
FortiGate-620B Security Appliance Frequently Asked Questions

FAQ

Hardware Questions
Q: What is the FortiGate-620B?
A: The FortiGate-620B is a new medium and large enterprise-class FortiGate with FortiASIC hardware acceleration for firewall/VPN. The FortiGate-620B offers twenty (20) 10/100/1000 Ethernet interfaces. Sixteen of these interfaces are accelerated by the FortiASIC NP2 network processor for wire-speed firewall throughput of 16 Gbps and IPSec VPN throughput of 12 Gbps. Intrusion prevention and antivirus throughput (1 Gbps and 250 Mbps, respectively) are accelerated via the FortiASIC content processor found in all FortiGate models. Optional Advanced Mezzanine Card (AMC) expansion options allow for 4 additional Gigabit SFP-based Ethernet ports or local HDD capacity for log storage. The FortiGate-620B's increased firewall/VPN throughput and high port density relieve medium and large businesses of the restraints that have historically prevented internal network security segmentation.

Q: What types of security features are available on the FG-620B?
A: Fortinet's FortiGate-620B is a purpose-built appliance that provides comprehensive security capabilities including firewall, antivirus, antispyware, intrusion prevention, IPSec and SSL VPN, web content filtering, spam filtering, spyware/grayware filtering, and traffic management tools. The FG-620B is designed for medium to large enterprises and regional offices. This full-featured network security appliance offers comprehensive protection to distributed networks, meeting the needs of an array of mission-critical applications such as Email, Web, VOIP, IM, and P2P, with extensive network management, logging, and reporting capabilities.

Q: What is different about the Fortinet FG-620B?
A: The FG-620B is a disruptive new multi-threat security device that offers best-in-class throughput and port density by leveraging the power of FortiASIC network and content processors.

Competitive advantages include:
- 3X greater FW/VPN throughput than any other product in its class
- Double the number of ports of any other product in its class
- Optional AMC expansion capability (4 x NP accelerated SFP ports or HDD for local log and content archive)
- Best price/performance ratio of any product in its class
- Lowest price per port of any product in its class
- Lowest cost per Mbps of firewall throughput of any product in its class
- Backed by Fortinet's own FortiGuard Service Subscriptions, which include:
  - FortiGuard Antivirus and Antispyware Service
  - FortiGuard Intrusion Prevention System Service
  - FortiGuard Web Filtering Service
  - FortiGuard Antispam Service

Q: What is the advantage of having so many FortiASIC Network Processor-accelerated ports?
A: Increasing network sizes, throughputs, and applications warrant internal network segmentation points for Gbps links in order to increase security layers and decrease security zone size. These drivers require increased performance and more interfaces within the security infrastructure.

Fortinet

August 2008

Q: Will fiber SFPs be supported by the FG-620B?
A: The 20 ports available on a FG-620B base model are copper ports. However, the FG-620B does support the AMC expansion module ASM-FB4, which offers four additional FortiASIC network processor-accelerated SFP ports that support fiber transceivers.

Q: What happened to the older mid-range FortiGate products?
A: Fortinet still sells most of these older models; however, based on Moore's Law of increasing density of circuitry and performance over time with a decreasing price, Fortinet now offers the much higher performing FG-620B with a greatly improved price/performance ratio over older models. The FG-620B offers increased port density, security throughput, and modularity.

Q: What is an AMC expansion slot?
A: The Advanced Mezzanine Card (AMC) standard, also known as AdvancedMC, was developed by the PCI Industrial Computers Manufacturers Group (PICMG), which has over 100 companies building to the specification. AdvancedMC has been developed to meet the requirements for the next generation of carrier-grade communications equipment.

Q: What optional cards are supported by the FG-620B?
A: The FG-620B supports two optional AMCs:
1. The ASM-FB4 AMC, which provides four additional FortiASIC network processor-accelerated SFP ports for an additional 4 Gbps firewall and 3 Gbps IPSec VPN throughput.
2. The ASM-SO8 AMC, which provides 80 GB of disk-based storage for local logging and content archiving. The FortiGate does not boot from the disk drive, nor does it store configuration or operating system files on it.

Q: What benefit does the ASM-SO8 hard drive AMC option provide?
A: The hard drive option provides the added benefit of storing logs and quarantine files locally. This option also allows customers to store traffic log data, which is not available from a memory logging-only configuration. These added features are also available with an external FortiAnalyzer device, which provides other benefits such as content logging, forensic analysis, and over 300 standard and customizable reports.

