We have pioneered an innovative, high performance network security solution to the fundamental problems of an increasingly bandwidth-intensive network environment and a more sophisticated information technology (“IT”) threat landscape. We are a leading provider of network security appliances and the market leader in Unified Threat Management (“UTM”). Through our products and subscription services, we provide broad, integrated and high performance protection against dynamic security threats while simplifying the IT security infrastructure for enterprises, service providers and government entities worldwide. Our flagship UTM solution consists of our FortiGate appliance products that provide a broad array of security and networking functions, including firewall, VPN, antivirus, intrusion prevention, Web filtering, antispam, and WAN acceleration. Our FortiGate appliances, from the FortiGate-50 for small businesses and branch offices to the FortiGate-5000 series for large enterprises and service providers, are based on our proprietary technology platform. This platform includes our FortiASICs, which are specifically designed for accelerated processing of security and networking functions, and our FortiOS operating system, which provides the foundation for all of our security functions. Our FortiGuard security subscription services provide end-customers with access to dynamic updates to our antivirus, intrusion prevention, Web filtering and antispam functionality based on intelligence gathered by our dedicated FortiGuard Labs team. By combining multiple proprietary security and networking functions with our purpose-built FortiASIC and FortiOS, our FortiGate UTM solution delivers broad protection against dynamic security threats while reducing the operational burden and costs associated with managing multiple point products.
We complement our FortiGate product line with a family of FortiManager appliances, which enable end-customers to manage the system configuration and security functions of multiple FortiGate appliances from a centralized console, as well as FortiAnalyzer appliances, which enable collection, analysis and archiving of content and log data generated by our products. We also offer other appliances and software that provide additional protection, such as: (i) FortiMail, a family of multi-featured, high performance messaging security appliances, (ii) FortiDB, a family of appliances that provide centrally managed database-specific security, (iii) FortiClient, a software product that provides endpoint security for desktops, laptops and mobile devices and that is primarily used in conjunction with our FortiGate appliances, (iv) FortiWeb, an appliance that provides security for Web-based applications, and (v) FortiScan, an appliance designed to provide endpoint vulnerability assessment and remediation.
Technology and Architecture
Our proprietary FortiASIC, hardware architecture, FortiOS operating system and associated security and networking functions combine to form a platform that integrates security features and enables our products to perform sophisticated security processing for networks with high throughput requirements.
Our FortiASIC family of ASICs is comprised of the FortiASIC content processor, or CP, line and the FortiASIC network processor, or NP, line. These custom ASICs are designed to enhance the sophisticated security processing capabilities implemented in software by accelerating computationally intensive tasks such as firewall policy enforcement or IPS anomaly detection. This architecture provides the flexibility of implementing accelerated processing of new threat detection without requiring a new ASIC release. We are able to implement additional new computationally intensive security tasks in later generations of ASICs, thereby providing further acceleration capabilities. The FortiASIC CP is currently included in most of our entry-level and all of our mid-range and high-end FortiGate appliances. The FortiASIC NP is currently included in most of our high-end and some of our mid-range FortiGate appliances, delivering further accelerated firewall and VPN performance.
FortiASIC CP. Our sixth generation FortiASIC CP implements several techniques in hardware to assist in computationally intensive tasks, such as protocol parsing and encryption/decryption processing associated with VPN. In addition, the FortiASIC CP implements other techniques, such as shared memory integration, to reduce the overhead associated with processing data in multiple locations. The FortiASIC CP is a critical component that accelerates processing of sophisticated content inspection tasks executed by the FortiOS.
FortiASIC NP. Our second generation FortiASIC NP is an in-line processor that is designed to accelerate some of the common tasks associated with the processing of network traffic, especially in the context of network security. In particular, the FortiASIC NP is capable of accelerating several computationally intensive security tasks such as firewall policy enforcement, encryption and decryption of VPN traffic and traffic shaping, to enable increased network security protection while minimizing any impact to network bandwidth and throughput. The FortiASIC NP is also flexible in its ability to handle a variety of network traffic types and is agnostic to packet size and other attributes that are different among various network deployments.
Custom Hardware Architecture
Our custom hardware architecture provides the foundation for all FortiGate platforms, combining the integration of FortiASICs with general purpose processors, high-performance network interfaces and custom expansion capabilities. By developing a custom hardware architecture, we are able to incorporate our ASICs within the system to optimize their ability to process traffic for network and security functions.
