
Converged Multi-Threat Security and Networking Platform

FortiGate-224B Reviewer’s Guide

FortiGate-224B Reviewer’s Guide

2 Feb 2007

Table of Contents

Introduction
Marketing Overview and Product Positioning
Key Features and Benefits
Product Review Suggestions
    Connecting to the FortiGate-224B
    System Status Screen
    Switch Menu Screen
    Port-Based Quarantine
    Multi-Threat Security Protection on Switch ports
Summary
Availability
About Fortinet (www.fortinet.com)
Appendix 1 – Factory Default Configuration


Introduction

Fortinet would like to thank you for your interest in reviewing our product. This guide is written to provide you with a quick overview of the FortiGate-224B, as well as to provide a highlight of the features that we believe are of the most interest. For a full description of the product features, we encourage you to contact our marketing department to arrange for a more detailed demonstration. Once again, thank you for your interest and for evaluating our product.

Market Overview and Product Positioning

Broadband and wireless technologies are enabling flexible virtual offices with network access anytime, anywhere, and from any device. Increased productivity, enhanced customer service and reduced costs are all welcome benefits. Not so welcome is the increasing number of security threats originating from devices inside the network. Laptops, handheld and other mobile devices are frequently used outside the corporate network, over un-trusted connections. These devices are often exposed to viruses, worms and other security threats. Back in the corporate network, these same devices are typically treated as trusted assets and given unrestricted network access. At this point the security threats acquired outside, having completely bypassed perimeter defenses, now proceed to wreak havoc.

As a result of the rise in internal threats, administrators are finding that securing the network from the inside is as important as securing the network from the outside. To accomplish this goal, you could use multiple point security solutions, including endpoint software agents, policy servers and other security gateways. The problem with this approach is that these solutions are not only costly to own and manage, but also degrade performance and reduce network availability.

The FortiGate-224B system provides an all-in-one network access security solution by tightly integrating the Fortinet multi-layered security gateway features with high-performance Layer 2 switching hardware. The FortiGate-224B simplifies the challenge of network access-layer security while providing the highest level of protection and performance. Utilizing the FortiOS suite of security solutions, threats from endpoint devices are automatically identified and blocked before they enter the network. Devices that are not compliant with security policies or exhibit any type of threat will be placed in quarantine. Performance is maximized by the purpose-built FortiASIC network content processor. The FortiGate-224B provides self-remediation features that allow users to resolve security violations and regain network access without involving the IT or security staff. The FortiGate-224B leverages the security update services provided by the FortiGuard Security Subscription services to ensure that the latest attacks are detected and blocked before harming your corporate resources or infecting other end users' devices on your network.


Key Features and Benefits

FortiOS Multi-Threat Security Suite
FortiGate-224B supports all the functionality found in FortiGate multi-threat security platforms. This includes firewall, antivirus, intrusion detection and prevention, IPsec and SSL VPN, Web filtering, antispyware, antispam and traffic shaping features.

Layer 2 and 3 Switching and Routing
In addition to the comprehensive security features, the FortiGate-224B offers high density, multi-port 10/100/1000 Ethernet switching capabilities. Also supported are: VLAN switching, advanced routing, QoS and user authentication.

Clientless Port-Based Quarantine
The FortiGate-224B provides a simpler and less costly solution to implement than typical Network Access Control (NAC) solutions. In addition to providing port-level access control functionality, the FortiGate-224B also provides threat blocking and device quarantine, all without requiring client software.

Configurable Port Quarantine
The FortiGate-224B offers initially trusted or un-trusted access control based on security policies.

Self-Remediation
The FortiGate-224B presents quarantined users with a self-remediation portal, which can include options such as loading software patches/updates, installation of the FortiClient PC endpoint security software or other options based on the administrator’s definitions. Users must pass host checking requirements to be allowed back in to the network.

FortiGate-224B Technical Specifications

Security Hardened Platform: Yes
10/100 Switch Ports: 24
10/100/1000 Switch Ports: 2
10/100 WAN Ports: 2
USB Ports: 2
RS-232 Console Connection Port: Yes
Layer 2 Switch Performance: 4.4 Gbps
Concurrent Sessions: 400,000
New Sessions/Second: 4,000
Firewall Throughput: 150 Mbps
VPN 168-bit Triple-DES Throughput: 70 Mbps
Antivirus Throughput: 30 Mbps
Dedicated IPSec VPN Tunnels: 200
Max Defined Security Policies: 2,000


Product Review Suggestions

The following section suggests a methodology for evaluating the FortiGate-224B system and provides a quick reference to setting up and connecting to the system. Screen captures are provided to walk you through the Web-based configuration and highlighted features. Command line interface (CLI) configuration is available in the FortiGate-224B system, but it will not be covered in this review guide. For more details on the CLI configuration, please refer to the “FortiGate Administration Guide” and “CLI Reference Guide”, available from the product documentation section at www.fortinet.com.

Connecting to the FortiGate-224B

You can configure and manage the FortiGate-224B unit using HTTP or a secure HTTPS connection from any computer running Microsoft Internet Explorer 6.0 or a more recent browser. The web-based manager supports multiple languages. You can use the web-based manager to configure most FortiGate-224B settings, and to monitor the status of the FortiGate-224B. To connect to the web-based manager:

• Power on the FortiGate-224B.
• Set the IP address of the administration PC’s Ethernet interface to the static IP address “192.168.1.2” with a net mask value of “255.255.255.0”.
• Connect the administration PC to the FortiGate-224B “WAN1” interface using the crossover cable or an Ethernet hub and appropriate cables.
• Start Internet Explorer and browse to the address https://192.168.1.99. Note: Remember to include the “s” in https://
• The login screen below should appear.

The default login name and password are:

Login: admin
Password: (none)

See Appendix 1 for the Factory default configuration.


System Status Screen

The System Status Screen provides you with a quick glance of the FortiGate-224B system upon successful logon. The configuration menu can be found in the navigation menu bar on the left side of the browser window. A sample main user interface screen is provided below.


Switch Menu Screen

The Switch Menu Screen provides the key configuration menu for the switching functionalities in the FortiGate-224B. As illustrated below, this screen provides the configuration for all the switch ports, port 1 to port 26. Note: The WAN1 and WAN2 ports are not part of the switch port configuration; the configuration for these two ports can be found in the System > Network menu.

The “Interface”, “VLAN” and “SPAN” tabs along the top of the main window of the interface contain the configuration menus for VLAN and Spanning Tree (SPAN) configuration. Clicking the “Edit” icon for each port will open up the port-specific settings for more configuration options (illustrated below). Configuration options include: VLAN, Spanning Tree, 802.1x and more.


Port-Based Quarantine

The Switch > Port Quarantine menu page contains the configuration options for the client security check profile and the port quarantine policy. Together these determine the types of security check performed on each interface and the action taken if the security check fails. The “Client profile” menu defines the client security checks performed when the profile is applied. It is important to note that the FortiGate-224B will perform the security check on all clients connected to the FortiGate-224B. No client software is required on the client PC. Selecting Switch > Port Quarantine > Client Profile > Create New will bring up the Client Profile configuration menu. See below for the client profile configuration options. Selecting the “Enable OS Check” option will open up the OS check options.

Depending on the client profile, the client security check can be based on:

• Antivirus software
• Firewall software
• Up-to-date Operating System software

Note that a Client Profile is not active unless it is applied to a port or ports through the port quarantine policy configuration in the Strict Policy or Dynamic Policy menu page.


Port-Based Quarantine - Continued

After a client profile is created, it can be applied to a port or multiple ports using the Strict Policy or Dynamic Policy configuration menu. The Strict Policy configuration menu displays the quarantine actions that are strictly defined by the desired security policy. Strict Policy quarantines clients and enforces security policy by performing a client check before providing access to the network. Once the client check passes, the client will be placed in the pre-defined VLAN unless the port state changes (disconnect or reconnect). The Strict Policy configuration interface (found by navigating to Switch > Port Quarantine > Strict Policy > Create New) is illustrated below.


Port-Based Quarantine - Continued

Dynamic Policy provides a way to dynamically quarantine clients if a security event occurs after network access is granted. It also offers an additional configuration option that redirects the quarantined client to a quarantine VLAN where self-remediation can be optionally offered by providing downloadable software patches or security software. Once the client has applied the appropriate software patches or security software to enable a successful security check, it can then be automatically removed from the quarantine VLAN and placed back onto its regular VLAN. The Dynamic Policy configuration interface (found by navigating to Switch > Port Quarantine > Dynamic Policy > Create New) is illustrated below.

Selecting the Portal button will open up the self-remediation configuration options for the portal to which quarantined clients are redirected. The URL configuration area defines the sites allowed while in quarantine to obtain software patches or other security software for download.
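The difference between Strict Policy and Dynamic Policy described above can be followed step by step in a small model. This Python sketch is an added example, not Fortinet code or FortiOS configuration; the class and method names, the VLAN IDs 10 and 99 and the sample client are constructed, and it assumes that a port under Dynamic Policy admits the client at link-up and that a client held under Strict Policy has no VLAN at all.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SwitchPort:                          # hypothetical model, not a FortiOS object
    policy: str                            # "strict" or "dynamic"
    required: tuple                        # checks enabled in the Client Profile
    regular_vlan: int                      # constructed VLAN ID
    quarantine_vlan: Optional[int] = None  # constructed; Dynamic Policy only
    vlan: Optional[int] = None             # None models "no network access"
    quarantined: bool = False
    history: list = field(default_factory=list)

    def _set(self, vlan, quarantined, reason):
        self.vlan, self.quarantined = vlan, quarantined
        self.history.append(reason)

    def client_ok(self, client):
        # A check missing from the client's report counts as a failure.
        return all(client.get(check, False) for check in self.required)

    def link_up(self, client):
        if self.policy == "dynamic":
            # Assumption: Dynamic Policy grants access first, quarantines later.
            self._set(self.regular_vlan, False, "access granted")
        elif self.client_ok(client):
            self._set(self.regular_vlan, False, "check passed")
        else:
            # Strict Policy: no access until the client check passes.
            self._set(None, True, "check failed")

    def security_event(self, description):
        # Only Dynamic Policy reacts to events after access was granted.
        if self.policy == "dynamic" and self.vlan == self.regular_vlan:
            self._set(self.quarantine_vlan, True, "event: " + description)

    def recheck(self, client):
        # Self-remediation ends quarantine only when the check now passes.
        if self.quarantined and self.client_ok(client):
            self._set(self.regular_vlan, False, "remediated")

    def link_change(self):
        # Disconnect/reconnect discards the earlier check result.
        self._set(None, False, "port state changed")

def demo():
    laptop = {"antivirus": True, "firewall": False}   # constructed client state
    strict = SwitchPort("strict", ("antivirus", "firewall"), regular_vlan=10)
    dynamic = SwitchPort("dynamic", ("antivirus", "firewall"), 10, 99)
    strict.link_up(laptop)                 # held: firewall check fails
    dynamic.link_up(laptop)                # admitted without a prior check
    dynamic.security_event("virus detected")
    before = (strict.vlan, dynamic.vlan)
    laptop["firewall"] = True              # user remediates
    strict.recheck(laptop)
    dynamic.recheck(laptop)
    return before, (strict.vlan, dynamic.vlan)
```

The model makes the exposure window visible: under the dynamic assumption a non-compliant client sits on the regular VLAN until an event is detected, while the strict port never admits it.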


Multi-Threat Security Protection on Switch ports

The FortiGate-224B integrates the FortiOS Multi-Threat Security Suite to provide complete blended threat protection on the switch ports. Leveraging the security protection profile, different levels of protection can be assigned to different VLANs, as well as the WAN interfaces. The Protection Profile configuration menu can be found by navigating to Firewall > Protection Profile. Protection profiles contain all antivirus, Web filtering, antispam, intrusion prevention and other security module options. There are pre-defined protection profiles available, or you can select Create New to configure a new protection profile to uniquely satisfy your needs. See the following illustration for configuration options in the protection profile interface.

Clicking on the blue arrow next to the AntiVirus, Web Filtering and other headers expands the sub-menu for that security module.


Multi-Threat Security Protection on Switch ports - Continued

Once the desired protection profile is configured, it can be applied to the VLAN and WAN interface by navigating to the Firewall > Policy menu. Select “Create New” to create a new policy and select the appropriate interface in the Source and Destination field. The pre-defined protection profile can be applied by checking the Protection Profile option and selecting the appropriate profile in the pull-down menu.

Note: “guest-vlan200” is a VLAN created in the Switch > Port > VLAN section of the configuration interface.


Summary

The above steps outline suggestions to provide a quick overview of some of the key features found in the FortiGate-224B. The FortiOS security suite specific features found in the FortiGate-224B are not covered in this reviewer’s guide. It is recommended that you contact Fortinet representatives to arrange for a full product demonstration and review. Thank you once again for your time and interest in reviewing the FortiGate-224B.

Availability

The FortiGate-224B is available now through Fortinet’s network of channel partners worldwide. For more information on this and other Fortinet products, please visit: http://www.fortinet.com/products.

About Fortinet (www.fortinet.com)

Fortinet is the pioneer and leading provider of ASIC-accelerated multi-threat security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and antispam), providing customers a way to protect against multiple threats as well as blended threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified eight times over by ICSA Labs (firewall, antivirus, IPSec, SSL, IPS, client antivirus detection, cleaning and antispyware). Fortinet is privately held and based in Sunnyvale, California.


Appendix 1 – Factory Default Configuration

Administrator account
User name: admin
Password: (none)

WAN1
IP: 192.168.1.99
Netmask: 255.255.255.0
Administrative Access: HTTPS, Ping

WAN2
IP: 192.168.100.99
Netmask: 255.255.255.0
Administrative Access: Ping

Ports fe01 to fe24, Ports ge25 and ge26
IP: Undefined
Netmask: Undefined
Administrative Access: Undefined

Network Settings
Default Gateway (for default route): 192.168.100.1
Default Route: A default route consists of a default gateway and the name of the interface connected to the external network (usually the Internet). The default gateway directs all non-local traffic to this interface and to the external network.
Primary DNS Server: 65.39.139.53
Secondary DNS Server: 65.39.139.63

