Preface

Reliable documentation resources are always needed when dealing with recent and innovative technologies and paradigms. This book was born as a response to the need for a document that could cover Fortinet's flagship product, FortiGate, in detail.

The story goes like this: around 2008 two of the book authors (Martin Hoz and Ken Tam) were together at a company meeting, both already being Fortinet employees. A conversation popped up about the need for a technical book on Fortinet products. Up to that point there was no general book about Fortinet on the market, and several times we had people asking for something that could cover the technology and the UTM paradigm in general. A couple of years passed and the book idea went dormant, mainly due to busy work schedules, but it remained on the to-do list for both of them. In 2010, Fortinet CTO Michael Xie brought up the idea of having a published book on Fortinet's key selling product, FortiGate, during one of the FIAT meetings, of which Martin was a member along with two other co-authors of this book. FIAT is the Fortinet Innovation Advisory Team, a group of individuals that assist the Fortinet CTO Office in defining the Research and Development direction. Since Ken Tam already had some experience co-authoring a book with a previous employer, a company that was also founded by the brothers Michael and Ken Xie, this idea was brought to Ken's attention, and thus the book development began. The initial thought was that the book would need at least a third author, and so Ken McAlpine, a technical genius who had dealt with some of the most complex FortiGate deployments, joined the project, which officially started in summer 2011. What nobody had planned for was the amount of work it takes to write a book while combining that activity with a main day job that was so demanding due to the growth rates Fortinet had been experiencing since its IPO. The team asked Bruce Matsugu to help review and comment on the manuscripts, but then the point was reached where it was necessary to also add him as an author, along with another Fortinet veteran, Rick Basile, who also expressed interest in the project.

At the time we all committed to the project, we all saw the great opportunity we had because of the need for a good technical FortiGate / FortiOS book. At that point, Fortinet had sold more than 400,000 devices, but besides the official documentation there was no other written reference. We have to say the Fortinet documentation team is quite good, and the quality of what they produce is probably among the highest in the security industry. But such documentation does not incorporate experience, and we wanted to add value to what was already published. With this in mind, the discussion to define the table of contents focused on how we could add value on top of the Fortinet official documentation. We didn't want to just write about the same topics with a different set of words. We truly wanted to add something that someone working with a FortiGate would find valuable as a reference, and something that could give advice on how to deal with the whole new paradigm that UTM represents in general. UTM allows users to benefit greatly from increased security, enhanced service levels and efficiency, but we believe that until this book there was no text that gave Fortinet the right amount of importance, illustrating that with real-life examples, but above all illustrating that UTM is not only for the small and medium business but also for large enterprises, carriers and service providers that want to realize the benefits it offers.

This is what we have today here. In every chapter, the author tried to put in not only the technical concepts and knowledge that will allow the reader to gain a good understanding of the topic at hand, but also tips and tricks, so the reader can benefit from the experience the authors have gained through years of exposure to the technology in different situations, which is usually not covered by the formal Fortinet documentation. We also wanted to add some information in the book about how to handle FortiGate-related projects and how to use this technology to solve issues in some key verticals where Fortinet's approach has a clear differentiator over any other technology out there. So, the book you have in your hands is technical in nature, but it also gives you some ammo to be better prepared when in the middle of a project related to Fortinet technologies.

Finally, since this book comes after the Fortinet-sponsored "Unified Threat Management for Dummies", a free book that can be found on Fortinet's website, an effort was made not to overlap with the content offered there.

Intended Audience

Plainly put, this book is for you if you have to work with a FortiGate as an implementer, administrator or support engineer. Whether you work for a Fortinet partner or a Fortinet user, this book will help you understand a bit more about the UTM world in general and the FortiWorld in particular.

To make better use of this book, it is assumed that you have at least some experience in networking, TCP/IP and security technology. An effort is made to explain the different technologies mentioned in as much detail as possible, but the book is not meant to be your first one on the topic of security. Fortinet experience is not assumed either, so it's fine if you are using this book as your first FortiGate text, but you will benefit greatly from having either a hardware FortiGate or a FortiGate-VM, so you can practice the concepts and commands explained.

Organization of this book

The book is organized in three big parts:

Section I - General Introduction

The chapters in this section are meant to explain the concepts you will commonly find in the UTM world. It introduces you to the history of, and some debate on, UTM versus other security philosophies, but also gives you an introduction on how the FortiGate hardware was designed and how the FortiOS operating system was architected, so you can gain a better understanding of both.

∗ Chapter 1 - Introduction to UTM (Unified Threat Management) - Gives you some history on the UTM term, the philosophy behind it, the advantages versus other approaches such as Best-of-Breed or Next Generation Firewall, as well as how Fortinet differentiates itself versus other UTM proponents.

∗ Chapter 2 - FortiGate Hardware Overview - Discusses how the FortiGate is designed from the hardware standpoint, and above all explains the core of the magic behind it: how the different Forti-ASICs (Application Specific Integrated Circuits) work and interoperate to achieve great performance results while keeping the flexibility to accommodate new features.

∗ Chapter 3 - FortiOS Introduction - Explains the FortiOS architecture, and how Fortinet excelled where others took a long time to catch up: how the different parts interoperate, how to manage it and how to ensure you are doing things the right way.

Section II - UTM Technologies Explained

The chapters in this section discuss how the different technologies offered by the FortiGate/FortiOS duo work, how they can solve problems in your organization, as well as tips and tricks on how to size, deploy and troubleshoot them. There are also a couple of chapters devoted to FortiManager and FortiAnalyzer, the central management solutions that handle configuration management, monitoring, logging and reporting when a large number of FortiGate devices is deployed.

∗ Chapter 4 - Connectivity and Networking Technologies - Gives you the foundation to understand how networking technologies such as 802.3ad, 802.1q or dynamic routing protocols are used in a FortiGate, how they are configured, and some advice on design and troubleshooting.

∗ Chapter 5 - Base Network Security - Covers the common security concepts that you can find in most security products. FortiOS Firewall, Identity Based Authentication, two-factor authentication with FortiToken, IPSec and SSL VPN, Traffic Shaping, and SSL Inspection and Offloading are all technologies discussed here.

∗ Chapter 6 - Application Security - Deals with the basic content inspection of the FortiGate. By basic, we mean the content inspection technologies that have been part of the FortiGate offering for a long time, and thus are mature and commonly used. We work with IPS, Web Content Filter, Application Control and Network Antivirus, but some time is also devoted to reviewing the FortiGuard Network: the cloud-based security updates that feed the FortiOS components so they remain up to date for greater accuracy and effectiveness.

∗ Chapter 7 - Extended UTM Functionality - Reviews functions that some analysts consider part of a Next Generation Firewall, others part of eXtended Threat Management (XTM), but all offered as part of the FortiGate feature set. DLP, Endpoint Control, WAN Optimization, Web Caching and Vulnerability Management are reviewed.

∗ Chapter 8 - Analyzing your Security information with FortiAnalyzer - Reviews how to use FortiAnalyzer to get more information out of the logs generated by the FortiGate, and how to then discover patterns, get reports, and find relevant information: information that could be useful for informing executive staff of the benefits of the FortiGate or for giving detailed information to a forensics examiner.

∗ Chapter 9 - Managing your Security configurations with FortiManager - Reviews how to use FortiManager to keep a centralized configuration source for your FortiGate deployment.

Section III - Implementing a Security (UTM) Project

Here we come to the section that probably sets this book apart from any other.

In chapters 10 to 12 we deal with the project around UTM: how the project should be conceived, what to do to ensure a greater degree of success when communicating with the non-technical side of the organization, and how to apply all the knowledge gained in the book when solving problems in an educational organization, a distributed enterprise and a financial organization. Common needs, solutions to them, and typical advice that will help you extract more value out of your FortiGate ecosystem in these specific scenarios. The authors hope that by looking at these examples, you can more easily deduce how to approach other scenarios not discussed there.

∗ Chapter 10 - Designing a Security Solution - Deals with some project management issues you might find in your path while working on the installation, configuration or maintenance of a FortiGate solution.

∗ Chapter 11 - Security on Distributed Enterprises and Retail - Details solutions and best practices for the challenges posed by having a security policy that needs to be enforced in multiple places while being centrally managed, to maintain compliance and central enforcement at the same time.

∗ Chapter 12 - Security on Financial Institutions - Describes how FortiGates can address typical issues found in financial institutions, where things like low latency or detailed transactional logging are important.

Appendices

Complementing the rest of the book, we have some appendices that touch on important parts of the FortiGate ecosystem:

∗ Appendix A - Troubleshooting the project - Offers some suggestions that might help your work when the project is late or the budget seems like it won't be enough.

∗ Appendix B - Troubleshooting technically - Shows you what commands to run when something goes wrong, but above all gives you some ideas on how to approach the issue to find a quicker solution.

∗ Appendix C - Country codes - Lists the country codes used in chapter 5.

Breakdown of the contributing authors' work:

– Ken Tam wrote chapters 2, 5, 11 and Appendix C.

– Ken McAlpine wrote chapters 3, 4 and 8.

– Martin Hoz wrote chapters 1, 6, 10 and Appendix A.

– Bruce Matsugu wrote chapter 7 and Appendix B.

– Rick Basile wrote chapters 9 and 12.

– Josh More was technical editor and contributor for all chapters.
