Fortinet安全解决方案无线安全网络

Securing the Public Cloud with FortinetIntroductionFast deployment, reduced costs, and efficient use of resources; these are just a fewof the reasons enterprises and information technology departments the world over are looking to Amazon Web Services. With a feature-rich offering and plenty of compute sizes and options, more and more of them are getting drawn to this world where the words agility and flexibility have new meaning.The Power of the Public CloudIt all started with the emergence of virtualization technology. Enterprises today are thrilled with the ability to share compute resources across various applications and assets within their organization. This has led to an IT revolution, vastly reducing both equipment costs and power consumption of data centers. While the power of this technology is clear, it still involves physically deploying these shared compute nodes, and as the data center grows, there is still significant time and effort that go into not just adding nodes to accommodate growing needs, but also handling all the networking and security requirements that come with this.With the ready availability of public cloud resources today, bringing up a new deployment or growing an existing one can be carried out at the click of a button.This flexibility and agility significantly reduces the time to market and greatly simplifiesmanaging of both high availability and scaling while affording universal accessibility.Protecting the Public CloudThe one caveat with using public clouds is that it providesa completely new attack surface with the potential to let in millions of new threats if not protected properly. For a public or hybrid cloud to be successful, it is essential to protect it with the same zeal that one would protect the data center and other key assets on-premise.Encrypted TransportWhen an enterprise needs to bring up a resource, the IT Department usually has the luxury of deploying it in the safety of a closed-off lab. Bringing up similar networks in AWS require protection from the get-go. While this might be as simple as deploying a private subnet, which will need to go through a protected gateway, the effectiveness of the protection afforded by this gateway is key. In effect, when working on such a setup, everything is remote. A good VPN service is a must to be able to protect this “remote access” traffic flowing over the Internet. Perimeter ProtectionMuch like the local data center, a public cloud deployment requires a solid layer of perimeter protection. While the AWS native firewall provides a good first layer of protection, it isnot sufficient. With support for a rich set of features and the capability to protect against a multitude of threats, it is essential for the perimeter firewall to provide quality protection with exceptional security effectiveness while keeping up with the performance requirements.Scalable ProtectionIt is also essential that the protection provided is extremely scalable and capable of both scaling up and scaling downwith load so as to reduce costs while capably servicing the application throughput.Application ProtectionWhile the fully functional NGFW is capable of protecting against many diverse threats, protecting application serversis a completely different paradigm. For instance, application servers need to be protected against attacks such as cross-site scripting, SQL injection, and DDoS. Email servers need to be protected against a different set of attack vectors, like anti-spam, malware attachments, and dangerous links in emails. It is essential to protect these services just as one would in a private data center.Effective SecurityWhen it comes to security effectiveness, there is no compromise. Even a small drop of .01% in the security effectiveness scales up to thousands of missed threats. It is therefore essential to pick a trusted and well-validated security product.The success of any organization’s public cloud strategy will to a large extent hinge on the effectiveness with which these assets are protected.Fortinet Security Fabric Extended to the Public CloudJust as Fortinet has a diverse portfolio of products meant to cover the entire attack surface on-premise, it also has a rich product offering that covers the various threat vectors to which any AWS deployment could be exposed.All these products receive the renowned FortiGuard updates and are able to provide third-party-validated and extremely effective security. With recommendations from NSS Labs and VB100 Comparatives, among others, Fortinet devices have unmatched third-party validation and provide industry-best protection in all areas.This portfolio includes the following devices:FortiGate VMMuch like any other network, a deployment based in the public cloud requires both perimeter protection and internal segmentation to protect the various resources hosted there. The FortiGate VM is an extremely agile, fully functional enterprise firewall. It uses the tried and tested FortiOS operating system and is capable of VPN, IPS, app control, web filtering, anti-malware, etc., much like its hardware counterparts. Itis kept up to date through the renowned FortiGuard Labs updates and protects against the latest threats. It is available in various instance sizes on AWS to support any and all sizes of deployments.FortiWeb VMWhile public cloud deployments are used for many different purposes, a majority of them include some form of application hosting. The servers’ hosting applications frequently can be threatened with various forms of attacks, including the targeting of specific web server vulnerabilities such as cross-site scripting attacks, DDoS attacks, etc. Built to protect the most valuable of application resources, the FortiWeb uses state-of-the-art technology with intelligence gathered from FortiGuard Labs to secure key resources.FortiMail VMOne of the common methods used to compromise networks is through preying upon unsuspecting and at times unintentionally careless end-users. This is done by sending forms of vulnerabilities, malware, and unsafe links through emails. While protecting email is a different paradigm than protecting traditional network security, successfully protecting against email attacks is a part of the solution and it needs to be used in tight coupling with network security. The FortiMail VM on AWS is able to protect any cloud-based email services, including protecting Office 365 on AWS-based networks. FortiManager VMTo effectively secure a network, it is essential to have visibility and capability to orchestrate the network in an automated fashion. This helps keep a closer watch on the networkwhile minimizing the likelihood of configuration missteps. The FortiManager is capable of managing large networks and can provide a single pane of glass to watch, manage, and control the entire Fortinet Fabric for both AWS-only and hybrid cloud scenarios.FortiAnalyzer VMFortiAnalyzer platforms integrate network logging, analytics, and reporting into a single system, delivering increased knowledge of security events throughout the network. The FortiAnalyzer VM minimizes the effort required to monitor and maintain acceptable use policies, and identifies attack patterns to help you fine-tune your policies. Available in a multitude of sizes, organizations of any size will benefit from centralized security event logging, forensic research, reporting, content archiving, data mining, and malicious file quarantining.While each of these products provides a different type of protection to have a well-protected network, it is essential to build a security fabric with these devices. Furthermore, with the ability to auto scale, the FortiGate and FortiWeb adapt to serve the requirements of the setup while keeping costs down. Further in this document, we will cover a few deployment scenarios and use cases for protecting your public cloud deployment using Fortinet Solutions.Protecting the Public Cloud DeploymentThe rest of this document details a few potential deployment scenarios for the public cloud.Protecting the PerimeterEasily deployed from AWS Marketplace in both bring-your-own-license (BYOL) and pay-as-you-go models, the FortiGate VM can be deployed as the gateway for your VPC. In this scenario, the AWS routing table is configured to use the FortiGate as the gateway for the inner subnet.Once configured, the FortiGate provides the perimeter protection for the AWS deployment.nn It provides advanced threat protection including IPS, firewall functionality, web filtering, app control, and anti-malwareprotection, to name a few.nn Capable of integration with FortiSandbox Cloud, theFortiGate VM provides third-party-recommended protection against zero-day/unknown threats.nn With support for both BYOL and pay-as-you-go models,the FortiGate and FortiWeb VM can either reuse existinglicenses or be deployed as needed with the option to payfor usage.Figure: Deployment with FortiGate Protecting AWS EC2 VM InstancesThe Hybrid Cloud DeploymentAs shown below, Fortinet is able to completely secure the entire hybrid cloud deployment. From providing perimeter protection in the public cloud and application security, to protection at the data center edge and east-west protection within thedata center, the Fortinet Security Fabric provides a completely secure end-to-end security solution.FortiManager and FortiAnalyzer are able to provide single-pane-of-glass visibility to make management and monitoring very simple and intuitive.Between auto scaling and a diverse instance-type support, Fortinet’s VMs are also able to suit all demands both in terms of traffic and high-availability requirements.Securing Communication to the Data Center Over VPNThe FortiGate can be deployed such that it acts as the VPN terminator on the AWS side. By doing this, the FortiGate firewall brings up a VPN tunnel to the private data center, setting up a highly secure hybrid cloud deployment.Once deployed, the FortiGate establishes an encrypted channelof communication between the AWS VPC and the data center.n n It supports an array of advanced encryption algorithms andis able to secure all communication between the VPC and the data center.n n By using FortiManager, the VPN configuration can bepushed to multiple FortiGates, completely automating the deployment of the VPN infrastructure.n n With ample choice as to the instance size in use, theFortiGate on AWS is able to scale to suit performance needs.Figure: Deployment with FortiGate as VPN GatewayFigure: Hybrid Cloud DeploymentHighly Available Public Cloud Data CenterIt is an AWS best practice to architect the setup housed in redundant availability zones (AZ) in each VPC. This ensures failover redundancy and maximum uptime in the event of any instance failure.In most active/passive high-availability (HA) setups on AWS, on failure, manual intervention is needed to switch over to the backup. Fortinet provides a truly automated HA solution to address this. In case of any failure, HA failover and reversion can be automatically triggered.Fortinet’s free Python script automates the process. The script monitors both active and passive firewalls. Should the primary firewall go down for any reason, it makes the appropriate API calls to automate the route table changes, thus ensuring maximum uptime.Alternately, Fortinet also supports the use of the AWS Elastic Load Balancer to automatically distribute the load acrossmultiple AZs. These methods also work with the FortiWeb Web Application Firewall.Efficient Use of Compute Using AWS Auto ScalingAWS Auto Scaling ensures you have the correct number of EC2 instances available to handle the load for your application.By creating collections of EC2 instances, called auto scaling groups, the user is able to specify a minimum and maximum number of instances in each auto scaling group.AWS Auto Scaling automatically ensures that your group never goes above/below this size. When there is a need, or in times of heavy use, additional instances will be automatically spun up to ensure that demands are met, while adhering to cost considerations and budget limits.With zero manual intervention, Fortinet devices are able to use AWS Auto Scaling to ensure the security posture scales up and down to match the EC2 instances. As new devices are spun up, they enforce the same security policies.Email Protection with FortiMail VMFortiMail VM is able to provide protection for any public cloud-hosted email servers as well as for Office 365. Easily deployed in the AWS VPC, the FortiMail VM is able to act either as the complete mail server or as a gateway to the mail server while inspecting any email sent to or from the email server. It is also able to:Apply Data Loss Prevention and Identity-Based Encryption – Detect sensitive information using defined data patterns and ensure secure delivery with no additional hardware or software to install, no user provisioning, and no recipient pre-enrollment.Prevent Phishing and Other Advanced Threats – Apply embedded URL inspection, top-rated anti-malware, andoptional sandbox integration to detect highly targeted attacks. Identify and Block Spamming Endpoints – Carriers and service providers prevent blacklisting of legitimate subscribers by identifying and blocking endpoints sending spam.Figure: Auto Scaling FortiGate ProtectionFigure: Automated High-Availability FortiGate Protecting AWS EC2 VM InstancesNo Per-User or Per-Mailbox Pricing – Complete, multi-layered antivirus, anti-spam, anti-spyware, and anti-phishing protection for an unlimited number of users. Greatly reduces TCO.Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne06560, Alpes-Maritimes, FranceTel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6513.3730LATIN AMERICA SALES OFFICE Paseo de la Reforma 412 piso 16Col. Juarez C.P . 06600 México D.F.Tel: 011-52-(55) 5524-8428Centralized Management and AnalyticsWith the option to be deployed in the cloud, FortiManager and FortiAnalyzer are able to provide a single point from which to control, manage, and monitor the entire deployment. It is fully capable of handling both public cloud and hybrid cloud use cases.The FortiManager is highly scalable and can supportdeployments of all sizes. It is able to orchestrate the entire network by pushing uniform policies across devices. It is also capable of orchestrating simple and complex VPNdeployments, greatly simplifying network management while ensuring the necessary security.It is also engineered to assist with policy and device auditing, and is able to prove compliance and track any deviations from required security policy.SummaryWith Fortinet as the security solution for their public clouddeployment, enterprises the world over are able to successfully transition from legacy “brick and mortar” data centers to both hybrid and fully public cloud deployments worry-free. For moreinformation, please visit https:///aws.。