Q: Is the FG-620B appliance rack mountable?
A: Yes. All mid-range models come with rack mount ears and optional rubber feet to allow flexibility in any mounting environment. All models have built-in cooling fans. Each consumes only one rack unit of space in an industry standard 19-inch equipment rack.

Q: Are there different models for countries with 220V vs. 110V power?
A: All models have a built-in power supply that auto-senses between 100 and 240 VAC. Each unit comes with a regional power cord for most common worldwide power socket configurations. Simply add the proper two-digit suffix to the SKU when ordering to specify the desired power cord option, e.g. FG-620B-US or FG-620B-UK. Power cord choices include: -US (USA style), -UK (United Kingdom style), -EU (European style), -AU (Australian style).

Q: Is the FG-620B RoHS compliant?
A: Yes, the FG-620B is RoHS compliant.

Software Questions
Q: What is FortiOS?
A: FortiOS is the multi-layered security software that runs on all FortiGate products. It is a proprietary security-hardened operating system that provides all of the multi-threat security functions. FortiOS provides the capability to manage FortiGate devices either via a secure web-based GUI or a command line user interface.

Q: What is the latest version of FortiOS?
A: At the time of writing, Version 3.0 MR7 Patch 1 is the latest release of FortiOS. It was released to the public in October 2008.

Q: What type of security modules does FortiOS offer?
A: Fortinet's FortiGate systems provide the industry's broadest suite of best-in-class security protections in a single platform, inclusive of firewall, IPSec VPN, SSL VPN, antivirus, antispyware, intrusion detection/prevention system, web content filtering, antispam and traffic shaping functionality. Deployed as an integrated or standalone solution, FortiGate systems detect and eliminate today's threats as well as emerging blended threats that cannot be detected and eliminated by competitive solutions.

Q: Can I assign two ports as dual WAN interfaces for load balancing traffic?
A: Yes, you can. There are a couple of methods for doing this. One is to use the built-in Equal Cost Multi-Path (ECMP) routing mechanism offered in version 3.0 MR2 and above. This method uses a simple hash algorithm to automatically balance sessions between two or more equal cost routes. The other is to use policy-based routing rules (available since version 2.8) to manually send some traffic to one port and other traffic to a different port. You can route based on source or destination IP addresses, on protocol type / TCP or UDP port numbers, or on any combination of the above.

Q: What happens to log messages if I don't have the hard drive AMC installed?
A: Log messages can be sent to external logging and reporting devices such as a FortiAnalyzer, or can be forwarded to any syslog-compatible server. Once sent to a FortiAnalyzer, log messages can be browsed directly from the FortiGate web GUI. Additionally, each FortiGate reserves a small amount of memory for short-term logging, which can be uploaded or deleted as needed. Due to memory constraints, the FortiGate cannot perform detailed traffic or content logging to local memory. Multiple log output destinations are supported. The FortiGate can send logs to up to three syslog servers or FortiAnalyzers.

Q: What types of high-availability features are offered?
A: All mid-range FortiGate models support high-availability (HA) clustering. This includes both active-passive and active-active HA, where the standby unit can also be used to load balance the traffic and in some cases provide additional processing power and overall throughput gains. The Fortinet HA clustering technique allows clustering of up to four units for increased reliability and performance. Various load-balancing algorithms are available, such as round robin, least connections, and weighted round robin, to take best advantage of different clustering configurations. However, you can only combine like models in the same cluster.

Security Subscription Services


Q: What subscription services are available?
A: All standard FortiGate product security subscription services are available on each FortiGate appliance. Security subscription services are inclusive of the FortiGuard Antivirus, IPS, Web Filtering, and Antispam services. Security subscription service bundles are also available to save cost over buying each service separately. No user licensing or user restrictions exist on any FortiGate model.

Q: How often are these subscription services updated?
A: Each FortiGuard service has constantly upgraded databases in order to keep your FortiGate units up to date and protected against recent cyber threats. The signature- and vulnerability-based Antivirus, Antispyware and Intrusion Prevention System services have the ability to automatically push real-time updates to registered and configured units at any time, 24 hours a day. The real-time services, inclusive of Antispam and Web Content Filtering, rely on constantly upgraded databases that maintain the highest possible accuracy.

Q: How does Fortinet subscription service response time compare to the industry?
A: Fortinet's FortiGuard subscription services, with Service Level Agreement and FortiGuard Distribution Network, provide Fortinet customers with the highest responsiveness of security vendors in both response time of creating new signatures to new exploits and breadth of coverage for antivirus, antispyware, web content filtering, intrusion prevention and antispam.

