• Perspective
Published on 25 July 2022

FORTINET XPERTS SUMMITS in Madrid

As sophisticated new cyber threats continue to impact the security of businesses around the world, it's critical that organizations have the support they need to defend against them. This includes the partners they rely on for security expertise. Fortinet hosts annual regionally organized EMEA XPERTS Summit events for its partners to ensure they are up to date on the latest Fortinet technologies and solutions and maintain their cybersecurity expertise.

This event organized by Fortinet takes place every year in a different city in Europe.
This year the event was held in Madrid.

The concept of the event is that all participants work hands-on with the different Fortinet technologies after a short presentation: 4 days of sessions, one in the morning and one in the afternoon. Each session presents a cybersecurity solution, followed by a practical lab of about 3 hours, which lets us work in a practical way on the topic proposed by Fortinet.
It can be a familiar topic in its new version, or a new topic that attracts our technical interest.
To participate, you need to have a partnership with Fortinet and be at least NSE 4 certified.
Most of the people I met were integrators.
But I think that as consultants we also have a place there, because new solutions coming onto the market can be interesting for our customers.

The event started with a plenary session explaining the week's proceedings, followed by a buffet.
It ended at the Jarama circuit, where the finalists of the Fortinet Fabric Challenge competed. The finalists had several configurations to perform in the following areas:

  • Wan-Remediation
  • BGP Self Healing
  • Fabric Orchestration
  • SASE - SIA
  • SASE - ZTNA

The challenge as a whole touches several cross-cutting Fortinet technologies such as FortiNAC, FortiClient, SSO, SAML login, SD-WAN, BGP routing, SASE and Zero Trust Network Access (ZTNA), Fortinet Identity and Access Management (IAM), FortiManager, FortiGate and FortiSwitch.

The challenge, which we were able to attend, ended with a meal to which we were all invited.
I found myself at my table with some Swiss people with whom I could converse (in German), which made me realize that there were many integrators at the event, and also many NSE 8s.

My session schedule:

Day 1: Building an MSSP SD-WAN Service Portal
First Inline Protection with the New FortiDDoS F-Series (DPDK)

Day 2: Wired LAN Edge Simplified Security
Threat Hunting with FortiSIEM and FortiSOAR

Day 3: Here's why Fortinet Continues to Move Up and Right in the Gartner WLAN MQ
FEX update: New Products and New usages

1. Building an MSSP SD-WAN Service Portal

This presentation provided an overview of Fortinet's new product, FortiPortal.

It is a self-service portal that allows users to manage the security of FortiManager, FortiGate, VMs, VDOMs, FortiWiFi, VPN and SD-WAN through a single user portal.

Mode of operation:

  • All configurations/updates are sent directly to the FortiPortal, which replicates them via an API to the FortiManager for all MSSP (Managed Security Service Provider) Admins; the FortiGate is then updated from the FortiManager.
  • The logs are either sent directly to the FortiPortal or to the FortiAnalyzer, which forwards them to the FortiPortal using an MSSP Admins account.
  • The different VPN and SD-WAN connections can be configured directly on the FortiPortal.
  • WiFi analysis through the FortiPortal portal.
  • SAML and SSO access management on FortiPortal.

Benefits :

  • FortiPortal enables FortiManager configuration without the need for ADOM access
  • FortiManager, when used through FortiPortal, is not exposed to the public network
  • A single interface to administer all devices managed by FortiManager and FortiAnalyzer
  • Visibility and analysis of all security devices

Lab :

Configure FortiPortal, FortiManager and FortiAnalyzer to act as SAML service providers that authenticate your Fortinet administrators against FortiAuthenticator.

2. First Inline Protection with the New FortiDDoS F-Series (DPDK)

My first steps in Cybersecurity at Fortinet.

This presentation explained how the FortiDDoS F-Series, with its massively parallel machine-learning architecture, combats DDoS attacks while providing the most advanced and lowest-latency DDoS mitigation on the market today, without the performance compromises normally associated with CPU-based systems.

Application used: FortiDDoS

FortiDDoS protects against all attacks from all layers of the OSI model.

Benefits and advantages of the FortiDDoS solution:

FortiDDoS does not rely on signature files that need to be updated with the latest threats, so you are protected against known and unknown (zero-day) attacks. For example, there are no signatures or regexes for protocols: all 256 IP protocols are monitored for every packet.

More than 230,000 parameters are monitored in each direction in each of the 4 to 16 protection profiles (which is why no signature is required, as noted above).

Unlike competitors, every packet in every flow is inspected: millions of connections with thousands of monitored parameters per connection. Some attacks can be stopped at the FIRST packet. All mitigation takes effect in under 2 seconds; other vendors take up to 18 s, and ISPs typically 5 minutes or more.

It minimizes the risk of "false positive" detection by reassessing the attack every 15-60 seconds to ensure that "good" traffic is not disrupted.

FortiDDoS is designed for the smallest packet sizes and the highest pps rates at the quoted line rates. For example, the highest theoretical pps for 2x10GE is 30 Mpps; the FDD-1200B was tested at over 40 Mpps (note that the E and F series have different limits).

FortiDDoS continuously learns traffic patterns for millions of parameters and automatically adjusts important parameters for seasonality.

Mitigation is fully autonomous and no user intervention is expected.

Reporting can be done per attack (B/E) or at regular intervals.

With massively parallel behavioral algorithms, FortiDDoS can detect and mitigate simultaneous DDoS attacks, from basic bulk volumetric floods to sophisticated Layer 7 SSL-based attacks.

Lab:

How FortiDDoS inspects 100% of incoming and outgoing Layer 3, 4 and 7 packet flows and mitigates multi-vector attacks by using autonomous machine learning to create adaptive baselines of hundreds of thousands of parameters.
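As an added illustration of the behaviour-based approach described above (a sketch written for this article, not FortiDDoS code and not the vendor's algorithm), the following Python example learns a per-hour baseline for a few traffic parameters, starts mitigation when a count exceeds a multiple of that baseline, and releases it as soon as a reassessment interval shows the parameter back within baseline, so legitimate traffic is not disrupted. The learning rate, tolerance factor, 24-bucket daily cycle and the sample packet counts are all assumptions constructed for the example.

```python
"""Toy adaptive-baseline DDoS detector. Not FortiDDoS code; learning rate,
tolerance and the 24-bucket daily cycle are assumptions for the illustration."""

ALPHA = 0.2         # EWMA learning rate (assumed)
TOLERANCE = 3.0     # mitigate when count > TOLERANCE x learned baseline (assumed)
MIN_BASELINE = 100  # floor so a near-zero baseline cannot trigger on tiny counts
PERIOD = 24         # one baseline bucket per hour of a daily cycle (seasonality)


class AdaptiveBaseline:
    def __init__(self):
        self.baseline = {}  # (parameter, hour-of-day) -> EWMA baseline

    def observe(self, param, interval, count):
        key = (param, interval % PERIOD)
        old = self.baseline.get(key)
        self.baseline[key] = count if old is None else old + ALPHA * (count - old)

    def is_anomalous(self, param, interval, count):
        base = self.baseline.get((param, interval % PERIOD))
        if base is None:  # nothing learned yet: never mitigate blindly
            return False
        return count > TOLERANCE * max(base, MIN_BASELINE)


def run_detector(samples):
    """samples: (interval, parameter, packet_count) rows, one per reassessment
    interval. Returns (interval, parameter, 'mitigate'|'release') transitions."""
    det, active, events = AdaptiveBaseline(), set(), []
    for interval, param, count in samples:
        if det.is_anomalous(param, interval, count):
            if param not in active:
                active.add(param)
                events.append((interval, param, "mitigate"))
            continue  # flood counts are never learned into the baseline
        if param in active:  # reassessment shows the parameter back in baseline
            active.discard(param)
            events.append((interval, param, "release"))
        det.observe(param, interval, count)
    return events


def constructed_samples():
    """Constructed input: two quiet days of SYN/UDP counts with a daytime bump,
    then a SYN flood in intervals 48-50 that stops at 51."""
    rows = []
    for t in range(54):
        syn = 60000 if 48 <= t <= 50 else 500 + (300 if 8 <= t % PERIOD <= 18 else 0)
        rows.append((t, "syn", syn))
        rows.append((t, "udp", 1000))
    return rows
```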

3. Wired LAN Edge Simplified Security

This presentation based on Fortinet's switching was divided into three parts:

  • Securing a LAN & WLAN network
  • FortiLink v. 7.2
  • FortiSwitch v. 7.2

Securing a LAN network:

  • Security visibility
  • Segmentation (LAN & WLAN, SD-WAN prioritization, SD-Branch control)
  • LAN & WLAN micro-segmentation
    o Intra-VLAN traffic blocking
    o Intra-SSID traffic blocking
  • Advanced profiles
    o LLDP
    o 802.1X authentication
    o QoS
  • Isolation of unknown devices to a Guest network segment
  • Quarantine of compromised devices
  • Dynamic prevention of unknown devices from reaching the network
  • Securing WiFi access points (FortiAP), switches (FortiSwitch), firewalls (FortiGate) and WiFi controllers through a single dynamic link, FortiLink
  • Enhanced SD-Branch (switch, AP, firewall, FEX) security with FortiNAC (Network Access Control)
  • Zero Touch Deployment for all devices sent to a branch or teleworker (FortiManager pushes the configuration of all devices from FortiZTP)

FortiLink v. 7.2 :

  • Improved diagnostics for FortiSwitch (PortHealth, MCLAG ICL Health, Port Statistics, Clients)
  • Enhanced FortiSwitch ports (in terms of columns for better visibility and diagnostics)
    o Dynamic VLAN and Transceiver power
    o Option to reset counters
    o Trunks (LACP mode)
  • VXLAN - FortiLink L3

FortiSwitch v. 7.2 :

  • VXLAN tunnel (FSW)
  • Wake-on-LAN (WoL)

Lab :

  • Pre-authorization of FortiSwitch using a wildcard
  • Create an MCLAG topology
  • FortiSwitch NAC policy (segmentation by VLAN)
  • FortiSwitch management using VXLAN interfaces

4. Threat Hunting with FortiSIEM and FortiSOAR

This presentation was my second foray into Cybersecurity. It presented the latest features of the latest versions of FortiSIEM Manager and FortiSOAR. A quick reminder about SIEM (Security Information and Event Management), whose purpose is to:

  • Collect and store security event data from network devices for further analysis of the cause of an event
  • Enable organizations to detect threats and breaches earlier
  • Provide the information needed to remediate and prevent future threats
  • Perform real-time analysis

FortiSIEM is a seamless platform that performs automated network and security operations and can correlate security event data with network and infrastructure performance data to provide real-time SOC and NOC analysis.

FortiSIEM in its new version 6.5 includes a management console (FortiSIEM Manager):

  • Centralized monitoring of up to 50 remote FortiSIEM instances
  • View, delete, modify, and add comments to incidents
  • Run FortiSOAR, runbooks, and connectors

FortiSOAR (Security Orchestration, Automation, and Response) is an add-on module to FortiSIEM. FortiSOAR is a solution dedicated to modern SOCs, with many features: SOC queue management, vulnerability management, out-of-band (OOB) resource management, metrics repository, business reporting, SLA monitoring and more.

FortiSOAR makes it easy for security analysts to investigate alerts and understand, analyze and manage the data.

  • Management of alert and incident lists in a grid format with information filtering
  • Mini dashboard for each grid for greater visibility and better identification of trends
  • Define new modules and customize fields, views and permissions
  • Define client views, data models, fields and grids using the graphical editor

The latest version of FortiSOAR 7.2.0 offers the following new features:

  • Content Hub
  • Threat Intelligence Management
  • ML Phishing classifier

Lab :

  • Configure the collector on the FortiSIEM supervisor
  • Install the FSM Server agent
  • Configure Netflow on the FortiGate
  • Threat hunting scenario exercise (phishing)

5. Here’s why Fortinet Continues to Move Up and Right in the Gartner WLAN MQ

A foray into wireless networking as seen by Fortinet. This presentation allowed me to see what Fortinet offers compared to Cisco AireOS, IOS XE or Cisco Meraki.

The first strength of Fortinet is that it converges the firewall, switching, WiFi and NAC parts into a single console inside the FortiGate. The main new wireless networking features in version 7.0.4 are:

  • DARRP enhancements
  • Support for channel bandwidth
  • Support for multiple DARRP profiles
  • Optimized scheduling per profile
  • Support for WPA3 on FortiWiFi
  • Dynamic VLAN assignment by tag name
  • Optimized broadcast/multicast over AP
  • 802.1X enhancements
  • Syslog server inside a FortiAP profile
  • MAC address client filtering
  • Automatic update of FortiAP firmware
  • 802.11ax BSS coloring
  • Security profile on FortiAP

Lab: Using FortiGate as a real wifi controller (WLC)

6. FEX update : New Products and New usages

Probably the part of wireless networking I knew least about.

FortiExtender (FEX) units are devices that extend a LAN or WAN network using a 4G/5G module.

How does it work?

  • The FortiGate is usually located in the back-office or IT bays
  • This is not a good location for optimal 3G/4G reception
  • To overcome this problem, FortiExtender is used to avoid signal loss and get closer to the cell tower, while staying INSIDE

WAN extension (FortiExtender):

  • Primary connection
  • Secondary connection
    • Always on
    • On demand
    • SD-WAN Rules
  • Multiple links

Three possibilities for the management of FortiExtender:

  • FortiGate-managed (main use)
    • FEX is directly connected to FortiGate
  • Stand-Alone (FEX is administered through a console GUI)
    • Only FEX
  • Administration through FortiExtender Cloud via LTE Internet
    • A device is connected to the FortiExtender which connects to the LTE Internet to join the FortiExtender Cloud

We didn't have any labs on this session, just demos on how to configure the FEX, either on a FortiGate or through the Cloud solution.

Author

Patrice Beau

Article written by
Tristan Loret