FortiOS provides the foundation for the operation of all FortiGate appliances, from the core kernel functions to the security processing feature sets. FortiOS provides multiple layers of security, including a hardened kernel layer providing protection for the FortiGate system, a network security layer providing security for end-customers’ network infrastructures, and application content protection providing security for end-customers’ workstations and applications. FortiOS directs the operations of processors and ASICs and provides system management functions such as command-line and graphical user interfaces. We make available updates to the FortiOS through our FortiCare support services. FortiOS also enables advanced, integrated routing and switching, allowing end-customers to deploy FortiGate devices within a wide variety of networks, as well as providing a direct replacement solution option for legacy switching and routing equipment. The FortiOS implements a suite of commonly used routing protocols as well as address translation technologies, allowing the FortiGate appliance to integrate and operate in a wide variety of network environments. Our technology permits seamless integration into existing network infrastructures with minimal disruption. Additional features include Virtual Domain, or VDOM, capabilities and traffic queuing and shaping, enabling administrators to set the appropriate configurations and policies that meet their infrastructure needs. FortiOS also provides capabilities for logging of traffic for forensic analysis purposes, which are particularly important for regulatory compliance initiatives like PCI DSS. FortiOS’s packet classification, queue disciplines, policy enforcement, congestion management, and other traffic optimization functionality are designed to help control network traffic in order to optimize performance.
Security and Networking Functions
Our FortiOS incorporates the following seven core security and networking technologies:
Firewall. Our firewall technology delivers high performance network and application firewalling, including the ability to enforce policies based on the application behavior. Our technology identifies traffic patterns and links them to the use of specific applications, such as instant messaging and peer-to-peer applications, permitting application access control. By coupling application intelligence with firewall technology, the FortiGate platform is able to deliver real-time security with integrated application content level inspection, thereby simplifying security deployments.
Virtual Private Network. Our advanced VPN technology provides secure communications between multiple networks and hosts, through both secure socket layer, or SSL, and IPsec VPN technologies, leveraging our custom FortiASIC to provide hardware acceleration for high-performance communications and data privacy. Benefits include the ability to enforce complete content inspection and multi-threat security as part of VPN communications, including antivirus, Intrusion Prevention System, or IPS, and Web filtering. Additional features include traffic optimization providing prioritization for traffic across VPNs.
Antivirus. Our antivirus technology provides protection against malware, including viruses, spyware and trojans. Our FortiGuard security subscription services provide updates to signatures to maintain a high level of accuracy and detection capabilities in our products.
Intrusion Prevention System. Our IPS technology provides protection against current and emerging network level threats. In addition to signature-based detection, we perform anomaly-based detection whereby our system alerts users to traffic that fits a specific attack behavior profile. This behavior is then analyzed by our FortiGuard Labs team to identify threats as they emerge and generate new signatures that will be incorporated into our FortiGuard services.
Web Filtering. Our Web filtering automation technology works in concert with our research team to collect, analyze and categorize websites to provide real-time protection through website ratings and categorization.
Our Web filtering technology is a proactive defense feature that identifies known locations of malware and blocks access to these malicious sources. In addition, the technology enables administrators to enforce policies based on website content categories, ensuring users are not accessing content that is inappropriate for their work environment. The technology restricts access to denied categories based on the policy by comparing each Web address request to a Fortinet hosted database.
Antispam. We employ a variety of antispam techniques to detect and block spam. These techniques include a hosted service performing algorithmic validations of messages against known spam messages, a sophisticated reputation service designed to evaluate and track valid email sources and destinations, intelligent image scanning to evaluate the validity of images, and dynamic heuristic rules to allow messages to be evaluated based on content within each message. These techniques can be combined to identify and block spam with high catch rates and to minimize false positives. We test all filter, rule and definition updates against a large test database of messages to safeguard against inadvertent filtering of legitimate messages.
WAN Acceleration. Our storage-enabled and storage-ready FortiGate appliances provide the ability to accelerate network traffic across the wide area network by implementing a combination of application content caching and protocol optimization techniques. Combined with our VPN technologies, end-customers can take advantage of low-cost public network infrastructures to extend their network reach while experiencing high-performance for their network traffic with comprehensive privacy and security.
In addition to the seven core security and networking functions mentioned above, we also incorporate additional technologies within FortiGate appliances that differentiate our UTM solution, including:
Application Control. Our application control technology provides the ability to define granular network-based application policies giving end-customers additional control over application access. By designing and implementing a dynamic application behavior detection engine, FortiGate appliances can detect unique applications regardless of the underlying protocol. Many applications have migrated to Web-based interfaces, enabling opportunities to carry additional malicious threats. By identifying the application based on the characteristics of the traffic and behavior, policies can be set to control which Web applications are allowed or denied thereby reducing the opportunity for both known and new potentially malicious applications to penetrate the infrastructure.
Data Leakage Prevention (DLP). Our DLP technology provides the ability to define rules based on corporate policies, and consequently detect and prevent confidential data from being distributed outside of the corporate network. By leveraging the inspection capabilities within FortiOS, these DLP policies are able to identify and stop the transmission of confidential data within various application content. Additional capabilities include the identification of the source from which known confidential data originates, thereby allowing administrative action to take place. Traffic that has been identified based on these corporate policies can be archived for further analysis.
Traffic optimization. Our traffic optimization technology combines quality of service techniques with traffic shaping to provide better service to selected network traffic based on customer policies without causing interruptions to other traffic.
SSL inspection. Our SSL inspection technology provides the ability to decrypt SSL application content for processing by the FortiOS. The ability to inspect encrypted SSL content enables our customers to ensure protection from malware that would be otherwise hidden from traditional security products, and enforce the full complement of security and networking features available within FortiOS.
