Fortifying Firewalls The Fortinet Way

Test Center engineers took a look at FortiOS 3.0 on a FortiGate 300A firewall, one of Fortinet's hardware offerings. FortiOS 3.0 will run on a range of FortiGate appliances and is available as an upgrade for users of earlier versions. While the company's hardware offerings are important, the real power of those devices comes from the underlying operating systems and feature sets.

Solution providers will find significant enhancements to the FortiOS-based product line with new features such as control for instant messaging, including full virus scanning capabilities. Other notable improvements come in the form of granular Web-filtering control, Active Directory support and complete control of peer-to-peer technologies.

Test Center engineers found the product easy to install and were impressed with the SSL-based, browser-powered management interface. The management console offers a good balance between quick setup tasks and the ability to delve deeper into more complex controls.

Administrators are faced with a handsome system status screen that offers hyperlinks to all of the major features of the security appliance. The status screen also is the portal to configuration chores and acts as a dashboard, showing all critical traffic information, hardware statistics and attack information. The System hyperlink expands to show additional system-related tasks, ranging from DHCP configuration to maintenance downloads. Administrators can use the Router hyperlink to define how the unit interacts with the network.

The Firewall tab/hyperlink lets administrators define what protection policies are deployed and control what services are allowed on the unit. By default, the unit ships with all access closed and administrators must choose what services and ports to open. That style of implementation helps to avoid overlooked services, immediately helping to guarantee enhanced security. Access policies and service control can be wrapped into administrator-defined protection profiles, allowing different rule sets to be deployed for different users or groups.

The unit offers SSL VPN capabilities, along with PPTP, IPsec and certificate-based VPNs. Administrators select the User tab to define access rights to the network. Integration with LDAP, AD and RADIUS is supported, allowing user control to be homogenized across the network.

The integrated antivirus system offers a range of scanning options, from traditional signature recognition to examining file contents to blocking extensions. An innovative feature is the inclusion of grayware blocking, which can be used to block spyware, adware and other unwanted pests. The product offers the same style of protection against intruders. An intrusion-detection system protects against all of the known intrusions and uses intelligence to protect against zero-day attacks. The intrusion-detection engine also identifies traffic and protocol anomalies, and prevents those from entering the network. The product's Web filtering acts as advertised, offering blocking capabilities based upon content, site classifications and a blacklist. An antispam capability rounds out the product and offers the ability to block mail based upon keywords, addresses, blacklists and other technologies used by spammers.

Solution providers will be intrigued by Fortinet's ability to deal with peer-to-peer and instant messaging traffic. Extensive reporting helps to demonstrate ROI and empowers administrators to diagnose and discover exactly what is happening on the network.

Fortinet's four-tier channel program is quite VAR-friendly. Requirements for Bronze-level partners include an initial purchase plus a valid resale license with an authorized Fortinet distributor. Partners at the higher levels (Silver, Gold and Platinum) must have technical certification and varied levels of revenue commitment. Margins range from 10 percent to 30 percent. Silver, Gold and Platinum partners receive express routing codes to Fortinet's Technical Assistance Center (Platinum partners receive highest priority). All technical support is based on the purchase of a support contract. There is no cost for field engineering support. Training is offered annually and can be done via the Web or in a classroom.