
FortiProxy - NGSWG

Fortinet Vietnam SE

Agenda
• Introducing FortiProxy
• Proxy Features
• FortiProxy vs FortiGate
• FortiProxy Models
• FortiProxy Licensing
• Deployment Modes & Scalability
• Competitive Analysis

Introducing FortiProxy
Next-Gen Secure Web Gateway

Secure Web Gateway market
Protect users against internet threats

Secure web gateways (SWG) utilize URL filtering, advanced threat defense and legacy malware protection to defend users from internet-borne threats, and to help enterprises enforce internet policy compliance.

SWGs today are implemented primarily because of their security functionality. Vendors that are focused on providing strong anti-malware and advanced threat detection functionality are best positioned to win in this market.

[Diagram labels: Internal User, External User, FortiGate, FortiProxy, FortiWeb, Web Application Servers]

Secure Web Gateway Role
• Defend users from internet-borne threats
• Filters unwanted software/malware from user-initiated
• Enforce Internet Policy Compliance
• Provide visibility into encrypted traffic/websites
• Deployment flexibility to secure any user
• Ensure instant, fast internet access using WAN Optimization and Web Caching

FortiProxy Secure Web Gateway (SWG)
• High Performance and Scalability Proxy
• Dedicated Secure Web Gateway Solution
• Pay As You Grow License
• Multi-Layered Detection to prevent threats
• Authenticated Web Application Control
• WAN Optimization and Advanced Caching

SSL INSPECTION
• Powerful hardware
• Removes blind spots in encrypted traffic
• Multiple inspection methods

MULTI-LAYERED PROTECTION
• Integration with proven FortiGuard Threat Intelligence
• Integration with FortiSandbox

AUTHENTICATED ACCESS
• Granular application control policies
• Activity monitoring
• Restricts access to social websites using user or group identity

FortiProxy Features

Performance
• Full Proxy Application
• Content Caching
• WAN Optimization
• Video Caching & Stream Splitting

Security
• Intrusion Prevention System
• Application Control
• Antivirus
• Web Filtering
• DNS Filtering
• Web Rating Overrides
• Data Leak Prevention
• SSL/SSH Inspection
• Content Analysis (3rd party solution)
• User Authentication
• Sandbox Inspection
• Browser Isolation

Visibility
• Monitor and Logging
• Data Analytics
• FortiView Integration
• FortiAnalyzer Integration
• FortiCloud Integration

FortiProxy OS

Integration with Advanced Threat Protection
[Diagram labels: FortiGuard Labs, FortiSandbox, FortiProxy, FortiClient (ATP Agent), 3rd party Endpoint Agent]
1 File Submission/Result
2a Block Objects
2a File Quarantine
3a Real-time Intelligence Updates
3b Intelligence Sharing
4 Security Updates

Available with On-Premise or Cloud FortiSandbox

Browser Isolation - Zero Trust Web Browsing
• Clientless remote browser isolation
• Works with any modern HTML5 capable browser
• Mitigate against web-based threats whilst retaining productivity
• No third-party code ever runs on the local machine
• Browser session runs in clean remote container
• Rendered page image displayed to client
• Supports web page interactivity e.g. links, forms, video, audio

FortiProxy Integration with Browser Isolation (FortiIsolator)
• Provide full browser isolation based on web categories
• FortiProxy policy integration with FortiIsolator with several deployment modes:
  » Explicit Proxy
  » Transparent Proxy
• Mitigate against web-based threats whilst retaining productivity

Integration with FortiIsolator

“On-box AI” - Content Analysis
• Content Analysis is able to detect NSFW images and videos
• Near zero false negatives or near zero false positives achievable
• Accomplished with neural-network-based image recognition technology
• Enforce for end users very sensitive to illicit images & videos

[Figure labels: Weapons, Extremism, Graphic Violence, Pornography, Drugs; Image, Videos, Text]

Acceptable Use Policy Enforcement

Authentication
FortiProxy Built-In Authentication Methods
• FSSO
• LDAP/Radius
• Kerberos
• Single Sign On – SAML
• FortiToken
• X-Auth-User Header

