Unified Threat Management (UTM)
Security
Next generation firewall sits at the perimeter of the network with the purpose of protecting internal assets from external threats. A security appliance is required for each location and will support signature based IPS, web-content filtering, gateway malware protection.
Benefits
- Quick issue resolution via Fortinet Certified Engineers
- Additional technical assistance available as needed directly from manufacturer
- Ensure company assets are protected at an additional level – from the edge – rather than just at the endpoints
- Mitigate the risk of unwarranted bandwidth consumption that could slow employee productivity
- Improve staff efficiency through policies by ensuring employees aren’t accessing non work-related web content during work hours
- Extensive network security from internal and external threats
- Mitigate the risk of installation of spyware, spam, phishing, etc. by proactively blocking sites categorized as “malicious”
Setup
- Service Provider to obtain correct login information and provide to Collabrance all the following relevant information:
- Login information
- Routing information
- WAN interface setup
- Internal (LAN) interface setup
- Wi-Fi information
- ISP contact information - occasionally need to contact when there is no current firewall
- Single web content filtering policy (white list / black list)
- VPN information
- Point to point
- User VPN
- Collabrance to program FortiGate according to Collabrance standards and Fortinet best practices
- Configure device Host Name
- Setup Inspection mode to Proxy
- Apply FortiOS updates
- Configure Primary (& Secondary if applicable) WAN interface(s) (usable IP’s, subnet mask, Gateway (provided by Service Provider)) Configure LAN interface – (usable IP, subnet mask, Gateway (provided by Service Provider))
- Configure DHCP (if applicable)
- Configure DNS (if applicable)
- Configure Static Routes (default routes- Provided by Service Provider)Configure WiFi (if applicable) – SSID and Passphrase provided by Service Provider
- Corporate Wi-Fi
- Guest Wi-Fi
- Configure management interface
- Configure Policies (5 basic / default policies created by Collabrance)
- Disable SIP ALG Helpers
- Setup UTM functionality
- Setup antivirus
- Setup web-content filtering
- Setup intrusion prevention
- Setup Client to Fateway SSL or IPSec VPN (requires domain environment)
- Configure FortiGate for user VPN
- Send FortiClient setup documentation to end users
- Enable SNMP on FortiGate
- Attach appliance to Nuspire NuSecure
- Verify logs are being captured
- Attach appliance to FortiManager
- Verify configuration and policy packages are being backed-up
- Attach appliance to PRTG
- Verify WAN and LAN connectivity, interface utilization (bandwidth), ping (uptime and availability), and WAN latency (Internet latency)
- Document setup and support details in ConnectWise
- Check all settings for accuracy
- Coordinate on-site installation with Service Provider
- Over the phone, walk Service Provider or their designee through hookup
- Failure to meet scheduled appointment time will result in penalties and reschedule appointment (See Service Provider expectation document)
- Testing to ensure appliance is working properly
- Testing to ensure customer has access to necessary resources
- Register FortiGate, check for 3 year, 24x7 agreement
- Verify FortiGuard subscription is active and definitions are being updated
- Login to appliance ~ 3 days after installation to make sure everything is working properly
- Setup read only access, upon request, for a single user account for the Service Provider
Elective Services (Setup) available for additional fee
- Site to Site VPN Tunnels (fee based)
- Flat fee between two supported FortiGate units
- Hourly fee if not between supported FortiGate units
- Different subnets at each site is required
- Static public IP addresses at both sites is required
- Antivirus and IPS Security policies enabled on VPN policies
- Statement of work required if the other firewall is not in the Collabrance technology stack, or Collabrance cannot configure the other end of the tunnel
- Custom Application Filtering: Statement of work required
- Custom Traffic Shaping/Quality of Service: Statement of work required
- Setup user-level reporting for Web-Content Filtering (Requires LDAP)
- Setup multiple Web-Content Filter policies so different rules can apply to different sets of users (Requires FSSO)
- Setup of VOIP and/or other technologies that may be impacted by, controlled by or passes through the UTM (such as VOIP, security systems, etc.)
Service Specific Commitments
Emergency Maintenance Window: Any time; Customer or Service Provider will be notified prior to maintenance if time falls outside of Standard Maintenance Window.
