FortiOS PDF
Fortinet’s Network Operating System
Broad Visibility
The FortiOS provides IT teams a holistic view into devices, traffic, applications, and events and the ability to stop a threat anywhere along its attack chain.

Integrated Detection
Supports the coordinated detection of advanced threats through sophisticated and centralized analytics.

Automated Response
As part of the latest Fortinet Security Fabric, the FortiGate is able to automatically provide continuous trust assessment and then provides an immediate, coordinated response to detected threats.

What’s New — Highlights
- Security Fabric Automation
- Indicator of compromise (IOC) quarantine and IP ban
- Security ratings ranking and expanded rating rules
- Asset tagging
- Multi-path intelligence for SD-WAN
- Multi-cloud support with Fabric Connectors
- External Web Filter black lists
- New FortiGuard services
DATA SHEET
FortiOS™ 6.0
OVERVIEW
HIGHLIGHTS
Security Fabric
The Security Fabric enables security to dynamically expand and adapt as more and more workloads and data are added, and at the same time, seamlessly follow and protect data, users, and applications as they move back and forth between IoT, smart devices, and cloud environments throughout the network.
A FortiGate firewall may be deployed at the heart of the Security Fabric, expanding its security reach via visibility and control, by
[Figure: Security Fabric diagram; labels: FortiManager, FortiAnalyzer, FortiSIEM, FortiGate, Integration, Partner API, FortiGateVM, FortiOS, FortiClient, FortiWeb, FortiSandbox]
Visibility
FortiView, in FortiOS 6.0, provides you with 360° visibility into your network traffic. With a single click you can view traffic by source,
destination, application, threat, interface, device, policy, and country. Graphical visualizations, such as country and topology maps and
volume-based bubble charts are available in addition to comprehensive table views. These enable you to identify issues quickly and
intuitively.
Security Rating
The Security Fabric Audit is a feature that allows you to analyze
your Security Fabric deployment to identify potential vulnerabilities
and highlight best practices that you can use to improve your
network’s overall security and performance. Also, by checking your
Security Fabric Score, which is determined based on how many
checks your network passes/fails during the Audit, you can be
confident that your network is getting more secure over time.
Automation
Stitches are new administrator-defined automated workflows that
use if/then statements to cause FortiOS to automatically respond to
an event in a pre-programmed way. Because stitches are part of the
Security Fabric, you can set up stitches for any device in the Security
Fabric.
Central Management and Provisioning
Feature highlights:
- Fortinet/third-party automation and portal services support via APIs and CLI scripts
- Rapid deployment features including cloud-based provisioning solutions
- Developer community platform and professional service options for complex integrations
The Fortinet advantage:
- Comprehensive APIs and CLI commands offer feature-rich service enablement.
- Comprehensive rapid deployment options save time and costs.
- Fortinet Developer Network (FNDN) empowers large service providers and enterprises with shared implementation/customization/integration knowledge.

Cloud and SDN Integration
Feature highlights:
- Multi-cloud support via integration with Openstack, VMware NSX, Nuage Virtualized Services, and Cisco ACI infrastructure
- NEW: Ease of configuration with GUI support and dynamic address objects
The Fortinet advantage:
- Robust and comprehensive SDN integration capabilities allow organizations to implement cloud solutions securely without compromising agility.
Visibility
Feature highlights:
- Drill-down and topology viewers that illustrate real-time and historical threat status and network usage with comprehensive contextual information
- Aggregated data views with remote control of downstream FortiGates
The Fortinet advantage:
- One-click remediation against listed sources/destinations offers accurate and quick protection against threats and abuses.
- Unique threat score system correlates weighted threats with particular users to prioritize investigations.
- Fabric-wide views expand visibility beyond a single security entity, allowing organizations to quickly spot problems and address them.

Automation
Feature highlights:
- NEW: Wizard-based automation workflow that performs appropriate actions based on triggers defined, across Security Fabric
- NEW: Automatically quarantine compromised hosts using FortiClient via EMS or connection via FortiSwitch and FortiAP
The Fortinet advantage:
- Reducing risk exposure, and replacing manual security processes with automation also helps address the organizational challenges of tighter budgets and a skilled staffing shortage.

Authentication Authorization and Accounting (AAA)
Feature highlights:
- Interface with FortiAuthenticator and a wide variety of external identity management systems to facilitate user authentication processes.
- Wide-ranging single sign-on identity acquisition methods, including Windows AD, terminal servers, access portals, and mail services
- Built-in token server that manages both physical and mobile tokens for use with various FortiOS authentication requirements such as VPN access and FortiGate administration.
The Fortinet advantage:
- FortiOS integrates with a wide variety of AAA services to facilitate user admission control from various entry points, giving users a simplified experience while implementing greater security.
- Easily implement two-factor authentication for user and administrator access at little cost.

