CONFIDENTIAL. © Copyright Fortinet Inc. All rights reserved.
WHAT’S NEW ON FORTIOS 6.0
MAR 2018

FORTIOS 6.0 OVERVIEW
HIGHLIGHTS
SECURITY FABRIC: Automation; Security Rating Improvements; New solution and service Integration; Multi-Cloud Support Enhancements
MANAGEABILITY: Business-aware Segmentation; Enhanced monitoring and reporting
NETWORKING: SD-WAN Improvements; VPN Configuration Enhancements
SECURITY: Threat Protection Enhancements; NGFW and Web Filtering Improvements

A CLOSER LOOK AT SECURITY FABRIC …

SECURITY FABRIC
AUTOMATION
Automated workflows (stitches) using triggers to deliver appropriate actions
» Easy creation using wizards
» Covers components within a security fabric
AUTOMATION ENGINE
TRIGGERS: System Status, Threat Events, IOC Detection, Config Change
ACTIONS: Notification, Quarantine, API Call

SECURITY FABRIC
AUTOMATION
STITCHES
Wizard that assists admins in easily setting up automation via predefined components

SECURITY FABRIC
AUTOMATION
QUARANTINE
Automatically quarantine compromised hosts via Stitch
Option to do so using FortiClient via EMS or connection via FortiSwitch and FortiAP

SECURITY FABRIC
AUTOMATION
NOTIFICATIONS
New iOS Push notification via FortiExplorer

SECURITY FABRIC
SECURITY RATING IMPROVEMENTS
FORTIGUARD SERVICE
Audit DB provided as an update service
» OS independent
» Timely updates
EXPAND RATING RULES
Adding more security best practices items to rating such as
» password security
» login attempt thresholds
» encourage two factor authentication
AUTOMATED REPORTS
Automated – runs in the background periodically, in addition to on-demand
Receive daily / on-demand reports

SECURITY FABRIC
SECURITY RATING IMPROVEMENTS
SECURITY RATING RANKING
Benchmark against peers
» Rank against similar organizations in terms of size and industry by percentile
Present trending graph
» By retrieving historical data from FAZ (in patch release)

SECURITY FABRIC
NEW SOLUTION AND SERVICE INTEGRATION
IOC SERVICE INTEGRATION
Presenting IOC data from FAZ on FortiView and topology maps
» Retrieve data and show affected hosts on FortiGate
» Allow admin to quarantine affected hosts

SECURITY FABRIC
MULTI-CLOUD SUPPORT ENHANCEMENTS
FABRIC CONNECTORS
Consolidated CLI/GUI and streamlined SDN/cloud connector configuration workflows
Improves OpenStack, ACI, NSX, AWS and Nuage connectors
DYNAMIC SDN ADDRESS OBJECTS
Using SDN connectors setup to retrieve dynamic objects
Let admin select them as address objects to be used on firewall policies
CLOUD INIT ON AZURE
Enhance cloud-init support to be cloud native
Bootstrapping ability for Azure FortiGate VM

SECURITY FABRIC
NEW SOLUTION AND SERVICE INTEGRATION
FORTIVIEW WITH FORTICLOUD
Retrieve data from FortiCloud to be presented on FortiView
Data will be for individual FortiGate, and not fabric-wide for now
FORTIMAIL INTEGRATION
Adding and presenting FML as a node on Topology map
FortiMail stats on FOS dashboard widget using REST API
FORTICACHE INTEGRATION
Allow FortiGate to use FortiCache’s disk as local storage for caching instead of WCCP

SECURITY FABRIC
NEW SOLUTION AND SERVICE INTEGRATION
FORTICLIENT EMS REQUIREMENT OPTION
Client will be deemed compliant if it’s managed by one of the indicated EMS servers
Allows adding up to three EMS servers [CLI]
WIRELESS USER QUARANTINE
Allow administrator to quarantine wireless users via IOC charts, logs and FortiView with integrated FortiAPs
A remediation VLAN is created by default, with policies left for administrators to define
Similar to existing FortiLink (FortiSwitch) capabilities

A CLOSER LOOK AT MANAGEABILITY ...

MANAGEABILITY
BUSINESS-AWARE SEGMENTATION
ASSET TAGGING
Define tagging requirements for organization
Add tags to interfaces, address objects and devices
Facilitate audit reporting such as PCI on FAZ or searching of objects

MANAGEABILITY
ENHANCED MONITORING & REPORTING
SPECIALIZED REPORTS
New report templates for management / C-level and auditors with FAZ

MANAGEABILITY
ENHANCED MONITORING & REPORTING
EXPAND MONITORING WIDGETS
Additional monitoring widgets on FAZ

MANAGEABILITY
MORE
NETWORK ASSISTED DEVICE DETECTION
Using FortiSwitch as detection source since some devices may not be visible to FortiGate
DESTINATION NAME RESOLUTION
Aids clearer presentation of destination objects and aggregation of related IPs with domains
Replace reverse DNS lookup with ISDB mapping for destination data
» Better resolution with less DNS traffic
GLOBAL SECURITY PROFILES
Profiles that can be shared across VDOMs
The name for any global profile must start with "g-" for identification
Available as read-only for VDOM-level administrators and can only be edited or deleted from within the global settings

A CLOSER LOOK AT NETWORKING …

NETWORKING
SD-WAN IMPROVEMENTS
MULTI-PATH INTELLIGENCE
Redesigned UI to better incorporate multiple SLA monitoring into link selection
Ability to select links based on prioritized SLAs or certain link quality metrics, and fail-back to desired link once SLA is stabilized

NETWORKING
SD-WAN IMPROVEMENTS
Path Selection Strategy: Best Quality
Recommended Use Case: Administrators who prefer simplistic path selection, relying on preferred quality criteria
Path Selection Strategy: Min. Quality (SLA)
Recommended Use Case: Administrators who desire granular threshold configurations per applications

NETWORKING
SD-WAN IMPROVEMENTS
APPLICATION AWARENESS
WAN Path Controller is able to route traffic using Application Control DB (with over 3,000 signatures), in addition to ISDB
Once identified via application control, subsequent matching sessions are identified when seen next time on first packet

NETWORKING
SD-WAN IMPROVEMENTS
DYNAMIC ROUTING AND IPV6 SUPPORT
Set up dynamic routing using route maps under SD-WAN configurations [beta 1 – CLI]
ping6 is supported for Link monitor [beta 3 – CLI]
IPv6 Objects support includes source address, source user and group, dst address. [beta 3 – CLI]
SD-WAN TRAFFIC SHAPING
Capability to set up traffic shaping profile by defining the percentage of interface bandwidth for each classified traffic and then bind to interfaces
Traffic Shaping policy may use ISDB as destination entry
Available as CLI
DSCP SUPPORT
Allow DSCP match in SD-WAN rules
DSCP tagging of forwarded packets based on identified applications

NETWORKING
VPN CONFIGURATION ENHANCEMENTS
CLOUD-ASSISTED ONE-CLICK VPN
Allows multiple sites of FortiGate to configure hub-and-spoke VPN with the help of FortiCloud on the backend.
Can be implemented with FortiManager backup mode as another option

NETWORKING
MORE …
IPV6 ENHANCEMENTS
IPv6 captive portal support
IPv6 FQDN firewall addresses
IPv6 ISIS routing support
IPv6 Wildcard addresses
DHCPv6 server prefix delegation
IPv6 DFD and VRRP
NAT IMPROVEMENTS
Central SNAT policies now include a comment field
Port Block Allocation timeout is configurable
NAT 46 IP Pools
Support VIP and IP Pool in VRRP
EMAC-VLAN SUPPORT
Allow adding multiple Layer 2 addresses (or Ethernet MAC addresses) to a single physical interface.

A CLOSER LOOK AT SECURITY…

SECURITY
THREAT PROTECTION ENHANCEMENTS
FORTIGUARD VIRUS OUTBREAK PREVENTION
Additional layer of protection targeted at newly emerged malware to stop quick virus outbreaks, because it usually takes at least a few hours for a signature to be developed and pushed
Uses real-time checksums DB of newly detected threats
[Diagram: sample submission flow between FortiGate/FortiMail (Data Center, Headquarters, Branches), www.forticloud.com and the AMER / EMEA Data Center]
User's FGT/FML submits samples to FortiCloud
FortiCloud submits samples to Sandbox cluster (backend)
Sandbox cluster feeds back scanning results to FortiCloud
FortiCloud returns Sandbox scan results back to FGT/FML
Average delays of 1 minute
Result is returned immediately for the submitted hash

SECURITY
THREAT PROTECTION ENHANCEMENTS
FORTIGUARD CONTENT DISARM & RECONSTRUCTION
AV Engine to do the document re-write - remove all active contents in real time, pass to user, and then the original file is sent to sandbox for inspection
Supports PDF and some MS Office files
[Diagram: AV Engine, Sandbox]

SECURITY
THREAT PROTECTION ENHANCEMENTS
Virus Outbreak Prevention
AV Operation Mode: Proxy and Flow
Subscription Required: FortiSandbox Cloud (plus FortiGuard CDR and Virus Outbreak Protection service) or Enterprise Protection Bundle
FortiSandbox Requirement: -
Content Disarm and Reconstruction
AV Operation Mode: Proxy Mode Only
Subscription Required: FortiSandbox Cloud (plus FortiGuard CDR and Virus Outbreak Protection service) or Enterprise Protection Bundle
FortiSandbox Requirement: Appliance if File Destination = FortiSandbox
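
SECURITY
NEW BUNDLING
Bundles: Threat Protection, UTM, Enterprise Protection
FortiCare + FortiGuard App Control Service: Threat Protection ✔, UTM ✔, Enterprise Protection ✔
FortiGuard IPS Service: Threat Protection ✔, UTM ✔, Enterprise Protection ✔
FortiGuard Antivirus + Botnet + Mobile AV Service: Threat Protection ✔, UTM ✔, Enterprise Protection ✔
FortiGuard Web Filtering: UTM ✔, Enterprise Protection ✔
FortiGuard Anti-Spam: UTM ✔, Enterprise Protection ✔
FortiSandbox Cloud (plus FortiGuard CDR* and Virus Outbreak Protection* service): Enterprise Protection ✔
* Available when running FortiOS 6.0 and above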

SECURITY
NGFW AND WEB FILTERING IMPROVEMENTS
EXTERNAL WEB FILTER BLACKLIST
Enable use of multiple external blacklists for blocking URLs [beta 2 – CLI]
Blacklists are plain text files, where each line contains a single URL to be blocked.
File can be 10MB or 128,000 lines of text, whichever is most restrictive
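A pre-flight check for the external blacklist file limits stated above, as an added example that is not Fortinet code. Reading "10MB" as 10 × 1024 × 1024 bytes, treating the URL scheme as optional, and flagging duplicates are assumptions of this sketch; the sample list is constructed.

```python
from urllib.parse import urlsplit

MAX_BYTES = 10 * 1024 * 1024  # "10MB" from the slide; binary megabytes is an assumption
MAX_LINES = 128_000           # line limit from the slide

# Constructed sample: two valid entries, a two-URL line, an empty line, a duplicate.
SAMPLE = (b"malware.example.test/payload.exe\n"
          b"http://phish.example.test/login\n"
          b"bad.example.test good.example.test\n"
          b"\n"
          b"malware.example.test/payload.exe\n")

def check_blocklist(data: bytes) -> dict:
    """Validate a one-URL-per-line blocklist against both stated limits."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        lines = data.decode("utf-8").splitlines()
    except UnicodeDecodeError:
        problems.append("not plain text (invalid UTF-8)")
        return {"ok": False, "entries": 0, "problems": problems}
    if len(lines) > MAX_LINES:
        problems.append(f"file has {len(lines)} lines, limit is {MAX_LINES}")
    seen = set()
    for n, line in enumerate(lines, 1):
        entry = line.strip()
        if not entry:
            problems.append(f"line {n}: empty line")
            continue
        if len(entry.split()) != 1:
            problems.append(f"line {n}: more than one URL on the line")
            continue
        try:
            # Assumed syntax: scheme optional, so prefix "//" to parse bare hosts.
            host = urlsplit(entry if "://" in entry else "//" + entry).hostname
        except ValueError:
            host = None
        if not host:
            problems.append(f"line {n}: no host in {entry!r}")
        elif entry in seen:
            problems.append(f"line {n}: duplicate of an earlier entry")
        else:
            seen.add(entry)
    return {"ok": not problems, "entries": len(seen), "problems": problems}

if __name__ == "__main__":
    report = check_blocklist(SAMPLE)
    print(report["ok"], report["entries"])
    for p in report["problems"]:
        print(" ", p)
```

Running the check before publishing a list catches files that exceed either limit and lines that do not hold exactly one URL.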
APPLICATION GROUP FOR NGFW POLICIES
Ability to create application group, in addition to existing application and application category as NGFW policy objects
APP-CONTROL RULES SEQUENCING
To achieve desired outcomes that may not be possible due to default conflicting rules.
Offer users to choose which app rules get matched first, like a firewall policy table via CLI
Using IPS engine 3.428 and above (applicable to 5.2-5.6 as well)

A CLOSER LOOK AT OTHER FEATURES…