精心整理Fortinet用户管理解决方案1. 概述用户认证用处广泛，单就FortiGate而言，就多处功能得使用用户认证，比如防火墙策略认证、IPSec VPN、SSL VPN、设备管理等。

FortiGate用户认证分为三种2.短信方式等。

双因子可以强化本地用户的安全特点。

如果采用动态令牌卡，需要将FortiToken注册于设备上。

FortiAuthenticator也可以设置本地用户，其特点在于完善的用户管理体系。

管理员可以建立和删除用户，用户可以采用自注册方式生成用户，用户名和密码可以通过邮件、短信等方式发送。

FortiAuthenticator可以强制用户在注册时，填写必要的选项。

用户自注册界面如下：FortiAuthenticator也可以对用户信息进行管理，强制用户密码有效期，用户可以自行修改密码等。

当用户遗忘密码时，可以自行恢复密码。

3. 访客管理如何●●●●●●管理员可以强制要求必填的信息●管理员可以设置账号有效期●账号可以通过邮件、短信和打印等方式进行发送。

4. RADIUS认证FortiGate可以充分发挥RADIUS服务器。

用户认证时，FortiGate转发用户名和密码到RADIUS服务器，如果RADIUS服务器能够认证该用户，则该用户可以成功认证，如果不能通过RADIUS认证，则FortiGate拒绝该用户。