Compliance & Security Rating
Feature highlights:
- Periodic system configuration check using a pre-defined PCI-compliance checklist
- Endpoint enforcement: posture checking profile assignment based on device/user groups
- Fabric-wide FortiGate security configuration and client vulnerability status checks
- NEW: Security rating ranking benchmarks against peers
The Fortinet advantage:
- Automates compliance auditing, which frees up administration resources.
- Simplified mobile user security enforcement by easily distributing and updating clients’ security profiles that are consistent with gateway protection.
- Quickly verify the status and health of your setup and connected devices within the Fabric and identify any gaps that can potentially leave you at greater risk.

Advanced Threat Protection (ATP)
Feature highlights:
- Flow- and proxy-based AV options for choice between protection and performance
- Local file quarantine (for models with storage)
- Anti-bot capability using IP reputation DB terminates botnet communication to C&C servers
- Receive dynamic remediation (malicious file checksum and URLs) DB updates and detail analysis reports from external Fortinet file analysis solution (FortiSandbox)
The Fortinet advantage:
- Supported by proven and industry-validated AV research services
- Ability to adopt robust ATP framework that reaches mobile users and branch offices, detecting and preventing advanced attacks that may bypass traditional defenses by examining files from various vectors, including encrypted files

Vulnerability Assessment
Feature highlights:
- Endpoint vulnerability views that present ranked vulnerable clients with details
The Fortinet advantage:
- Easily identify vulnerable hosts across the fabric.

IOC Detection
Feature highlights:
- NEW: IOC service integration displays IOC detection data from FortiAnalyzer onto FortiView and topology maps
The Fortinet advantage:
- Administrators can easily identify suspicious hosts and quickly or automatically quarantine them.

Wireless Controller
Feature highlights:
- Integrated wireless controller for Fortinet’s wide range of AP form factors, including indoor, outdoor, and remote models, with no additional license or component fees
- Enterprise-class wireless management functionality, including rogue AP protection, wireless security, monitoring, and reporting
- 802.3az support on WAVE2 WiFi APs
- Manage distributed cloud-based FortiAPs
The Fortinet advantage:
- The wireless controller integrated into the FortiGate console provides true single-pane-of-glass management for ease-of-use and lower TCO.

Switch Controller
Feature highlights:
- Integrated switch controller for Fortinet access switches with no additional license or component fees
- Improved GUI configuration support
The Fortinet advantage:
- Expands security to access level to stop threats and protect terminals from one another

WAN Interface Manager
Feature highlights:
- Supports the use of 3G/4G modems via USB port or FortiExtender
The Fortinet advantage:
- Allows organizations to use or add 3G/4G connectivity for WAN connections while maintaining access control and defining usage for those links
Operation
FortiOS provides a broad set of operation tools that make identification and response to security and network issues effective. Security
operations is further optimized with automations, which contribute to faster and more accurate problem resolutions.
Log & Report
Feature highlights:
- Detailed logs and out-of-the-box reports that are essential for compliance, audits, and diagnostic purposes
- Real-time logging to FortiAnalyzer and FortiCloud
- Common Event Format (CEF) support
- Logging consolidation within Security Fabric
The Fortinet advantage:
- Includes deep contextual information, including source device details and strong audit trail
- GUI Report Editor offering highly customizable reports
- Managing logs holistically simplifies configuration and guarantees that critical information from every FortiGate is centrally collected and available for analysis. This closes any gaps in intelligence.

Diagnostics
Feature highlights:
- Diagnostic CLI commands, session tracer, and packet capture for troubleshooting hardware, system, and network issues
- Hardware testing suite on CLI
- Policy and routing GUI tracer
The Fortinet advantage:
- Comprehensive diagnostic tools help organizations quickly remediate problems and investigate abnormal situations.

Monitoring
Feature highlights:
- Real-time monitors
- NOC Dashboard
- NEW: IOS push notification via FortiExplorer app
The Fortinet advantage:
- Dashboard NOC view allows you to keep mission-critical information in view at all times. Interactive and drill-down widgets avoid dead-ends during your investigations, keeping analysis moving quickly and smoothly.

