Key components
When planning your AMP deployment, consider these components in your design and configuration.
Component | Description |
---|---|
Security Profiles | Security profiles carry the AMP configuration: the AntiVirus and SSL/SSH Inspection profiles define which features are used and how they behave. |
Firewall Policy | In addition to matching traffic, the policy specifies which security profiles are applied to the matched traffic. |
High Availability | Provides greater processing throughput and adds the benefit of redundancy. |
VDOMs | Useful for separating traffic that must be processed or evaluated differently, for example for multi-tenancy, or to keep management traffic apart from business traffic. |
Logging | Deepens your insight into traffic patterns and trends, and records the actions taken in the event of a malware incident. |
Quarantining | When a malware event is identified, quarantining helps prevent the infection from spreading. |
Air-gapped Deployments | Disallowing internet connectivity for a network greatly reduces its exposure, but makes it harder to keep AV engines and signatures up to date without a connection to the FortiGuard network. |
Security profiles & Sandboxing
To implement advanced malware protection, there are two security profiles you must consider: Antivirus and SSL/SSH inspection.
Antivirus security profile
The AV security profile controls which AMP features are enabled and how each of them behaves. You can use some or all of them in a deployment: review the features, select those you need, and check the requirements of each before enabling it, because some features are only available in proxy mode. A complete listing of the differences between flow and proxy mode is in the FortiGate Admin Guide.
An AV security profile inspects only the protocols you enable in it:
Feature | Description |
---|---|
Inspected Protocols | Enable a protocol to have its sessions inspected: HTTP, SMTP, POP3, IMAP, FTP, and CIFS. Disabled protocols are not inspected. MAPI and SSH can be inspected in proxy-based mode only. |
The following Advanced Persistent Threat (APT) protection features are available:
Feature | Description |
---|---|
Content Disarm and Reconstruction | Available in proxy-based mode when at least one protocol is enabled for inspection and AntiVirus scan is enabled. Active content such as macros and embedded scripts is stripped from documents before they are delivered. See Content disarm and reconstruction for more details. |
Treat Windows executables in email attachments as viruses | Enable to treat every Windows executable found in email traffic as a virus, regardless of signature matches. |
Send Files to FortiSandbox for Inspection | Enable to send files to FortiSandbox for inspection. The FortiSandbox connection must be enabled. |
Use FortiSandbox database | Enable to use the signature database learned from FortiSandbox verdicts. The FortiSandbox connection must be enabled. |
Send files to FortiNDR for inspection | Available in proxy-based mode when at least one protocol is enabled for inspection, AntiVirus scan is enabled, and FortiNDR is enabled. See Using FortiNDR inline scanning with antivirus for more details. |
Include mobile malware protection | Enable to use the FortiGuard mobile malware protection database for content scanning. |
Quarantine | Available when at least one protocol is enabled for inspection and AntiVirus scan is enabled. Enable to quarantine infected files. |
Additionally, to prevent virus outbreaks, you can use various lists and databases to further protect your endpoints:
Feature | Description |
---|---|
Use FortiGuard outbreak prevention database | Enable to use the outbreak prevention database that is available with Advanced Malware Protection on FortiGuard. A license is required. See FortiGuard Subscriptions and FortiGuard Bundles for more details. |
Use external malware block list | Enable to use one or more external block lists of file hashes. See External malware block list and Malware hash threat feed for more details. |
Use EMS threat feed | Available when at least one protocol is enabled for inspection and AntiVirus scan is enabled. Enable to use malware threat feeds from FortiClient EMS. A FortiClient EMS Fabric connector with EMS threat feed enabled is required. See EMS threat feed for more details. |
For more information, see the Antivirus chapter in the FortiGate Admin Guide.
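As an added example that is not part of this guide, the following FortiOS CLI fragment builds a proxy-mode AntiVirus profile that turns on the features in the tables above, together with the external hash feed it references. FortiOS 7.2 or later syntax is assumed; the profile name `av-proxy-amp`, the feed name `malware-hash-feed`, the feed URL, and the existence of a FortiClient EMS Fabric connector are assumptions for illustration.

```fortios
# Added example (not from the guide): proxy-mode AntiVirus profile enabling the
# APT and outbreak-prevention features tabled above. FortiOS 7.2+ syntax assumed;
# "av-proxy-amp", "malware-hash-feed" and the feed URL are placeholders.
config system external-resource
    edit "malware-hash-feed"
        # Malware hash feed: one MD5/SHA-1/SHA-256 per line, re-fetched every 5 min.
        set type malware
        set resource "https://feeds.corp.example/malware-hashes.txt"
        set refresh-rate 5
    next
end
config antivirus profile
    edit "av-proxy-amp"
        set comment "AMP: proxy mode, CDR, outbreak prevention, hash feeds"
        # Proxy mode is required for CDR, MAPI/SSH inspection and FortiNDR.
        set feature-set proxy
        # Per protocol: "block" drops matching files, "monitor" only logs them.
        config http
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set content-disarm enable
        end
        config smtp
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set content-disarm enable
            # Treat Windows executables in email attachments as viruses.
            set executables virus
        end
        config imap
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set content-disarm enable
            set executables virus
        end
        config pop3
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
            set content-disarm enable
            set executables virus
        end
        config ftp
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
        end
        config cifs
            set av-scan block
            set outbreak-prevention block
            set external-blocklist block
            set quarantine enable
        end
        # CDR: keep the original (undisarmed) file on disk for later analysis.
        config content-disarm
            set original-file-destination quarantine
        end
        # Outbreak prevention also looks inside archives (license required).
        set outbreak-prevention-archive-scan enable
        # FortiSandbox signature database and FortiGuard mobile malware database.
        set analytics-db enable
        set mobile-malware-db enable
        # External hash feed defined above, and the FortiClient EMS threat feed
        # (requires an EMS Fabric connector with the threat feed enabled).
        set external-blocklist "malware-hash-feed"
        set ems-threat-feed enable
    next
end
```

Because the profile uses `feature-set proxy`, it can only be applied to firewall policies whose inspection mode is proxy; a flow-mode policy will not accept it. Start with `monitor` on the external-blocklist action until the quality of the hash feed has been confirmed, then switch to `block`.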
Sandboxing
Sandboxing is a technique for detecting zero-day malware and viruses by executing suspicious files in an isolated, instrumented environment. Because the environment is controlled, the file is allowed to download and run its payload, and the observed behaviour is used to identify potential threats.
Sandboxing takes time to execute, so there are two modes of protection:
- Post-transfer scanning – the FortiGate sends new, unknown suspicious files to a FortiSandbox for analysis. Before a verdict is returned, the file is allowed to pass through the policy. If the verdict is malicious, the file's signature is added to the FortiSandbox signature database, which is synchronized to the FortiGate, so future downloads of that file match the signature and are blocked by the security profile. The first copy has already reached the endpoint, so plan for endpoint follow-up on that initial download. With the Advanced Threat Protection bundle, Sandbox SaaS, also known as FortiGate Cloud Sandbox, is included in the subscription, enabling FortiGates to send suspicious files to the FortiGate Cloud Sandbox for post-transfer scanning. See Using FortiSandbox post-transfer scanning with antivirus for more details.
- Inline scanning – the FortiGate sends new, unknown suspicious files to a FortiSandbox for analysis and holds the file until a verdict is returned. Malicious files are blocked inline, at the cost of added latency on the transfer while the verdict is pending. Inline scanning requires a FortiSandbox appliance, FortiSandbox Cloud, or the FortiGuard Inline Malware Prevention System subscription. See Using FortiSandbox inline scanning with antivirus for more details.
See Configuring sandboxing for more details.
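The following FortiOS CLI fragment is an added example, not the guide's own configuration: it connects a FortiGate to a FortiSandbox and selects between the two modes described above on an AV profile. FortiOS 7.2 or later syntax is assumed; the server and source addresses, the profile name `av-proxy-amp`, and the presence of the `fortisandbox-timeout-action` setting (which is not in every release) are assumptions.

```fortios
# Added example (not from the guide): FortiSandbox connection and scan mode.
# FortiOS 7.2+ syntax assumed; IPs and the profile name are placeholders.
config system fortisandbox
    set status enable
    # FortiSandbox appliance address. For FortiSandbox Cloud / FortiGate Cloud
    # Sandbox use "set forticloud enable" instead of a server address.
    set server "10.0.20.5"
    set source-ip 10.0.20.1
    # Required for inline scanning; not needed for post-transfer scanning.
    set inline-scan enable
end
config antivirus profile
    edit "av-proxy-amp"
        # Post-transfer scanning (file delivered, verdict learned afterwards):
        #     set fortisandbox-mode analytics-suspicious
        # Inline scanning (file held until the verdict arrives):
        set fortisandbox-mode inline
        # Largest file (MB) submitted; larger files are not sent to the sandbox.
        set fortisandbox-max-upload 10
        # Behaviour when FortiSandbox is unreachable or returns an error:
        # "log-only" fails open (file passes, event logged); "block" fails closed.
        set fortisandbox-error-action log-only
        # Behaviour when the inline verdict does not arrive in time. Assumed to
        # exist on your release; remove the line if the CLI rejects it.
        set fortisandbox-timeout-action log-only
        # Use verdicts already learned by the sandbox as local signatures.
        set analytics-db enable
    next
end
```

The error and timeout actions are the settings that decide whether an outage of the sandbox turns into an outage of file transfers: `log-only` keeps traffic flowing but lets unknown files through during the outage, `block` does the opposite. Choose per policy according to which failure the network can tolerate.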
SSL/SSH Inspection security profile
SSL/SSH inspection controls how encrypted traffic is processed. With deep inspection, the FortiGate decrypts the session, inspects the cleartext, and re-encrypts it towards the destination; without it, the AV profile cannot see the content of TLS-protected downloads. Deep inspection is highly recommended, because encrypted traffic comprises the vast majority of internet traffic. When implementing deep inspection, give careful consideration and intentional planning to certificate use and management: the FortiGate re-signs server certificates with a certificate authority (CA) certificate it holds, and that CA must be trusted by the endpoints for which deep inspection is performed, otherwise clients receive certificate errors. See Deep Inspection in the FortiGate admin guide.
SSL inspection can also be applied to encrypted traffic destined for an internal server. The Protecting SSL Server option of the SSL/SSH Inspection profile is typically applied to an inbound firewall policy for clients on the internet that access a server behind the FortiGate. The FortiGate uses the protected server's own certificate to impersonate the real server, which enables it to decrypt and inspect traffic destined to that server. Therefore, a valid server certificate, together with its private key, must be installed on the FortiGate to enable traffic inspection. You can read more about protecting an SSL server in the FortiGate admin guide.
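As an added example that does not come from the guide, the FortiOS CLI below defines one SSL/SSH profile for outbound deep inspection and one for protecting an internal HTTPS server, then binds each to a proxy-mode firewall policy together with an AV profile. Interface names, address objects, the certificate names `Fortinet_CA_SSL` (the default FortiGate CA) and `www-example-com` (a server certificate assumed to be installed with its key), and the AV profile name `av-proxy-amp` are placeholders.

```fortios
# Added example (not from the guide): outbound deep inspection, inbound
# protected-server inspection, and the policies that bind them to AV.
# Interfaces, addresses, certificate and profile names are placeholders.
config firewall ssl-ssh-profile
    edit "deep-inspection-amp"
        set comment "Outbound: re-sign server certs with the CA clients trust"
        # Re-sign mode: the FortiGate issues a certificate per site from this CA;
        # the CA must be distributed to every endpoint behind this policy.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
    next
    edit "protect-web-server"
        set comment "Inbound: present the real server certificate"
        # Replace mode: the FortiGate terminates TLS with the server's own
        # certificate and private key, so no client-side trust change is needed.
        set server-cert-mode replace
        set server-cert "www-example-com"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
config firewall policy
    edit 10
        set name "outbound-amp"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Proxy mode because the AV profile uses "feature-set proxy".
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-amp"
        set av-profile "av-proxy-amp"
        set logtraffic all
    next
    edit 20
        set name "inbound-web-amp"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-www"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "protect-web-server"
        set av-profile "av-proxy-amp"
        set logtraffic all
    next
end
```

The two profiles fail differently when the certificate material is wrong: with `re-sign`, a missing CA on the client shows up as browser certificate warnings; with `replace`, a certificate installed without its private key cannot be selected as `server-cert` at all, so the policy never inspects.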
NGFW Firewall policy modes
FortiGates have two firewall policy modes: profile-based and policy-based.
Profile-based NGFW mode
Profile-based NGFW mode matches traffic on L2, L3 and L4 header fields (interfaces, addresses, and services). It uses security profiles, which define how a given protection is applied; for example, a web-filtering profile defines which categories of sites are blocked for users, and additional web-filtering profiles can be created so that different policies apply web filtering differently. This mode is both the default and the preferred mode on the FortiGate, and it is the only mode discussed in this guide.
When implementing profile-based advanced malware protection, you must select flow- or proxy-mode inspection on each policy. Be consistent with the mode across policies where possible. Flow mode is the preferred inspection mode, but features such as CDR, MAPI/SSH inspection and FortiNDR require proxy mode, so plan the mode around the features you need.
Policy-based NGFW mode
Policy-based mode allows you to define the application and URL category directly in the policy for matching, rather than defining a security profile and adding that profile to the policy. This may benefit firewall administrators migrating from different vendors with a similar implementation, however Fortinet recommends using the profile-based NGFW mode.
High Availability
Using multiple FortiGates in a cluster to provide advanced malware protection shares the inspection load, achieving higher scanning throughput than one FortiGate can achieve alone. While the same could be achieved with a single larger, more powerful FortiGate, high availability (HA) brings the additional benefit of redundancy: it removes the single point of failure of a lone FortiGate and helps keep your network's security uninterrupted.
HA can be implemented in several ways, and a firm understanding of the available options is advised to guide the selection. The following sections give examples of how advanced malware protection can be implemented using the HA options available to you.
FGCP
FortiGate Clustering Protocol (FGCP) is the Fortinet proprietary HA solution which works both to form the FortiGate cluster as well as define how multiple FortiGates can work in unison to secure your network. FGCP also defines how the cluster behaves in the event of a FortiGate failure. FGCP can be implemented in an Active-Passive and an Active-Active cluster.
Active-Passive
In an active-passive setup, the subordinate FortiGates have the same configuration as the primary, so if the primary fails, one of the subordinates replaces it without any configuration change. Although FGCP can synchronize active connections and sessions from the primary to the subordinates (session pickup), many sessions subject to security profiles, including AntiVirus scanning, are not resumed after a failover and must be re-established by the client.
Active-Active
In an active-active setup, the FortiGates load-balance sessions between the cluster members. By default, active-active HA load balancing distributes proxy-based security profile processing to all cluster units. Proxy-based security profile processing is CPU- and memory-intensive, so FGCP load balancing may result in higher throughput because that processing is spread among all cluster units. When configured for flow-based scanning, antivirus security profiles are never load balanced and are always processed by the primary unit, so active-active mode adds no AV throughput for flow-mode policies.
See HA and load balancing for more details.
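The FortiOS CLI below is an added example, not configuration from the guide. It shows the FGCP settings that matter for the two modes described above: session pickup for active-passive, and the load-balancing switch for active-active. The group name, password, heartbeat and monitored interfaces are placeholders.

```fortios
# Added example (not from the guide): FGCP cluster settings relevant to AMP.
# Group name, password and interface names are placeholders. Enter on each
# member; once the cluster forms, the primary synchronizes the rest.
config system ha
    set group-name "amp-cluster"
    # Must differ from any other cluster sharing a broadcast domain.
    set group-id 10
    set password "replace-with-a-strong-secret"
    # Two dedicated heartbeat links; the number after each is its priority.
    set hbdev "port9" 50 "port10" 50
    # Active-passive: one unit processes traffic, the others stand by.
    set mode a-p
    # Active-active alternative (comment the line above and uncomment these):
    #     set mode a-a
    #     set load-balance-all enable
    # Only proxy-based scanning is distributed; flow-based AV stays on the
    # primary, so a-a buys nothing for flow-mode policies.
    # Session pickup: plain sessions survive a failover, but proxy-inspected
    # sessions such as AV scanning still restart from the client.
    set session-pickup enable
    set session-pickup-connectionless enable
    # With override disabled the current primary stays primary when a unit
    # with a higher priority returns, avoiding a second failover.
    set override disable
    set priority 200
    # Link failure on a monitored interface triggers a failover.
    set monitor "port1" "port2"
end
```

Give the two members different `priority` values and, if you do want the stronger unit to reclaim the primary role after recovery, set `override enable` on both and accept the extra failover that implies.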
FGSP
With the FortiGate Session Life Support Protocol (FGSP), each FortiGate receives traffic through an external load-balancing method, either at L2 with LACP or at L3 with ECMP/VRRP, and sessions are synchronized between the members. With AV policies, traffic is forwarded at L2 or L3 to the session owner for inspection. The peer that receives the first packet of a session becomes the session owner; when it synchronizes the session with its peers, its member ID is added to the session information. If a peer receives a packet whose session carries a member ID other than its own, it forwards the packet to the correct member. This eliminates asymmetry in the traffic and lets one FortiGate inspect each session completely.
FGSP is primarily used instead of FGCP when external load balancers are part of the topology, and they are responsible for distributing traffic amongst the downstream FortiGates. FGSP provides the means to synchronize sessions between the FortiGate peers without needing a primary member to distribute the sessions like in FGCP active-active mode. For more information, please consult the Admin Guide.
See UTM inspection on asymmetric traffic in FGSP for more details.
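As an added example (not from the guide), the following FortiOS CLI forms a two-member FGSP group behind an external load balancer and turns on the session synchronization that the owner-forwarding behaviour above depends on. FortiOS 7.0 or later syntax is assumed; the peer addresses, the sync interface, and the `asymmetric-traffic-control` option (taken to be the setting the referenced section describes, and assumed to be present on your release) are assumptions.

```fortios
# Added example (not from the guide): FGSP pair with session synchronization.
# FortiOS 7.0+ syntax assumed; addresses and interfaces are placeholders.
# Configuration for member 1; member 2 differs only where noted.
config system standalone-cluster
    set standalone-group-id 1
    # Member 2 uses "set group-member-id 2".
    set group-member-id 1
    # The peers share a layer-2 segment, so dirty/owned sessions can be
    # forwarded between them directly; use a dedicated link for the sync.
    set layer2-connection available
    set session-sync-dev "port9"
    # Assumed option name: forward packets of a session to its owner so one
    # member performs the whole UTM inspection (see the referenced section).
    set asymmetric-traffic-control cstrict
    config cluster-peer
        edit 1
            # Member 2 points at 10.0.9.1.
            set peerip 10.0.9.2
            # Sync only the VDOMs that carry AV-inspected policies.
            set syncvd "root"
        next
    end
end
config system ha
    # FGSP reuses the session-pickup switches to decide what is synchronized.
    set session-pickup enable
    set session-pickup-connectionless enable
    set session-pickup-expectation enable
end
```

Session sync carries session state in the clear over `session-sync-dev`, so keep that link on an isolated segment; the peers must also run the same firmware and the same policy and profile configuration, which FGSP does not synchronize for you.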
VDOMs
FortiGate VDOMs provide many benefits and should be considered when there is a use case to keep traffic separated, such as a Managed Security Services Provider (MSSP) using one FortiGate for multiple customers. The use of VDOMs ensures that traffic from each customer or tenant is not mixed with another’s; their traffic is subject to their own virtual FortiGate and configuration. This is often referred to as multi-tenancy.
VDOMs also allow for the use of global objects, such as security profiles, which may be applied to one or more VDOMs. This is particularly useful for companies that have security requirements for connecting customers. By applying a policy with security profiles to scan traffic, the company can ensure any customer access meets their security requirements.
VDOMs can also work with HA in a virtual clustering configuration. This setup allows a FGCP HA cluster to utilize different HA cluster members as the primary unit for processing traffic to a specific VDOM. This allows traffic to be distributed amongst different cluster members while working in an Active-Passive setup.
See HA virtual cluster setup for more details.
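The FortiOS CLI below is an added example, not taken from the guide, of the virtual clustering arrangement described above: an active-passive FGCP cluster in which the two VDOM groups have different primary units. FortiOS 7.0 or later `config vcluster` syntax and the VDOM names are assumptions; the second unit is configured with the priorities swapped.

```fortios
# Added example (not from the guide): virtual clustering so each VDOM group
# is active on a different member of an a-p FGCP cluster. FortiOS 7.0+
# syntax and the VDOM names are assumed; this is unit 1, unit 2 swaps
# the two priority values.
config system ha
    set group-name "amp-cluster"
    set mode a-p
    set hbdev "port9" 50 "port10" 50
    set vcluster-status enable
    config vcluster
        edit 1
            # Unit 1 is primary for these VDOMs (higher priority wins).
            set override enable
            set priority 200
            set vdom "root" "customer-a"
        next
        edit 2
            # Unit 2 is primary for this VDOM; unit 1 only takes it on failover.
            set override enable
            set priority 100
            set vdom "customer-b"
        next
    end
end
```

Each VDOM is still processed by one unit at a time, so this distributes load per tenant rather than per session; a single very busy tenant still gets the throughput of one member.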
Logging
FortiGate logging can be enabled for both blocked and allowed traffic. Logs of blocked traffic help identify malicious activity or traffic that violates company policy, and logs of allowed traffic inform the company about network usage. Companies often have a policy to retain logs for a set period, both to analyze and understand trends and for forensics in the event of a breach.
FortiAnalyzer provides a centralized logging solution which provides both a repository to archive logs, as well as a database that advanced analytics can be performed on. FortiAnalyzer also has the ability to alert administrators when certain conditions are met. This includes creating event handlers that are triggered by certain logs, and can also incorporate advanced FortiGuard threat intelligence to provide indicators of compromise and outbreak notifications. See the FortiAnalyzer Admin Guide for details.
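As an added example that is not from the guide, the FortiOS CLI below sends logs to a FortiAnalyzer in real time, with transport and certificate checks enabled, and turns on logging of allowed as well as blocked sessions on an AMP policy. The FortiAnalyzer address and the policy ID are placeholders.

```fortios
# Added example (not from the guide): FortiAnalyzer logging for AMP.
# The FortiAnalyzer address and policy ID are placeholders.
config log fortianalyzer setting
    set status enable
    set server "10.0.30.10"
    # Real-time upload so an AV event is available for alerting immediately.
    set upload-option realtime
    # Reliable (TCP) transport and certificate verification so logs are not
    # silently dropped or sent to an impostor.
    set reliable enable
    set certificate-verification enable
end
config log fortianalyzer filter
    # "information" keeps allowed-traffic logs, not only warnings and above.
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set anomaly enable
end
config firewall policy
    edit 10
        # "all" records allowed sessions too; "utm" would log only UTM events.
        set logtraffic all
        # Also log session start, so a download that is later blocked still
        # leaves a record of when the client began it.
        set logtraffic-start enable
    next
end
```

Logging allowed traffic on busy policies multiplies log volume, so size the FortiAnalyzer retention (and any forwarding to a SIEM) for `logtraffic all` before enabling it broadly.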
Quarantining
When a user or device downloads a virus file, the FortiGate can detect the event and quarantine the offending device. This is an effective way to prevent the virus from spreading further, by disallowing traffic from the compromised device.
Furthermore, it is possible to quarantine and archive the malware file for further analysis. For more information, see Downloading quarantined files in archive format.
Air-gapped deployments
In air-gapped environments, critical components and infrastructure are completely closed off from the Internet. FortiGates deployed in an air-gapped environment cannot communicate with FortiGuard to keep their antivirus engines and signatures up to date, so careful consideration must be given to delivering updates to them securely and in a timely manner. The options include:
- Manual download and upload – FortiGuard Distribution Network (FDN) update packages can be downloaded on a connected system and uploaded to each FortiGate. See Manual Updates.
- FortiManager as local FortiGuard server – FortiManager can act as a local FortiGuard server that provides updates on a schedule or on demand to the FortiGates that can reach it. As with FortiGates, the administrator must download update packages and licenses manually and upload them to FortiManager. This scales to many FortiGates while keeping the network closed.
See the FortiGate Admin Guide and FortiManager Admin Guide sections.
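The FortiOS CLI below is an added example, not configuration from the guide, of the second option: pointing an air-gapped FortiGate at a FortiManager that serves FortiGuard updates locally, with the public FDN servers excluded so the FortiGate never attempts to reach the Internet. The FortiManager address is a placeholder, and the FortiManager is assumed to already hold the manually uploaded packages.

```fortios
# Added example (not from the guide): use FortiManager as the local FortiGuard
# server on an air-gapped FortiGate. The address is a placeholder.
config system central-management
    set type fortimanager
    set fmg "10.0.40.5"
    # Do not fall back to Fortinet's public update/rating servers.
    set include-default-servers disable
    config server-list
        edit 1
            # Serve both AV/IPS package updates and web/AV rating queries.
            set server-type update rating
            set server-address 10.0.40.5
        next
    end
end
# Pull the current AV engine and signatures now rather than waiting.
execute update-av
# Scheduled pull afterwards (daily at 02:00).
config system autoupdate schedule
    set status enable
    set frequency daily
    set time 02:00
end
# On the FortiManager side (FortiManager CLI, not FortiOS), keep it from
# trying to reach the public FDN as well:
#     config fmupdate publicnetwork
#         set status disable
#     end
```

After the first pull, compare the AV engine and definition versions shown by `get system status` with the package versions loaded on the FortiManager; a mismatch usually means the server-list entry was not applied or the FortiGate cannot reach the FortiManager on the update port.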