管理员可以指定RADIUS认证的加密协议。

通过与Radius的配合，FortiGate可以实现多种功能，比如用户认证，VPN接向服作为但是需要在命令行下配置。

6. TACACS+TACACS+(Terminal Access Controller Access-Control System) 通常用于认证路由器、VPN和其他基于网络的设备。

FortiGate将用户名和密码转发给TACACS+服务器，服务器决定是否接受还是拒绝该请求该用户访问网络。

缺省的TACACS+端口号是TCP的49端口。

CASE STUDY“Riverside’s doctors and colleagues are continually impressed with our ability to quickly address the latest security challenges using Fortinet.”– Erik DevineChief Security OfficerR i vers i de HealthcareIntroductionHealthcare providers are migrating from large, independent stand-alone organizations to complex new ecosystems with Provider Organizations, affiliated physician groups, labs, and others involved in both the provisioning of care, and the collection of vast amounts of information from patients. Health Information Exchanges (HIEs) are evolving and more affordable transfer of clinical information and other types of data are increasing. Healthcare, as we know it, is changing quickly.Besides the changes in coverage and insurance, a variety of technology initiatives are mandated by new regulations. Healthcare providers will soon be required to provide communication and collaboration platforms that allow seamless integration among the various stakeholders. These changes in information flows, along withan explosion of digital content that needs to be stored and shared, are driving the need for a secure IT platform through which hospitals can support collaboration and information exchange. The network and IT security are now the core components of any healthcare organization.The move toward more patient-centric care and decentralized monitoring means providers, patients, and payers need to access information that originates outside the hospital setting. The trends toward personalized medicine, prevention, and wellness mean stakeholders need to connect information from various points within the healthcare value chain – from providers, laboratories, payers, and patients. At some point in the not too distant future, this will include informationon diet, purchases and training regimens, as well as results. The more this private DetailsCustomer Name:Riverside Healthcare Industry: HealthcareLocation: IllinoisBusiness Impactnn Unified protection across 17 facilities nn Centralized administrationand monitoringnn Removed throughput and bandwidth constraintsnn Facilitated secure, remote access for VPN-SSL users Deploymentnn FortiGatesnn FortiAnalyzernn FortiManagernn FortiMailnn FortiDDOSnnFortiAuthenticator Riverside Healthcareinformation is opened to outside entities, the greaterthe opportunity for malicious content to infiltrate these systems or for pertinent data to be leaked, intentionally or accidentally.There are healthcare systems that have embracedthese new changes. These organizations understandthe importance of security and have taken significantsteps to ensure that existing systems and campuses can communicate securely while keeping the patient and payee data secure. Riverside Healthcare is one of the organizations ahead of the curve. This paper will show how Riverside Healthcare is using Fortinet technologies to effectively defend the network, and the information residing on networked devices, from a wide variety of threats. Riverside HealthcareRiverside Healthcare is a fully integrated healthcare system serving the needs of patients throughout the counties of Kankakee, Iroquois, Will, Grundy, and beyond. Riverside Healthcare is composed of four separate entities: Riverside Medical Center is located in Kankakee, Illinois, and is part of Riverside HealthCare, a fully integrated healthcare system. Riverside Medical Center is a 312-bed hospital that provides a full scope of inpatient and outpatient care. Riverside is a nationally recognized, award-winning hospital with leading programs in heart care, cancer care, neurosurgery, and orthopedics. It is the area’s only Magnet®Recognized hospital and has been named a 100 Top Hospital seven times. Riverside also operates and supports 16 community, primary, and specialty health centers throughout the region.Riverside Senior Life Communities offer many optionsfor the area’s senior population. These include independent living communities, assisted living and state-of-the-art memory care/Alzheimer’s communities, skilled and intermediate care nursing, as well as rehabilitation services for short and long-term needs.Oakside Corporation operates the Riverside Health Fitness Center and also coordinates community counseling programs, pharmacy, health equipment sales and leasing, and home health care.Riverside Healthcare Foundation raises funds for the health system for use in facility construction and repair, new equipment acquisition, community health care education initiatives, and clinical research.Riverside Health Fitness Center is a 70,000-square-foot, medically based fitness center owned and operatedby Riverside Healthcare. This is a world-class center that reflects Riverside’s commitment to improving the health and fitness of the community.Challenges Faced by Riverside Healthcare There was a time where disruption was the key goal of hackers, and hospitals were not seen as valuable targets. Cyber criminals in 2016 are no longer interested in causing a nuisance, but use attacks for financial gain. Today a complete medical profile of a individual is worth 10 times that of just a credit card number, making hospitals’ data a highly coveted target. Ransomwear has become a rising threat to health care. The threats to healthcare organizations are more complex, and cyber criminals continue to improve their techniques. As threats become more malicious, IT administrators must address the challenges that come from malware entering the network. Unfortunately, there are numerous challenges today that make securing the network a daunting task.The Requirement to Have MoreOpen NetworksThe original model of network security was focused on protecting the network from the outside using firewalls and other traditional security devices. With the popularity of social media applications like Facebook and Twitter and the requirement to provide easy access to data to partners and patients, the potential for an accidental malware incident increases significantly. All it takes is a single click and malware can then exploit vulnerabilities in applications and download malicious programs, such as key loggers, to steal user names and passwords and private data. Unfortunately, the most common applications and file formats are the ones with the greatest chance of exploit.Increasing Interest in BYODChanges in the devices used by employees in the healthcare industry places the endpoint at greater risk. The use of mobile devices – tablets, laptops, and smartphones – is commonplace in the modern hospital, and the need to secure data from the Internet all the way to the endpointis the key concern today. Mobile employees can increase their productivity and improve patient care by allowing data entry remotely. Mobile connectivity is also a key strategy for many CIOs. CIOs are increasingly interested in implementing mobile applications and wireless connections withinhospitals. Security is a significant concern as these mobile devices connect to the network. The need to protect patient data residing on and being transmitted by these devices will increase in importance.Maintaining Compliance and RegulationsEmbracing new technologies to improve the quality, flow, and safety of patient information is a critical issue for hospitals. Government regulations such as the Health Insurance Portability and Accountability Act (HIPAA) andthe Health Information Technology for Economic and Clinical Health (HITECH) Act are helping to guide hospitals in the proper implementation of new technologies. HIPAA was created to guarantee patient protection and privacy. HITECH contains incentives related to healthcare technology and how information is flowed through an infrastructure.It contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. The adoption of electronic health records is expected to increase the amount of security required under HIPAA and increases the potential legal liability and fees for not remaining within compliance.Healthcare organizations are increasingly also subject to other regulatory requirements typically associated with other verticals – requirements such as the Payment Card Industry Data Security Standard (PCI DSS), various National Institute of Standards and Technology (NIST) guidelines, and guidelines from the Food and Drug Administration (FDA). Increasing Collaboration between Patients, Employees, and Outside NetworksAnother challenge within the healthcare industry results from the increased expectation of collaboration from patients, employees, and outside networks. Recent trends in healthcare have led to a proliferation of healthcare content, and modern healthcare depends upon the reliable, rapid, and secure exchange of this information throughout a large healthcare organization. The criticality of this information, and the fact that it needs to be available to different stakeholders throughout the hospital as well as to othersin the healthcare value chain outside the hospital, make a shared platform essential to effective hospital operations.To adhere to evidence-based medicine, information needs to be consolidated from diverse sources such as third-party databases, standard protocols, physician visits, medical imaging data, clinical trials, literature references, transcriptions, prescriptions written, etc. In addition, the information needs to be viewed and vetted by various individuals, including primary care physicians, specialty clinicians, administrative personnel, employers, financial services, and claims processors to collaborate to determine appropriate care protocols, medication administration,and standard operating procedures. There is a need fora collaborative workspace that can enable distributed individuals and teams to work together more efficiently and effectively toward enhancing their existing systems.In addition to increased information exchange between healthcare providers, there is also an increase in information exchange between hospitals and their patients. The shift toward more preventative care means ongoing monitoring and outreach to push information and treatment out to patients, and to bring information in from patients. Hospitals are using web-based platforms for these interactions, as well as expanding the content they are providing to patients prior to arrival at the hospital, during treatment, and asfollow-ups to various procedures or medications that havebeen provided.Security Without Compromiseat Riverside HealthcareThe role of the network in your business strategy is more important than ever, and ensuring it’s both fast and secure is critical to your success. Having the right security woven throughout your network can make the difference between running a smooth, safe network or being the latest security breach news headline.Fortinet is the only company with security solutions for network, endpoint, application, data center, cloud, and access designed to work together as an integrated and collaborative security fabric. This also means we are the only company that can truly provide you with a powerful, integrated end-to-end security solution across the entire attack surface along any point along the kill chain.Simply deploying security end to end is not enough. These solutions must work together to form a cooperative fabric, spanning the entire network, linking different security sensors and tools together to collect, coordinate, and respond to any potential threat. And it must do this wherever it occurs, in real time, with no network slowdownsAn Industry-Leading, Next-Generation FirewallFortinet firewall technology combines ASIC-accelerated stateful inspection with an arsenal of integrated application security engines to quickly identify and block complex threats.Intrusion PreventionFortinet IPS offers a wide range of features that can be used to monitor and block malicious network activity, including predefined and custom signatures, protocol decoders, out-of-band mode (or one-arm IPS mode), packet logging, and IPS sensors.Anti-malware/AntivirusFortinet antivirus technology combines advanced signature and heuristic detection engines to provide multi-layered, real-time protection against both new and evolving virus, spyware, and other types of malware attacks in web, email, and file transfer traffic. FortiASIC Content Processors, integrated into FortiGate and FortiWiFi products, accelerate both signature scanning and heuristics/anomaly detection for protection against viruses, while delivering performance that scales from entry-level appliances to multi-gigabit core network or data center platforms.Fortinet’s Security Fabric Includes All of the Key Capabilities Your Organization Needs for a Truly Complete Solution:Scalable: Protects the enterprise from IoT to the cloudSecure: Global and local threat intelligence and mitigation information is shared between products for faster protectionAware: The fabric behaves as a single entity regarding policy and logging, enabling end-to-end segmentation for better protection against advanced threatsActionable: Big data cloud systems correlate threat and network data to deliver real-time, actionable threat intelligenceOpen: Well-defined, open APIs allow leading technology partners to become part of the fabricThe Power to Secure ApplicationsNext to the availability of services, data is the next critical component for healthcare organizations. A loss of datacan mean a violation of compliance mandates, the lossof sensitive patient data, and most importantly, the lossof patient trust. Fortinet provides granular protection ofan organization’s most sensitive data through a variety of controls including:Application ControlWeb 2.0 applications, such as Facebook, Twitter, and Skype are increasing the volume and complexity of network traffic, and expose organizations to a new generation of web-based threats and malware. Fortinet Application Control leverages one of the largest application signature databases available – the FortiGuard Application Control Database. This allows for the control of more than 2,200 different web-based applications, software programs, network services, and network traffic protocols. FortiGuard Services deliver regularly scheduled updates to FortiGate consolidated security appliances, ensuring that Fortinet Application Control always has the latest signatures available.Fortinet provides extremely granular control around these applications. For any recognized application, Fortinet can control access to that application or behavior within the application (for example, chatting within Facebook) and can provide this granular control by user, group, time of day, and numerous other criteria.Data Loss PreventionData loss events continue to increase every year, resulting in fines, penalties, and loss of revenue for companies worldwide. Many data loss events are caused by trusted employees who frequently send sensitive data into untrusted zones, either intentionally or by accident. Fortinet DLP uses sophisticated pattern-matching techniques and user identity to detect and prevent unauthorized communication of sensitive information and files through the network perimeter. Fortinet DLP features include fingerprinting of document files and document file sources, multiple inspection modes (proxy and flow-based), enhanced pattern matching, and data archiving.The Power to BYODFinally, the mobile client itself is at risk from attack when off the home network. Fortinet secures mobile clients – laptops, smartphones, and tablets – protecting end users while they are travelling or simply working from outside the office. Fortinet has solutions aimed at the endpoint itself that allow for protection of mobile devices and encrypted communications from any location.Web Content FilteringIntegrated into all FortiGate and FortiWiFi appliances and FortiClient endpoint security agents, Fortinet Web Filtering technology gives the option to explicitly allow websites, or to pass web traffic uninspected both to and from known-good websites in order to accelerate traffic flows. Users can receive real-time updates from FortiGuard Web Filtering Services to determine the category and rating of a specific URL. You can also easily add websites or URLs to the local URL filtering list using both text and regular expressions.SSL and IPSEC VPNWith the number of threats accelerating, securecommunications between enterprise networks, businesses and partners, and corporations and mobile workers is now more important than ever. Data breaches, information leaks, and infected networks and systems are costing corporations and government agencies billions of dollars every year.“Fortinet has allowed me to address the latest compliance requirements and implement new IT services while lowering costs through consolidation.”– Eric DevineCSO, Riverside HealthEndpoint ProtectionThe Fortinet FortiClient endpoint security solutions provide anytime, anywhere endpoint security for network endpoints. When used in connection with FortiGate appliances,FortiClient provides a range of security features to protect the network and ensure policy compliance. Fortinet also has mobile One-Time Password applications available for both Android and iOS to provide strong authentication.ConclusionModern healthcare organizations like Riverside HealthCare are contending with a brave new world of requirements around regulatory compliance and openness. Providing security is not enough to enable these new complex environments. The security vendor must support an ever-changing set of requirements while providing continuous, user-level access controls.Fortinet’s breadth of products, constant security updates, and overall lowered TCO has allowed Riverside HealthCare to securely deliver cutting-edge IT services to its caregivers and patients while ensuring that all information stays secure. Fortinet’s ability to provide an end-to-end solution allows Riverside to focus on delivering new and innovative servicesinstead of worrying about its vulnerability to new attacks.Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne06560, Alpes-Maritimes, FranceTel +33 4 8987 0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6513.3730LATIN AMERICA SALES OFFICE Paseo de la Reforma 412 piso 16Col. Juarez C.P . 06600 México D.F.Tel: 011-52-(55) 5524-8428。

******UTM（统一威胁管理）安全解决方案神州数码有限公司2013年3月------------------------------------------------------------------------------------------------------------------------------------------第一章Fortinet UTM安全解决方案根据对网络安全现状及用户需求的分析，我们推荐Fortinet公司的UTM安全解决方案。

作为UTM安全设备的领导厂商，Fortinet公司的FortiGate安全平台通过动态威胁防御技术、高级启发式异常扫描引擎提供了无与伦比的功能和检测能力。

Fortinet公司的FortiGate提供以下功能和好处：●集成关键安全组件的状态检测防火墙。

●可实时更新病毒和攻击特征的网关防病毒。

●IDS和IPS预置1400个以上的攻击特征，并提供用户定制特征的机制。

●VPN（目前支持PPTP、L2TP和IPSec，SSL VPN也将很快推出）。

●反垃圾邮件具备多种用户自定义的阻挡机制，包括黑白名单和实时黑名单（RBL）等。

●Web内容过滤具有用户可定义的过滤器和全自动的FortiGuard过滤服务。

●带宽管理防止带宽滥用。

●用户认证，防止非授权的网络访问。

●动态威胁防御提供先进的威胁关联技术。

●ASIC加速提供比基于PC工控机的安全方案高出4-6倍的性能。

●加固的操作系统，不含第三方组件，保证了物理上的安全。

●完整的系列支持服务，包括日志和报告生成器、客户端安全组件。

1 网络构架FortiGate系列防火墙支持路由（NAT）模式、透明模式和混合模式三种工作模式。

可以很好的适应各种网络环境。

------------------------------------------------------------------------------------------------------------------------------------------1.1 路由（NAT）模式如果需要用FortiGate连接不同IP地址段，则将FortiGate置于路由工作模式。