Device Identification
Feature highlights:
- Identification and control of network access for different types of devices present on the network
- Improved device identification and management
The Fortinet advantage:
- Empowers organizations to add critical security to today’s BYOD environment by identifying and controlling personal devices

SSL Inspection
Feature highlights:
- Effectively examine SSL-encrypted traffic with various security controls, such as AV and DLP
- High-performance SSL inspection with content processors
- Reputable sites database for exemptions
The Fortinet advantage:
- Identify and block threats hidden within encrypted traffic without significantly impacting performance

Actions
Feature highlights:
- Implements security policies that use a combination of source objects, IPs, users, and/or devices
- Highly customizable notifications are sent when user activities are not allowed
- Automatically or manually quarantine users/attackers
- Directs registered FortiClient to host quarantine
The Fortinet advantage:
- Flexible policy setup using additional identified elements and active user notifications assist organizations in implementing effective network security, while robust quarantining features help to mitigate threats
Security
FortiGuard Labs provides the industry-leading security services and threat intelligence delivered through Fortinet solutions. FortiOS manages
the broad range of FortiGuard services available for the FortiGate platform, including application control, intrusion prevention, web filtering,
antivirus, advanced threat protection, SSL inspection, and mobile security. Service licenses are available a-la-carte or in a cost-effective
bundle for maximum flexibility of deployment.
- Recommended Breach Prevention Systems with 99% overall detection. (2017 NSS Breach Prevention Systems Test of FortiGate with FortiSandbox)
- Recommended Data Center Security Gateway with 97.87% and 97.97% security effectiveness. (2017 NSS Data Center Security Gateway Test with FortiGate 7060E and 3000D)
- Recommended Next Generation IPS with 99.71% overall security effectiveness. (2017 NSS Next Generation IPS Test with FortiGate 600D)
- ICSA Certified network firewalls, network IPS, IPsec, SSL-TLS VPN, antivirus.
IPS and DoS
Feature highlights:
- Regular and rate-based signatures, supported by zero-day threat protection and research for effective IPS implementation
- Integrated DoS protection defends against abnormal traffic behaviors
- CVE reference for IPS signatures
The Fortinet advantage:
- Proven quality protection with “NSS Recommended” award for superior coverage and cost/performance
- Adapts to enterprise needs with full IPS features and NGIPS capabilities, such as contextual visibility
- Supports various network deployment requirements, such as sniffer mode, and compatible with active-bypass FortiBridge or built-in bypass ports for selected model

Application Control
Feature highlights:
- Detects and acts against traffic based on applications while providing visibility on network usage
- Fine-grained control on popular cloud applications, such as SalesForce, Google Docs, and Dropbox
The Fortinet advantage:
- Superior coverage, including both desktop and mobile applications, enabling better management of network access policies.
- Applies deeper application inspections for better control and visibility as more enterprises rely on public cloud services

Web Filtering
Feature highlights:
- Enterprise-class URL filtering solution that includes quotas, user overrides, transparent safe search, and search engine keyword logging.
- Superior coverage with URL ratings of over 70 languages and identifies redirected (cached and translated) sites
The Fortinet advantage:
- Multi-layered anti-proxy avoidance capabilities with integrated application control and IPS allow organizations to implement air-tight web usage controls
Firewall
Feature highlights:
- High-performance firewall with SPU-powered appliance
- Easy-to-use policy management with unique Section or Global View options
- NGFW Policy-Based Mode
The Fortinet advantage:
- Industry’s top firewall appliance with superior cost-performance ratio

VPN
Feature highlights:
- Comprehensive enterprise-class features for various types of VPN setups
- SSL and IPsec VPN wizards
- NEW: Cloud-assisted one-click VPN
The Fortinet advantage:
- The FortiGate’s unmatched performance for VPN allows organizations to establish secure communications and data privacy between multiple networks and hosts by leveraging custom security processors (SPUs) to accelerate encryption and decryption of network traffic

DLP
Feature highlights:
- Monitor network traffic and stop sensitive information from leaving the network by matching against file format and content definitions
- The FortiExplorer Watermark Tool allows organizers to apply document marking for DLP
The Fortinet advantage:
- Prevent sensitive information from leaving the network, easily and cost-effectively

Email Filtering
Feature highlights:
- Highly effective, multilayered spam filters with low false positives
The Fortinet advantage:
- Cost-efficient anti-spam solution for small organizations or branch offices without requiring investment in an additional system
Networking
With FortiOS you can manage your networking and security in one consistent native OS on the FortiGate. FortiOS delivers a wide range of
networking capabilities, including extensive routing, NAT, switching, Wi-Fi, WAN, load balancing, and high availability, making the FortiGate a
popular choice for organizations wanting to consolidate their networking and security functions.
SD WAN
FortiGate SD-WAN integrates next generation WAN and security
capabilities into a single, multi-path WAN edge solution. Secure
SD-WAN makes edge application aware and keeps application
performance high with built-in WAN path controller automation. With
integrated NGFW, it is easier to enable direct internet access and
continue to keep a high security posture with reduced complexity.
L2 / Switching
Feature highlights:
- Ability to craft software switches or emulate VLAN switches from interfaces
- Support SPAN ports and port aggregation with multiple interfaces.
- Implement admission control modes on interfaces such as 802.1x or captive portal.
- Comprehensive WiFi and WAN interface configuration options
- VXLAN support
- NEW: EMAC VLAN Support
The Fortinet advantage:
- Flexible interface configurations offer various setup possibilities that best suit an organization’s network requirements, while providing optional access security

