
FortiSwitches and Security Fabric

Dan Gabor, Systems Engineer


dgabor@fortinet.com
February 2019

© Copyright Fortinet Inc. All rights reserved.
Introduction

Challenges at the Access Layer

Number of Devices: 30 billion devices by 2020
Security: Threats are more complex and breaches more common and expensive
Management: IT management complex, qualified personnel scarce

Integrating Network Access in the Fortinet Security Fabric
There is no other way…

Fortinet Security Fabric
A Security Architecture that provides:

BROAD Visibility & Protection of the Digital Attack Surface
INTEGRATED Detection of Advanced Threats
AUTOMATED Response & Continuous Trust Assessment

Delivered as: Appliance, Virtual Machine, Hosted, Cloud, Software

Secure Unified Access

Products and services necessary to provide secure network connectivity, wired or wirelessly, to users of the Fortinet Security Fabric

FortiAP, FortiWLC, FortiWLM: Wireless Infrastructure
FortiSwitch: Switching Infrastructure
FortiNAC: Network Access Control
FortiAuthenticator, FortiToken, FortiConnect: Identity and Identity Management

Appliance, Virtual Machine, Hosted

[Diagram labels: MANAGEMENT-ANALYTICS, NETWORK, UNIFIED ACCESS, ADVANCED THREAT PROTECTION]

FortiSwitch in Security Fabric

Fortinet Secure Unified Access

Secure
FortiSwitch Pervasive Security through Fortinet Security Fabric Integration.
Simple
Multiple Simplified Management, Deployment, and Network Architectures.
Scalable
Stackable up to 300 switches per FortiGate.

FortiSwitch becomes a logical extension of the FortiGate

FortiSwitch Deployment Options

FortiGate Managed: Via FORTILINK. Security Fabric Enabled.
Standalone: Industry Standard Deployment Model

[Diagram labels: FortiLink, GUI, API, Command Line]

New Cloud Management Options for FortiSwitch

FortiSwitch Cloud: Manage Stand Alone FortiSwitch Deployment
FortiCloud 3.3: Manage FortiLink Enabled FortiSwitch Deployment

[Diagram labels: FortiLink, GUI, API, Command Line]

FortiSwitch integration with FortiGate
FORTISWITCH BECOMES A LOGICAL EXTENSION OF FORTIGATE

• First
» A special connection is used (FORTILINK)
» Specific protocols (CAPWAP, API, NTP, LLDP) and information are exchanged between FG and FSW (heartbeats, config, monitor, user data)

FortiSwitch integration with FortiGate
FORTISWITCH BECOMES A LOGICAL EXTENSION OF FORTIGATE

• Then
» VLANs are defined
» VLANs are assigned to ports
» Other configurations for switches are centralized in FG (like 802.1X, etc.) that can be applied to ports
» Monitoring allows port status inspection, PoE, VLANs assigned, etc.

Integrated Security
It is our mission

FortiSwitch integration with FortiGate
FORTISWITCH BECOMES A LOGICAL EXTENSION OF FORTIGATE

• Then
» Configured VLANs become FW interfaces in FG
» FG Security Policies can be applied to protect traffic as desired

Workflow Automation

TRIGGERS: System Events, Threat Alerts, External Inputs
AUTOMATED WORKFLOW
ACTIONS: Adjust Configuration, Notification, Reports

Automated workflows using triggers to deliver appropriate actions

Automated response to compromised devices
TAKING RESPONSE TIME OUT OF THE EQUATION

• How it works
» A device is detected as compromised by one element of the fabric
» Switches and APs can automatically quarantine the device at the access layer

• Why it's important
» Compromised IoT devices are no longer a threat to the wider network
» Guest devices (if infected) will be dealt with automatically

Full Visibility and Security Control

Simplified Management
Because you need it…

Simplified Management
KEY POINTS

• Zero touch provisioning
» No configuration is needed on FSW

• Stacking
» Offers single IP address management (FG's Management IP Address)
» Stacking links are created automatically (no need to configure them)