Secure Remote Access for Y our Workforce at ScaleSOLUTION BRIEFExecutive SummaryOrganizations face a number of different potential emergency situations, such as illness, flood, hurricanes, and power outages. Implementing a business continuityplan is essential to ensuring that the organization is capable of maintaining operations in the face of adversity and preparing for potential disasters.An important consideration for organizations developing a business continuity plan is that the organization may not be capable of sustaining normal operations onsite. The ability to support employees working remotely is essential to ensuring both business continuity and security. Fortinet solutions offer an integrated solutionto support telework. FortiGate next-generation firewalls (NGFWs) have built-in support for IPsec virtual private networks (VPNs), enabling remote workers to connect securely to the company network. With endpoint protection, providedby FortiClient, and multi-factor authentication (MFA) with FortiAuthenticator, organizations can securely support remote work and maintain business continuity. The ability to securely support a remote workforce is an essential component of any organization’s business continuity and disaster recovery plan. An organization may be incapable of sustaining normal operations onsite, due to a power outageor similar event, or illness or flooding may make it unsafe for employees to travel onsite.In these scenarios, an organization must be capable of supporting secure, remote connectivity to the corporate network. For over 400,000 Fortinet customers, their existing technology deployment already contains this functionality. FortiGate NGFWs have integrated support for IPsec VPNs, enabling secure connectivity for employees working from alternate work sites.Remote work decreases employee unproductive time by an average of 27%.1Remote employees work an average of 16.8 more days per year than onsite employees.285% of employees claimthat they reach maximum productivity when workingremotely.3Allowing remote work increased employee retention in 95% oforganizations.4Securing the Remote Workforce with FortiGate NGFWsThe IPsec and SSL VPNs integrated into every FortiGate NGFW offer an extremely flexible deployment model. Remote workers can either take advantage of a clientless experience or gain access to additional features through a thick client built into the FortiClient endpoint security solution. Power users and super users would benefit from deploying a FortiAP or a FortiGate NGFW for additional capabilities.Fortinet solutions are designed to be easy to use from initial purchase through end of life. FortiGate NGFWs and FortiAP wireless access points include zero-touch deployment functionality. Appliances deployed at remote sites can be pre-configured before they ship, allowing for automatic set up onsite, which ensures business continuity and support for telework.The Fortinet Security Fabric takes advantage of a common Fortinet operating system and an open application programming interface (API) environment to create a broad, integrated, and automated security architecture. With the Fortinet SecurityFabric, all of an organization’s devices, including those deployed remotely to support telework, can be monitored and managed from a single pane of glass. From a FortiGate NGFW or a FortiManager centralized management platform deployed at the headquarters environment, the security team can achieve full visibility into all connected devices, regardless of their deployment situation.In the event of a natural disaster or other event that disrupts normal business operations, an organization must be capable of rapidly transitioning to a fully remote workforce. Table 1 shows the number of concurrent VPN users that each model of the FortiGate NGFW can support.Beyond offering encryption of data in transit, via a VPN, Fortinet solutions offer a number of other features that can help an organization to secure its remote workforce. These features include:n Multifactor authentication. FortiToken and FortiAuthenticator enable dual factor authentication of remote employees.n Data loss prevention (DLP). FortiGate and FortiWiFi provide DLP functionality for remote workers, which is essential forteleworking executives with frequent access to sensitive company data.n Advanced threat protection. FortiSandbox offers analysis of malware and other suspicious content within a sandboxedenvironment before it reaches its destination.n Wireless connectivity. FortiAPs provide secure wireless access at remote work locations with full integration andconfiguration management in a single pane of glass.n Telephony. FortiFone is a secure, voice over IP (VoIP) telephony solution, whose traffic is secured, managed, and monitoredby a FortiGate NGFW. Available in soft client and several hardware options.Table 1: Number of concurrent VPN connections supported by various models of FortiGate NGFWs.Use Cases for Fortinet Products Supporting Remote WorkNot every employee in an organization requires the same level of access to company resources when working remotely. Fortinet provides tailored telework solutions for every remote worker:1. Basic teleworker.The basic teleworker only requires access to email, internet, teleconferencing, limited file sharing, andfunction-specific capabilities (finance, HR, etc.) from their remote work site. This includes access to Software-as-a-Service (SaaS) applications in the cloud, such as Microsoft Office 365, as well as a secure connection to the corporate network.Basic teleworkers can connect to the organization using FortiClient integrated VPN client software and verify their identity with FortiToken for multifactor authentication. Note that power users and super users would revert to the basic teleworker profile when they roam from their remote work location.Figure 1: Notional Fortinet solution deployment for basic teleworker.2. Power user . Power users are employees that require a higher level of access to corporate resources while working from aremote location. This may include the ability to operate in multiple, parallel IT environments and includes employees such as system administrators, IT support technicians, and emergency personnel.For these power users, deployment of a FortiAP access point at their alternate work site provides the level of access and security that they require. This enables secure wireless connectivity with a secure tunnel to the corporate network. FortiAPs can be deployed with zero-touch provisioning (ZTP) and will be managed by the FortiGate NGFWs in the office. Should a corporate phone need to be deployed, it can simply plug into the FortiAP for connectivity back to the main office.Figure 2: Notional Fortinet solution deployment for power user.3. Super user. A super user is an employee that requires advanced access to confidential corporate resources, even whenworking from an alternate office location. They frequently processe extremely sensitive and confidential information. This employee profile includes administrators with privileged system access, support technicians, key partners aligned to the continuity plan, emergency personnel, and executive management.For these super users, their alternate work site should be configured as an alternate office location. While they require the same solutions as basic telecommuters and power users, they also require additional functionality. FortiAP can be integrated with a FortiGate NGFW or FortiWiFi appliance for secure wireless connectivity with built-in DLP. FortiFone provides soft client or hardware versions of telephony VoIP that is managed and secured via onsite FortiGate NGFWs or a FortiManager centralized management platform deployed at the headquarters location.Super UserSupporting a Remote WorkforceFortinet solutions are easily deployed to remote work locations. However, an organization also requires resources onsite or in the cloud to securely support teleworkers.Many organizations already have these resources in place as they are part of their existing security architecture. A FortiGate NGFW provides a NGFW capable of inspecting encrypted and plaintext traffic at enterprise scale with minimal performance impacts. However, it also includes an integrated VPN gateway that acts as an endpoint for encrypted connections to teleworkers.The FortiGate NGFW also includes integration with common IT infrastructure, including corporate director services, such as Microsoft Active Directory (AD), and MFA and single sign-on (SSO) solutions. FortiAuthenticator provides a single, centralized integration point for authentication solutions and supports third-party solutions as well as FortiToken, which offers hard, soft, email, and mobile token options.When managing a remote and distributed workforce, centralized security visibility and management are essential. All Fortinet solutions can be integrated via the Fortinet Security Fabric. This enables the organization’s security team to achieve single-pane-of-glass visibility and control using FortiManager, perform log aggregation and security analytics with FortiAnalyzer, and rapidly detect and respond to potential threats using FortiSIEM.Achieve Full Security Integration with Fortinet SolutionsThe Fortinet Security Fabric enables seamless integration of an organization’s remote workforce. All Fortinet solutions are connected via the Fortinet Security Fabric, enabling single-pane-of-glass visibility, configuration, and monitoring. A number of Fabric Connectors, an open API environment, DevOps community support, and a large extended Security Fabric ecosystem enable integration with over 250 third-party solutions as well.This is essential when an organization is preparing a business continuity plan, since the company may be forced to transition over to a fully remote workforce with little or no notice. Single-pane-of-glass visibility and management of an organization’s security architecture ensures that support for telecommuting does not jeopardize an organization’s cybersecurity.The following solutions are part of the Fortinet Security Fabric and support secure telework:n FortiClient. FortiClient strengthens endpoint security through integrated visibility, control, and proactive defense andenables organizations to discover, monitor, and assess endpoint risks in real time.n FortiGate. FortiGate NGFWs utilize purpose-built cybersecurity processors to deliver top-rated protection, end-to-endvisibility and centralized control, as well as high-performance inspection of clear-texted and encrypted traffic.n FortiWiFi. FortiWiFi wireless gateways combine the security benefits of FortiGate NGFWs with a wireless access point,providing an integrated network and security solution for teleworkers.n FortiFone. FortiFone provides unified voice communications with VoIP connectivity that is secured and managed viaFortiGate NGFWs. The FortiFone soft client interface allows users to make or receive calls, access voicemail, check call history, and search the organization’s directory right from a mobile device. Multiple hardware options are available.n FortiToken. FortiToken confirms the identity of users by adding a second factor to the authentication process throughphysical or mobile application based tokens.n FortiAuthenticator. FortiAuthenticator provides centralized authentication services including SSO services, certificatemanagement, and guest management.n FortiAP. FortiAP delivers secure, wireless access to distributed enterprises and remote workers and can be easily managedfrom a FortiGate NGFW or via the cloud.n FortiManager. FortiManager provides single-pane-of-glass management and policy controls across the extendedenterprise for insight into networkwide, traffic-based threats. This includes features to contain advanced attacks as well as scalability to manage up to 10,000 Fortinet devices.n FortiAnalyzer. FortiAnalyzer provides analytics-powered cybersecurity and log management to enable improved threatdetection and breach prevention.n FortiSandbox. Fortinet sandboxing solutions offer a powerful combination of advanced detection, automated mitigation,actionable insight, and flexible deployment to stop targeted attacks and subsequent data loss. Available as a cloud service that is included in most FortiGuard subscriptions.A Secure Foundation Ensures Business ContinuityPreparing for business continuity and disaster recovery is vital for any organization. An important component of this is the ability to support a mostly or fully remote workforce with little or no notice.When developing business continuity plans, it is essential to ensure that the organization has the resources in place to secure this remote workforce. Fortinet solutions are easily deployable and configurable and enable an organization to maintain full security, visibility, and control regardless of their deployment environment.1 “The Benefits of Working From Home,” Airtasker, September 9, 2019.2 Ibid.3 Abdullahi Muhammed, “Here’s Why Remote Workers Are More Productive Than In-House Teams,” Forbes, May 21, 2019.4 Ibid. Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.April 21, 2021 7:00 PM。