Offline Inspection
Feature highlights:
- Sniffer mode allows threat and usage monitoring of network activities offline
The Fortinet advantage:
- Offline mode provides flexibility when deploying into existing critical networks where in-line security solution is not yet appropriate
High Availability
Feature highlights:
- Support for industry standard VRRP and various proprietary solutions, with ability to combine more than one high availability solution into a single configuration
The Fortinet advantage:
- Flexible high availability offerings allow organizations to pick the most suitable solutions based on their network environments and SLA requirements

IPv6
Feature highlights:
- Comprehensive IPv6 support for routing, NAT, security policies, and more
The Fortinet advantage:
- Operating mode options provide flexibility when deploying into existing or new networks, reducing network change requirements

Explicit Proxy
Feature highlights:
- Explicit HTTP and HTTPS, FTP over HTTP, or SOCKS proxying of IPv4 and IPV6 traffic on one or more interfaces
- Transparent web proxy
The Fortinet advantage:
- Integrated, enterprise-class explicit web proxy provides HTTP and HTTPS proxying with the added benefits of UTM security and user identity

Essential Network Services
Feature highlights:
- A wealth of networking services such as DHCP, DNS server, NTP server etc.
The Fortinet advantage:
- Built-in, out-of-the-box capabilities let organizations quickly provide necessary network services to internal terminals or to integrate with other network devices
Platform Support
Performance
The FortiGate appliances deliver up to five times the next generation firewall performance and 10 times the firewall performance of equivalently priced platforms from other vendors. The high performance levels in the FortiGate are based on a Parallel Path Processing architecture in FortiOS that leverages performance, optimized security engines, and custom developed network and content processors. Thus, FortiGate achieved the best cost per Mbps performance value results.

Ultimate deployment flexibility
Protect your entire network inside and out through a policy-driven network segmentation strategy using the Fortinet solution. It is easy to deploy segment optimized firewalls, leveraging the wide range of FortiGate platforms and the flexibility of FortiOS to protect internal network segments, the network perimeter, distributed locations, public and private clouds, and the data center — ensuring you have the right mix of capabilities and performance for each deployment mode.
Virtual Systems
Feature highlights:
- Virtual Domains (VDOMs): Virtualized FortiOS components to multiple logical systems on a single virtual or physical appliance.
- Proxy and Flow-based VDOM options to simplify security profile settings
- NEW: Global security profiles
The Fortinet advantage:
- Offers MSSPs and large organizations the ability to run separate instances of FortiOS for multi-tenant environment or to consolidate various security gateways for lower TCO

Hypervisor
Feature highlights:
- Support for popular hypervisor platforms, including VMware vSphere, Citrix and open source Xen, KVM, and MS Hyper-V
The Fortinet advantage:
- Consistent management and features between physical and virtual appliances reduces management cost and simplifies deployments

Cloud
Feature highlights:
- Support for public cloud services: Amazon Web Services (AWS) and Microsoft Azure
The Fortinet advantage:
- Consistent management and features between on-premises and cloud platforms reduces management cost and simplifies deployments
SPECIFICATIONS
SYSTEM INTEGRATION
SNMP System Monitoring:
- SNMP v1 and v2c support
- SNMP v3 implementation includes support for queries, traps, authentication, and privacy
- SNMP traps alerting to events such as a full log disk or a detected virus
Traffic Monitoring:
- sFlow version 5 and Netflow V9.0
External Logging:
- Syslog
- Reliable syslog (RAW Profile) based on RFC 3195
- WebTrends WELF compatible
Technology ecosystem encompasses leading partners in the Firewall and Network Risk Management, SDN and Virtualization, Security Information and Event Management (SIEM), Systems Integration, Testing and Training, and Wireless markets
Native integration with FortiSandbox, FortiSandbox Cloud, FortiMail, FortiMail Cloud, FortiCache, and FortiWeb
Security Fabric logging
- Synchronised logging to FortiAnalyzer configurations among FortiGates
- Data exchange (information such as topology and device asset tags) with FortiAnalyzer