Web Filtering
• Integration with threat intelligence
• Upload external blacklists
• Web Application Control
• Static web filtering
• Warning Page to user

[Diagram labels: User accessing web, FortiProxy, SSL Inspection, FortiAuthenticator]

SSL-VPN & IPsec VPN

SSL VPN FEATURES
• Provide full SSL VPN support
• Support the following modes:
» Tunnel mode configuration
» Web Mode configuration
• Provide a custom login page to SSL VPN connections
• Full FortiClient Support

IPsec VPN FEATURES
• Provide full IPSEC VPN support
• Support Wizard configuration
• Support following methods:
» Site to Site (FPX, FGT and Cisco)
» Remote Access (FortiClient, MAC, Android, Windows)
» Custom
• Provide several Tunnel Templates

Content Caching & Video Caching
• Content Caching
» FortiProxy is your network “memory”, remembering content and returning it locally rather than wasting precious internet bandwidth
• Streaming Media Caching
» 30+ CDNs and growing
» Detects same video ID when content comes from different CDN hosts
» Seek forward/backward in video
» Adverts cached separately
• RTMP Stream Splitting and HTTP Live Streaming
» Download live video streams once, serve to many clients
» Useful for live video events (sporting events, corporate presentations etc)
» Optimise the network during high bandwidth corporate events

Most Popular Supported CDNs: Youtube, Google Video, Metacafe, Foxnews, DailyMotion, Break, MSN, Yahoo, Myspace

Video Content Caching
Optimise the network during high bandwidth corporate events
RTMP/T Stream Splitting, HTTP Live Streaming and MPEG-DASH
• Download live video streams once, serve to many clients
• Useful for live video events (sporting events, corporate presentations etc.)
• Optimise the network during high bandwidth corporate events

WAN Optimization
• Peer-to-Peer WAN Optimization
» Optimize “chatty” protocols
» Object and byte caching to reduce traffic between offices and datacentres
» Overcome last mile limitations and delay WAN upgrades
» Reduce latency and improve application performance
» Improve customer satisfaction
» Integrates with FortiGate deployments via WCCP

Caching Feature

CACHE COLLABORATION
• Cache content sharing and clustering protocol

CACHE PRELOAD SUPPORT
• Pre-load cache content based on manually defined URL pattern with scheduled crawling function
• Useful for schools and hotels where popular content can be predicted

CHUNKED CACHE SUPPORT
• Support for caching of chunked and ranged requests
• Commonly seen in video downloads

Reverse Cache Prefetch

PREFETCH FEATURES
• You can now configure a user agent (such as Wget) for prefetch URLs
• You can ignore robots.txt rules when creating prefetch URLs and reverse cache prefetch URLs

Benefits
• More accurate prefetch based on user agent

FortiView - Real time Monitoring
• Provides real-time and historical traffic data from log devices by source, domain, destination, threat map, RTT, and Application Service.
• Application Service:
» HTTP/S Traffic Statistics
» User Analytics
» Cloud Applications
» Caching and Optimization
» Top Sources, Destination and Sessions
• Security:
» Threat map
» Top attacks, Geo IP, Quarantine
• System:
» System logs
» Traffic logs

Logging and Monitoring
• Provides real-time and historical data and security logs from security profiles.
» Forward Traffic
» AntiVirus
» Web Filtering
» Application Control
» IPS and more…
• Attack, Traffic, & Event Logging
• Traffic monitor per application
• Attack Event history per application
• Latest Alerts

FortiCloud Integration

Centralized logging, reporting and analysis for FortiProxy devices


FortiProxy Vs. FortiGate
Market Focus
Why choose FortiProxy as a SWG solution:

Focus!!! – FortiProxy is developed and targeted for the proxy-based market. It is undergoing specific feature development in upcoming months. As such, expect several new features to appear specific to SWG only!

