2. 2
Industry Validation for Fortinet’s Data Center Strategy
“Fortinet moves into second due to its strong position and price/performance, and [should] gain some ground at the very high end of the market.”
Data Center Security Products, Biannual Market Share, Size & Forecast, Oct 2014
Data Center Security Appliance Market Share
2015 Enterprise Firewall MQ – Fortinet Strengths:
“-In addition to enterprise NGFW deployments, Fortinet is well-suited to
deployments in carriers, data centers, service providers and distributed
enterprises (for example, retail and franchises).
-Fortinet has a well-articulated strategy regarding virtualization, public
cloud and SDN, and has a promising partnership with VMware NSX.”
3. 3
Data Center Trends
BYOD, Mobility & SaaS
Anytime, anywhere access
User-centric apps & services
Customer/client responsiveness
Big Data & Internet of Things
Billions of connected devices
Continuous data aggregation
Warehousing of petabytes of confidential data
Network Impact
Higher core throughput & scalability
Higher port density
Increased small/mixed packet traffic
Low user latency
IPv4 to IPv6 migration
Increased east-west traffic
Data Center Transformation
Server & network virtualization
Multi-tenant public clouds
Elasticity & agility
4. 4
Data Center Consolidation and SDN Evolution
Data Center Firewalls
Deployments
Data center edge
Top of rack
Virtual machine
protection
SDN orchestration
Drivers
Data center
consolidation
Migration 10G to 100G
Network segmentation
Securing East West
traffic virtualization
and SDN
EAST WEST
NORTH
SOUTH
Data Center/SDN VM & SDN Solution
FortiGate VM Series
VMware (NSX)
Cisco ACI
OpenStack
AWS
Azure
KVM
Hyper V
DC FW Solution
FortiGate High End
Series with 100G+
throughput in an
Appliance
5. 5
Software-Defined Security Vision
Physical
& Virtual
Security
Appliances
FortiGate FortiManager FortiSandbox FortiAnalyzer FortiWeb FortiADC
Virtualization SDN Cloud (IaaS) Cloud (SaaS)
vSphere
XenServer
Hyper-V
NSX
FortiMail
1. Security must integrate with & support underlying SDx Infrastructure, i.e. cloud &
SDN IaaS platforms
2. Security is itself fundamental infrastructure that can and should become agile
and elastic, i.e. Software-Defined, independent of other SDx transformation
6. 6
Fortinet’s Software-Defined Security Framework
Virtual x86
Containers
Hardware-Based
Platforms
Virtual
Appliances/
Services
Platform
Orchestration
& Automation
Single
Pane-of-Glass
Management
Software-Defined Security Framework
Data Plane Control Plane Management
Plane
Platform Extensibility
7. 7
Virtual Appliances/Services
Virtual Appliances & VDOMs Provide Scale-Out Elasticity
Scale-Out
Performance
Boundary
Benefits
Scale-Up
Elastic Firewall
Capacity
East-West
Traffic Visibility
Deployable in
Public Clouds
vSphere
XenServer
Hyper-V
8. 8
Platform Orchestration & Automation
Auto-Scaling
Firewall & Rule
Provisioning
SDN Flow
Visibility (dynamic
flow control,
overlay/
underlay traffic)
Dynamic Policies
(follow logical port,
IP, MAC)
Benefits
VM VM VM
VMware
Control Plane
Fortinet Service VM
Control Plane Orchestration
Network Visibility
Elastic provisioning
Distributed
Object-based policy
Agility Through Control Plane Integration
NSX
ACI
9. 9
Single Pane-of-Glass Management
Consistent Policies and Posture Across the Hybrid Cloud
Public Cloud Physical Networks Virtualization
Centralized Management and Policy
VM VM VM
VMware
VM
Management & Policy Logging & Analysis SaaS-Based Portal
10. 10
Software-Defined Security Use Cases
Auto-Scale/Auto-Provision Protection for Elastic Workloads
Hypervisor Hypervisor
Requirements Solution
Auto-scale virtual firewall
capacity to new virtualization
hosts
FortiGate-VMX
Auto-provision firewall rules to
new workload VM instances
FortiGate-VMX, FortiGate for
Cisco ACI
Orchestrate firewall service
insertion, service chaining (via