IntroductionVirtualization is generally the first step when business paces from traditional data center onto the cloud migration journey. Cloud by definition is a pool of API resources that can be rapidly provisioned or released through cloud service providers’ APIs for enabling ubiquitous, elastic, scalable, on-demand access to a shared pool of configurable compute, networking, and storage resources. The nature of “software-defined” everything in the cloud makes it easier to implement with great privileges and yet come even greatresponsibility for security implementation. Cloud migration is not a one-way street, and it’s very common to see hybrid cloud deployments based on business workloads coexisting in the enterprise both on premise and at hosted cloud providers.Securing Your Public and Hybrid CloudScale and Segment Cloud Security on DemandFortinet Cloud Security enables organizations to securely and elastically scale protection to their private, public, and hybrid cloud infrastructure and workloads, and to segment both within the cloud andbetween endpoints, enterprisenetworks, and the cloud.FIGURE 1: SECURITY FOR THE CLOUDSecurity Paradigm ShiftUnlike an organization independently building a data center infrastructure, cloud-based infrastructure as a service (IaaS) is built and aggregated through pools of resources and is designed to be elastic to scale with organizational demand. The leasing and subscription model changes how security is designed and implemented, as cloud consumption transitions from traditional CAPEX to OPEX in the public cloud. The security paradigm shifted from protecting a big-perimeterFIGURE 2: SECURITY PARADIGM SHIFTEDwalled garden to micro-segmented security control of business workloads. IT infrastructure becomes shifted from end-to-end complete data center ownership to owning just enough for the workload to operate in the cloud. IT architecture becomes shifted from static approaches to elastic capacity with on-demand metering consumption. This paradigm shift applies to both cloud ingress/egress (northbound-southbound) and lateral (eastbound-westbound) network traffic flow.According to Gartner’s strategic planning assumptions on “How to Make Cloud IaaS More Secure Than Your Data Center”:n n Through 2020, workloads that exploit public cloud IaaScapabilities to improve security protection will suffer at least 60% fewer security incidents than those in traditional data centers.n n Through 2020, 95% of cloud security failures will be thecustomer’s fault.n n Through 2020, 99% of vulnerabilities exploited will continueto be ones known of by security and IT professionals for atleast one year.As the cloud IaaS technology continues to evolve and mature, the majority of the security responsibility falls on how thebusiness secures and governs the applications and data on cloud IaaS.Well-defined Roles in Securing the Public CloudFor securing the public cloud, it is imperative to follow the “Shared Responsibility” model as espoused by industry groups like the Cloud Security Alliance (CSA) and providers including Amazon AWS and Microsoft Azure. These can be divided into two components — Security OF the Cloud and Security IN the Cloud .Security OF the Cloud comprises what the cloud provider, such as AWS and Azure, will provide. This represents literally all data center components for the cloud IaaS.FIGURE 3: SHARED RESPONSIBILITY - REDUCE SECURITY COST + MAINTAIN FLEXIBILITY , ACCESS, AND CONTROLSecurity IN the Cloud comprises what cloud tenants are responsible for implementing with their security solutions.Legacy security technologies coming into the cloud are still using appliance-based solutions, host-based agents, and manual audits. To achieve a truly consistent security posture in the cloud, businesses need to make the new mentality shift to move critical data away from the monolithic host-centric security model and start leveraging components available from public cloud-based web services. Rather than simply acquiring standalone security appliance that introduce security management challenges, they should instead consider cloud security solutions with centralized management and visibility across all deployment nodes. Point solutions today withoutextensions into cloud APIs are due to fail when they hit the point of scaling elastically in the cloud.Fortinet Security Solutions for Public CloudsCloud deployment is not meant to replicate what it’s done in the traditional data center. Fortinet has purposefully built cloud appliances for Amazon Web Services (AWS) CloudFormation or Microsoft Azure Resource Manager (ARM) templates to take advantage of cloud API-driven functionalities.The Fortinet Security Fabric-ready APIs fully support AWS and Azure and help extend the security intelligence across the cloud. Fortinet further embraces AWS Auto Scaling web services to provide better capacity planning through automation.With a global presence across all regions in public clouds,Fortinet further helps customers and partners meet their security goal of providing applications and data close to their geographical user bases. Geopolitical compliance can be further provided through Fortinet FortiOS intelligence and reporting.Fortinet Security Fabric for the CloudThe Fortinet Security Fabric extends Fortinet’s cloud securitysolutions across the entire enterprise attack surface.Virtualization is a core component of the security fabric that enables applications and data to be delivered efficiently in an on-demand manner through software-defined orchestration. Business workloads can be replicated and automated through preconfigured templates to increase agility and high availability.It is also critical to have single-pane-of-glass management and to own the control plane over cloud resource abstraction, so that businesses can embrace this new dynamic, automated, services-oriented architecture and improve control and visibility in varying cloud deployments.FIGURE 4: FORTINET SECURITY FABRIC FOR CLOUD SECURITYFortinet supports on-demand hourly and annual metering subscriptions in the cloud marketplace, as well as bring your own license (BYOL) for perpetual consumption. As clouds are driven by the need to reduce CAPEX and OPEX expenditures. Fortinet provides the broadest set of service-driven portfolios that can be deployed in micro-segmented clouds without compromising holistic security intelligence.The key principles of cloud security implementation in the Fortinet Security Fabric are:n n Scalable – high-performance firewalls and network securityappliances that scale from IoT to branch offices to the enterprise campus to the hybrid cloudn n Aware – integrated with underlying cloud infrastructure tobe aware of dynamic changes in the cloud environment and to provide seamless protectionn n Secure – micro-segmentation and internal segmentation inthe hybrid cloud extended with end-to-end segmentation across the entire attack surfacen n Actionable – integrated into SIEM and other analytics inprivate and public clouds, with the ability to orchestrate changes to FortiGate and other Fortinet security policy/posture automatically in response to incidents and eventsn n Open – built on an extensible platform with programmaticAPIs (REST and JSON) and other interfaces to integrate with hypervisors, SDN controllers, cloud management, orchestration tools, and software-defined data center and cloudHybrid IT InfrastructureA hybrid cloud that mixes on-premise data centers/private clouds with public clouds requires rigorous management. Fortinet helps organizations build a cohesive securityinfrastructure that is easy to deploy, manage, and extend. Using the fabric-ready API framework, Fortinet seamlessly integrates orchestration and automation to work across the mixed cloud environments. This increased agility, flexible consumption, and automation help DevOps teams own the control plane and respond to changes in the cloud environment more efficiently. Fortinet helps maintain consistency in security posture across clouds with a familiar look and feel in tools and resources. By extending the data center with consistent management,organizations can get enterprise-grade performance and security in the data center and in the cloud, as well as meet changing business needs with greater flexibility and capacity on demand.FortiGate Security PlatformThe FortiGate family of physical and virtual security appliances provides the foundation for securing private and public cloud environments. High-end physical FortiGate appliances provide highly scalable north-south data center firewall and network security protection at the edge or core of the private cloud. Virtual FortiGate appliances provide north-south protection for public clouds, as well as east-west segmentation within and across the hybrid cloud.All FortiGate physical and virtual security appliances share a common FortiOS firmware with consolidated multi-function security, from firewall to intrusion prevention to next-genfirewall to anti-malware to web filtering, and more, and receive consistent FortiGuard threat and content updates fromFortinet’s fully in-house FortiGuard Labs threat research team.Fortinet Virtual AppliancesIn addition to the flagship FortiGate platform, nearly a dozen other Fortinet security and networking solutions are available, not just as physical appliances but also as virtual appliances,from web application security to sandboxing to analytics to application delivery, for deployment in private and public cloud environments.Agile Software-Defined SecurityFortinet’s Security Fabric for the clouds enables orchestration and automation of both physical and virtual FortiGate security appliances in the hybrid cloud. Through a rich set of RESTful and other programmatic APIs, FortiGate appliances can be tightly orchestrated and automated with leading software-defined cloud platforms.Orchestration in the Public CloudFortiGate security solutions are tightly orchestrated with leading public clouds like AWS and Azure to provide on-demand provisioning, pay-as-you-go pricing, elastic auto-scaling, and unified security analytics that enhance protection and visibility in the public cloud environment.Single-Pane-of-Glass Visibility and ControlA workload should have the same secure and compliant posture regardless of whether it is running in a private cloud or public cloud, or whether it may migrate from one to another in a hybrid strategy. Fortinet’s central management solutions, including FortiManager and FortiAnalyzer, provide a single consolidated view of security policies, governance reporting, and event monitoring regardless of physical, virtual, or cloud infrastructure, and across private, public, and hybrid clouds.ConclusionRapid enterprise adoption of private and public clouds is driving the evolution of cloud security. Agile and elastic cloud security solutions need to fundamentally scale protection and segmentation within and across cloud environments. Fortinet’s FortiGate security platform and cloud security solutions secure private, public, and hybrid clouds, and extend protection seamlessly via the Fortinet Security Fabric across the entire enterprise from IoT to data center to cloud.Copyright © 2016 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other resultsmay vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne06560, Alpes-Maritimes, FranceTel +33 4 8987 0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6513.3730LATIN AMERICA SALES OFFICE Paseo de la Reforma 412 piso 16Col. Juarez C.P . 06600 México D.F.Tel: 011-52-(55) 5524-8428。

Fortinet用户管理解决方案1. 概述用户认证用处广泛，单就FortiGate而言，就多处功能得使用用户认证，比如防火墙策略认证、IPSec VPN、SSL VPN、设备管理等。

FortiGate用户认证分为三种基本类型：认证用户的密码型、认证主机和终端的证书型，在密码外附属其他安全策略的双因子型的。

用户是通过密码来确定身份的，但是网络资源通常是以用户组的方式授权的。

也就是说任何用户要访问该资源时，需要通过密码来证明自己属于授权的用户组。

如上图所示，FortiGate-FortiAuthenticator解决方案涵盖了多种应用，无线接入、有线接入、VPN接入等用户管理系统。

在下面方案中，我们将阐述不同认证体系，以及其与FortiGate和FortiAuthenticator关系。

2. 本地用户本地用户是配置于FortiGate上的用户名，密码可以存储与FortiGate本身，也可以取自认证服务器。

取自认证服务器时，认证服务器上的用户名必须和FortiGate上配置的用户名相匹配，密码是来自认证服务器的。

本地用户也可以采用双因子认证。

双因子认证可以动态令牌卡、邮件发送密码、短信方式等。

双因子可以强化本地用户的安全特点。

如果采用动态令牌卡，需要将FortiT oken注册于设备上。

FortiAuthenticator也可以设置本地用户，其特点在于完善的用户管理体系。

管理员可以建立和删除用户，用户可以采用自注册方式生成用户，用户名和密码可以通过邮件、短信等方式发送。

FortiAuthenticator可以强制用户在注册时，填写必要的选项。

用户自注册界面如下：FortiAuthenticator也可以对用户信息进行管理，强制用户密码有效期，用户可以自行修改密码等。

当用户遗忘密码时，可以自行恢复密码。

3. 访客管理企业经常有访客来访，往往希望有线或者无线的接入internet和企业网络。

如何为访客授权和管理是网络灵活性和安全性的一个重要方面。

Fortinet顾客管理处理方案1. 概述顾客认证用处广泛，单就FortiGate而言，就多处功能得使用顾客认证，例如防火墙方略认证、IPSec VPN、SSL VPN、设备管理等。