Hardware – the best hardware for a firewall is not necessarily the same as for a SWG solution
• More RAM and Disk for (Cache) performance
• Proxy oriented Software Architecture

License – PAYG and All-Inclusive license. Customers pay only for the exact capacity currently required, which prevents over-spending on the initial solution

When to go with FortiGate as SWG:
• Not enough resources to manage a separate SWG appliance
• Budget/spending pressure
• Consolidation of SWG and NGFW within one-box

Comparing “Apples-to-Apples”
Comparing apples to apples: FortiProxy talks the same language and metrics as a SWG solution
• “Seat license” - this is crucial when replacing Symantec SG and any SWG gear. FGT has throughput and not number of seats.
• PAYG and All-Inclusive license - customers pay only for the exact capacity currently required, which prevents over-spending on the initial solution
• Number of sessions per seat. FPX has 2x more sessions for each seat compared to Symantec.

Flexible deployment (Transparent, Explicit, Inline…), multiple PAC files, multiple different policies (transparent, SSL, explicit, redirection…)

Best Caching and Optimization – Caching is one of the core features when using a forward proxy solution. FortiProxy provides advanced caching features such as:
• Cache collaboration - collaboration web caching allows multiple FortiProxy units within one organization to share all cached objects
• Prefetch URL (Crawl) – proactively preload caching objects
• Reverse Cache Prefetch
• RTMP/HTTP Stream Splitting
• Dynamic Adaptive Streaming over HTTP (MPEG-DASH)

Comparing “Apples-to-Apples”
FortiProxy WebUI: The FortiProxy WebUI is focused on proxy features. With FortiProxy, you can create all the configuration from the WebUI without the need for the CLI (compared to FortiGate)
• Features like Web Proxy profile, Kerberos and others need to be added via CLI in FortiGate, compared to FortiProxy

Hardware: the best hardware for a firewall is not necessarily the same as for a SWG solution. FortiProxy is a proxy-oriented software architecture, compared to a firewall, which is flow-oriented
• FortiProxy supports more memory and disk for caching & performance scaling
• FortiProxy supports bypass ports for flexible deployment

On-Box AI with Image & Video Content Moderation
• Automated computer vision AI that detects visual threats including pornography, extremism and graphic violence. Empower your application with AI content moderation that recognizes threats in images, videos and streaming media.

FortiIsolator/Fireglass – Symantec has the “Fireglass” solution, which provides an isolated browser for customers. FortiProxy has integration with FortiIsolator as part of the configuration. FGT is still not there.

Credential Phishing prevention (will be part of FGT 6.4) - detects and blocks known credentials being sent by web requests. Scans usernames and passwords in submission traffic to internet websites against your sensitive corporate network credentials, and defines the right action FortiGate can take to prevent credential phishing

Feature FortiProxy 1.2 FortiGate 6.2
Deployment & Performance
Flexible deployment  
Performance (“Seat” license, PAYG)  
Bypass ports  
Security Features
Intrusion Prevention  
Application Control  
IPS  
AntiVirus  
Web & DNS Filtering  
Web Rating Overrides  
DLP  
SSL/SSH Inspection  
Content Analysis (on-box AI)  
FortiIsolator Integration  
Credential Phishing prevention  
Caching & WAN Optimization
Advanced Web & Video Caching  
High throughput caching  
High volume storage  
WAN Optimization  
Reverse Web Cache  
RTMP/HTTP Stream Splitting  
Dynamic Adaptive Streaming over HTTP (MPEG-DACH)  
Generic
User Authentication  
Policy Test  
Multiple Pac Files/Policies  
FortiSandbox Integration  

FortiProxy Models
FortiProxy Form Factors
Multiple options for maximum deployment flexibility

Appliances
• 3 models
• From 500 to 50K users
• Support for 10GE
• Dual Power Supply
• Bypass ports

Virtual Machines
• 6 VM models
• Caching/WAN Opt and SWG Features
• CPU-based
• Perpetual licensing
• VMware, Hyper-V, and KVM

Public Cloud
• 4 VM models
• BYOL
• AWS and Azure Cloud

Centralized Management
• Perpetual licensing
• Full visibility and control for all FortiProxy form factors
• Support VMware and KVM Hypervisors

FortiProxy Product Lineup (SWG)

FPX-400E
• 500 – 4,000 users
• 3 Gbps Proxy Mode
• 1.5 Gbps AV, WF, App
• 1 Gbps AV, WF, App.Ctrl, IPS, SSL Full Inspection

FPX-2000E
• 2,500 – 15,000 users
• 9 Gbps Proxy Mode
• 4 Gbps AV, WF, App
• 3 Gbps – AV, WF, App.Ctrl, IPS, SSL Full Inspection

FPX-4000E
• 10,000 – 50,000 users
• 18 Gbps Proxy Mode
• 9 Gbps AV, WF, App
• 6 Gbps – AV, WF, App.Ctrl, IPS, SSL Full Inspection

FPX-VM
• 100 – 50,000 users
• Performance HW dependant

Features: Intrusion Prevention, Web/DNS Filtering, Application Control, Anti-Virus, Content Analysis, Traffic Shaping, Advanced Caching and WAN Opt. + DNS Protection

FortiProxy Appliance Lineup

Specification: FPX400E | FPX2000E | FPX4000E
Base Features: Advanced Caching and WAN Optimization
User License: 500-4000 Users | 2,500-25,000 Users | 15,000-50,000 Users
Service License (All-Inclusive): Web Filtering, DNS Filtering, Application Control, DLP, AV, IPS, Botnet (IP/Domain) and FortiSandbox Cloud
Ports: 4 x 10/100/1000 RJ45 | 2 x 10/100/1000 RJ45, 2 x 10/100/1000 RJ45 bypass, 2 x 1GbE SFP, 2 x 10GbE SFP+ | 4 x 10/100/1000 RJ45, 2 x 10/100/1000 RJ45 bypass, 2 x 1GbE SFP, 4 x 10GbE SFP+
Memory: 8GB | 64GB | 128GB
Storage: 4TB (2 x 2TB HDD) | 8TB (4 x 2TB HDD) (plus 4 x 2TB Optional) | 8TB (4 x 2TB HDD) (plus 8 x 2TB Optional)
SSL Hardware: 2 x CP9 | 2 x CP9 | 2 x CP9
Power Supply: AC power supply (Optional Dual) | Dual AC power supply | Dual AC power supply

All platforms support FIPS 140-2 and Common Criteria

FortiProxy VM Lineup (VM01-VMUL)

Specification: VM01 | VM02 | VM04 | VM08 | VM16 | VMUL
Base Features: Advanced Caching and WAN Optimization
User License: 100 Users | 100 - 500 Users | 100 - 2,500 Users | 100 - 10,000 Users | 100 - 25,000 Users | 100 - 50,000 Users
Hypervisor Support: VMware ESX/ESXi, KVM Platform and Microsoft HyperV
Service License: SWG Protection Bundle: Web Filtering, DNS Filtering, Application Control, DLP, Antivirus, IPS, Botnet (IP/Domain) and FortiSandbox Cloud
CPU: 2x vCPU | 4x vCPU | 8x vCPU | 16x vCPU | 32x vCPU | Unlimited vCPU
Memory: Unlimited (G) x RAM
Storage: 1 Disk | 2 Disks | 2 Disks | 4 Disks | 8 Disks | 16 Disks
Ports: Up to 10 Interface

Cloud Services

MICROSOFT AZURE
FEATURES
• SDN ready
• Cloud Integration
• BYOL
• PAYG in progress
BENEFITS
• Deployed on a with 3rd party cloud solution

AMAZON WEB SERVICE
FEATURES
• SDN ready
• Cloud Integration
• BYOL
• PAYG in progress
BENEFITS
• Deployed on a with 3rd party cloud solution

GOOGLE CLOUD
FEATURES
• SDN ready
• Cloud Integration
• BYOL planned
• PAYG planned
BENEFITS
• Deployed on a with 3rd party cloud solution

FortiProxy Licensing
FortiProxy License Offering
FortiProxy offers PAYG License (per “seat”) which allows the customer to scale according to his needs.