Roles & Responsibilities
Collabrance Responsibilities
Standard Service included in support fee
- Hardware, and full replacement warranty
- Next business day replacement shipping
- Service Provider must have minimum of one appliance on hand that matches maximum model in their customer base
- Automatic replacement of appliance at the end of useable life
- Operating system updates (FortiOS)
- Real-time FortiGuard signature updates for AV, content filter, intrusion prevention system
- Monitoring and management tools –
- Nuspire NuSecure – Captures logs for analysis and reporting
- FortiManager – Remote management tool, manages updates
- PRTG – Monitors bandwidth, connectivity, ping, and latency
- Required: ISP must deliver static IP address
- Web-Content Filtering
- The following web-content categories are blocked and will not be unblocked: Proxy Avoidance, Gambling, Nudity and Risqué, Pornography, Peer-to-Peer file sharing, Malicious Websites, Phishing, and Spam URLs. Sites in these categories pose a security risk which leave customers open to malware and hacking. Legitimate white list exceptions will be made when requested by the customer: e.g. Powerball.com, etc. Any exceptions to this policy will require a liability waiver to be signed by the service provider. Policy exceptions of this nature will be charged at the hourly billable rate.
- The following categories will also be blocked by default, but may be unblocked if the customer requests: Drug Abuse, Hacking, Illegal or Unethical, Explicit Violence, Extremist Groups, and Child Abuse.
- Appliance configuration and policies are backed up off site
- Change requests
- Requested changes to routing, policies, and Network / Port Address Translation
- Subscriber requested changes to content filtering (global policy changes only)
- Investigating security alerts
- Investigating alerts generated by PRTG and NuSecure
- Monitoring signature updates
- Monitoring health of appliance
- Manually updating signatures when automatic updates fail
- Manually updating operating system when automatic update fails
- VPN support (largest number of tickets)
- Site to site (Fortinet to Fortinet)
- User VPN
- Product knowledge
- Certified technicians
- Continuing education
- Ability to upgrade or downgrade to other appliances in the program
Elective Services available for additional fee
- Configuration changes due to ISP/device location change
- Assistance with answering questions for compliance/regulations/audit.
- Setup, configure or make changes to hardware that Collabrance does not control (VPN set up, point to point connections, MPLS-style connections)
- Web Content Filtering, multiple policies: Different web content filtering policies to apply different rules to different groups of users. Requires FSSO.
- Install SSL certificates
- Web-Content Filtering, user reporting: Gives the customer the ability to see where specific users are going on the Internet. Requires LDAP.
- 90 days of live data available for reporting on traffic/web utilization and UTM events
- 3 months of archived data available
- Setup of VOIP and/or other technologies that may be impacted by, controlled by or passes through the UTM (such as VOIP, security systems, …)
Service Provider Responsibilities
- Maintain at least 1 preconfigured UTM in inventory (of the highest model level currently in Service Provider’s fleet) to be used for emergency replacements.
- All Collabrance-managed Unified Threat Management (UTM) devices must be assigned to the Collabrance portal, regardless of where they were purchased.
- All firewalls in a Subscriber environment, regardless of whether they are managed by Collabrance or where they were purchased, should have maintenance coverage (e.g. FortiCare/FortiGuard UTP or better for Fortinet products, or an equivalent product for other brands) to provide the best security and customer experience.
- Provide onsite labor for installation, hardware replacement, and troubleshooting.
- Obtain and maintain FortiCare and FortiGuard UTP subscriptions on any Fortinet devices procured outside of Collabrance as well as Fortinet 24 X 7 support contracts.
- Acquire SSL certificate for compliance needs.
- Ensure Subscriber has support contracts on any and all devices, hardware and/or software that may be impacted by, controlled by or passes through the UTM. Collabrance is not responsible for any device, hardware and/or software that may be impacted by the UTM.
Subscriber Responsibilities
- Customer should be familiar with the location of the firewall in case the Service Desk needs the customer to assist in very basic troubleshooting. e.g. rebooting the appliance
- Responsible for maintaining support contracts on any and all devices, hardware and/or software that may be impacted by, controlled by or passes through the UTM. Collabrance is not responsible for any device, hardware and/or software that may be impacted by the UTM.
Technical Details
- Base configuration will include the following
- MultiWAN Setup
- Port Forwarding for services (HTTP/HTTPS, SMTP, etc)
- Setup of one internal corporate network
- Setup of one corporate Wi-Fi network (See “Wireless Networking: Fortinet”)
- Setup of one guest Wi-Fi network (See “Wireless Networking: Fortinet”)
- Setup of Antivirus Profile
- Does not negate the need to Endpoint Security
- Setup of Application Control Monitoring ONLY
- By default all applications are allowed
- Changes to this may incur a fee
- Setup of Intrusion Protection
- Includes FortiGuard best practice to apply Default Action to Medium, High and Critical events per FortiGuard
- Setup and Support of Remote user VPN connection
- SSL(preferred) or IPSEC
- FortiClient VPN client is supported (not Cisco AnyConnect, etc)
- For complete list of requirements to utilize VPN client, please reference the service catalog document RMM Remote Connectivity.
- Active Directory required (no local username/passwords on firewall)
** Disclaimer: Service Providers must comply with identified Collabrance Requirements in order for items referenced in our Service Catalog to perform properly. **