FortiGate顾客认证分为三种基本类型：认证顾客旳密码型、认证主机和终端旳证书型，在密码外附属其他安全方略旳双因子型旳。

顾客是通过密码来确定身份旳，不过网络资源一般是以顾客组旳方式授权旳。

也就是说任何顾客要访问该资源时，需要通过密码来证明自己属于授权旳顾客组。

如上图所示，FortiGate-FortiAuthenticator处理方案涵盖了多种应用，无线接入、有线接入、VPN接入等顾客管理系统。

在下面方案中，我们将论述不一样认证体系，以及其与FortiGate和FortiAuthenticator关系。

2. 当地顾客当地顾客是配置于FortiGate上旳顾客名，密码可以存储与FortiGate自身，也可以取自认证服务器。

取自认证服务器时，认证服务器上旳顾客名必须和FortiGate上配置旳顾客名相匹配，密码是来自认证服务器旳。

当地顾客也可以采用双因子认证。

双因子认证可以动态令牌卡、邮件发送密码、短信方式等。

双因子可以强化当地顾客旳安全特点。

假如采用动态令牌卡，需要将FortiT oken注册于设备上。

FortiAuthenticator也可以设置当地顾客，其特点在于完善旳顾客管理体系。

管理员可以建立和删除顾客，顾客可以采用自注册方式生成顾客，顾客名和密码可以通过邮件、短信等方式发送。

FortiAuthenticator可以强制顾客在注册时，填写必要旳选项。

顾客自注册界面如下：FortiAuthenticator也可以对顾客信息进行管理，强制顾客密码有效期，顾客可以自行修改密码等。

当顾客遗忘密码时，可以自行恢复密码。

3. 访客管理企业常常有访客来访，往往但愿有线或者无线旳接入internet和企业网络。

怎样为访客授权和管理是网络灵活性和安全性旳一种重要方面。

Fortinet Dissolves OT Complexity Through Integration and AutomationExecutive OverviewThe convergence of information technology (IT) and operational technology (OT)has caused security deployments to become much more complex due to thebroad addition of isolated point security products. This complexity presents newopportunities for threats to exploit. The Fortinet Security Fabric offers networkoperations analysts purpose-built protection that simplifies infrastructure whileimproving OT defenses. The integrated Security Fabric architecture supportscomprehensive visibility and control across OT environments while streamliningburdensome tasks associated with compliance auditing and reporting.SOLUTION BRIEF You cannot protect what you cannot see. 82% of organizations are not able to identify all the devices connected to their network.1Convergence with IT Makes OT Environments More ComplexGreater connectivity with IT and growing OT infrastructural complexity put OT systems at greater risk from internet-based threats. However, security integration converts the complex deployment of disparate products into a cohesive defensive architecture that shares information in real time and provides instant contextual analysis of potential issues across the organization.This is where the Fortinet Security Fabric architecture is the linchpin, providing broad, integrated, and automated protection for OT environments. If a connected OT device exhibits suspicious behavior, the Security Fabric has both the coverage and the capabilities to quickly identify the problem along with the critical information and tools that network operations analysts need to quickly remedy the issue.The Security Fabric lays a foundation for unified visibility and control at the device level to help network operations teams understand their organizations’ overall security posture. It includes automated workflows for compliance auditing andreporting to reduce the burden on limited staff resources. Most importantly, Fortinet offers security that is purpose-built for OT—so that organizations can repel all orders of advanced threats without disturbing sensitive OT systems.End-to-End Visibility and Control for OT EnvironmentsThe foundation of the Fortinet Security Fabric includes FortiGate next-generation firewalls (NGFWs), secure switching in FortiSwitch (wired) and FortiAP (wireless), and FortiManager for transparency and centralized management of all devices deployed across the organization. These components provide the foundation of connected security across OT environments—while extending visibility and control via specialized Fabric-connected solutions. The following are some of the core capabilities:Access management for usersMulti-factor authentication makes the successful use of stolen credentials more difficult,2 and yet more than half of OT organizations currently lack this critical protection.3 FortiAuthenticator provides services that are key in creating effective security policy, strengthening security by ensuring only the right person at the right time can access the OT environment. FortiToken multi-factor authentication further helps enforce role-based access.It also supports third-party guest management for wired and wireless networkprotection. And with FortiInsight user and entity behavior analytics (UEBA),organizations can add additional user-level safeguards against insider threats bydetecting behavioral anomalies that might signal a threat.1SOLUTION BRIEF | Fortinet Dissolves OT Complexity Through Integration and AutomationCopyright © 2021 Fortinet, Inc. All rights reserved. Fortinet ®, FortiGate ®, FortiCare ® and FortiGuard ®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.June 21, 2021 2:36 PM391288-A-0-EN Intent-based segmentation controlsThe Fortinet Security Fabric also supports intent-based segmentation to controlboth east-west (lateral) and north-south (vertical) access to OT systems basedon defined business needs—who, what, and where. It uses firewall policies tohelp network operations analysts limit internal access to sensitive systems bycontinuously assessing the trust level of users and devices in OT environments.Device-level control and endpoint protectionThe Fortinet network access control (NAC) solution—FortiNAC —helps to protectdevices and systems in OT that may lack sufficient built-in security of their own.Compliance technologies that help better visualize risk are a top spending priority for enterprises—both over the next 12 months (57%) and within the next three years (51%).4These include Internet-of-Things (IoT)/Industrial-Internet-of-Things (IIoT) devices, programmable logic controllers (PLCs), as well as industrial control systems (ICS) and their supervisory control and data acquisition (SCADA) subset systems. In coordination with other Security Fabric components, FortiNAC helps secure highly distributed OT networks from threats by all devices on the network. With the latest release (version 8.6), FortiNAC can use all integrated FortiGate NGFWs as a traffic sensor and do passive identification and anomaly detection. Native integration between Fortinet intent-based segmentation and FortiNAC allows for business rules to be extended to device access controls.Automation and ComplianceCompliance management often involves manual processes done by multiple full-time staff over several months each year. An integrated OT security architecture enables automation in many areas—including compliance auditing and reporting.FortiAnalyzer automates compliance tracking and reporting of industry regulations and security standards, which is integrated at the network operations layer, for greater workflow efficiency. FortiAnalyzer natively provides the capability of evaluating the network environment against best practices to measure compliance risks. Network operations teams then apply and enforce controls on the network to protect against cyber threats. FortiAnalyzer offers an in-depth analysis of network operations to determine the scope of risk in the attack surface and then identify where immediate response is required. Prebuilt reporting tools provide easy-to-schedule delivery of reports.FortiAnalyzer can also feed data to security information and event management (SIEM) solutions, such as Fortinet FortiSIEM , that are integrated into the Security Fabric. This further enhances compliance capabilities through improved visibility (tracking all devices across the infrastructure in real time) and also context (what devices represent an actual threat) to reduce the noise and false positives that multiple security tools can create.Choose Security Designed for OTFortinet offers OT organizations a robust portfolio of security solutions that are part of the Fortinet Security Fabric. The latter simplifies OT security through transparent visibility across the organization, advanced controls for devices and users, and automated compliance management capabilities. At the same time, it secures delicate OT systems without disruption to maximize operational uptime. By combining purpose-built solutions (e.g., NGFW, segmentation, NAC, UEBA, SIEM) into a cohesive security ecosystem, the Security Fabric can protect OT environments against pervasive IT-based threats.1 Jeff Goldman, “IoT Security Fail: 82 Percent of Companies Can’t Identify All Network-Connected Devices ,” eSecurity Planet, November 8, 2017.2 “State of Operational Technology and Cybersecurity Report ,” Fortinet, March 2019.3 Ibid.4Samantha Regan, et al., “Comply & Demand: 2018 Compliance Risk Study ,” Accenture, March 2018.。