Benefits:
• Scalable performance without the need for hardware replacement
• Customers pay only for the exact capacity currently required, which prevents over-spending on the initial solution
• Overcomes capacity planning challenges
• Reduces the risk associated with data center growth for best investment protection

Licensing Model
• PAYG User Based Licensing – Minimum users required

1 Hardware / Virtual: Fixed Price (Include Advanced Caching and WAN Optimization + DNS Protection)
2 SWG Protection Bundle* (Web Filtering, DNS Filtering, Application Control, DLP, AV, Botnet IP/Domain and Sandbox Cloud) and Content Analysis (Optional)**: User-based Pricing
3 Support: 24x7 or 8x5

* Scale up to 50K users depend on HW/VM Model
** Equal to SWG Protection Bundle amount

Licensing Scenario 1
Number of seats: 5,000
Appliance Type: Hardware
Services and Support: SWG Protection Bundle, Content Analysis Service and 24x7 FortiCare Contract
Content Analysis: Required

1. Unit: FortiProxy-2000E. SKU: FPX-2000E. Description: FortiProxy2000E, 2xRJ45 GbE, 2xRJ45 GbE Bypass, 2xSFP GbE, 2xSFP+ 10GbE
2. SKU: FC-10-XY2KE-620-02-DD. Description: SWG Protection - Web Filtering, DNS Filtering, Application Control, DLP, AV, Botnet (IP/Domain), IPS, Sandbox Cloud. 500 User license with SWG Protection (Minimum order 5 and up to 30). 10 Orders
3. SKU: FC-10-XY2KE-160-02-DD. Description: Content Analysis Service. 500 User license (Minimum order 5 and up to 30). 10 Orders

Licensing Scenario 2
Number of seats: 3,000
Appliance Type: Virtual
Services and Support: SWG Protection Bundle, Content Analysis Service and 24x7 FortiCare Contract
Content Analysis: Not Required

1. Unit: FortiProxy-VM. SKU: LIC-FPRXY-VM08. Description: FortiProxy-VM08 software virtual appliance designed for VMware ESX/ESXi, Microsoft HyperV and KVM platform. 16 x vCPU core, 32GB RAM and 4TB Disk.
2. SKU: FC-10-XYVM8-621-02-DD. Description: SWG Protection - Web Filtering, DNS Filtering, Application Control, DLP, AV, Botnet (IP/Domain), IPS, Sandbox Cloud. 100 User license with SWG Protection license with 24x7 support (Minimum order 1 and up to 10). 30 Orders

SKU: FC-10-XYVM8-160-02-DD. Description: Content Analysis Service. 100 User license (Minimum order 1 and up to 10)

Deployment Modes & Scalability
Deployment Modes

Inline (L2/L3) Deployment (Transparent)
• Suitable for smaller enterprises (Less than 500 users)
• Deployed behind the NGFW
• Interesting traffic that needs to be inspected is configured on the proxy, and the remaining traffic is automatically bypassed to the NGFW

Explicit Deployment
• Suitable for larger enterprises
• Proxy can be deployed in any location within the enterprise
• Support for multiple PAC files allows flexibility

WCCP/PBR Deployment (Transparent)
• Suitable for larger deployments
• If distribution of PAC files is not convenient, WCCP or PBR mode is supported
• Policies are configured on the NGFW/Router to direct the interesting traffic to the proxy

High Availability
Active/Passive Failover
• Full configuration synchronization
• Seamless failover
• No downtime
• WCCP Load Balancing

Configuration-Sync
• Sync FortiProxy devices
• Seamless integration into already existing HA/LB environments

Active-Passive Cluster & Central Logging
[Diagram labels: Master, Passive; FortiProxy’s Active - Passive cluster; FortiAnalyzer; Logging via master; Configure]

Config Sync Cluster & Central Logging
[Diagram labels: Master, Slave, Slave; FortiProxy’s Config Sync cluster; FortiAnalyzer; Logging via master; Configure either one]

FortiProxy Vs. Broadcom
(Symantec <== Blue Coat)
Market Focus
Broadcom lacks focus or vision when it comes to a SWG solution.

