NSE 3 FortiADC CompleteCourse v3 WM 2019Q4


NSE 3 FortiADC

Welcome to the NSE FortiADC product training.


These are the topics you will learn about in this course, beginning with a product overview.
After completing this lesson, you should be able to:

• Identify the business drivers and security challenges customers currently face

• Describe the FortiADC product key features

• Identify the sales strategies and competitive advantages of FortiADC


There are many driving forces behind the need for application delivery. Applications are growing in numbers
and complexity and older hardware is barely able to keep up. Most businesses need their mission-critical
applications available and able to quickly recover from outages.

Application delivery controllers, or ADCs, are a mature product with near 100% penetration in the enterprise
market.

By 2024, 5G network coverage is expected to reach 40% of the global population, and will account for 1.5
billion subscriptions. Leveraging the benefits of 5G, key use cases are set to include enhanced mobile
broadband, massive IoT applications, and critical communication infrastructures. It’s hard to define the killer
5G application, because everything could be a 5G application.

The Cloud Generation is everyone who lives and works in this unique era, as computing breaks the
boundaries of desktops and data centres to embrace the mobile, social, global, crowd-sourced, always-on
realities of modern life. It's a time when critical data, applications, and infrastructure are shifting from running
behind the firewall to running on the cloud. The average enterprise organization uses 928 cloud
applications.

Gartner believes that, by the end of 2019, more than 80 percent of enterprise web traffic will be encrypted.
SSL is growing as applications are secured. ADCs offload and accelerate secure traffic helping to meet
capacity requirements.

For these reasons and many more, the growth rate for ADCs is strong, and that’s a big opportunity that many
vendors, including Fortinet, are looking to take advantage of.
Gartner publishes a Market Guide for Application Delivery Controllers. In it, they recommend an ADC to
improve application availability, performance, and security.

Fortinet was not reviewed in depth in this market guide, but we were mentioned.

There are many forces behind the need for application delivery. Applications are growing in numbers and in
complexity. The primary reason a customer needs an ADC is to expand capacity for web applications. When
coupled with the growing volume of encrypted traffic, the current, older ADC infrastructure is showing signs of
stress. As server resources become constrained, users experience application outages, and slower response
times. These symptoms can lead to application abandonment and in many cases, lost revenue opportunities.

Most businesses need their mission-critical applications available and able to quickly recover from outages.
Outages are costly and may break service level agreements (SLAs).
FortiADC is an integral part of the Security Fabric. But what is it and what are its features?

FortiADC is an application delivery controller that scales web-based applications for increased user
capacity, and provides application availability.

FortiADC is part of Fortinet’s Application Security solution set, along with other products, including
FortiWeb, FortiDDoS, FortiMail, and FortiDB.

FortiADC can enhance the user experience by expanding web application capability. It reduces the
amount of encrypted traffic that FortiGate needs to scan. It can control the flow of web traffic between
clients and a cluster of FortiGate devices, ensuring that the traffic load is balanced between devices.
The latest FortiADC models can also protect the network from a DDoS attack.

The top five features of FortiADC are:

Server load balancing allows FortiADC to scale applications across multiple servers and to ensure application
availability.

Secure traffic offloading removes bottlenecks caused by encrypting and decrypting and speeds secure
application traffic.

Global server load balancing across data centers ensures a quick recovery after a disaster.

Persistence maintains connections between users and an application server ensuring a seamless experience.

HTTP compression improves the delivery of application code to users to make applications more responsive.

So what do these benefits mean as they relate to customer problems? When application performance
degrades because additional applications are added, or demands increase, FortiADC balances the load
between servers. Moreover, it maintains user connections to servers and, with features such as HTTP
compression, improves application response time. Another hit to performance can be caused by the firewall
decrypting encrypted traffic. Overall, the user’s experience and application reliability are improved. Should a
server or a site suffer a catastrophic outage, FortiADC’s global server load balancing ensures that service is
maintained.

Here’s a simplified view of a Fortinet-based infrastructure deployment with other products, such as
FortiGate, FortiWeb, FortiMail, and wireless products, including FortiWiFi and FortiAPs.

FortiADC is typically deployed behind the firewall and in front of the application servers it manages. In this
diagram, it’s behind both the FortiGate firewall and the FortiWeb web application firewall. There are many
deployment options, ranging from a standalone FortiADC that connects directly to the internet, all the way to
globally distributed FortiADC devices, in complex enterprise data center environments.
Let’s look at a few of the key technologies offered by FortiADC, starting with server load balancing. To
address the need to expand an application and ensure availability, an ADC with server load balancing is
placed in front of servers, to manage application traffic.

The ADC is provided with a single IP address, and users access the application using that single IP address,
and the ADC directs traffic to the application servers with other IP addresses. Servers are actively monitored
for connections, utilization and even if they’re up or down, by using a health checking process. If a server has
too much traffic or is down, user traffic is directed to other servers until that server returns to normal.

Depending on the capacity of the server load balancer, new servers can be seamlessly added to increase
capacity and handle millions of users. If an organization is relying on an older technology for traffic
management, with server load balancing they can achieve up to a 25% increase in server performance. With
an ADC, users do not experience an outage if a single application server is offline.
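
The health-checked server selection described above, as an added example (it is not from the course and is not FortiADC code): a least-connections pool behind one virtual IP that skips servers a health check has marked down and servers at their connection limit. The class names, the `fall`, `rise` and `max_conns` thresholds, and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RealServer:
    address: str
    max_conns: int = 100          # assumed per-server connection limit
    active_conns: int = 0
    healthy: bool = True
    fails: int = field(default=0, init=False, repr=False)
    passes: int = field(default=0, init=False, repr=False)


class ServerPool:
    """One virtual IP in front of several real servers."""

    def __init__(self, vip, servers, fall=3, rise=2):
        self.vip = vip
        self.servers = list(servers)
        self.fall = fall          # consecutive failed probes before marking down
        self.rise = rise          # consecutive good probes before marking up again

    def record_probe(self, server, ok):
        """Feed one health-check result; state flips only after fall/rise in a row."""
        if ok:
            server.passes += 1
            server.fails = 0
            if not server.healthy and server.passes >= self.rise:
                server.healthy = True
        else:
            server.fails += 1
            server.passes = 0
            if server.healthy and server.fails >= self.fall:
                server.healthy = False

    def eligible(self):
        """Servers that are up and still below their connection limit."""
        return [s for s in self.servers
                if s.healthy and s.active_conns < s.max_conns]

    def pick(self):
        """Least-connections choice among eligible servers, or None if none is left."""
        candidates = self.eligible()
        if not candidates:
            return None
        server = min(candidates, key=lambda s: s.active_conns)
        server.active_conns += 1
        return server

    def release(self, server):
        """Call when a client connection closes."""
        server.active_conns = max(0, server.active_conns - 1)


def demo():
    """Constructed scenario: one server fails, the others saturate, the first returns."""
    a = RealServer("10.0.0.11", max_conns=2)
    b = RealServer("10.0.0.12", max_conns=2)
    c = RealServer("10.0.0.13", max_conns=2)
    pool = ServerPool("203.0.113.10", [a, b, c])

    for _ in range(3):                      # three failed probes take b out
        pool.record_probe(b, ok=False)
    during_outage = [pool.pick().address for _ in range(4)]

    saturated = pool.pick()                 # a and c are full, b is still down

    for _ in range(2):                      # two good probes bring b back
        pool.record_probe(b, ok=True)
    after_recovery = pool.pick().address
    return during_outage, saturated, after_recovery


if __name__ == "__main__":
    print(demo())
```

Requiring several consecutive probe results before changing a server's state keeps one dropped health check from pulling a working server out of rotation.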
Another key feature of our FortiADC is secure application traffic offloading.
The processing of secure SSL traffic can quickly consume server resources and can slow them down by 50%
or even more. Servers also don’t have the capacity to manage more than a few hundred secure transactions
per second. This creates a huge performance hit on the application and response times for end users.

An ADC can offer software, or hardware-accelerated solutions that can handle tens of thousands of
transactions per second.

By offloading SSL encryption and decryption from the servers to the ADC, the servers get back to serving
unencrypted applications, and the ADC maintains security to the end users.
When an organization has only one data center, it’s susceptible to outages. IT managers need redundancy,
not just for servers or ADC hardware failures, they need to make sure their applications are unaffected by
bigger service outages or disasters.

Global server load balancing, or GSLB, links two or more ADCs to provide routing of traffic between data
centers. Based on DNS, traffic will automatically be sent to a different data center should the primary one go
down.

GSLB helps organizations survive outages and it can also be used to improve application response times by
routing users to the closest data center.
FortiADC offers multiple levels of protection to defend against attacks that target your web applications.
The FortiADC web application firewall (WAF) can detect zero-day attacks and protect against the OWASP Top 10
and many other threats with multi-vector protection, such as SQLi and XSS protection, web scraping, brute
force, and web defacement protection, protocol validation (HTTP RFC), and web attack signatures using
FortiGuard WAF security services for Layer 7 attacks (subscription required). The FortiADC WAF also provides
full web vulnerability scanning for your website, to detect and alert against known attacks.

This slide shows the top ten threats defined by the OWASP project. FortiADC’s WAF module protects against
these threats.

Web application security risks can come from a wide range of sources, from the human roles (attacker,
normal client, and site administrator) to software and hardware factors such as hack tools, browser,
server, framework, programming language, and web application.

OWASP focuses on identifying the most serious web application security risks for a broad array of
organizations, but it seems that no single solution can cover all threats: some threats need to be
defended against by a network security device, and others require server-side security protection
(WAF).

As the threat landscape evolves, many new threats require a multipronged approach for protecting
applications. Advanced persistent threats that target users can take many forms that differ from traditional
single-vector attack types, and can evade the protections offered by only a single device.

FortiADC is the first ADC solution in the market with a sandbox service. FortiADC’s antivirus and deep
integration into Security Fabric with FortiSandbox, extends basic security protections to scan file attachments
for known and unknown threats.

FortiADC provides policy enforcement and access control for all applications.

For authentication and authorization of all internal and external users, FortiADC supports multiple services:
• Local authentication
• RADIUS and LDAP
• Full AD FS proxy
• SAML SSO
• Kerberos
• OTP—FortiToken and Google Authenticator
• HTTP basic SSO

You need to know and understand the relationship between clients and servers: where the clients are coming
from, which OS and browser they are using, and which content they are searching for in an application.

All of this information is crucial to IT and the organization, both to understand customers and to
monitor applications and content.

For that, FortiADC offers real-time and historical information about your appliance, which includes the logical
topology of real-server pools, user/application data-analytics, security threats, attack maps, and other system
events and alerts.

FortiADC provides an automatic alert system based on system statistics for SLB, RTT, BW, CPU, and more, which
allows IT to be proactive when a problem arises in the network or an application.

FortiADC leverages the strengths of FortiGuard labs with subscription services for WAF signatures and IP
reputation providing protection against the latest threats. This is a part of the standard bundle subscription.

FortiADC also employs FortiGuard web filtering to manage websites for secure traffic inspection when used
with FortiGate.

The product’s antivirus and integration with FortiSandbox extend basic security protections to scan file
attachments for known and unknown threats. This comprises, together with the WAF security service and IP
reputation, the advanced bundle.
FortiADC is available as a physical or virtual appliance. The FortiADC VM is supported on numerous
hypervisors, such as VMware vSphere, Citrix XenServer, Microsoft Hyper-V, and others. Please see the
FortiADC datasheet for a full list.

If your customer has moved their operations to the public cloud, FortiADC can be deployed on AWS, Azure,
and others. For a complete list, see the datasheet.
There are a variety of FortiADC models encompassing small and mid-sized businesses, commercial,
enterprise, and large enterprise environments. The hardware models are primarily differentiated based on
Layer 4 throughput, SSL hardware acceleration, and the port configurations on the appliances. Generally,
lower-end models don’t offer hardware-based SSL offloading or high-capacity network connectivity. Midrange
to higher-end enterprise models generally are differentiated by throughput and network port configurations.

Because this information changes regularly, you are encouraged to visit Fortinet.com to download and
review the current FortiADC datasheet for the latest models, features, and to get more information on the
FortiADC virtual machine versions. For more information, see the Product Manager’s public-facing deck found
on Fuse and the partner portal. The deck, and other great material, is also available from the Resources
section.

Good job! You now understand FortiADC, and its features and benefits.

Now, you will learn about specific sales strategies and other FortiADC-related sales enablement topics.

Welcome to the NSE FortiADC product training, sales enablement section.



Now that you have completed the FortiADC product overview, you will learn about sales strategies and other
FortiADC-related sales enablement topics.
According to research conducted by MarketsandMarkets, the global application delivery controller market is
expected to grow from USD 2.4 billion in 2019 to USD 3.9 billion by 2024, at a compound annual growth rate
(CAGR) of 10.0% during the forecast period.

Major growth drivers for the market include several advantages of application delivery controllers, such as
improved performance by distributing traffic among multiple servers, optimizing resources by efficiently
allocating traffic based on application types, and ensuring application and data-access consistency.
With bandwidth demand growing faster than budgets, and with cyberattacks constantly on the rise, it can be
challenging to securely and efficiently deliver applications at the speed users expect. Fortinet Application
Delivery Controller (FortiADC) optimizes the availability, user experience, and application security of
enterprise applications. FortiADC provides application availability using Layer 4/Layer 7 load balancing, data
center resiliency, application optimization, and a web application firewall (WAF) to protect web applications
from the OWASP Top 10, and many other threats.

FortiADC is an application delivery controller that manages multiple web servers to expand application
capacity. It provides scale, reliability and protection for web applications. It routes users to best performing
resources for optimal experience and offloads repetitive server tasks to speed response times.
The FortiADC Application Delivery Controllers (ADC) optimize availability, user experience, performance, and
application security. FortiADC provides unmatched load balancing and web security, regardless of whether it
is used for applications across a single data center, or to serve multiple applications to millions of users
around the globe. It includes application performance, WAF, global server load balancing, link load balancing,
and user authentication all in one solution to deliver availability, performance, and security in a single all-
inclusive license.

This slide shows key features of FortiADC. The benefits of these features are:
• Layer 7 load balancing
  • Policy-based routing dynamically rewrites content for applications and server configurations.
• Web application firewall
  • Complete security for your web-based applications from the OWASP Top 10 and many other threats.
• Application optimization
  • Speed up web application delivery with compression, caching, HTTP 2.0, and HTTP page speed-up.
• Security fabric integration
  • AV and Sandbox integration scans attachments to protect from the latest threats.
• Global server load balancing
  • Distributes traffic across multiple geographical locations for disaster recovery.
• Secure traffic management
  • SSL offloading, forward proxy, and visibility increase responsiveness and assist in scanning for threats.

FortiADC is fully qualified by Microsoft for use with its Exchange and Lync communication platforms.

FortiADC has been tested and approved for use with Microsoft Exchange 2010 and 2013. For Lync, FortiADC
was tested and approved with Lync 2013 which also covers qualification for the evolution of Lync to “Skype for
Business”. Please visit docs.fortinet.com for more information and to obtain copies of the deployment guides
for these products.
This slide shows a sample of a sales pitch script you can use for FortiADC.

The problem focuses on keeping up with web application server capacity.

The solution focuses on FortiADC performance, features, and global server load balancing.

The benefits section hits it home with a complete package of speed and features that is 30% less expensive
than the competition.
In general, any organization that hosts its own applications in a data center is going to need an ADC at some
point. The size of the company is not as important as the number of users it supports on these hosted
applications. This is particularly true for hosting companies and online services.

The verticals that usually require it most are e-commerce and online services, financial services, education,
healthcare, and MSPs/hosting companies.
This slide shows four of the common buyer personas you will most likely encounter with FortiADC.

Starting with the CISO, who is generally focused on security issues, focus the conversation on FortiADC
advanced web application security features and IP reputation.

For CIOs that are more interested in costs and operations, FortiADC offers robust features and simplified
deployments.

CFOs will want to know about the cost of FortiADC compared to competitors, and the reduced costs to
operate FortiADC in comparison.

Technical decision makers will want to know that FortiADC offers the features they need to meet the needs of
the business, and that it is easy to manage.
To help you quickly uncover FortiADC opportunities, you can ask a few questions to see if there may be
interest. The easiest question, which isn’t even listed, is “Do you need to replace an existing ADC?” That’s
usually going to be the top reason a customer will be interested.

The rest of these questions focus on the needs behind a new ADC. First, you’ll want to find out if they have
applications that are outgrowing a single server.

In the mid-range market, ADCs are critical to expand Exchange. FortiADC is qualified by Microsoft for these
products.

Secure traffic growth is exploding. You’ll want to uncover any pain points they are experiencing. FortiADC
offers high performance SSL offloading on most models.

Finally, if a customer needs to expand an application across multiple data centers, they’re probably looking to
provide disaster recovery. FortiADC offers global server load balancing at no extra cost.
Customers will generally know if they need an ADC, because this is a mature data center solution. The
objections you’ll most likely encounter surround speed, features, and brand.

Customers that need high performance ADCs may not think that Fortinet has the throughput to handle their
requirements. This is not true; be sure to tell them that Fortinet offers high-performance models with speeds
up to 300 Gbps. 300 Gbps is a very high throughput and in general will meet the needs of approximately 95%
of customers.

If you have a customer who’s not familiar with FortiADC, or who thinks Fortinet is known only for its firewalls,
point out that Fortinet has a solid ADC product. Fortinet has been in the market since 2010 with FortiBalancer;
therefore, the company has more than 10 years of experience in the ADC market.

Sadly, many customers go line-by-line through the datasheets to compare manufacturers, figuring that more
features equals a better ADC. Most customers never need most of the advertised features; however, they
base their decision on things they may never use. If a customer needs a particular feature that isn’t offered by
FortiADC, that’s one thing. However, if they plan to use the core features that are offered by FortiADC, they’ll
get a solid device at a much lower TCO.

FortiADC is a completely independent application delivery controller. It can operate in nearly any data center
environment. However, it is optimized to work with Fortinet over the Fortinet Security Fabric for threat
intelligence sharing and advanced threat detection that other vendors cannot offer.
The first use case focuses on deploying FortiADC to expand the capabilities of FortiCache and FortiMail.

FortiCache is Fortinet’s web content caching product line that stores web content on the network to speed
delivery and reduce impacts on network traffic. In large-scale environments, FortiADC can be deployed to
expand caching capacity by enabling a seamless cluster of caches that act as a larger one.

FortiMail is Fortinet’s email security product line. FortiMail is limited in the number of email users it can
manage on a single device. In large environments where more than one FortiMail is required, FortiADC can
be deployed in front of a FortiMail cluster to seamlessly route traffic to the best performing device.

There are complete deployment guides and solution briefs for both of these scenarios on docs.fortinet.com.
In the use case shown on this slide, you will look at a situation where a customer needs to inspect secure
traffic for threats, but doesn’t want to bog down FortiGate with the overhead of decryption and encryption.

FortiADC SSL Forward Proxy is a feature that allows two FortiADC devices to sandwich a FortiGate or
cluster of FortiGate devices to create an unencrypted traffic zone so that FortiGate devices can scan for
threats without having to decrypt and re-encrypt traffic. Users can subscribe to the FortiGuard web filtering
service to aid in managing website exceptions for traffic that is not to be scanned, such as banking or
sensitive health data.

For more information, you can download the SSL Forward Proxy Solution Guide.
The use case shown on this slide is from a customer that needed high-volume website filtering from a cluster
of FortiGate devices.

A high-end FortiADC was deployed in front of a cluster of three FortiGate devices to route outbound web
traffic to the Internet. The organization didn’t want a chassis-based system so they could swap out FortiGate
devices as needed without affecting end users.

In effect, FortiADC allowed the creation of a high availability cluster of FortiGate devices, so that if one should
fail, the other two would pick up the load until the failed unit was replaced or put back in service.
In the marketplace, the main advantage of FortiADC is price to performance. It offers a complete lineup of
application delivery solutions to meet the needs of almost every segment, with price points that provide the
lowest TCO per gigabit of Layer 4 throughput.

The ADC market is broken out into three primary segments: small, mid-size, and enterprise. While FortiADC
covers all of these markets, it has many more solutions targeted at the upper-mid-size and enterprise
markets.

In the SMB market, you’ll run into smaller players like Kemp and Barracuda.

The key players in the enterprise space are F5—the industry leader, Citrix, Radware, and A10. Although
FortiADC cannot compete with the higher throughput of these competitors, it is the most cost-effective
solution when it comes to speeds of less than 50 Gbps.

So why go with FortiADC?

This slide shows that FortiADC includes everything a customer needs, without having to buy option after
option to get a solution. That includes global server load balancing, link load balancing, and SSL offloading.

FortiADC offers the following:

Best total cost of ownership. Customers are no longer willing to pay the cost of F5 (new gear or renewals) for
many features they don’t even use. Convey the message that FortiADC can cover 90% of F5’s features at a
much lower cost.

Unmatched application visibility and control offered by FortiView. FortiADC offers integrated AV and
FortiSandbox (no need for ICAP against third-party AV) because FortiADC is part of Fortinet Security Fabric.

Advanced Features (GLB, WAF, LLB). This works as an entry point to talk about the rest of FortiADC features
and grow the project into a bigger one.

Don’t forget about FortiCare. Our support is just as good as F5 and Citrix, and is much better than smaller
players like Barracuda and Kemp, especially when it comes to enterprise solutions.
To help you better understand FortiADC pricing, let’s compare low, medium, and high-end models.

For a smaller to mid-sized organization, you’ll typically sell a FortiADC 100, 200, or 300 model.

Medium-sized enterprises often step up to hardware-based SSL offloading with mid-range models like 400,
and 1000. Sometimes, they will show an interest in the FortiADC VM platforms.

Larger enterprises typically step up to our highest performing models and VMs.

FortiADC uses many FortiGuard services and is fully supported by FortiCare.

For the most up-to-date information, view the price lists on Fuse and the partner portal.
In summary, FortiADC solves a number of problems.

In many of today’s networks, users experience poor web application performance because of the limited
capacity of the servers. FortiADC solves this by load balancing and HTTP compression, to name a couple.

The increased volume of encrypted traffic can degrade network performance. FortiADC can offload the SSL
traffic to restore network speeds.

Server or site outages can deny services to users and customers. With load balancing and geolocation data
centers, high availability is assured.
You should now be able to:
• Identify the business drivers and security challenges customers currently face
• Describe the FortiADC product key features
• Identify the sales strategies and competitive advantages of FortiADC

Congratulations!

You’ve completed both lessons of the NSE 3 FortiADC course.



After you’ve studied this course, don’t forget to take its quiz. To earn your NSE 3 certification, you must pass
each quiz for at least four courses.

Thank you for your time.