Fortinet Delivers Automated, Advanced Security for VMware NSX-T EnvironmentsExecutive SummaryVMware NSX-T, a stand-alone software-defined networking (SDN) platform,addresses the use cases that NSX-V does not support. NSX-T is expected tobe widely adopted in the coming year as enterprises increasingly use multiplehypervisors, containers, and multiple clouds.While NSX-T provides basic firewall capabilities, organizations facing expandingdigital attack surfaces need more. FortiGate VM for NSX-T augments VMwaresecurity with robust protection for both east-west and north-south traffic. Avirtual appliance that integrates with NSX-T Data Center through service insertionas a third-party edge firewall, FortiGate VM performs next-generation firewalling(NGFW), inspection of encrypted secure sockets layer (SSL)/transport layersecurity (TLS) traffic, intrusion prevention (IPS), and web application control.Fortinet is one of the first security vendors that delivers complete integration withthe NSX-T Data Center 2.4, 2.5, 3.0 and 3.1 releases.Cloud Adoption Expands Attack SurfaceRapid cloud adoption means a rapidly expanded attack surface. A recent surveypredicts that 83% of enterprise workloads will be in the cloud by 2020.1 Further,based on recent research, the average enterprise uses as many as 91 differentcloud applications.2 Most of these are adopting multi-cloud approaches, whichresult in security silos that obfuscate security visibility and make it difficult tomanage them through centralized controls.Clearly, there is no shortage of attack vectors. Cloud workloads and applications,whether in the public or private cloud, or Software-as-a-Service (SaaS), must beprotected from sophisticated threats with reliable, elastic security.3Encrypted Traffic at a Record HighAs more and more data is migrated from on-premises data centers to the cloud, thisdramatically expands the amount of encrypted traffic traversing the internet. Onestudy finds that more than 72% of internet traffic is now encrypted.4While encrypted traffic protects data from bad actors, it is not without its risks.Cyber criminals are increasingly using it to deliver malware into their intendedtargets. Unless this encrypted traffic is inspected with the right security tools, anorganization can suddenly find itself facing a potential data breach or operationaldisruption. But many next-generation firewall (NGFW) solutions either lack securesockets layer (SSL)/transport layer security (TLS) inspection capabilities or theperformance to conduct inspections without adding more NGFWs—and thus cost.SOLUTION BRIEF Joint Solution Components n Fortinet FortiGate n VMWare NSX-T Top Features: n Advanced threat prevention for VMware NSX-T SDDC environments n Automated deployment and orchestration of FortiGate VM for SDDCs and private and public clouds n Single-pane-of-glass management and full visibility with FortiManager n Seamless security scaling from SDDCs to private and public clouds n Inspection of encrypted traffic without impacting network performanceFortinet Support for NSX-T Data CenterNSX-T connects all types of applications and is multi-hypervisor aware. It is an SDN stack that supports hypervisors beyond vSphere, such as KVM and OpenStack. In addition, it supports container platforms such as Kubernetes and Docker.The FortiGate VM next-generation firewall (NGFW) integrates with NSX-T to provide security for hypervisors and container orchestration platforms. This results in seamless and consistent security for the applications running on these platforms. It provides purpose-built integration for VMware’s software-defined data center (SDDC) and interoperability with NSX-T through service insertion as a third-party edge firewall.FortiGate VM also protects the north-south (vertical) traffic flow inside the NSX-T environment. It does so, as depicted in the diagram below, by integrating with logical routers in tier 0 and/or 1, depending on where to inspect the traffic. NSX-T connects workloads running in SDDCs and public and private clouds. FortiGate VM enforces security at the connection points between these disparate networks.Fortinet AdvantagesThe Fortinet Security Fabric delivers a more comprehensive and faster response to threats, while enabling organizations to realize improved efficiencies. Specific operational advantages include:• Automatic identification and containment of threats in real time• Seamless security scaling from data centers to clouds• Compatibility with new versions of VMware on AWS• Smooth failover with active/passive high availability (HA)• Improved efficiency with single-pane-of-glass management and visibility with FortiManager• Ability to examine encrypted traffic with no network slowdownThe Security Fabric also offers threat-intelligence advantages that include:• Integrated, comprehensive security posture across the network with sandbox and content security integration via the Fortinet Security Fabric• The latest threat intelligence delivered in near real time by FortiGuard Labs• Efficient, top-rated protection for disparate multi-cloud environmentsThe Best Way to Secure NSX-T EnvironmentsIf you are running NSX-T, you need dynamic security that can enforce security policy across multi-hypervisor and container environments. FortiGate VM integration with VMware’s NSX-T solution extends the NSX-T firewall functionality with advanced security services and allows enterprises to reap all the benefits of SDDCs and public and private clouds with agility and efficiency.Advanced Layer 7 security with FortiGate VM for traffic moving between virtual machines and external networks secures customer assets and data in the cloud against even the most sophisticated threats. FortiGate VM includes multi-layered protections such as firewall, application control, IPS, sandboxing, and threat-protection technologies.1 Louis Columbus, “83% Of Enterprise Workloads Will Be In The Cloud By 2020,” Forbes, January 7, 2018.2 Scott Brinker, “The average enterprise uses 91 marketing cloud services,” Chief Marketing Technologist Blog, June 12, 2017.3 “Quarterly Threat Landscape Report Q3 2018,” Fortinet, November 2018.3 John Maddison, “More Encrypted Traffic,” Fortinet Blog, December 10, 2018. Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.June 23, 2021 10:07 AM。

1The cybersecurity threat landscape is always changing. As quickly as risks are perceivedand blocked, cyber criminals are already developing new lines of attack. Understandably,this poses an ongoing problem for organisations who offer cybersecurity services to theirclients. To meet this challenge head-on, service providers require robust and flexibleinfrastructure that enables them to offer an appropriate level of security to their end-usercustomers.The Need for a Modern, Efficient SolutionExponential-e, an award-winning cloud and unified communications services provider,approached Fortinet with this concern in mind. Fortinet’s preexisting relationship withExponential-e meant they were a natural choice for the update.As an organisation who places a strong emphasis on offering peace of mind to theircustomers, it was vital that Exponential-e carefully considered their strategy for thisupdate to ensure the most effective results. In order to continue providing a resilient andcost-effective Managed Firewall service for their customers, Exponential-e were thereforelooking to update their systems.Exponential-e already had an established Managed Firewall offering, which helped theircustomers protect their corporate networks from security threats and unauthorised accessattempts. This was based on a shared enterprise FortiGate firewall cluster for centralisedmanaged firewall services and smaller FortiGate firewalls for dedicated devices.However, although it was suitable at the time of implementation, the technology thatpowered this was ageing. For example, the enterprise firewall cluster was at full capacity,and all management was being performed directly on the device with no centralisedmanagement. This was both time-consuming and potentially error-prone. Exponential-ewere therefore seeking to update and relaunch their Managed Firewall offering as aManaged Next Generation Firewall (MNGF) service, which would help to meet a numberof security and operational concerns in line with the objective to become a managedsecurity service provider (MSSP).For example, evolutions in the threat landscape meant Exponential-e’s existinginfrastructure was at risk of becoming insufficient. Security breaches could result ina huge loss of trust and substantial business losses, so it was important for them toaddress this problem.Provider Navigated the Changing Threat Landscape“The success of Exponential-e’s Managed Firewall offering rests on our ability to provide an efficient, cost effective and, most importantly, robust security service. While it can be challenging to meet these objectives in a rapidly changing digital world, Fortinet’s products have allowed Exponential-e to continue to offer a world-class service to our customers.”– Mukesh Bavisi, Managing Director, Exponential-e Details Customer: Exponential-e Industry: MSSP / Service Provider Location: London, UK Business Impact n n Ability to meet modern cyber-threat risks n n Improved cost-effectiveness n n Greater operational efficiency n n Increased end-user visibilityCopyright © 2020 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be May 2, 2020 6:05 AM D:\Fortinet\Case Study\Exponential - e\cs-FA-how-one-managed-service-provider-navigated-the-changing-threat-522020CASE STUDY | How One Managed Service Provider Navigated the Changing Threat Landscape649500-0-0-EN Additionally, their current infrastructure had become unnecessarily costly to deploy andmaintain. This was another pressing concern that needed to be addressed. As a serviceprovider, Exponential-e was keen to ensure maximum operational efficiency and thereforeneeded to increase the cost-effectiveness of their offering.Finally, Exponential-e were also driven by an increasing customer demand for morevisibility of threat data. Increasingly, customers prefer this to a “black box” service, soExponential-e required an interface that could provide their customers with higher visibilityand admin capabilities.Meeting Exponential-e’s RequirementsTo address these concerns, Fortinet worked closely with Exponential-e to build a strategythat would continue to help them drive their business success moving forward. Fortinetprovided a range of infrastructure to meet Exponential-e’s initial requirements, including twoFortiGate enterprise firewalls (NGFWs), as well as FortiManager, FortiAnalyzer, FortiPortal,and FortiDeploy solutions. In combination, these products allowed Exponential-e to offer amuch richer feature set for their customers, including zero-touch provisioning of customerpremises equipment (CPE).Exponential-e also needed infrastructure that could adapt to emerging threats, asopposed to a rigid product that would rapidly become outdated. The Fortinet FortiGuardsecurity subscription was therefore an ideal solution, as it is constantly updated to ensurecustomers are equipped to deal with emerging threats. This is backed up by Fortinet’slarge, dedicated FortiGuard research team, who constantly scour the cyber landscape todiscover, preempt, and block developing threats. This means that Fortinet’s customers, likeExponential-e, can rest assured that their offering is robust and updated enough to standup to emerging attacks.This solution also met Exponential-e’s requirement to promote higher operational efficiency.A key problem with their existing solution was that the level of manual deployment involvedwas not cost-effective. Fortinet’s new solution has allowed Exponential-e to provide more efficient services for their customers, reducing the overall costs for the ongoing maintenance and support of the managed services they offer.As a service provider who manages systems on behalf of their clients, this was an important concern to address. The higher efficiency of Fortinet’s new infrastructure achieved this, empowering Exponential-e to manage a greater number of solutions, in a more efficient way.As an additional benefit, having previously worked with Fortinet FortiGate enterprise firewalls, Exponential-e already had knowledge of Fortinet products and services. This meant the new products were deployed smoothly, as the training and enablement requirements were minimal.Exponential-e’s Managed Firewall service is now robust enough to keep up with customer expectations. Their customers can benefit from their own dedicated virtualised firewall, offering features like end-user network control access, high availability, health monitoring, and configuration backup. Since implementing their new platform, Exponential-e have doubled their revenue from security services while increasing operational efficiency. Ultimately, Fortinet’s solution has helped them to win more business and deliver the level of service expected by customers in the modern threat landscape.。