• Topology integration, device monitoring
» All information you need to monitor

Stacking
FGT is single IP for management

MCLAG or STP running in the inter-switch links
Each inter-switch link is formed automatically
Each FSW is a separate unit

FortiSwitch in Fortinet Security Fabric

FortiSwitch Topology Example

FortiSwitch Manager Module
FSW in FortiLink Mode

Scalability
Because it’s important

Scalability
KEY POINTS

• Support up to 300 switches per FortiGate
» Easy to add, plug and play

• Stacking
» You can have one big network

• Flexible deployment options
» Data Center or Campus

From simple to advanced deployment
Single FG or HA

Large Enterprise Deployment
MCLAG – Link and Switch Redundancy

• Allows more bandwidth and resiliency

[Diagram: MCLAG topology across rack1, rack2, rack3]

Product Lineup
From Campus to Data Center

FortiSwitch Gigabit Access Switch Family

Entry: 100 Series
• Entry Level Switch
• Desktop to wiring closet.
• 8 to 24 ports, POE Capable
• (2) Gigabit Ethernet SFP uplink ports

Mid Range: 200 Series
• Mid level Switch
• Typical wiring closet switch.
• 24 to 48 ports POE+ Capable
• (4) Gigabit Ethernet SFP uplink ports

Premium: 400 Series
• Enterprise Switch
• Large wiring closet or highspeed uplink req.
• 24 to 48 ports POE+ Capable
• Up to (4) 10 Gigabit Ethernet SFP uplinks

Aggregation: 500 Series
• Aggregation Switch
• 24 to 48 ports POE+ Capable
• Up to (4) 10 Gigabit Ethernet, (2) 40 Gigabit Ethernet SFP uplinks

FortiSwitch Aggregation Switch Family

1000 Series
• 10 GbE Aggregation Switch
• 24 or 48 ports
• Four QSFP28 100 GbE Uplinks or Six 40 GbE QSFP+
• Two Dual hot swappable power supplies

3000 Series
• 40 GbE Aggregation Switch
• 32 ports
• Dual hot swappable power supplies

FortiSwitch Rugged Switch Family

• Rugged Access Switch
• 12 or 24 GbE ports
• Passive cooling, No fans or moving parts
• Redundant power inputs
• Built to IP30 standards

112D-POE
• 8x GE RJ45, 4x GE SFP slots
• 8x GE Ports are PoE/PoE+ capable.

124D Switch
• 16x GE RJ45, 4x GE SFP slots
• 8 shared media interfaces (GE RJ45 / GE SFP slots)

Use cases
2 out of many…

Use Case One

Distributed Enterprise Retail - K-12 - Healthcare

Use case profile: Branch / Retail
Lean IT organizations.
Local support limited or not available.
Mandated Security.
Requirements such as PCI, HIPAA, CIPA.
Constant Change.
Requirements change quickly, new users and systems under constant review

Why Fortinet:
Ease of Management
Manage Security, Access, and WAN in one interface
Simple to provision and manage
Proven Effective Security
Easy to Scale

[Diagram labels: FortiGate, Secure SDWAN]

Use Case Two

Large Distributed Enterprise and Campus

Use case profile:
Constant Change.
Requirements change quickly, new users and systems under constant review
Reduce Management Complexity
Limit the number of screens
Ease provisioning and time to resolution

Why Fortinet:
Adaptable
Architecture able to securely and quickly scale.
Ease of Management
Manage Security, Access, and WAN in one interface.

[Diagram labels: FortiGate, Secure SDWAN]

WHY Fortinet
And this is your decision

Why Our Customers Choose Fortinet Ethernet

Fortinet Security Pedigree
FortiSwitch integrates directly into the Security Fabric via FortiLink
Easy to implement port level Role Based Access and Control.
Simplified Management
Manage security and access from one familiar interface
No license for FortiGate management