FORTINET XPERT SUMMIT
FORTINET XPERT SUMMIT - July 5th to 9th 2021
Our expert Consultants are Fortinet certified and can conduct all sorts of integrations requiring Fortinet devices (SDWAN, SDBRANCH, Cloud Security, etc…)
We are one of the only cybersecurity and IS performance Consulting firms in France to have two specializations: Datacenter and Secure SD-WAN.
I have had the opportunity to attend the FORTINET XPERT SUMMIT EMEA Digital Edition.
It was a great opportunity to learn about the new features and best practices, and also to practice some labs with products that we may not encounter very often, or with newer versions of known products.
My overall impression of these 5 days is good, with some big surprises that many people were not aware of…
I attended the following sessions:
- Meet the FortiManager 7.0!
- Cybersecurity engineered for operational technology
- Microsoft Azure connectivity and deployment
- Combining AWS gateway load balancer and Fortigate to create a scalable security infrastructure.
- Google Cloud architectures lessons learned.
- FORTINET solutions for Kubernetes.
- Simplify your internet browsing protection with AI and isolation.
Below is a quick overview of what I have learned and retained from each.
Meet the FortiManager 7.0!
This session was essentially about presenting the new features and capabilities of the latest version of FortiManager. FortiManager becomes more and more important in the global FORTINET strategy regarding SD-WAN and SD-BRANCH. As you may know, FORTINET has opted against a central control plane for its SD-WAN and SD-BRANCH approach; it uses a distributed approach where the intelligence sits inside each FortiGate device.
FortiManager has de facto become the only device that provides a central point of management and configuration for the whole FORTINET ecosystem.
This new version is more about small features and GUI enhancements.
GUI reorganization, the ability to search for an object across the whole FortiManager, and device faceplates are now available.
It is now possible to add change notes to policies and objects (to keep track of why a policy was deployed). I suspect that in the future an integration with ITSM tools like ServiceNow will be possible, to correlate a change directly with an incident or a ticket.
Support for ADOM 7.0 and ADOM mixed mode (6.2 and 6.4 together, with the possibility to upgrade a 6.2 ADOM to 6.4 and to push policy packages to both 6.2 and 6.4 devices).
Custom metafields can now be used not only in CLI templates but also in other templates (SD-WAN, Interface, Static Route, etc…) and bound to the device we want.
FortiCloud SSO is now compatible with FortiManager.
Conclusion: some features are very useful, like the metafields that can be used almost everywhere, but this version is mostly about the look and feel, to attract new customers and people moving from other vendors like Meraki (where the GUI is beautiful and efficient).
Cybersecurity engineered for operational technology
Operational Technology is a main focus for many companies right now, and the attacks reported in the news over the past years have exposed to the world the lack of security in OT and the necessity to take a deeper look at the security of operational technology.
FORTINET has a complete set of solutions to address all the components in this area. My personal opinion is that FORTINET is the only vendor with a solution for each problem we can encounter in OT (I am not saying that all companies should go all in for FORTINET).
The session started with some numbers and findings from analysts (Gartner):
Organizations want to orchestrate and automate their security and their reporting.
Organizations want to have 100% visibility, and 75% of OT security solutions will be delivered by IT security solutions.
Purdue model is still the main model in use as the baseline.
FORTINET proposes a 3-step strategy to secure OT environments: visibility – control – flexibility.
The zero trust architecture can help companies achieve this.
The presenter showed us 3 approaches / technologies that FORTINET uses to secure OT environments, for example:
- Access VLAN on a FortiSwitch tied to a FortiGate via FortiLink; this feature provides network segmentation and micro-segmentation in OT environments by having the traffic of all the devices belonging to the same VLAN filtered by the FortiGate. This feature is very good because in OT environments we are often not able to modify the IP address of the devices, while the need to secure and segment remains.
Today I think only Cisco with SD-Access is able to provide more or less the same feature.
- Virtual Patching / Virtual Shielding: uses the FortiGate IPS functionality to block all known attacks and exploits. This virtual patching is available for operating systems and PLCs.
- Cybersecurity Operations with FortiSIEM: using the FortiSIEM business service for OT, by analyzing logs and incidents FortiSIEM is able to alert if any specific OT-related risk is about to occur. FortiSIEM can also represent any threat using the MITRE ATT&CK framework.
The most common use cases seen by FORTINET in the OT industry are: Secure Remote Access, Network Visibility, Network Segmentation, Advanced Threat Protection, Centralized Management, Logging, Monitoring & Reporting.
Public Cloud with FORTINET
This section covers the 3 topics related to Public Cloud with FORTINET:
- Microsoft Azure Connectivity and Deployment.
- Combining AWS Gateway Load Balancer and Fortigate to Create a Scalable Security Infrastructure.
- Google Cloud Architectures Lessons Learned.
The focus for this XPERT SUMMIT was on the 3 major CSPs (Azure, GCP and AWS), and the use cases were mostly about IaaS.
The statement from FORTINET is loud and clear: the cloud is the future and the future is now.
The 3 sessions were very well detailed (especially the AWS session).
The cloud transformation journey is a 3-step process:
1- Lift and shift application : single virtual network.
2- Expand cloud network : multiple virtual network with north-south and east-west security.
3- Deploy cloud native architecture : enter the MultiCloud.
Thanks to their native integration with all the major CSPs, FORTINET enables us to:
- Easily interact with our workload located inside the public Cloud.
- Connect the public Cloud to on-premise location.
- Create a bridge between different Public Clouds via a FortiGate device.
- and many more…
For each Cloud Provider, we have 2 main deployment options: the high availability mode and the scaled mode. These deployment options behave much the same in every CSP where we have a FortiGate.
The high availability mode can be achieved via a load balancer sandwich or via the SDN connector. It is important to note that every time you have to deal with a load balancer in the Cloud, you will in most cases end up with SNAT being applied: the FortiGate will not see the real IP of the external devices whose traffic goes through it; instead it will see the load balancer IP.
In the Public Cloud we should design the architecture for resilience first, whereas on-premise we design the architecture for availability first.
Many tips and best practices were given regarding how and when to use the SDN connector, Load Balancer, Transit Gateway, Azure vWAN and also the AWS Gateway Load Balancer.
AWS Gateway Load Balancer is a great feature at first sight, but be careful when you use it, because it comes with many constraints and it makes the traffic flows more complex. We should always ask the customers why they want to use this feature before starting to implement it.
FORTINET also focused on why its FortiGate firewall in AWS is better than the AWS managed native firewall.
These 3 sessions were very interesting for technicians with an already good knowledge and know-how in Public Cloud. The Gateway Load Balancer (GWLB) explanation requires more than standard AWS knowledge.
FORTINET solutions for Kubernetes
This session was a discovery session for me.
As usual we started with a definition and the "why" of Kubernetes, which is an important point to highlight.
Kubernetes allows us to decouple infrastructure and scaling (natively load balanced, scales up and down dynamically, self-healing capability).
The CNF recommendations to secure a Kubernetes cluster are: TLS everywhere, use RBAC, disable ABAC, use SSO, separate the Kubernetes components.
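The recommendations listed above are the kind of thing an auditor checks on the control plane before looking at any third-party product. The script below is an added example, not part of the original post and not a Fortinet tool: it parses a kube-apiserver command line and reports which of the points (TLS everywhere, RBAC on, ABAC off, SSO via OIDC) are not met. The kube-apiserver flag names used are real upstream flags; the two command lines at the bottom are constructed samples, and the "separate the components" point is an architecture question that a flag check cannot cover.

```python
"""Audit a kube-apiserver command line against the hardening points listed
above: TLS everywhere, RBAC enabled, ABAC disabled, SSO (OIDC) configured.

Added example for this write-up; not a Fortinet tool. The flag names are
real kube-apiserver flags, the sample command lines below are constructed.
"""
import shlex


def parse_flags(cmdline: str) -> dict:
    """Turn '--flag=value' / '--flag value' / bare '--flag' into a dict.
    A repeated flag keeps its last value, as the real binary would."""
    flags = {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok[2:].split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                key, val = tok[2:], tokens[i + 1]
                i += 1
            else:
                key, val = tok[2:], "true"   # boolean flag given without a value
            flags[key] = val
        i += 1
    return flags


def audit_apiserver(cmdline: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    f = parse_flags(cmdline)
    findings = []

    # Authorization: RBAC must be on, ABAC and AlwaysAllow must be off.
    # Historically the flag defaulted to AlwaysAllow when absent.
    modes = [m for m in f.get("authorization-mode", "AlwaysAllow").split(",") if m]
    if "RBAC" not in modes:
        findings.append("RBAC not in --authorization-mode")
    if "ABAC" in modes:
        findings.append("ABAC enabled in --authorization-mode")
    if "AlwaysAllow" in modes:
        findings.append("AlwaysAllow in --authorization-mode")

    # Unauthenticated requests are accepted unless explicitly disabled.
    if f.get("anonymous-auth", "true").lower() != "false":
        findings.append("--anonymous-auth not disabled")

    # TLS everywhere: serving cert, client CA, and etcd client certs.
    for key in ("tls-cert-file", "tls-private-key-file", "client-ca-file"):
        if key not in f:
            findings.append(f"--{key} missing (TLS everywhere)")
    if "etcd-certfile" not in f or "etcd-keyfile" not in f:
        findings.append("etcd client TLS not configured")
    if f.get("insecure-port", "0") != "0":
        findings.append("--insecure-port enabled (plaintext API listener)")

    # SSO: an OIDC issuer is the usual way to plug the cluster into IdP logins.
    if "oidc-issuer-url" not in f:
        findings.append("--oidc-issuer-url missing (no SSO)")
    return findings


# Constructed samples: a weak control plane and a hardened one.
WEAK_CMD = (
    "kube-apiserver --authorization-mode=ABAC,AlwaysAllow "
    "--authorization-policy-file=/etc/kubernetes/abac.json --insecure-port=8080"
)
HARDENED_CMD = (
    "kube-apiserver --authorization-mode=Node,RBAC --anonymous-auth=false "
    "--tls-cert-file=/etc/kubernetes/pki/apiserver.crt "
    "--tls-private-key-file=/etc/kubernetes/pki/apiserver.key "
    "--client-ca-file=/etc/kubernetes/pki/ca.crt "
    "--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt "
    "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt "
    "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key "
    "--oidc-issuer-url=https://sso.example.invalid --oidc-client-id=kubernetes"
)

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_CMD), ("hardened", HARDENED_CMD)):
        print(name, audit_apiserver(cmd) or "OK")
```

On a kubeadm cluster the command line to feed in is the `command:` list of the kube-apiserver static pod manifest under /etc/kubernetes/manifests; on a managed cluster the provider owns these flags and you verify the equivalent settings in its console instead.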
FORTINET has solutions to protect the periphery and the inside of a Kubernetes cluster.
FortiWeb can be used to route HTTP and HTTPS traffic from outside to inside the Kubernetes cluster; FortiWeb communicates with the Kubernetes ingress controller via API.
FortiCWP has a dedicated license for containers that allows scanning the images used by the CI/CD pipeline, looking for vulnerabilities or infected images. We also have a CI/CD benchmark to compare security best practices with other implementations.
FortiADC can be used as a load balancer for a Kubernetes cluster.
FORTINET can secure the east-west traffic inside a pod via its partnership with Tigera (Calico), and goes beyond that because the Calico product can communicate with FortiSIEM for log management and analysis, and with FortiManager to pull policy from a central repository.
FORTINET's approach to reducing the Kubernetes attack surface is to:
1 – Secure the management infrastructure
2 – Secure network communication
3 – Secure container and code
Simplify your internet browsing protection with AI and Isolation
I need to let you know that I chose this session in despair, because it was the only one remaining. My initial thought was: "Why does FORTINET push for a proxy while this market seems to be swallowed by Cloud security companies like Zscaler, Netskope, etc.?"
My second question was: "What lies beyond the FortiIsolator?"
About the proxy market I was totally wrong. The secure web gateway (SWG) market will reach $10.9B by 2024.
The Remote Browser Isolation has a low market penetration (1-5 %) and will reach $6.6B by 2027.
This is a huge opportunity for any security vendor like FORTINET.
FortiProxy is, I think, a proxy (or rather a secure web gateway) as usual, with a pinch of machine learning to help improve the detection of websites and/or content a company wants to filter.
FortiIsolator blew my mind with a simple concept: a containerized web browser executes the page before the result is transferred to the browser of the end user.
As soon as the page is rendered by the FortiIsolator, the container is destroyed and a fresh one is ready to receive a new request.
The FortiIsolator is a kind of zero trust browsing.
The integration between FortiProxy and FortiIsolator is quite obvious: you apply FortiProxy first for your web traffic; and for the categories where you are in doubt, you send this traffic to the FortiIsolator for a second round of inspection.
FortiIsolator can also be integrated with FortiMail in order to secure all the links inside emails and render them before sending the result to the end user, providing a very efficient tool against phishing.
FortiProxy and FortiIsolator are only available on-premise: physical hardware or VM (VMware ESX and Nutanix AHV); if you want a Cloud-based solution today, it is not possible.
I suspect that FORTINET will at least integrate the FortiIsolator into their FortiSASE solution in order to offer a cloud-based Zero Trust Browsing solution.
Senior IT Consultant & Manager at EVA Group