SDN flow control)
FortiGate-VMX, FortiGate for
Cisco ACI
Orchestrate physical and virtual
firewalls
FortiGate for Cisco ACI
Distributed firewall rules across
cluster or data center
FortiGate-VMX, FortiGate for
Cisco ACI
Scale web apps and social media to
connect virally with customers, partners,
users at cloud speed, while transparently
ensuring data privacy & compliance
IaaS
11. 11
Centralized Policy
and Logging/Reporting
Software-Defined Security Use Cases
Secure Inter-VM Traffic in Virtual Environments
FortiAnalyzer
North-South
Data Center Edge
East-West
Hypervisor Hypervisor
FortiManager
Requirements Solution
Inter-VM traffic visibility FortiGate-VM or FortiGate-VMX
Stateful firewall session during
live VM migration (e.g. vMotion)
FortiGate-VMX
Distributed firewall across
cluster (policies follow VM
independent of logical IP/MAC)
FortiGate-VMX
Distributed firewall rules across
distributed virtual switch
FortiGate-VMX
Inspect VXLAN encapsulated
traffic
FortiGate-VMX
Centralized management across
physical and virtual firewalls
FortiManager, FortiAnalyzer
Virtual Machine Firewall
(East West)
Data Center Firewall
(North South)
Overcome visibility and
enforcement challenges with
inter-VM traffic and logical
networks
12. 12
Software-Defined Security
Micro-Segmentation in Consolidated Data Centers
Mitigate increasing concentration of data
and risk in consolidated and multi-tenant
data centers
Declarative, whitelist-based policy model
Fine-grained honeycomb based on users,
roles, other metadata
Deploy into flat, open networks without
disrupting network and infrastructure Leaf nodes
Cisco
APIC
Spine nodes
13. 13
Platform Extensibility & Ecosystem Integration
Virtual x86
Containers
Hardware-Based
Platforms
Virtual
Appliances/
Services
Platform
Orchestration
& Automation
Single
Pane-of-Glass
Management
Software-Defined Security Framework
Data Plane Control Plane Management
Plane
Platform Extensibility
Cloud/SDN
Ecosystem
XML
JSON
Other
Interfaces
Logging/
Event
SDN
Controllers
Programmable
Switches
Cloud
Management
Centralized
Policy &
Analytics
Orchestration
Platforms
Mgmt
API’s
CLI/
Scripting
14. 14
Fortinet Programmable Networking Partnership Ecosystem
ORCHESTRATION PLATFORMS
PROGRAMMABLE SWITCHING
• ACI announced
• vCNS certified
• NSX program
CENTRALIZED POLICY & ANALYTICS
Platform Extensibility
Software-Defined Security Framework
SDN CONTROLLERS
API’s
17. 17
Fortinet FortiGate-VMX
• The Challenge
» Tight integration with
virtualization/network platform
• VMware Network Extensibility APIs (NetX)
» Shared object database for easy creation
of security policies
» Automated deployment of security
services and policy enforcement
» Easily support live migration(s) of
applications within clustered
environments
» Dynamic security policy updates for
newly created services without normal
time lag paper trail requests
Q4 2014 Q3 2014 January 2014 2015
18. 18
VMware Kernel VMware Kernel
vDistributed Switch
1. Initiate communication with vCenter Server
2. Register Fortinet as security service with vCNS Manager
3. Auto-deploy FortiGate-VMX to all hosts in security cluster
4. FortiGate-VMX connects with FortiGate-VMX Service Manager
5. License verification and configuration synchronization with FortiGate-VMX
6. Kernel agent creation and default re-direction rules for each host in cluster
7. Real-time updates of object database
8. Push policy synchronization to all FortiGate-VMX deployed in cluster
Fortinet FortiGate-VMX
19. 19
Cisco ACI Partnership
Source: Infonetics
Technology collaboration with Cisco to bring Fortinet’s
data center security to #1 SDN platform sought by
enterprise customers
Joint PR and demo at RSA Conference
»Integration of FortiGate into Cisco ACI deployment
Joint demo at Interop (April 2015)
Product launch targeted late Q2 2015
20. 20
Cisco ACI (Application Centric Infrastructure) Overview