Security Deployment Scenarios


Q: How do I determine what size FortiGate is needed for my deployment?
A: Units are deployed based on throughput performance, not number of users. In fact, all FortiGate models have unlimited user licenses. Customers choose the proper model based on the firewall, VPN, or content scanning performance they need. Customers should note that if they want to enable multiple security functions such as FW + VPN + AV, they would use the lowest common performance factor as the denominator, which is usually the AV scanning performance. Contact your local Fortinet SE or Fortinet Value Added Reseller for assistance in FortiGate sizing. A sizing tool is also available on the Sales Intranet/Partner extranet site; it asks questions about users, throughput, and traffic requirements to help size the right model for customer requirements.

Q: How is the FG-620B positioned against the rest of the mid-range and high-end FortiGate models?
A: The FG-620B is a replacement for the FG-800 product. It is the second new medium and large product introduction following the FG-310B. The price and performance of the FG-620B are roughly double those of the FG-310B, and it is intended to continue raising the standard for mid-range security products by offering a high number of wire-speed firewall ports. The new standard that Fortinet is setting for mid-range products and above is wire-speed firewall ports on all models. Historically, firewall throughput has been the main metric used to determine product classification. Since all mid-range and high-end FortiGates will offer wire-speed firewall, the new metric to determine classification is full content inspection (i.e. IPS and AV). These are the performance metrics that distinguish mid-range products from high-end products. Other features of the high-end products (3000 series and 5000 series) may include switch-based form factors, stackability using multiple switch blades, extensive AMC modularity, dual power supplies, SFP ports, and, of course, increased IPS and AV throughput and content-level metrics such as number of sessions, new sessions per second, number of policies, etc.

Q: What security modules are recommended for MSSP (managed security service providers)?
A: MSSPs typically need a flexible Customer Premise Equipment (CPE) platform that can be remotely managed and can have many security options available for menu-style security service offerings. All FortiGate models come with built-in remote management tools that allow centralized security policy management and remote event monitoring for control via a security operations center. Additional products such as FortiManager and/or FortiAnalyzer provide the management tools to administer remote sites and scale from a multiple branch office network up to a global multi-domain operation.

Q: What security modules are recommended for perimeter security?
A: Perimeter networks generally require Firewall and VPN (IPSec and/or SSL) features and also will benefit from IPS and Antivirus protection. In some deployment scenarios where compliance requirements restrict access to specific web content, Web Content Filtering protection may be appropriate.

Q: What security modules are recommended for secure messaging?
A: A secure messaging system normally includes Antivirus and Antispam security and can also include Instant Messenger security if applicable.

Q: What security modules are recommended for data center?
A: Data Center security will normally require network and application security features including Firewall, IPS and Antivirus features. Antivirus protection will generally be used for specific application protocols used in the data center, such as HTTP / FTP for web servers and SMTP / POP for email servers.

Performance & Throughput


Q: Can I cluster these units together for better performance?
A: Yes, with HA clustering in active-active mode customers can gain performance improvements, but only for certain types of traffic: antivirus-scanned sessions and TCP sessions only. Consult with your local Fortinet SE to find out more about implementing HA in your environment.

Q: What are the key technical specifications and throughput measurements of the FG-620B?
A: See performance metric chart below:


System Performance

Metric | FortiGate-620B Base Model | FG-620B With Optional 4-Port AMC Module (ASM-FB4)
Firewall Throughput - Avg Size Packets (512 byte) | 16 Gbps | 20 Gbps
Firewall Throughput - Small Size Packets (64 byte) | 16 Gbps | 20 Gbps
IPSec VPN Throughput | 12 Gbps | 15 Gbps

Metric | Value
Antivirus Throughput | 250 Mbps
IPS Throughput | 1 Gbps
Dedicated IPSec VPN Tunnels | 20,000
Concurrent Sessions | 600,000
New Sessions/Sec | 25,000
Policies | 100,000
Unlimited User Licenses | Yes

Q: What are the performance assumptions for these metrics?
A: The FortiGate-620B firewall throughput specification is based on benchmark results for 512-byte and 64-byte UDP packets processed while the FortiGate is operating in NAT mode. Antivirus performance is measured based on HTTP traffic with 32-Kbyte file attachments, and IPS performance is measured based on UDP traffic with 512-byte packet size. Actual performance may vary depending on network traffic and environments.

Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.

Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

FG-620B-FAQ-R4-1108
