Fortinet Confidential October, 2011 1.1 FortiClient Solutions Endpoint Security Anytime, Anywhere


Page 1: FortiClient Solutions

FortiClient Solutions
Endpoint Security Anytime, Anywhere

October, 2011 1.1

Page 2: Remote Access & Your IT strategy

The right connection for the right people
• Choice of VPNs: SSL for some, IPsec for others
• Choice of Features: Ability to retain 3rd party antimalware

Meet regulatory and legal requirements
• Only devices meeting corporate policy are allowed to connect

Improve network and application performance
• WAN Optimization for improved traffic efficiency

Page 3: Fortinet Connected Network

[Diagram labels: FortiClient; FortiAP; FortiSwitch; FortiRAP; FortiGate; FortiAnalyzer; FortiManager; FortiAuthenticator]

FortiGate As Control Point
- Enforcing network security
- Provisioning/Managing other devices

Page 4: Remote Access Architecture

[Diagram labels: FortiClient Premium w/IPSec VPN; FortiClient w/SSL VPN; Android Client; FortiToken; FortiGate; FortiGuard Services; FortiManager (Optional); FortiAnalyzer (Optional); FortiAuthenticator Server (Optional)]

Non-Compliant Devices Can Be Denied Access

Page 5: Remote Access MSP/Cloud Architecture

[Diagram labels: FortiClient Premium w/IPSec VPN; FortiClient w/SSL VPN; Android Client; FortiToken; FortiGate; FortiGuard Services; FortiGate VM; FortiManager VM; FortiAnalyzer VM]

Page 6: The FortiClient Family

FortiClient Lite

FortiClient SSL

FortiClient FortiClient FortiClient FortiClient Premium

Windows OSX, Linux Windows Mac Android Windows

Free to Use

Included One time license per FortiGate Per Seat

Antivirus

SSL VPN

IPSEC VPN

Parental Control

SSL VPN

SSL VPN

Page 7: FortiClient Features

• IPsec VPN: Simple client-to-site VPN policies for remote access.
• SSL VPN: Secure web-based access for remote users
• WAN Optimization: Accelerate application performance
• Endpoint Control: Lock down network access based on installed applications
• Two-Factor Authentication: Properly identify end users

* MacOS Client = IPsec VPN, SSL VPN and Two-Factor Authentication Only

Page 8: FortiClient Premium Additional Features

• Antimalware: Detect and clean viruses, worms and other malicious software.
• Web Filtering: Control accessible web content
• AntiSpam: Prevent unwanted email
• Centralized Management: Manage complex user and group policies
• Firewall: Deny unwanted connections

Page 9: FortiClient Secure Connectivity Solution

• SSL & IPsec VPN
• Two-Factor Authentication
• WAN Optimization
• Policy Compliance

Page 10: FortiClient Premium Complete Endpoint Protection

• SSL & IPsec VPN
• Two-Factor Authentication
• WAN Optimization
• Policy Compliance
• Antimalware
• Web Filtering
• AntiSpam
• Centralized Management
• Firewall

Page 11: FortiClient Framework: FortiGate

• Automated IPSec VPN Policy Server
• Two-factor Authentication
• Certificate Store Integration

• Client-to-Site WAN Optimization (Internal HDD)
• Minimize remote user download times

• Endpoint compliance awareness & enforcement
• Lock down network access based on organizational policy
• Check asset configuration including installed or running 3rd party application software
• Customize warning and blocked messages

Page 12: FortiClient Framework: FortiGate/FortiAnalyzer

FortiManager

• Centralized Policy Management
• Provisioning
• Configuration
• Update Management

• Role Based Administration
• User privileges defined by management domains

• Improved Performance
• Local hosting of security updates
• Minimize web filtering response time

• Required for FortiClient Premium

FortiAnalyzer

• IPSec VPN Activity Reporting
• Logged from the FortiGate
• Username, IP addresses and Duration Tracking
• Top Sources, Destinations and Peers

• Endpoint Compliance Logs
• Logged from the FortiGate
• Compliant and Non-compliant devices
• Can be used with built-in correlation to notify staff of non-compliant devices

Page 13: Remote Access: Pain Points

CxO
• Takes too long to embrace new trends.
• We need to reduce real estate costs.
• The auditors are coming next week.

IT Manager
• My IT budget was cut by 20%.
• Someone has a virus.
• Who’s doing what and where?

IT Ops
• 200 more users this month?!
• Help desk calls are killing us.

Page 14: Remote Access: Key Benefits & Features

- Improved policy compliance
- Scalability and reliability
- Enforce policies on multiple levels (including encrypted traffic)
- Cut bandwidth costs
- Easily apply policies
- Enforce compliance
- Quickly provision users
- Minimize calls to help desk

– SSL Inspection
– Endpoint Control
– WAN Optimization
– Strong Authentication

Roles shown: CxO, IT Manager, IT Ops

Page 15: Endpoint Security Challenges

Emily, a financial trader, installed Skype on her company laptop to talk with family.

Bill works for a Fortune 100 company and shares company details on Facebook.

Ed shared a company presentation via his personal Gmail account.

Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.

What Are You Going to Do?

Page 16: Endpoint Security Challenges

Emily, a financial trader, installed Skype on her company laptop to talk with family.

Bill works for a Fortune 100 company and shares company details on Facebook.

Ed shared a company presentation via his personal Gmail account.

Jill is at Starbucks and needs to communicate and be protected as if she was at HQ.

Data Leak Protection

Endpoint Control

Identity-Based Policies

- Two-Factor Authentication
- VPN Tunneling
- WAN Optimization

Page 17: Endpoint Control

• FortiGate Checks the Endpoint
  • FortiClient installed and running?
  • Antivirus configured and up to date?

• Third Party Software
  • Installed, or not?
  • Running, or not?

• Endpoint license is per FortiGate
  • No per seat license requirement

Page 18: Endpoint Application Database

• FortiGate Endpoint Control Application Database
• Downloaded from FortiGuard
• Distinct from the Application Detection database
• More than 5000 applications in 37 categories
• Anti Malware, Proxy Avoidance, P2P, etc
• List of current applications sent by FortiClient to the FortiGate
• FortiGate Endpoint Policy Verified and Enforced
• FortiClient displays status / error / reason

Page 19: Communication Flow

• FortiClient initiates a connection towards the FortiGate with an HTTP request to a special FQDN
• Request includes end point application list
• FortiGate performs policy check
• Installed, running, not installed, not running
• Policy actions include block, allow, monitor, warn

[Diagram labels: FCSYSREQ; FCSYSRPLY; pingserver.fortinet.net]

Page 20: No FortiGate Found

• FortiClient 4.3 requires FortiOS 4.0 MR3
• Solution:
  • FortiGate needs to be upgraded and the relevant Endpoint policies enabled

Page 21: Non-Compliant End Point Warning

• Endpoint has been warned due to Firefox not being installed
• Solution:
  • Install Firefox
  • End user can click ‘Ignore warnings’

Page 22: Non-Compliant End Point Banned

• Endpoint has been banned due to FileZilla server application being installed
• Solution:
  • Device conforms to endpoint control policy
  • FortiGate Administrator provides a temporary exemption via the end point monitor option
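The policy check from the Communication Flow slide, applied to the warning and ban cases on the two slides above, as an added Python example (not Fortinet code or the FortiOS implementation). The rule format, the strictest-action-wins precedence and the sample inventories are assumptions made for illustration.

```python
# Added illustration of the endpoint policy check described in the deck.
# Rule format, precedence and sample data are assumptions, not FortiOS internals.
from dataclasses import dataclass

# Assumed precedence: the strictest matching action wins.
SEVERITY = {"allow": 0, "monitor": 1, "warn": 2, "block": 3}
STATES = {"installed", "running", "not installed", "not running"}

@dataclass(frozen=True)
class Rule:
    app: str      # application name as reported by the client
    state: str    # one of STATES
    action: str   # one of SEVERITY

def rule_matches(rule, inventory):
    """inventory maps app name -> True if running, False if only installed."""
    installed = rule.app in inventory
    running = inventory.get(rule.app, False)
    return {
        "installed": installed,
        "running": running,
        "not installed": not installed,
        "not running": not running,
    }[rule.state]

def evaluate(rules, inventory, default="allow"):
    """Return (verdict, reasons) for one endpoint's reported application list."""
    verdict, reasons = default, []
    for rule in rules:
        if rule.state not in STATES or rule.action not in SEVERITY:
            raise ValueError(f"bad rule: {rule}")
        if rule_matches(rule, inventory):
            reasons.append(f"{rule.app} is {rule.state}: {rule.action}")
            if SEVERITY[rule.action] > SEVERITY[verdict]:
                verdict = rule.action
    return verdict, reasons

# Constructed policy mirroring the two cases in the slides, plus a monitor rule.
POLICY = [
    Rule("Firefox", "not installed", "warn"),
    Rule("FileZilla Server", "installed", "block"),
    Rule("Skype", "running", "monitor"),
]

if __name__ == "__main__":
    # Constructed inventories (not captured from a real client).
    samples = {"laptop-a": {"Skype": True},
               "laptop-b": {"Firefox": True, "FileZilla Server": False}}
    for name, inv in samples.items():
        print(name, evaluate(POLICY, inv))
```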

Page 23: IPSec Configuration

• Simplified configuration steps on both client and FortiGate
• Matching default proposals to minimize configuration steps
• Advanced configurations can be created by editing the client configuration file
• XML formatted clear text file can be exported / imported
• FortiGate configuration can be changed via UI once ‘Create FortiClient VPN’ wizard has been used
• Can be combined with endpoint control
• Previous Automated Policy Server configuration not supported by FortiClient 4.3

Page 24: Simplified Configuration

[Screenshot labels: FortiClient 4.3 MAC/OSX; FortiClient 4.3 Windows; FortiOS 4.0 MR3]

Page 25: Simplified User Interface

Page 26: SSL Configuration

• Configuration has always been cleaner when compared to IPSec and the myriad of options
• Default port set at 10443, port 443 is more typically used for admin access – this can be changed
• As with IPSec the configuration file can be exported / imported
• Simplified web mode clients available for Android and iOS

Page 27: SSL VPN Configuration and Usage

Page 28: WAN Optimization

• Improving application performance
• Requires a suitably configured FortiGate
• Current support for CIFS, FTP, HTTP, MAPI and general TCP
• Byte caching always available
• Web caching requires a passive rule
• Protection features take precedence over optimization
• Dual VDOM approach can combine UTM and optimization

Page 29: Two Step configuration!

Page 30: FortiToken

• One Time Password Support, introduced with FortiOS 4.0 MR3
• FortiToken-200
• Token entry based on pop up challenge or simply concatenate with password
• Seed distribution / registration via FortiGuard

Page 31: FortiGate Authentication Server

• Used in case of single FortiGate unit deployed for VPN
• Authentication Server functionality built-in to FortiGate 4.3 and above at no additional cost
• No additional hardware or software to purchase and maintain and support
• Token management specific to instance of FortiGate Unit (or HA pair)
• Option to integrate with existing AD/LDAP directory
• Deploys in minutes
• Zero Maintenance
• FortiToken provides Two-Factor Authentication natively with FortiGate for:
  • FortiGate Web Admin
  • Captive Web Portal
  • IPSEC VPN
  • SSL VPN

Page 32: FortiAuthenticator: Key Areas of Functionality

Direct User Authentication
• RADIUS
• LDAP Authentication
• LDAP Directory Service
• Two Factor Authentication
• FortiToken
• Certificates

Directory Synchronisation
• Integrated Fortinet Single Sign On Server Authentication Extension (FSAE) polling
• Synchronises user authentication state between multiple domain controllers and FortiGate appliances

Certificate Management Server
• X.509 Certificate management server
• PKCS#11 Certificate Token Management
• Certificate Revocation

Page 33: FortiAuthenticator Authentication Server

• FortiToken and FortiAuthenticator provide Two-Factor Authentication for:
  • Multiple FortiGate devices
  • Pre 4.3 FortiGate devices
  • Fortinet product range
  • Third-party switches, routers, VPN etc
  • More users than supported by FortiGate
• Extends the FortiGate/Token two-factor authentication feature
• Compatible with FortiToken
• Full function stand-alone RADIUS/LDAP server
• Authentication to VPN/Firewall/Switch / Router / Server
• Self-service Password reset portal
• x.509 Certificate Authority
• Certificate based two factor authentication
• Certificate revocation

Page 34: FortiClient Ordering SKUs and Pricing

Showing Select FortiGate Models

FortiGate Model FortiClient SKU US List Price

FortiGate-60C FCC-00060-LIC $101.15

FortiGate-80C FCC-00080-LIC $152.15

FortiGate-110C FCC-00113-LIC $339.15

FortiGate-200B FCC-00202-LIC $509.15

FortiGate-310B FCC-00312-LIC $1,019.15

FortiGate-620B FCC-00620-LIC $2,209.15

FortiGate-800 FCC-00800-LIC $1,189.15

FortiGate-1240B FCC-01240-LIC $3,399.15

FortiGate-3040B FCC-03040-LIC $6,799.15

FortiGate-3600 FCC-03600-LIC $5,099.15

FortiGate-3950B FCC-03951-LIC $13,599.15

FortiGate-5001A-DW FCC-50011-LIC $8,669.15

FortiGate-5005FA2 FCC-05005-LIC $10,369.15

Unlimited Clients Per FortiGate – One Time License

Page 35: FortiClient Premium Ordering SKUs and Pricing

Number of Clients FortiClient SKU US List Price (1 Year)

1 FHS1-15-C1001-154-02-DD $53.90

2-9 FHS2-15-C1001-154-02-DD $49.50

10-24 FHS3-15-C1001-154-02-DD $33.17

25-99 FHS4-15-C1001-154-02-DD $21.88

100-249 FHS5-15-C1001-154-02-DD $17.50

250-499 FHS6-15-C1001-154-02-DD $13.99

500-999 FHS7-15-C1001-154-02-DD $11.19

1000-2499 FHT1-15-C1001-154-02-DD $10.07

2500-4999 FHT2-15-C1001-154-02-DD $9.05

5000-9999 FHT3-15-C1001-154-02-DD $8.59

10000-24999 FHT4-15-C1001-154-02-DD $8.15

25000-49999 FHT5-15-C1001-154-02-DD $7.73

50000-99999 FHT6-15-C1001-154-02-DD $6.95

100000+ FHT7-15-C1001-154-02-DD $6.14


2 and 3 Year Prices Also Available

Page 36: Thank You!