Improve Application Access and Security With Fortinet Zero Trust Network AccessExecutive SummaryThe massive shift from working in an office to working at home has highlightedmany security and connectivity challenges. In addition, today’s networks arehighly distributed with resources spread across data centers and multipleclouds. It’s critical for organizations to enable secure access from anywhere toany application—while applying consistent security policies. That’s why today’senterprises need to evolve remote access from traditional virtual private networks(VPNs) to a zero-trust network access (ZTNA) solution. SOLUTION BRIEF Gartner predicts that by 2023, 60% of enterprises will phase out traditional VPNs and use a ZTNA model.1Fortinet ZTNA simplifies secure connectivity and reduces the attack surface. Users are authenticated and verifiedbefore they are allowed to access a particular application. The solution includes a set of products that integrate into the Fortinet Security Fabric, enabling easy management and end-to-end visibility.Fortinet ZTNA AdvantagesBuilding a zero-trust network access solution requires a variety of components—a client, a proxy, authentication, and security. But in most organizations, these solutions are provided by different vendors. The components often run on different operating systems and use different consoles for management and configuration, so establishing a zero-trust model across vendors is nearly impossible.With Fortinet, not only can you easily establish zero-trust access through one vendor but also with one operating system. FortiOS 7.0 updates turn an organization’s existing Fortinet infrastructure into the newest part of a zero-trust architecture. FortiGate next-generation firewalls (NGFWs) and FortiClient endpoint protection employ ZTNA capabilities with simplified management. The same adaptive, application access policy is used whether users are on or off the network. And, bybuilding ZTNA into FortiOS, it’s tightly integrated into the Fortinet Security Fabric, enabling easy management andsuperior visibility.Fortinet can apply ZTNA to remote users, home offices, and other locations, such as retail stores, by offeringcontrolled remote access to applications. It’s easier and faster to initiate than a traditional VPN. This gives users a better experience while providing a more granular set of security protections. It doesn’t matter if applications are in the data center, private cloud, or public cloud. Users and applications can be geographically independent and still create secure and reliable connections.Data CenterPublic CloudFortiClient Campus FortiClientBranchFortiClientRemoteSaaSCopyright © 2021 Fortinet, Inc. All rights reserved. Fortinet ®, FortiGate ®, FortiCare ® and FortiGuard ®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.March 2, 2021 10:27 AMHow It WorksThe Fortinet solution enables ZTNA capabilities by leveraging new features inFortiOS 7.0 and by using FortiClient as the ZTNA agent. To protect traffic over theinternet, the FortiClient ZTNA agent on the device creates an encrypted, securetunnel from the device to the ZTNA enforcement point (FortiGate).This tunnel is created on-demand, transparent to the user, which solves a majorpain point of VPN remote access. Because everyone on the network is no longerconsidered automatically trusted, the same tunnel is created whether the user is onor off the network.This architecture has benefits on the application side, as well. Because the user isconnecting to the FortiGate and then proxying that connection to the application,the application can exist on-premises, in a private cloud, or in a public cloud—allwhile hidden from the internet. The application only needs to establish a connectionwith the FortiGate, keeping it hidden from prying hackers or bots.Secure Remote Access for Today’s Distributed Networks and UsersFortinet makes it easy to transition from traditional VPN to ZTNA. With thetechnology built into the FortiOS operating system, delivering consistent andsecure access, regardless of user or application location, is simplified. It’s abetter experience for the end-user and easier to manage for the network admin.Moreover, the attack surface is reduced via the ongoing verifications and proxy-edapplications. The Fortinet ZTNA solution delivers more secure remote access than atraditional VPN, while enabling a better user experience. Fortinet ZTNA does not require secure access service edge (SASE) services. However, Fortinet SASE can become FortiOS proxy points when they shift to FortiOS 7.0. SASE and ZTNA services will be able to be delivered alongside each other. n n ZTNA will provide secure access and application access control.n n SASE will provide the Firewall-as-a-Service (FWaaS), sandboxing, data loss prevention (DLP), secure web gateway (SWG), and malware protection, as well as the network peering.1 Mike Wronski, “Since Remote Work Isn’t Going Away, Security Should Be the Focus ,” Dark Reading, September 24, 2020.。

Fortinet无线网络安全解决方案1. 概述Fortinet安全解决方案不仅仅是针对有线网络，而且也覆盖了无线网络。

Fortinet新推出的瘦AP可以把FortiGate作为控制器，高速无线连接和内容层安全可以兼而得之。

FortiAP 是Fortinet公司在多年无线领域和安全领域经验积累上推出的产品。

该设备对希望获得更多安全的无线用户来说是一个新的选择。

通过该设备，无线用户可以选择从网络到应用层的各种安全功能，比如设置第七层的应用优先级，数据防泄漏和网络访问控制等等。

无线平台控制（AC）模块被集成到各个FortiGate设备上，该控制模块可以对所有FortiAP进行集中管理和监控。

所有的经过认证的无线数据都会被转发到作为控制平台的FortiGate，FortiGate通过防火墙策略和UTM安全功能对数据包进行处理，以发现不安全隐患。

用户通过控制平台可以控制网络访问、迅速方便地升级策略和依据法律进行监控。

专用的软硬件体系设计，使其保障网络安全的同时，不会成为网络速度的瓶颈。

FortiAP-200系列可以以最小数量部署，而为用户提供高性能和多种安全保障。

FortiGate 和FortiAP组成了业内领先的安全、性能和可扩展的安全解决方案。

Fortinet简化了设备价格体系，采用FortiGate作为通用管理平台，降低了用户总体拥有成本。

FortiAP和FortiGate构成了无线网络安全解决方案：●符合安全法规要求：检测和报告非法AP，细粒度地终端控制，审计式报告，专用的分析；●降低总体拥有成本：灵活部署，充分发挥现有FortiGate，不需要单独采购集中控制器，所以能够有效地降低成本；●FortiGate控制器比起竞争对手来说其扩展能力更为强大。

2、简要拓扑结构在Fortinet的无线解决方案中，FortiGate作为无线的集中管理器，而FortiAP作为瘦AP的接入端，无线用户的认证和数据流转发均由FortiGate完成。

Fortinet产品家族fortinet 的产品家族涵盖了完备的网络安全解决方案包括邮件，日志，报告，网络管理，安全性管理以及fortigate 统一安全性威胁管理系统的既有软件也有硬件设备的产品。

更多fortinet产品信息，详见/products.FortiGuard服务订制fortiguard 服务定制是全球fortinet安全专家团队建立,更新并管理的安全服务。

fortinet安全专家们确保最新的攻击在对您的资源损害或感染终端用户使用设备之前就能够被检测到并阻止。

fortiguard服务均以最新的安全技术构建，以最低的运行成本考虑设计。

fortiguard 服务订制包括：1、fortiguard 反病毒服务2、 fortiguard 入侵防护（ips）服务3、 fortiguard 网页过滤服务4、fortiguard 垃圾邮件过滤服务5、fortiguard premier伙伴服务并可获得在线病毒扫描与病毒信息查看服务。

FortiClientforticlient 主机安全软件为使用微软操作系统的桌面与便携电脑用户提供了安全的网络环境。

forticlient的功能包括：1、建立与远程网络的vpn连接2、病毒实时防护3、防止修改windows注册表4、病毒扫描forticlient还提供了无人值守的安装模式，管理员能够有效的将预先配置的forticlient分配到几个用户的计算机。

FortiMailfortimail安全信息平台针对邮件流量提供了强大且灵活的启发式扫描与报告功能。

fortimail 单元在检测与屏蔽恶意附件例如dcc（distributed checksum clearinghouse）与bayesian扫描方面具有可靠的高性能。

在fortinet卓越的fortios 与fortiasic技术的支持下，fortimail反病毒技术深入扩展到全部的内容检测功能，能够检测到最新的邮件威胁。

Fortinet and Intel Secure DeviceSOLUTION BRIEF | Fortinet and Intel ® Secure Device Onboard Security SolutionCopyright © 2021 Fortinet, Inc. All rights reserved. Fortinet ®, FortiGate ®, FortiCare ® and FortiGuard ®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.June 8, 2021 9:42 AMsb-fortinet-and-intel-security-device-onboard-solution-1071054648821-A-0-EN Figure 1: Secure Device Onboarding workflow with Intel SDO and FortiNAC—extending IoT security to the network perimeter.Joint Use Casesn Securely onboard IoT endpoints to the networkn Use secure onboarding information to define granular security policies on the FortiNAC for the IoT endpoints.Fortinet FortiNACFortiNAC is Fortinet’s network access control solution that enhances theSecurity Fabric with visibility, control, and automated response for everythingthat connects to the network. FortiNAC provides protection against IoT threats,extends control to third-party devices, and orchestrates automatic responses to awide range of networking events.Intel ® SDOA service that enables a device to be powered on to dynamically provision to a customer’s IoT platform of choice in seconds—with a zero-touch, automated process secured by the device’s hardware root of trust.About IntelAt Intel, building a better world is our business. Our mission is to utilize the power of Moore’s Law to bring smart, connected devices to every person on earth while serving as a role model for how companies should operate. We power amazing experiences through a diverse product line and exciting partnerships. Our strategy is a virtuous cycle of innovation—the cloud and the data center, the Internet of Things, memory and FPGAs all bound together by the goal of greater connectivity and enhanced performance. Our global team, over 107,000 strong across 58 countries, is a powerhouse of engineering and technological excellence that empowers solutions to the world’s toughest problems while creating the technology of tomorrow. We are Intel, and Amazing Works Here.Solution Componentsn Fortinet Security Fabric: FortiGate, FortiNAC n Intel ® Secure Device Onboard (Intel ® SDO)IoT device connects to network FortiNAC puts device in “rogue” network SDO onboarding workflow kicks offFortiGate enforces access policy for IoT Device FortiNAC communicates security policy to FortiGate YES NODevice onboarded securely。

XX学校无线安全解决方案一、XX学校WLAN现状及改造需求该校有1500个学生，130个教师，建筑物信息如下：1、两个操场2、1幢行政楼（1楼大会议室、2-4层每层8个办公室，5楼三个教学机房）3、4幢教学楼（每层4个教室）4、1幢食堂（2层）5、1幢宿舍楼（4层，每层20个房间，点位布在走廊即可）随着移动设备（智能手机和平板电脑）的普及，公司人员基本每人都有支持连接网络的移动设备，来公司办事的访客上网需求也在不断增加。

为了更好的方便内部人员和访客在公司办公区域使用无线网络，集团管理信息部网络设备部计划对现有无线WLAN网络升级改造，实现最新最安全的无线安全技术部署。

本次无线WLAN安全网络的升级改造，本着以人为本的原则，采用性价比最高的业界著名的无线安全集成解决方案。

为了更好的发挥WLAN的作用，特提出以下需求。

1、无线AP间需具有无缝漫游功能，满足无线用户在不同AP区域移动时，网络不间断；2、无线AP支持多种用户认证方式，比如LDAP、Radius、本地用户、来宾用户等；3、无线AP需实现对非法AP的压制功能；4、支持公司现有的LDAP认证服务器；5、对内部员工实现首次登录后下次无需手动登录即可连接WLAN；6、对外部访客实现独立管理，生成临时WLAN接入帐号；7、AC控制器具有双机热备（HA）功能，当一台AC出现故障后，另一台AC控制器自动接管工作，而不影响无线用户使用。

二、Fortinet无线安全网络接入解决方案1、Fortinet无线安全接入方案综述Fortinet公司是一家美国纳斯达克（股票代码：FTNT）上市企业，全球统一威胁管理（UTM）市场持续排名第一，全球网络安全市场排名第四的安全设备供应商。

他们提供的无线网络安全接入解决方案深受广大用户认可，具有接入简便、安全性高、性价比高的特点。

Fortinet的无线网络接入及安全方案由AP（无线接入点）和AC（无线接入控制器）两部分组成。