CENTRAL MANAGEMENT AND PROVISIONING
Central management support: FortiManager, FortiCloud hosted service, web service APIs
Rapid deployment: Install wizards, USB auto-install, local and remote script execution

CLOUD AND SDN INTEGRATION
Integration with Openstack, VMWare NSX, and Cisco ACI infrastructure

VISIBILITY
Interactive and graphical visualizer for user, device, network, and security activities (FortiView):
- A variety of GUI consoles that display current and historical status using different perspectives such as ‘sources’, ‘destinations’, ‘interfaces’, ‘applications’, ‘threats’ etc.
- Threat and VPN map
- Data views options: Table, bubble chart, or world map if applicable
- File analysis/sandbox result view (FortiSandbox integration required)
- Endpoint Vulnerability view (FortiClient integration required)
- Accelerated session indication on ‘All sessions’ FortiView Console
- WHOIS Lookup for Public IP addresses within FortiView and log tables
Physical and logical topology viewers that illustrate:
- location of hosts within the security fabric network
- one-click access to quarantine, IP ban, or access detailed contextual information of hosts
- connections between security fabric entities
- SD-WAN related information such as link usage
Aggregated data views with downstream FortiGates within a Security Fabric
- presented on FortiView, topology maps, and monitors

AUTOMATION
Define automations within the Security Fabric using simple if-then setup
Quarantine remote host automatically at access layer with FortiAP and/or FortiSwitch, or FortiClient via EMS

AUTHENTICATION AUTHORIZATION AND ACCOUNTING (AAA)
Local user database and remote user authentication service support: LDAP, Radius and TACACS+, two-factor authentication
Single-sign-on: Integration with Windows AD, Microsoft Exchange Server, Novell eDirectory, FortiClient, Citrix and Terminal Server Agent, Radius (accounting message), POP3/POP3S, user access (802.1x, captive portal) authentication
PKI and certificates: X.509 certificates, SCEP support, Certificate Signing Request (CSR) creation, auto-renewal of certificates before expiry, OCSP support
Integrated token server that provisions and manages physical, SMS, and Soft One Time Password (OTP) tokens

COMPLIANCE AND SECURITY RATING
Run a series of system configuration compliance check and log results periodically or on-demand
Security Fabric Rating: audit components within the fabric against best practices, provide results and recommendations, then allow users to easily apply remediations for some items
Manages network devices compliance via client software:
- Posture checking: Enforce client software installation and desired settings accordingly to device type/group and/or user/usergroup and/or locations (IPs)
- Quarantine clients if hit vulnerability level threshold

External cloud-based or on-premise file analysis (OS sandbox) integration:
- File submission (with option to select types)
- Receive file analysis reports
- Receive dynamic signature updates from file analysis system (file checksum and malicious URL DB)

VULNERABILITY ASSESSMENT
Display list of vulnerable hosts and their vulnerabilities via telemetry with FortiClient

IOC DETECTION
Display list of compromised hosts via information provided by FortiAnalyzer

WIRELESS CONTROLLER
Manages and provisions settings for local and remote Thin Access points or switches (selected models)
Set up access and authentication methods for SSIDs and VLANs, supports integrated or external captive portal, 802.1x, preshared keys
Multiple PSK for WPA Personal
WiFi Security: Rogue AP suppression, wireless IDS
Wireless topology support: Fast roaming, AP load balancing, Wireless Mesh and bridging
Controlled failover between wireless controllers

SWITCH CONTROLLER
Extends access control and security to wired devices by managing Fortinet switches (FortiSwitch) via CAPWAP-like communication.
Ability to configure switch port features such as PoE, VLAN assignment from GUI

WAN INTERFACE MANAGER
Support USB 3G/4G Wireless WAN modems

Operation

CONFIGURATION
Management access: HTTPS via web browser, SSH, telnet, console
FortiExplorer:
- Management client on IOS platforms
- Ease-of-use by using USB connectivity
- Provides mobile notification (as part of automation feature)
Feature Store: Toggle GUI component displays
Create tags (based on multiple administrator-defined categories) to separate and categorize network objects, interfaces, and devices
GUI configuration:
- ‘One-click’ access that quickly transfer administrators to next step panels
- Dynamic object selectors and predictive search queries
Web UI administration language support: English, Spanish, French, Portuguese, Japanese, Simplified Chinese, Traditional Chinese, Korean

LOG & REPORT
Logging facilities support: Local memory & storage (if available), multiple syslog servers, multiple FortiAnalyzers, WebTrends servers, FortiCloud hosted service
Reliable logging using TCP option (RFC 3195)
Encrypted logging & log Integrity with FortiAnalyzer
Scheduled batch log uploading or real-time logging
Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
Comprehensive event logs: systems & administrators activity audits, routing & networking, VPN, user authentications, WiFi related events
Brief traffic log format option
Sending logs to syslog servers in Common Event Format (CEF)
IP and service port name resolution option

