The Fortinet FortiGate Next-Gen Firewall
I have had the pleasure of working with Fortinet’s FortiGate Next-Gen Firewall for a while now. Working with several security architects over the past few years, I have witnessed them face a major complexity hurdle: managing point products with no integration and a lack of visibility.
Research shows that by 2019, 80% of enterprise traffic will be encrypted, and 50% of attacks targeting enterprises will be hidden in encrypted traffic.
FortiGate utilises purpose-built security processors and threat intelligence security services to deliver top-rated protection and high performance, including for encrypted traffic. FortiGate reduces complexity with automated visibility into applications, users and the network, and provides security ratings to help adopt security best practices.
I have long regarded FortiGate as a leading firewall offering. Although there are several reasons I hold FortiGate in high regard, one of my favourite features on the FortiGate platform is Application Control.
FortiGate’s Application Control technologies detect, monitor and act against network traffic based on the application that generated the traffic. FortiGate also uses protocol decoders with signatures that analyse network traffic to detect application traffic, even if the traffic uses non-standard ports or protocols.
This deep level of inspection normally leads to reduced throughput. However, unlike a traditional security gateway, which relies heavily on CPUs for packet inspection, FortiGate’s hardware architecture allows FortiOS to automatically utilise appropriate hardware components to achieve optimal performance. This prevents the CPU from becoming a bottleneck.
In support of application control, the Content Processor (CP), which is a specialized ASIC chip that handles demanding cryptographic computation for SSL inspection and intensive signature matching, is used to offload these processes from the CPU. This enables FortiGate to minimize performance degradation when administrators opt for greater visibility, security and control.
At the time of writing, FortiGuard Application Control supports more than 4,100 applications, of which 310 fall within the “collaboration” category and 150 fall within the “social media” category. The social media applications include popular social media sites such as Facebook, Twitter, Snapchat, Pinterest and Instagram, to name a few.
For more up-to-date lists and figures, please visit:
So why is Application Control my favourite feature?
Let me validate why this is my favourite feature. In addition to giving network administrators granular control over what users can access, down to which functions they can use within a particular application (for example, logging in to Facebook is allowed but Facebook chat is disallowed), it can also expose the contents of chat messages and other valuable pieces of information. This allows Saasyan Assure to unlock the value of data and help schools better fulfil their pastoral care duties.
Saasyan Assure analyzes the data and notifies pastoral care staff and educators when students attempt to access inappropriate websites and videos, use potentially dangerous search keywords, or are involved in negative social media activity. Artificial Intelligence built into Assure helps teachers by automatically categorising abusive content.
Furthermore, enabling Application Deep Inspection on social media applications is extremely simple with FortiGate. It starts with creating an application sensor that monitors the social media category or a handful of social media apps, and setting the list action to Monitor. The Monitor action instructs FortiGate not to block these applications but to monitor and log their behaviour and payload. Once this is in place, you can assign this sensor to the security policy which allows the network users to access the Internet. Please note that to inspect all traffic, SSL/SSH inspection must be enabled.
Best of Breed Pastoral Care with FortiGate and Assure
Having accomplished the above, FortiGate exposes the chat messages sent over social media platforms through its logging mechanism, which feeds into Saasyan Assure. Assure in turn adds the required metadata, normalizes it, and passes all these chat messages through its alerts module, which detects profanity, cyber-bullying, self-harm, etc., and notifies the relevant people about such activity. It stores all this information in a cloud-based data warehouse, retains it for 12 months and makes it available for easy reporting and analysis.
Often, in school administration circles, you hear IT leaders talk about having to make a choice between an enterprise-grade firewall and a best of breed pastoral care system, because it is widely believed that you cannot have both without doubling up the investment. The fact is that when you leverage an enterprise-grade firewall such as Fortinet’s FortiGate and a best of breed pastoral care system such as Saasyan Assure, you are not making a compromise; you are betting on a winning combination, without necessarily overextending on your budgetary allocation.
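To make the logging-to-normalization step concrete, here is an added example (not Fortinet or Saasyan code) that parses FortiGate-style key=value log lines, keeps the application-control events for the social media category, and reports apps that are still blocked rather than monitored. The sample lines are constructed, the function names are hypothetical, and it assumes a monitored session is logged with action="pass".

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in FortiGate's key=value log layout (not real traffic).
SAMPLE_LOGS = [
    'date=2019-05-10 time=11:50:48 type="utm" subtype="app-ctrl" srcip=10.1.100.11 '
    'user="student01" appcat="Social.Media" app="Facebook_Chat" action="pass" '
    'msg="Social.Media: Facebook_Chat,"',
    'date=2019-05-10 time=11:51:02 type="utm" subtype="app-ctrl" srcip=10.1.100.12 '
    'user="student02" appcat="Video/Audio" app="YouTube" action="pass"',
    'date=2019-05-10 time=11:52:30 type="traffic" subtype="forward" srcip=10.1.100.11 '
    'action="accept"',
    'date=2019-05-10 time=11:53:10 type="utm" subtype="app-ctrl" srcip=10.1.100.13 '
    'appcat="Social.Media" app="Instagram" action="block"',
]

# A value is either double-quoted (may contain spaces) or a bare token.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {k: (quoted if bare == "" else bare)
            for k, quoted, bare in _PAIR.findall(line)}

def normalize(rec):
    """Map raw fields to the record a downstream alerting system would store."""
    stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return {
        "timestamp": stamp.isoformat(),
        "who": rec.get("user") or rec["srcip"],    # fall back to IP if no user
        "app": rec["app"],
        "monitored": rec.get("action") == "pass",  # assumption: Monitor logs "pass"
    }

def social_media_events(lines, category="Social.Media"):
    """Keep only application-control events for the monitored category."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") == "app-ctrl" and rec.get("appcat") == category:
            events.append(normalize(rec))
    return events

def blocked_apps(events):
    """Apps in the category that are blocked, so not covered by Monitor."""
    return Counter(e["app"] for e in events if not e["monitored"])

if __name__ == "__main__":
    for event in social_media_events(SAMPLE_LOGS):
        print(event)
```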