Our core product offerings consist of our FortiGate UTM appliance family, along with our FortiManager central management appliance and FortiAnalyzer central logging and reporting appliance, both of which are typically purchased to complement a FortiGate deployment.
Our flagship FortiGate appliances offer a set of security and networking functions, including firewall, VPN, antivirus, intrusion prevention, Web filtering, antispam and WAN acceleration. All FortiGate appliances are based on our proprietary operating system, FortiOS, and substantially all FortiGate models include our proprietary FortiASICs to accelerate content and network security features implemented within FortiOS. FortiGate appliances can be centrally managed through both embedded Web-based and command line interfaces, as well as through FortiManager which provides a central management architecture for thousands of FortiGate appliances.
By combining multiple network security functions in our purpose-built security platform, the FortiGate provides high quality protection capabilities and deployment flexibility while reducing the operational burden and costs associated with managing multiple point products. Through FortiGuard security subscription services, our products enable end-customers to add security functionality as required by their evolving business needs and the changing threat landscape. By purchasing FortiGuard security subscription services, end-customers obtain coverage and access to regular updates for antivirus, IPS, Web filtering and antispam functions for their FortiGate appliances. With over 30 models in the FortiGate product line, FortiGate is designed to address security requirements for small-to-mid sized businesses, remote offices, large enterprises, and service providers.
Each FortiGate appliance runs our FortiOS operating system, and substantially all include our FortiASIC CP. The significant differences between each model are the performance and scalability targets each model is designed to meet, while the security features and associated services offered are common throughout all models.
The FortiGate-30 through -100 series models are designed for perimeter protection for small- to mid-sized businesses and remote offices and as customer premises equipment for service providers. Optional wireless LAN, or WLAN, integration is available for the FortiGate-50, -60 and -80 models, marketed as FortiWiFi, delivering additional network access and security for wireless environments.
The FortiGate-200 through -800 series models are designed for perimeter deployment in mid-sized to large enterprise networks. These products offer increased capacity and scalability designed to provide high network performance while delivering the same broad security suite as all FortiGate models. Additionally, the FortiGate-310 and -620 models provide hardware modularity, allowing end-customers the flexibility to customize solutions to their requirements, as well as permitting us the opportunity to produce new modules to sell into existing end-customer deployments.
The FortiGate-1000 through -5000 series models deliver high performance and scalable network security functionality for perimeter, data center and core deployment in large enterprise and service provider networks. Additionally, most of these products provide hardware modularity, allowing end-customers the flexibility to customize solutions to their requirements, as well as permitting us the opportunity to produce new modules to sell into existing end-customer deployments. Products within the FortiGate-3000 and -5000 series leverage Advanced Mezzanine Card, or AMC, industry standards for hardware modularization to support the advanced networking requirements of large enterprises and service providers, including high-speed networking, WAN connectivity, and network attached storage connectivity. The FortiGate-5000 series is also compatible with the Advanced Telecommunications Computing Architecture, or ATCA, standard, resulting in a flexible hardware platform for system modularity. This modularization gives end-customers the ability to deploy an initial FortiGate configuration with room to grow as their network security needs evolve. The inclusion of network load balancing and advanced switching functionality provides additional flexibility in how end-customers utilize the FortiGate modules within the FortiGate chassis. In addition, our FortiGate-5000 series ATCA blades can be utilized in other third-party vendors’ industry standard ATCA chassis, allowing FortiGates to be deployed into a much wider range of network solutions. Our FortiGate-5000 series appliances offer a modular, chassis-based architecture based on the ATCA and AMC industry standards.
We brand a subset of our FortiGate-3000 and -5000 series products as FortiCarrier to reflect products specifically targeting a subset of service providers. These products add incremental security, networking and management functionality often utilized in service provider deployments.
FortiGate System Virtualization (VDOM)
In addition to providing network and content level security, FortiOS also offers system virtualization capabilities—the ability to “divide” a security appliance into multiple separately provisioned and managed instances. This capability is currently deployed in substantially all of our FortiGate products as our virtual domain, or VDOM, feature, where administrators have the ability to segment a single FortiGate appliance platform into multiple FortiGate instances. Network security system virtualization, using our VDOM feature, provides isolation between each virtual system, giving administrators flexibility in configuration and traffic management capabilities for each virtual instance. For example, for a service provider that is delivering managed security services to multiple customers, each customer of the service provider may require a tailored set of security services that suits their specific network requirements. To accomplish this, the service provider could use our FortiGate virtualization feature to partition one FortiGate blade or appliance into hundreds of instances, customizing each instance for each customer. This ensures that each of their customers’ networks is separate and private with unique routing, management and policy enforcement. By implementing virtualization, each customer of a security service provider has the ability to refine its requirements to meet its specific goals. The virtualization of our FortiGate functionality lowers capital and operational expenditures for enterprises and service providers and simplifies administration and management.