DIAGNOSTICS
Diagnostic CLI commands, session tracer, and packet capture for troubleshooting hardware, system, and network issues.
Policy and routing GUI tracer
Packet flow CLI tracer
Policy and Control

POLICY OBJECTS
Policy objects: predefined, customs, object grouping, tagging, and coloring
Address objects: subnet, IP, IP range, GeoIP (Geography), FQDN
Internet Service DB: Dynamically updated DB that provides a list of popular cloud applications with their vital information that can be used for policy setup, routing and link load-balancing configurations.

DEVICE IDENTIFICATION
Device Identification: Device and OS fingerprinting, automatic classification, inventory management
Support for MAC Authentication enforcement and bypass

SSL INSPECTION
Inspect SSL encrypted traffic option for IPS, application control, antivirus, web filtering, and DLP
SSL MITM Mirroring
SSL Inspection Method options: SSL certificate inspection or full SSL inspection
SSL inspection exemption by site reputation DB, web categories, and/or policy addresses

ACTIONS
User notifications: customizable replacement message for block sites and attachments
Web Browser top banner insert (Fortinet Bar): shows application control violations, Endpoint control enforcement, web browsing quota etc.
User quarantine:
- Manually assigned with perpetual or customizable duration
- Automatically when triggered by violated IPS signature

Security

ANTI-MALWARE
Botnet server IP blocking with global IP reputation database
Antivirus database type selection (on selected models)
Virus Outbreak Prevention Database query: uses real-time checksums DB of newly detected threats before AV signatures are available
Content Disarm and Reconstruction option:
- AV Engine removes all active content in real time before passing to user
- Forward original file to sandbox for further analysis, quarantine or discarded
Flow-based or proxy-based AV option:
- Support for popular web, mail, and FTP protocols
- Scan encrypted traffic with SSL inspection
Option to treat Windows executables in email attachments as viruses
File quarantine (local storage required)

IPS AND DOS
IPS engine: 7,000+ up-to-date signatures, protocol anomaly detection, rate-based detection, custom signatures, manual, automatic pull or push signature update, threat encyclopedia integration
IPS Actions: Default, monitor, block, reset, or quarantine (attackers IP, attackers IP and Victim IP, incoming interface) with expiry time
Filter-Based Selection: Severity, target, OS, application, and/or protocol
Packet logging option
IP(s) exemption from specified IPS signatures
IPv4 and IPv6 rate-based DOS protection (available on most models) with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCTP/ICMP session flooding (source/destination)
IDS sniffer mode
Active bypass with bypass Interfaces (selected models) and FortiBridge

Filter-based overrides by: behavior, category, popularity, technology, risk, vendor, and/or protocol
Actions: Allow, block, reset session (CLI only), monitor only
SSH Inspection
Deep application control over popular public cloud services, such as SalesForce, Google Docs, and Dropbox

WEB FILTERING
Web filtering inspection mode support: Proxy-based, flow-based, and DNS
Manually-defined web filtering based on URL, web content and MIME header
Dynamic web filtering with cloud-based real-time categorization database:
- Over 250 million URLs rated into 78 categories, in 70 languages
Safe Search enforcement: transparently inserts Safe Search parameter to queries. Supports Google, Yahoo!, Bing and Yandex, definable YouTube Education Filter
Proxy avoidance prevention: Proxy site category blocking, rate URLs by domain & IP address, block redirects from cache & translation sites, proxy avoidance application blocking (application control), proxy behavior blocking (IPS)
Web filtering local categories & category rating override
Web filtering profile override: Allows administrator to temporarily assign different profiles to user/user group/IP
Multiple, external blacklist support
Restrict access to Google Corporate Accounts only
Additional features offered by proxy-based web filtering:
- Filter Java Applet, ActiveX, and/or cookie
- Block HTTP Post
- Log search keywords
- Rate images by URL
- Block HTTP redirects by rating
- Exempt scanning encrypted connections on certain categories for privacy
- Web Browsing quota by categories

FIREWALL
Operating modes: NAT/route and transparent (bridge)
Schedules: one-time, recurring
Session helpers and ALGs: DCE/RPC, DNS-TCP, DNS-UDP, FTP, H.245 I, H.245 0, H.323, MGCP, MMS, PMAP, PPTP, RAS, RSH, SIP, TFTP, TNS (Oracle)
VoIP traffic support: SIP/H.323 /SCCP NAT traversal, RTP pin holing
Protocol type support: SCTP, TCP, UDP, ICMP, IP
User and device-based policies
Policy Management: Sections or global policy management view
NGFW policy mode: setup policies with applications and URLs as objects

