advantages
Consolidated,Comprehensive Security
Consolidated security technologies enable higher throughput and lower latency, with greater visibility and control over
users, applications, and data.
Hardware-Accelerated Performance
Custom FortiASIC processors accelerate the processing-intensive tasks required to secure networks in today’s sophisticated
threat environment.
Global Threat Research and Support
FortiGuard® Labs threat research and FortiCare™ support teams deliver the 24/7 real-time protection and support you
need to stay ahead of a constantly evolving threat landscape and an ever-changing networking environment.
Rigorous 3rd Party Certifications
Fortinet is the only unified threat management vendor to earn certifications across all core security technologies. These
independent certifications demonstrate our ability to consolidate multiple security technologies into a single device while
still meeting the highest standards of performance and accuracy.
Fortinet Certifications
FortiGuard® Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security
Research Team creates these updates to ensure up-to-date protection against sophisticated threats. Subscriptions include antivirus, intrusion
prevention, web filtering, antispam, vulnerability management, web application firewall, and database security services.
FortiCare™ Support Services provide global support for all Fortinet products and services. FortiCare support enables your Fortinet products
to perform optimally. Support plans start with 8x5 Enhanced Support with hardware return for replacement or 24x7 Comprehensive Support with
advanced replacement. Options include Premium Support, Premium RMA, and Professional Services. All hardware products include a 1-year
limited hardware warranty and 90-day limited software warranty.
Fortinet Incorporated
1090 Kifer Road, Sunnyvale, CA 94086 USA
Tel +1.408.235.7700
Fax +1.408.235.7737
Fortinet Incorporated
120 rue Albert Caquot
06560, Sophia Antipolis, France
Tel +33.4.8987.0510
Fax +33.4.8987.0501
Fortinet Incorporated
300 Beach Road #20-01
The Concourse, Singapore 199555
Tel +65-6513-3734
Fax +65-6295-0015
Copyright© 2011 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of
their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing
herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants
that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF