Enable Deep Visibility for Applications,
Users, and Devices with FortiGate
Next-Generation Firewalls
Executive Summary
Traditional firewalls are typically only able to allow or block connections based
on port and protocol. However, network access is now dynamic and contextual,
operating under zero-trust principles. In addition, the modern enterprise is hybrid,
spanning on-premises data centers, public clouds, corporate branches and
campuses, as well as remote sites. Today's IT teams require deep visibility into
applications, users, and devices to defend enterprise networks against cyberthreats
across the entire environment, but this is often a challenge.
Compounding the visibility problem is that almost all internet traffic is now
encrypted. Enterprises are finding large swathes of network blind spots as they
shift from expensive hub-and-spoke architectures to distributed models with direct
internet access at sites. Malicious actors can exploit these network gaps, hiding
threats in encrypted traffic.
Over 95% of internet traffic is now encrypted.¹
FortiGate Next-Generation Firewalls (NGFWs) deliver the visibility into encrypted traffic and user, application, and device activity
necessary to build contextual, evolving network and security policies that secure digital transformation. FortiGate NGFWs can
identify and control all users, applications, and devices on the network with advanced data collection and analysis techniques.

IT domains, covering the entire network infrastructure.
Application Control
The FortiGuard Application Control Service attaches to FortiGate NGFWs and quickly identifies known and unknown
applications traversing the network. It enables easy creation of policies to allow, deny, and restrict access to applications,
certain functions within applications, and application categories.
SOLUTION BRIEF
FortiGate NGFWs can identify applications not only by matching their port and
protocol but also by the application signature, heuristic behaviors, and other
identifying indicators. With a combined look at application signatures and internet

control rules. Below are some ways FortiGate identifies applications beyond

Application signatures: Allowed network traffic is assigned a signature based
on transaction characteristics and whether the application port is default or
nonstandard. Traffic is scanned for threats and deep analysis.
Encryption: 


decrypted, and application signatures are applied again on the decrypted flow.
…companies that inspected incoming traffic said that 70% of malware came in over an encrypted connection.²
Decoders: If the application protocol is known, it is then used to apply additional context-based signatures to detect
other applications that may be tunneling inside of the protocol. Decoders validate that the traffic conforms to the protocol


Heuristics: FortiGate heuristic analysis uses behavioral analytics to determine the identity of evasive applications. This


analysis.
If the FortiGate is unable to identify an application based on its signature, then it will rely on behavioral characteristics
through heuristics, classifying the previously unknown application into an existing application group and applying dynamic
filters or policy-based forwarding to achieve the desired result.
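An illustrative model of this layered identification (a content signature applied regardless of port, a decoder that checks protocol conformance, and a heuristic fallback that places unknown traffic in an existing group), added here as an example. It is not FortiGate or FortiGuard code; the signatures, the sample flows and the group names are constructed for the demonstration.

```python
"""Toy port-independent application identification (added example, not FortiGate code)."""
from dataclasses import dataclass, field
import re


@dataclass
class Flow:
    dst_port: int
    payload: bytes                         # first client bytes (constructed sample data)
    pkt_sizes: list = field(default_factory=list)


# Constructed signatures: (name, pattern over the payload, default port). Not FortiGuard's.
SIGNATURES = [
    ("HTTP", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n"), 80),
    ("TLS", re.compile(rb"^\x16\x03[\x01-\x03].{2}\x01", re.DOTALL), 443),  # ClientHello
]


def match_signature(flow):
    """Match on content, so HTTP on 8080 is still HTTP; flag a nonstandard port."""
    for name, pattern, default_port in SIGNATURES:
        if pattern.match(flow.payload):
            return name, flow.dst_port != default_port
    return None, False


def decode_http(flow):
    """Decoder: require a well-formed request head with a Host header, return the host."""
    head = flow.payload.split(b"\r\n\r\n", 1)[0]
    host = re.search(rb"\r\nHost: ([^\r\n]+)", head)
    return None if host is None else host.group(1).decode()   # None: not valid HTTP


def heuristic_group(flow):
    """Fallback on behaviour: a run of equal-sized packets looks like a bulk transfer."""
    if len(flow.pkt_sizes) >= 4 and len(set(flow.pkt_sizes)) == 1:
        return "bulk-transfer"
    return "unknown"


def classify(flow):
    """Signature first, then decoder validation, then heuristics for what is left."""
    app, nonstandard = match_signature(flow)
    if app == "HTTP":
        host = decode_http(flow)
        if host is None:                   # signature hit but protocol does not conform
            return {"app": "unknown", "group": heuristic_group(flow)}
        return {"app": "HTTP", "host": host, "nonstandard_port": nonstandard}
    if app == "TLS":
        return {"app": "TLS", "nonstandard_port": nonstandard}
    return {"app": "unknown", "group": heuristic_group(flow)}
```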
Identifying applications can provide meaningful context about the network. FortiGate can reveal information about the
inherent function, application ports, protocol, technology, and behavioral characteristics of the application, which enables IT
teams to make confident and informed access policies. Once the team understands how an application is being used on the
network, a variety of policies and responses beyond allow and block can be applied.
FortiGuard Application Control also allows organizations to build policies and control functions within each application.
Examples include:
• Allowing access to Facebook but blocking Facebook Messenger file transfers
• Letting users access Gmail but disabling Google Chat
• Blocking file uploads to Dropbox, Box, or Google Drive
• Filtering unwanted video categories from being viewed on YouTube
FortiOS, the FortiGate operating system, provides extensive visibility into application usage in real time, as well as trends over
time through views, visualizations, and reports. Application control keeps malicious, risky, and unwanted applications out of
the network through control points at the perimeter, in the data center, and internally between network segments.
User Identification


FortiGate user identification provides better visibility into network activity and detection against malicious or damaging
behavior. FortiGate user identification identifies users across operating systems in any location, providing improved visibility
into application usage based on users. This gives IT teams a more relevant picture of network activity.
SOLUTION BRIEF: Enable Deep Visibility for Applications, Users, and Devices with FortiGate Next-Generation Firewalls
The power of user identification becomes evident when an unfamiliar application is found on the network. Whether using

• The application
• The user
• Bandwidth and session consumption
• Source and destination of the application traffic
• Any associated threats
User mapping

information can be mapped to security policies for safer network usage, reserving application access only for those who have a

at the same time setting more stringent policies for sensitive applications like pen-testing tools or remote desktop controllers.
Group mapping
Defining policy rules based on user groups can simplify IT management, as policies and rules are already in place and do not
need to be reconfigured when adding new users to groups. FortiGate can apply these rules and group updates, supporting
a variety of directory servers, including Microsoft AD, Novell eDirectory, and Sun ONE Directory Server. After enabling user
identification and leveraging group mapping, security policies can be configured for specific users and groups. These include

safely enable applications based on users and groups of users, in either outbound or inbound directions.
Examples of user-based and group-based policies include:
• Allow sales to access Salesforce and Microsoft 365
• Allow all users to watch YouTube but block specific video categories

deep user insight and automate policy controls.
Device identification
While user identification provides user-based policy, and application identification provides app-based policy, device

traceability for devices and associating network events with specific devices, device ID delivers context for how events relate to


With FortiGate, advanced device policies and prioritization can be categorized by:
• Class, such as secure networked devices
• Critical devices, such as servers and medical devices
• Environmental devices, like badge readers, cameras, and fire alarms
SSL/TLS 1.3 decryption
Given that malware is regularly hidden in encrypted traffic, it’s critical that encrypted traffic is examined. FortiGate NGFWs deliver

based on sites or categories. With Fortinet’s high-performance proprietary security processing units, there is no need to choose
between security and performance.
Central and unified management
Centralized and unified management is the most critical capability of an HMF. If separate domains, such as corporate sites, public
and private clouds, and remote workers, require protection via separate dashboards, then IT complexity increases while visibility is
greatly reduced.

unified, and automated protection that extends from corporate sites to the cloud and remote workers. And because different
organizations have different requirements for managing their dispersed network firewalls, all form factors of the centralized



FortiGuard AI-Powered Security Services
With over 8 million sensors deployed around the world, FortiGate NGFWs are able to leverage the latest global threat intelligence




3
shows that FortiGate NGFWs are 99.88% effective against malicious exploits and evasions.
Conclusion
Identifying applications, users, and devices on the network is an important capability
in managing and securing enterprise networks. FortiGate NGFWs are known for
their advanced visibility and control over network traffic, as well as unparalleled
performance. FortiGate defines and automates policies that ensure appropriate
use, stop threats, and reduce the enterprise attack surface. Centralized and unified
management integrates the FortiGate appliance with other security form factors,
such as virtual firewalls, cloud-native firewalls, and Firewall-as-a-Service, to build a


most advanced attacks.
1


Network Encryption: A Double-edged Sword for Cybersecurity
3



conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.
www.fortinet.com