VPN
Customizable SSL VPN portal: color themes, layout, bookmarks, connection tools, client download
SSL VPN realm support: enables multiple custom SSL VPN logins associated with user groups (URL paths, design)
Single-sign-on bookmarks: reuse previous login or predefined credentials to access resources
Personal bookmarks management: allow administrators to view and maintain remote client bookmarks
Limit SSL portal concurrent users
One time login per user options: Prevents concurrent logins using same username
SSL VPN web mode: For thin remote clients equipped with a web browser only and support web application, such as HTTP/HTTPS Proxy, FTP, Telnet, SMB/CIFS, SSH, VNC, RDP, Citrix
SSL VPN tunnel mode: for remote computers that run a variety of client and server applications, SSL VPN client supports MAC OSX, Linux, Windows Vista and with 64-bit Windows operating systems
SSL VPN port forwarding mode: uses a Java Applet that listens on local ports on the user’s computer. When it receives data from a client application, the port forward module encrypts and sends the data to the SSL VPN device, which then forwards the traffic to the application server.
Host integrity checking and OS check (for windows terminals only) prior to SSL tunnel mode connections
MAC host check per portal
Cache cleaning option just before the SSL VPN session ends
Virtual desktop option to isolate the SSL VPN session from the client computer’s desktop environment
IPsec VPN:
- Remote peer support: IPsec-compliant dialup clients, peers with static IP/dynamic DNS
- Authentication method: Certificate, pre-shared key
- IPsec Phase 1 mode: Aggressive and main (ID protection) mode
- Peer acceptance options: Any ID, specific ID, ID in dialup user group
- Supports IKEv1, IKEv2 (RFC 4306)
- IKE mode configuration support (as server or client), DHCP over IPsec
- Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
- Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
- Phase 1/Phase 2 Diffie-Hellman Group support: 1, 2, 5, 14
- XAuth support as client or server mode
- XAuth for dialup users: Server type option (PAP, CHAP, Auto), NAT Traversal option
- Configurable IKE encryption key expiry, NAT traversal keepalive frequency
- Dead peer detection
- Replay detection
- Autokey keep-alive for Phase 2 SA
IPsec Configuration Wizard for termination with popular third-party devices
Cloud-assisted One-Click VPN: easily configure hub-and-spoke VPN for multiple sites of FortiGate with the help of cloud portal
IPsec VPN deployment modes: Gateway-to-gateway, hub-and-spoke, full mesh, redundant-tunnel, VPN termination in transparent mode,
IPsec VPN Configuration options: Route-based or policy-based
VPN monitoring: View and manage current IPsec and SSL VPN connections in detail
Other VPN support: L2TP client (on selected models) and server mode, L2TP over IPsec, PPTP, GRE over IPsec
DLP
Web filtering inspection mode support: proxy-based, flow-based and DNS
DLP message filter:
- Protocols supported: HTTP-POST, SMTP, POP3, IMAP, MAPI, NNTP
- Actions: Log only, block, quarantine user/IP/Interface
- Predefined filter: Credit card number, Social Security ID
DLP file filter:
- Protocols supported: HTTP-POST, HTTP-GET, SMTP, POP3, IMAP, MAPI, FTP, NNTP
- Filter options: size, file type, watermark, content, if encrypted
DLP watermarking: Allows filtering of files that pass through the FortiGate unit and contain a corporate identifier (a text string) and a sensitivity level (Critical, Private, and Warning) hidden in a watermark. Supports Windows and Linux free watermarking tools
DLP fingerprinting: Generates a checksum fingerprint from intercepted files and compares it to those in the fingerprint database
DLP archiving: Records full content in email, FTP, IM, NNTP, and web traffic
EMAIL FILTERING
Mail protocol support: IMAP(S), POP3(S), and SMTP(S)
Anti-Spam DB query: IP address check, URL check, and email checksum
Local Spam Filtering: HELO DNS Lookup, return email DNS check, and Black/White List
Networking
ROUTING / NAT
Static and policy routing
Dynamic routing protocols: RIPv1 and v2, OSPF v2 and v3, ISIS, BGP4
Content routing: WCCP and ICAP
NAT configuration: Per policy based and central NAT Table
NAT support: NAT64, NAT46, static NAT, dynamic NAT, PAT, Full Cone NAT, STUN
Multicast traffic: sparse and dense mode, PIM support
L2 / SWITCHING
Layer-2 interface modes: Port aggregated, loopback, VLANs (802.1Q and Trunking), virtual hardware, software, and VLAN switches
VXLAN support:
- interVTEP (VXLAN Tunnel End Point)
- Support for multiple remote IPs, these remote IPs can be IPv4 unicast, IPv6 unicast, IPv4 multicast, or IPv6 multicast
