UTM/NGFW

If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the FortiGate: Flow-based (single pass architecture) or proxy-based. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors.

Single-pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time by sampling packets in a session and using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.

Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS, Application Control and CASI (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, AntiSpam, Web Filtering, Antivirus, and ICAP.

Content processors (CP8 and CP9)

Most FortiGate models contain FortiASIC Content Processors (CPs) that accelerate IPsec and SSL VPN encryption/decryption and key exchange, as well as flow-based content processing pattern matching. CPs work at the system level, with tasks offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP8 and, more recently, CP9 processors.

CP9 capabilities

The CP9 content processor provides the following services:

  • Flow-based inspection pattern matching acceleration with over 10Gbps throughput
  • High performance VPN bulk data engine
  • Key Exchange Processor that supports high performance IKE and RSA computation
  • DLP fingerprint support

CP8 capabilities

The CP8 content processor provides the following services:

  • Flow-based inspection pattern matching acceleration
  • High performance VPN bulk data engine
  • Key Exchange Processor that supports high performance IKE and RSA computation

Kernel

Traffic is now in the process of exiting the FortiGate unit. The kernel uses the routing table to forward the packet out the correct exit interface.

The kernel also checks the NAT table and determines whether the source IP address of outgoing traffic must be changed using source NAT (SNAT). SNAT is typically applied to traffic from an internal network heading out to the Internet, so that the actual addresses of the internal network are hidden from the Internet.

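A FortiOS firewall policy that ties together the two decisions described above: attaching security profiles is what subjects matching packets to UTM/NGFW processing, the policy's inspection mode selects the flow-based or proxy-based path, and enabling NAT is what makes the kernel apply SNAT on the way out. This is an added configuration example, not from the original page; it assumes a FortiOS release where inspection mode is set per policy, the interface names internal and wan1 and the profile names are assumptions, and the # lines are explanatory comments for the reader.

```fortios
config firewall policy
    edit 1
        set name "lan-to-internet-utm"
        # assumed interface names: LAN side in, WAN side out
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        # Security profiles attached below are what trigger UTM/NGFW processing
        set utm-status enable
        # flow: single-pass DFA pattern matching, offloadable to CP8/CP9
        # proxy: IPS engine first, then proxy-based AV, web filter, DLP, AntiSpam, ICAP
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        # SNAT at the kernel stage: internal source address is rewritten to the
        # egress interface address, hiding the internal network from the Internet
        set nat enable
        set logtraffic all
    next
end
```

Switching inspection-mode to proxy on the same policy is what makes the proxy-only features (DLP, AntiSpam, ICAP) available, at the cost of the extra proxy pass the page describes.
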
Egress

Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors. Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses.

Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface.