
Introducing FortiGate 6000 Series

Rajoo Nagar
February, 2018

© Copyright Fortinet Inc. All rights reserved.


DX [Digital Transformation] is the integration of digital technology into all areas of a business, resulting in fundamental changes to how businesses operate and how they deliver value to customers
Digital Enterprise Edge

• More Apps (threat protection becoming the norm)
• More SSL (60%+ of traffic encrypted)
• More throughput (because of cloud)

What is TP (Threat Protection) Performance?

[Diagram: FW + App Control, IPS, AV]

Threat Protection Performance is measured when FW, App Control, IPS and AV services are turned on

Why is Threat Protection Performance Important?

79% of organizations reported critical severity exploits [2]
$11.7M global average cost of cyber crime in 2017
2-7 days average time from containment to remediation

Notes/Sources:
1. Fortinet Threat Landscape Report Q3 2017
2. Accenture 2017 Cost of Cybercrime Study
3. 2017 Sans Incident Response Survey

Why is it Important to Inspect Secure (SSL) Traffic?

• To ensure all traffic, including encrypted, is subject to the same security inspection.
• If you are not inspecting secure traffic you are leaving the door wide open for cyber criminals.

SSL Traffic Increasingly Insecure

SSL Traffic: 80% of enterprise web traffic will be encrypted by 2019*
Encrypted Malware: 50% of attacks targeting enterprises will use SSL in some form by 2019*

Source: Gartner

Fortinet Addresses Stringent Throughput, Threat Protection & SSL Needs

Introducing FortiGate 6000 Series

• Fortinet’s 6000 series of next-generation firewalls deliver the highest threat protection performance in a compact appliance form-factor to meet the most demanding network security needs

We Announced the 6000 Series on February 5th, 2018

FortiGate 6000 Series
A New Line of Very High End Next Generation Firewall Appliance

New NGFW series for Enterprise Edge Environments

• Ultra-high Performance Compact NGFW - Up to 100 Gbps threat protection in a streamlined appliance
• Industry’s Highest SSL Inspection Performance - Delivers SSL inspection and advanced security for encrypted traffic without imposing performance penalties
• Flexible Network Interfaces – 10G/25G/40G and 100G for modern network architectures migrating from 10GE to 100GE
• 3 RU Form Factor
• Hot Swappable Redundant Power Supplies
• 2TB SSD Local Storage
• Single Pane of Glass Management

FortiGate 6000 Series
Two Models: FG-6300F and FG-6500F
Available end of March, 2018

FortiGate 6000 Series – Fastest Threat Protection Appliance
One License. One FortiOS. One User Interface. Single Pane of Glass.

Fastest NGFW Appliance on the Market

FortiGate 6300F   PA-5260    Cisco-FP-4140   Check Point 23800
$180,000          $180,000   $210,000        $172,000

Fortinet is Leading the Industry in Advanced Security Throughput


*FG-6500F Target Threat Protection Performance numbers - please refer to Datasheet for specifications

FortiGate 6000 Series – Industry’s Highest SSL Inspection

SSL Inspection Use Cases
• Enterprise & Campus Edge
• Data Center Edge
• Data Center Core

FG-6300F/6500F
SSL Inspection Throughput (FW + IPS): 70 Gbps / 130 Gbps
Ciphers (measured with): AES256-SHA and TLS 1.2 (industry mandated)

New Architecture with CP9 Provides
• SSL Acceleration
• Full Pattern Matching – IPS
• VPN Suite B Cryptography

Where Does the 6000 Series Fit in the Network?

[Diagram labels: CLOUD, WAN]

Enterprise Edge
• Expanded digital attack surface (Threat Protection performance)
• Need to inspect encrypted SSL traffic
• Scale to support growing volume of network & cloud traffic

Data Center Consolidation
• Adding more applications and more throughput
• Shrinking space and power
• Reduce device sprawl
• Ensure availability, resiliency of apps
• High security performance & capacity in smaller footprint

FortiGate 6000 Series – Architectural Innovation
• Advanced NGFW Architecture
  » Clear data plane and management plane separation
  » Hardware load balancing to achieve very high performance and session rates
  » Eliminates bottleneck introduced by traditional NGFW packet processing approaches, allowing support for exponentially increasing endpoint connections without imposing performance penalties

• Highly Resilient for Improved Experience
  » The resilient design includes management interface redundancy and hot swappable/redundant power supplies

FortiGate 6300F / 6301F

① 2 x GE RJ45 Management Ports
② 3 x GE SFP Management/HA Slots
③ 24 x 25/10GE SFP28/SFP+ Slots
④ 4 x 100/40GE QSFP28/QSFP+ Slots

Firewall throughput: 239 Gbps*
SSL Inspection Throughput: 70 Gbps*
Concurrent Sessions: 100 Million*
NGFW Throughput: 80 Gbps*
Threat Protection Throughput: 60 Gbps*
20,000 5,000 4,096 Yes

Large Enterprise / Data Center / Service Provider
NGFW / ISFW / DCFW / CCFW

* Target specification

FortiGate 6500F / 6501F

① 2 x GE RJ45 Management Ports
② 3 x GE SFP Management/HA Slots
③ 24 x 25/10GE SFP28/SFP+ Slots
④ 4 x 100/40GE QSFP28/QSFP+ Slots

Firewall throughput: 239 Gbps*
SSL Inspection Throughput: 130 Gbps*
Concurrent Sessions: 170 Million*
NGFW Throughput: 140 Gbps*
Threat Protection Throughput: 100 Gbps*
20,000 5,000 4,096 Yes

Large Enterprise / Data Center / Service Provider
NGFW / ISFW / DCFW / CCFW

* Target specification

Core Network Security Product Range
[Figure: FortiGate product range]
Features: Fabric Topology, Policy/Objects, NGFW, Application Control, IPSec, URL, Switching, IPS, Routing, AV, Sandboxing, Audit Reports, SD-WAN, Switch Controller, AP Controller
Products: FortiGate 30-90, FortiGate 100-900, FortiGate 1000-3000, FortiGate 6000, FortiGate 5000/7000, FortiGate 01 - Unlimited
Segments: Rugged, Entry-Level, Mid-Range, High-End, Ultra High-End, Chassis, Virtual Machine, Cloud
Security Processor (SPU) Powered / Virtualized

Industry Comparison
FortiGate 6000 Series Disrupting the NGFW Landscape
Real-World SSL Inspection on all FortiGate Datasheets

[Table: performance parameters by vendor: Fortinet, Palo Alto Networks, Checkpoint, Cisco]
Parameters compared: Firewall; FW + App Control; SSL Inspection (FW+IPS); NGFW (FW + App Control + IPS); Threat Prevention (FW + App Control + IPS + AV)
Test conditions listed: 1518/512/64B UDP; 1518B UDP; HTTP 1024B; HTTP 64K; TLS 1.2, AES-SHA 256; Enterprise Mix (private mix); Unknown

• Only security vendor to publish SSL performance
• Measured with industry mandated ciphers AES256-SHA and TLS 1.2
• Measured with IPS enabled for real-world scenario

Fortinet Support of Industry Mandated Ciphers for SSL

• DES/3DES in CBC mode [RFC2405]
• HMAC-MD5 (MD5 for SSL)
• HMAC-SHA1 (SHA1 for SSL)
• DES/3DES-HMAC-MD5 (MD5 for SSL)
• DES/3DES-HMAC-SHA1 (SHA1 for SSL)
• AES in CBC mode (Key length: 128bit/192bit/256bit)
• AES-HMAC-MD5 (MD5 for SSL)
• AES-HMAC-SHA1 (SHA1 for SSL)
• HMAC-SHA256/384/512 (only for TLS)
• DES/3DES-HMAC-SHA256/384/512 (only for TLS)
• AES-HMAC-SHA256/384/512 (only for TLS)
• NSA "Suite B": GCM-128/256 (only for TLS) RFC6460

6000 Series vs. Industry Average Spec Comparison
Specification | FortiGate 6300F | Industry Average (Based on same price) | Enterprise Benefits using 6300F
Firewall | 239 Gbps | 75 Gbps | 3x higher firewall throughput compared to industry average
Threat Protection (FW + AC + IPS + AV) | 60 Gbps | 18 Gbps | 3x higher threat protection throughput compared to industry average; benefits higher threat prevention
NGFW | 80 Gbps | 20 Gbps | 4x higher NGFW throughput compared to industry average; benefits higher application access control
SSL Inspection | 70 Gbps | < 6.5 Gbps | 11x better SSL inspection throughput compared to industry average; provides complete protection against rising SSL traffic
Concurrent Sessions | 100 Million | 36 Million | 3x higher sessions compared to industry average; increases the productivity as more users are getting benefit of complete security
HW Load Balancing | Yes | No | Enables higher connectivity and throughput with benefit of scaling to support influx of mobile/IoT traffic

Note: Industry average is calculated based on NGFW appliances from Palo Alto Networks, Checkpoint, and Cisco

Comparison of Similarly Priced NGFW*
Specifications | Palo Alto Networks PA-5260 (3U) | Check Point 23800 (2U) | Cisco FirePower FP-4140 (1U) | Cisco FirePower FP-4150 (1U) | Fortinet FG-6300F (3U) | Fortinet FG-6301F (3U)
FW Throughput | 72.2 Gbps (w/ AC) | 43 Gbps | 25 Gbps (w/ AC) | 30 Gbps (w/ AC) | 239 Gbps | 239 Gbps
NGFW Throughput (FW + AC + IPS) | 30 Gbps | 7.2 Gbps | 20 Gbps | 24 Gbps | 80 Gbps | 80 Gbps
Threat Prevention Throughput (FW + AC + IPS + AV) | 30 Gbps TP | 4.5 Gbps | Not published | Not published | 60 Gbps | 60 Gbps
SSL Inspection Throughput | 6.5 Gbps (SSL Decrypt only) | Not published | Not published | Not published | 70 Gbps | 70 Gbps
Concurrent Sessions | 32M | 51.2M | 25M | 30M | 100M | 100M
Network Interfaces | (4) GE Cu, (16) 10GE SFP+/SFP, (4) 40GE/100GE QSFP28 | (10) GE + 3 slots | Base: 8x GE (Cu), 8x 10GE SFP+, 4x 40GE QSFP+ | Base: 8x GE (Cu), 8x 10GE SFP+, 4x 40GE QSFP+ | 24x 10GE SFP+ / SFP28, 4x 40GE/100G QSFP28 | 24x 10GE SFP+ / SFP28, 4x 40GE/100G QSFP28
Storage | 240GB SSD, 2TB HDD | 2x 1TB HDD or 2x 480GB SSD | 400 GB | 400 GB | Nil (FortiAnalyzer) | 2TB SSD (NVMe)

Fortinet has disrupted the NGFW Landscape with the 6000 series
• Up to 10x faster Threat Prevention for the same price
• More storage, higher port density, higher session capacity
• Fortinet’s latest NGFW is the fastest in the industry, widening the gap between us and other NGFW offerings
* Publicly available performance numbers from datasheet and website

Comparison Based on Broader Selection Criteria

Palo Alto
NGFW Selection Criteria Fortinet Check Point Cisco
Networks

3rd Party Validated Security Effectiveness (NSS Labs consistently Recommended ratings for NGFW, DCSG, DCFW, DCIPS, NGIPS Tests) | ✓ | Partial | Partial | ✓
Threat Protection Throughput | ✓ | ✓ | X | X
SSL Inspection Throughput | ✓ | X | X | X
Intrusion Prevention (IPS) Throughput | ✓ | Partial | Partial | Partial
Concurrent sessions | ✓ | Partial | Partial | Partial
IPsec VPN Throughput | ✓ | X | X | X
Single Pane of Glass | ✓ | ✓ | ✓ | X
Price/Performance | ✓ | Partial | X | X

Fortinet Leading and Recommended …as a NGFW
FortiGate Enterprise Firewall

Gartner Enterprise FW MQ 2017: Leader
NSS Labs 2017 NGFW Testing: Recommended (FG-3200D)

[Figure: NSS Labs 2017 Next Generation Firewall (NGFW) Security Value Map™]

..And Leading as Data Center Security Gateway (DCSG)
FortiGate Enterprise Firewall

NSS Labs 2017 DCSG Testing: Recommended

FG-3000D FG-7060E

• Both Recommended
• Best TCO
• Fastest IPS Performance
• Near Perfect Exploit block
• 100% Evasions blocked