EMAC-VLAN support: allows adding multiple Layer 2 addresses (or Ethernet MAC addresses) to a single physical interface
Virtual Wire Pair:
- Process traffic only between 2 assigned interfaces on the same network segment
- Available on both transparent and NAT/route Mode
- Option to implement wildcard VLANs setup
OFFLINE INSPECTION
Sniffer Mode: Dedicate an interface exclusively where all traffic entering the interface is processed by the sniffer
Offline Security inspection: AV, Web Filtering, Application Control, IPS, and Anti-spam
SD WAN
WAN load balancing (weighted) algorithms by: volume, sessions, source-destination IP, Source IP, and spillover
WAN link checks for SLAs:
- Ping or HTTP probes
- Monitoring criteria including latency, jitter, and packet loss
- Configurable check interval, failure and fail-back thresholds
Multi-path intelligence using rules defined by:
- Source address and/or user group
- Destination address and/or a selection of over 3,000 applications
- Path selection using particular link quality criteria or SLAs defined
Traffic shaping and QoS per policy or applications: Shared policy shaping, per-IP shaping, maximum and guaranteed bandwidth, maximum concurrent connections per IP, traffic prioritization, Type of Service (TOS), and Differentiated Services (DiffServ) support
Option to set up traffic shaping profile by defining the percentage of interface bandwidth for each classified traffic and then bind to interfaces
Traffic Shaping Policies: Assigns traffic shape profile according to matching policy based on source, destination, service, application, application category, and/or URL category.
DSCP support:
- DSCP match in SD-WAN rules
- DSCP tagging of forwarded packets based on identified applications
Inline and out-of-path WAN optimization topology, peer to peer, and remote client support
Transparent Mode option: keeps the original source address of the packets, so that servers appear to receive traffic directly from clients.
WAN optimization techniques: Protocol optimization and byte caching
WAN optimization protocols supported: CIFS, FTP, HTTP(S), MAPI, TCP
Secure Tunneling option: Use AES-128bit-CBC SSL to encrypt the traffic in the WAN optimization tunnel
Tunnel sharing option: Multiple WAN optimization sessions share the same tunnel
Web caching: Object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency. Supports caching of HTTP 1.0 and HTTP 1.1 web sites
SSL Offloading with Web caching:
- Full mode: performs both decryption and encryption of the HTTPS traffic
- Half mode: performs only one encryption or decryption action
Option to exempt certain web sites from web caching with URL patterns
Support advanced web caching configurations and options:
- Always revalidate, Max cache object size, negative response duration, fresh factor, Max/Min/Default TTL, proxy FQDN, Max HTTP request/message length, ignore options, cache expired objects, revalidated pragma-no-cache
WAN optimization and web cache monitor
EXPLICIT PROXY
Explicit web & FTP proxy: FTP, HTTP, and HTTPS proxying on one or more interfaces
Proxy auto-config (PAC): Provide automatic proxy configurations for explicit web proxy users
Proxy chaining: Web proxy forwarding to redirect web proxy sessions to other proxy servers
Web proxy forwarding server monitoring and health checking
IP reflect capability
Load balancing for forward proxy and proxy chaining
Explicit web proxy authentication: IP-based authentication and per session authentication
Transparent web proxy
IPV6
IPv6 Support: Management over IPv6, IPv6 routing protocols, IPv6 tunnelling, firewall and UTM for IPv6 traffic, NAT46, NAT64, IPv6 IPsec VPN
IPv6 SD-WAN Support: Ping6 link monitor, IPv6 source and destination objects
HIGH AVAILABILITY
High availability modes: Active-passive, active-active, virtual clusters, VRRP, FG-5000 series clustering
Failover:
- Port, local and remote link monitoring
- Stateful failover
- Subsecond failover
- Failure detection notification
Deployment Options:
- HA with link aggregation
- Full mesh HA
- Geographically dispersed HA
Standalone session synchronization
Configurable virtual systems resource limiting and management such as maximum/guaranteed ‘active sessions’ and log disk quota
HYPERVISOR
Support for popular hypervisor platforms, including VMware vSphere, Citrix and open source Xen, KVM, and MS Hyper-V
CLOUD
Support for public cloud services: Amazon AWS and Microsoft Azure
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other
product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product
will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in
Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant
hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-FOS FOS-DAT-R6-201804