“Broadcom is a hardware company and software isn't their core competency. Broadcom doesn't seem
to be a vision or roadmap for how it fits into Broadcom's existing software business…”

“As with recent Broadcom acquisitions (Brocade & CA Technologies), drastically cutting costs and
selling to only the largest clients is the preferred playbook to be followed with Symantec as well. This
strategy has left many customers with diminished support, end-of-life products, and technology that will
either be retired or no longer receive investments in either R&D or support.
• They will eliminate over $1 Billion in spending across R&D (40% cut) and Sales (82% cut)
• They will only focus on the Global 2000 customer base and essentially let the commercial accounts
churn out of their business” 1

1 https://www.observeit.com/blog/why-broadcoms-symantec-acquisition-wont-solve-their-insider-threat-problems/

Positioning Against Broadcom (Symantec <== Blue Coat)

Broadcom Strengths
• Public company and established brand
• Strong advertising
• Broad product lines
• Industry market leadership
• Leader in features
• Vast experience with SWG market

Broadcom Weaknesses
• Highest TCO
• Lack of Focus and vision on SWG market/customers
• Broadcom HW are expensive and underperform (SSL)
• Expensive configuration options
• Customers need to pay for each feature/module, making the product extremely expensive

FortiProxy Advantages
• Best Price/performance
• All features included at no extra cost
• FortiGuard Labs delivers robust, real-time threat intelligence from around the globe
• Part of Fortinet Security Fabric
• Strong security offering
• Superior GUI design, usability and visibility (FortiView)
• Integration with Fortinet products such as: FortiGate, FortiSandbox, FortiAnalyzer, FortiIsolator and FortiADC

FortiProxy Vs Broadcom - Features
Low Level Mid Level High Level
FortiProxy-400E ASG-200-X FortiProxy-2000E ASG-400-X FortiProxy-4000E ASG-500-X
Users (Seat) 500-4,000 500-2,500 2,500-15,000 1,000-25,000 10,000-50,000 10,000-50,000
Session per user 10 5 10 5 10 5
performance
Need to replace Need to replace
Memory/HDD Maximum value Maximum value Maximum value based on users* Maximum value based on users*
IPS  X  X  X
Antivirus      
DLP      
Anti-Malware Protection      
Web Reputation/Score      
Content Analysis/Filtering  Additional HW  Additional HW  Additional HW
Web & DNS Filtering      
Application Control      
Stateful Firewall  X  X  X
Modules / Features
Sandbox Cloud  Basic  Basic  Basic
Sandbox On-prem      
Web and Video Caching      
Cache Collaboration  X  X  X
Traffic Shapping/QoS Policy      
WAN Optimization      
Advanced WebUI  Basic  Basic  Basic
Advanced Visibility  Basic  Basic  Basic
Logging and Reporting  Basic  Basic  Basic
10/100/1000 Mbps Ports 4 2 4 2 6 2
Built-in Ports 10 Gbps Ports 0 0 2 0 4 1
Bypass Ports 0 2 2 2 2 2
Drive Disk Disk for Cache 4TB (2 TB x2) 2x 500GB 8TB (2 TB x2) 3-8x 1TB 8TB (2 TB x2) 8-16x 1TB

FortiProxy Key Differentiators

Backup
FortiProxy is a purpose-built forward SWG proxy with industry-rated FortiGuard services.

Price-Competitiveness
Seat licensing is incredibly attractive compared to the market. This translates to LOWER TCO for clients.

Effectiveness
FortiProxy licensing provides you double the amount of proxied-sessions compared to competitors (Broadcom/Symantec/Blue Coat) – This price advantage is especially key for clients thinking of replacing their Proxy with FortiProxy.

On-Box AI
New AI helps intelligently rate on the fly and on-box the images to reduce Weapons, Alcohol, Gore, Porn, Extremism, Swim/Underwear. This AI looks at actual content itself on a per image level.

Flexibility
Flexible Transparent and Explicit mode deployment options available via L2, L3, inline and out-of-path topologies. Even more flexible than Symantec Proxy deployment mode.

High availability
High availability through clustering and single cache storage through cache collaboration. Hence no external LB needed.

Maximum Performance
No performance degradation for SSL inspection. We all know once Symantec Proxy runs SSL, their performance will drop significantly.

Visibility
With FortiView, clients can see what is happening on networks in order to further refine policy

Seamless Integration
Seamless Integration with air gap isolation solution (FortiIsolator) to provide content to users in the most secure manner

Direct integration
Direct integration with FortiSandbox. For Symantec, they need CAS before they can connect to their Sandbox.

Summary