Spine nodes
Leaf nodes
ACI Fabric in Datacenter
APIC
VM VM VM VM VM VM
External
Internal
NET-a
NET-b
PoC shows FortiGate service insertion and orchestration in Cisco APIC
» APIC (Application Policy Infrastructure Controller) is SDN controller
» FortiGate device package contains XML metadata
» Customer benefits vary with use case, e.g. auto-provision new workloads in
multi-tenant clouds
21. 21
OpenStack Integration Efforts
Service Providers – Open Source OpenStack
» With open source through extensible mgmt API
» In production in NEC and other provider clouds
Enterprise – Supportable OpenStack distro
» HP Helion OpenStack emerging as frontrunner – need out-
of-box integration
» Fortinet announced HP AllianceOne partnership
» FG-VM certified HP Helion Ready
VM VM VM
Hypervisor
23. 23
Software-Defined Security Framework Extensions for Service Providers
Virtual x86
Containers
Hardware-Based
Platforms
Platform Extensibility
Virtual
Appliances/
Services
Platform
Orchestration
& Automation
Single
Pane-of-Glass
Management
Software-Defined Security Framework
Cloud/SDN
Ecosystem
XML
JSON
Other
Interfaces
Logging/
Event
SDN
Controllers
Programmable
Switches
Cloud
Management
Centralized
Policy &
Analytics
Orchestration
Platforms
Mgmt
API’s
CLI/
Scripting
Data Plane Control Plane Management
Plane
SaaS
Multi-Tenancy
On-Demand
Self-Service
Network
Function
Virtualization
Service Provider Extensions
24. 24
Network Function Virtualization
Firewall VNF Service Chaining – Modular, Interoperable, Scalable
ETSI Multi-Vendor PoC on D-NFV (CPE)
D-NFV Alliance – Commercialized Offering on RAD Hardware
25. 25
Orchestration
Deployment and instantiation
Service Insertion into
virtual network
On-Demand Self-Service – Utility-Based Pricing/Metering
Benefits
Pricing Options
Hourly/Annual
(per-instance)
Five different instance
sizes
Bundled support
subscription
Utility-based Consumption
Licensing
Provisioning
Metering
Billing
Protection
On-Demand
Pay-as-you-Go
User/Tenant
Self-Service
27. Lan & Wan Solutions
Innovating your company. Our challenge.
Editor's Notes
-Encapsulate firewall, other network security in VM
-Can handle both east-west and north-south traffic
-Bridged on the virtual switch to get inline
-Deployable in public clouds where HW not allowed
New FortiGate-VM for VMware’s Software-Defined Data Center (Networking, Compute, Storage)
Phase I (2014) – Interoperates with vSphere, vCloud and NSX
Visibility and enforcement of all virtual network traffic – Transparent to network topology
Orchestration - Auto deployment and provisioning of FortiGate virtual appliances and software-defined network configuration
Automation - Instant-on protection of new VM instances
Distributed firewall - Object-based rules follow VM’s across data center
VM-based rules follow IP address, port changes (e.g. due to failover or site recovery)
Session state maintained across vMotion (live migration) events
Phase II (2015 planning) – Direct NSX integration enhancements (only works with NSX)
Potentially higher L2/L3 firewall performance
Service-based – SLA-driven orchestration, policies
Richer event-based workflows
Customers are not looking for products and Security Appliances; they are looking for Security Alliances for their specific network.
FortiGate offers the widest range of Security Appliances, from the 30D all the way to a Blade.
FortiOS is the most flexible network operating system, allowing different personalities such as Firewall, VPN, SWG, NGFW, ATP and UTM with
This makes FortiGate suitable for deployment in the
Enterprise Campus (Edge)
Branch Office
Data Center
Distributed Enterprise
Cloud
Access
Hardware appliances can lose visibility into East-West virtual switch traffic
SDN/SDDC network virtualization can exacerbate challenges (e.g. VXLAN overlays)
Logical ports, IP’s, MAC can break static policy rules