FortiGate Cloud-Native Firewall – Cloud security and a new paradigm in firewalls
The world of technology is constantly evolving, and with it approaches to security. In an era dominated by the public cloud, traditional network security models based on physical devices and static configurations are becoming less effective. The dynamic, distributed and often ephemeral nature of cloud resources requires a new paradigm – security solutions that are natively integrated with cloud platforms, flexible, scalable and managed in an automated manner. In response to these needs, Fortinet has introduced FortiGate Cloud-Native Firewall (CNF), a service that is redefining the way we think about cloud firewalls. At nFlo, we keep a close eye on the evolution of security technology and understand the need to adapt to new realities, so we bring you a solution that represents a significant step forward in protecting modern cloud environments.
What is the FortiGate Cloud-Native Firewall?
FortiGate Cloud-Native Firewall (CNF) is a next-generation firewall (NGFW) service delivered and managed directly within a public cloud platform (currently available mainly for AWS). Unlike traditional virtual firewalls (such as FortiGate VM), which you have to deploy, configure and manage yourself at the VM level, FortiGate CNF is a managed service. This means that Fortinet (in partnership with the cloud provider) takes responsibility for deploying, scaling, upgrading and maintaining the firewall infrastructure itself.
Administrators focus solely on defining and managing security policies through the familiar FortiOS interface (accessible via FortiManager or a dedicated portal), while all the “machinery” underneath runs transparently and natively for the cloud. FortiGate CNF integrates directly with the networking and orchestration mechanisms of a given cloud platform (e.g. AWS Gateway Load Balancer, AWS Firewall Manager), providing seamless and efficient protection of network traffic in the cloud.
Why is the solution introducing a new paradigm in cloud security?
FortiGate CNF represents a fundamental shift in the approach to cloud network security for several reasons. First, it shifts responsibility for managing the firewall infrastructure from the customer to the service provider. This eliminates the complexity and operational costs associated with deploying, patching, scaling and ensuring high availability of traditional virtual appliances. Administrators can focus on what matters most – defining effective security policies.
Second, FortiGate CNF is designed from the ground up as a cloud native solution. This means that it takes full advantage of the capabilities and mechanisms of a given cloud platform (e.g., auto-scaling, integration with native network services), which provides optimal performance, flexibility and resiliency that is difficult to achieve with traditional VMs. Third, it simplifies security management in multi-tenant and multi-region environments by centrally defining policies and automatically deploying them across the cloud infrastructure. Finally, the pay-as-you-go pricing model better reflects the elastic nature of the cloud, allowing you to pay only for the resources you actually use. All this adds up to a new, more agile, efficient and easier-to-manage model for deploying advanced NGFW functions in the cloud.
What security challenges in cloud environments does FortiGate CNF solve?
Cloud environments, despite their many advantages, bring specific security challenges that FortiGate CNF helps address effectively. First of all, it addresses the complexity of managing network security in dynamic and distributed infrastructures. The traditional approach, which requires manual configuration and management of multiple virtual firewalls, becomes inefficient and error-prone. FortiGate CNF, as a managed service with a central console, significantly simplifies this.
It also addresses the challenge of scalability and flexibility. Automatic scaling built into the CNF service ensures that protection is always matched to the current load, eliminating the risk of bottlenecks or overpaying for unused resources. It helps ensure consistent protection in multi-account and multi-region environments, where manual enforcement of uniform policies is difficult. It also makes it easier to protect internal (east-west) traffic between resources in the cloud, an often overlooked but critical aspect of security. Finally, it reduces the operational burden on IT and security teams, allowing them to focus on strategic tasks instead of maintaining the firewall infrastructure.
How does FortiGate CNF protect against data leakage and malware attacks?
As a full-fledged next-generation firewall (NGFW), FortiGate CNF provides multi-layered protection mechanisms against key threats, such as data leaks and malware attacks, applied to network traffic flowing through the service:
- Antivirus protection: the service uses Fortinet’s antivirus engine, powered by FortiGuard Labs, to scan network traffic for known malware (viruses, Trojans, spyware, etc.). Detected threats are automatically blocked.
- Intrusion Prevention System (IPS): FortiGate CNF analyzes traffic for signatures of known exploits and network attacks. It can detect and block attempts to exploit vulnerabilities in operating systems and applications before they reach protected resources.
- Web Filtering: The service can block access to websites known to host malware, phishing or other malicious content, and can enforce policies on access to certain categories of sites (e.g., social media, gambling).
- Application Control: Identifies and controls traffic generated by thousands of applications, including those used to exfiltrate data (e.g., file-sharing services, instant messaging).
- Data Loss Prevention (availability depends on the service's feature set): in the future, or as part of an integration, the service may offer basic DLP functionality that monitors traffic for patterns matching sensitive data.
With these integrated security features, FortiGate CNF provides a solid barrier to protect cloud resources from many common attack vectors and data leakage attempts.
How is FortiGate CNF different from traditional firewall solutions?
The main difference between FortiGate CNF and traditional firewall solutions (both physical and virtual FortiGate VM) lies in the delivery and management model. Traditional firewalls require the customer to purchase, deploy, configure, manage and maintain the infrastructure (hardware or virtual). The customer is responsible for scaling, software upgrades, ensuring high availability and monitoring device health.
FortiGate CNF operates under a managed service model. This means that Fortinet (in partnership with the cloud provider) takes responsibility for the entire infrastructure underneath. The customer doesn’t have to worry about deploying virtual machines, scaling them, patching the operating system or configuring HA. Instead, the customer only configures and manages security policies through a central console (FortiManager or a dedicated portal). This is a cloud-native approach that fits better with the operating model and the benefits of the public cloud, such as flexibility, scalability and a pay-per-use model.
How does FortiGate CNF’s “known bad IP addresses” filtering work?
One of the most basic but highly effective methods of protection is blocking traffic coming from known malicious Internet sources. FortiGate CNF uses a dynamically updated IP address reputation database, provided by FortiGuard Labs, for this purpose. This Fortinet global threat intelligence network constantly monitors the Internet, identifying IP addresses associated with various types of malicious activity, such as:
- Botnets (sources of DDoS attacks, spam, scanning)
- Command & Control (C&C) servers used by malware.
- Sources of brute-force attacks
- Tor network nodes or anonymous proxies often used to hide identities
- Other suspicious or compromised hosts.
FortiGate CNF can be configured to automatically block any traffic coming in from, or going out to, IP addresses on this “blacklist.” This is a simple but very effective first line of defense: it filters out much of the malicious traffic before it even reaches the more advanced inspection engines, while reducing the load on the system.
Why is geo-fencing a key function for organizations with compliance requirements?
Geo-fencing, the ability to create security policies based on the geographic location of a source or destination IP address, is an important feature of FortiGate CNF, especially for organizations subject to specific compliance requirements or operating in markets with specific data flow regulations.
With geo-fencing, an organization can, for example:
- Block inbound traffic from countries or regions with which it does not do business or that are known for high cybercrime activity. This reduces the attack surface.
- Restrict access to certain services or data only to users from specific geographic locations, which may be required by certain data privacy regulations or specific licensing agreements.
- Prevent data exfiltration to unauthorized countries by monitoring or blocking outbound traffic to specific geographic regions.
This ability to enforce policies based on geolocation is a valuable tool in the arsenal of organizations concerned about security and compliance in a global Internet environment.
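The following is an added example, not code from the original article or from Fortinet: a direction-aware pre-inspection filter that applies the IP-reputation blocklist and the geo-fencing rules described in the two sections above before a flow is handed to the deeper NGFW engines. The reputation entries, the country-to-prefix table (using reserved documentation ranges and user-assigned country codes) and the flow records are all constructed for illustration; a real deployment pulls the feeds from a threat-intelligence source such as FortiGuard and a geolocation database.

```python
"""Pre-inspection filter: reputation blocklist first, then geolocation rules.

Constructed data only: documentation prefixes (RFC 5737) and user-assigned
ISO country codes XA/XB/XC stand in for real feeds.
"""
from ipaddress import ip_address, ip_network

# Constructed reputation feed: address -> threat category
REPUTATION_BLOCKLIST = {
    "203.0.113.7": "botnet",
    "198.51.100.200": "c2",
}

# Constructed geolocation table: (prefix, country code)
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "XA"),
    (ip_network("198.51.100.0/24"), "XB"),
    (ip_network("192.0.2.0/24"), "XC"),
]

INBOUND_DENY_COUNTRIES = {"XA"}   # no business relationship with this region
OUTBOUND_DENY_COUNTRIES = {"XB"}  # data must not leave to this region


def country_of(ip: str):
    """Longest-prefix match against the geo table; None if the address is unknown."""
    addr = ip_address(ip)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def prefilter(direction: str, remote_ip: str):
    """Return (verdict, reason) for one flow.

    'deny' drops the flow here; 'inspect' hands it to the NGFW engines
    (IPS, AV, web filter, ...). Reputation is checked before geolocation
    because a blocklisted host is denied regardless of direction.
    """
    if remote_ip in REPUTATION_BLOCKLIST:
        return "deny", f"reputation:{REPUTATION_BLOCKLIST[remote_ip]}"
    cc = country_of(remote_ip)
    if direction == "inbound" and cc in INBOUND_DENY_COUNTRIES:
        return "deny", f"geo-inbound:{cc}"
    if direction == "outbound" and cc in OUTBOUND_DENY_COUNTRIES:
        return "deny", f"geo-outbound:{cc}"
    # Unknown geolocation is not a reason to deny on its own; let inspection decide.
    return "inspect", f"geo:{cc or 'unknown'}"


def run_flows(flows):
    """Evaluate a list of (direction, remote_ip) flows; returns a list of result tuples."""
    return [(d, ip) + prefilter(d, ip) for d, ip in flows]


# Constructed flow records
SAMPLE_FLOWS = [
    ("inbound", "203.0.113.7"),     # blocklisted host inside a geo-denied country
    ("inbound", "203.0.113.50"),    # clean host, but inbound from XA is denied
    ("outbound", "203.0.113.50"),   # outbound to XA is allowed through to inspection
    ("outbound", "198.51.100.5"),   # outbound to XB is blocked (exfiltration control)
    ("inbound", "192.0.2.9"),       # XC, no rule: goes to inspection
    ("outbound", "10.0.0.1"),       # unknown location: goes to inspection
]

if __name__ == "__main__":
    for row in run_flows(SAMPLE_FLOWS):
        print(row)
```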
Summary: Key benefits of FortiGate CNF
- Simplified management: responsibility for the firewall infrastructure is shifted to the vendor, so the customer focuses on policies.
- Native cloud integration: Fully utilize the scaling, networking and orchestration mechanisms of cloud platforms (e.g. AWS).
- Flexibility and scalability: Automatically adjust resources according to current workload.
- Consistent multi-cloud security: Centrally manage policies across multi-account and multi-region environments.
- Advanced NGFW protection: Access to Fortinet’s proven security features (IPS, AV, Web Filter, App Control).
- Cost optimization: Pay-as-you-go payment model and reduced operating costs.
How does FortiGate CNF simplify security management in multi-cloud environments?
Managing security in environments with multiple cloud accounts (multi-account) or even multiple cloud providers (multi-cloud) is one of the biggest challenges for IT teams. Each platform has its own tools, interfaces and concepts. FortiGate CNF is designed to significantly simplify this task through centralization and automation.
The platform offers a single, consistent management interface (via FortiManager or a dedicated portal) for defining and enforcing security policies across all connected cloud environments (mostly AWS for now, but with the prospect of other clouds). Administrators can create central policies, which are then automatically propagated and enforced in the corresponding CNF instances across accounts and regions. Using native cloud orchestration mechanisms (e.g., AWS Firewall Manager) allows policies to be consistently applied to new resources as they are created. This eliminates the need to manually configure security for each individual account, reduces the risk of errors and provides a consistent level of protection across the distributed cloud infrastructure.
How do dynamic security policies adapt to changes in cloud infrastructure?
Cloud environments are inherently dynamic – resources (virtual machines, containers) are created, deleted and scaled continuously, often automatically. Traditional firewall policies, based on static IP addresses, become very difficult to manage under such conditions and quickly become obsolete. FortiGate CNF solves this problem by supporting dynamic security policies.
Instead of basing rules on IP addresses, policies in FortiGate CNF can use dynamic objects, such as tags assigned to cloud resources (e.g. AWS EC2 tags) or dynamic address groups. When a new resource is created and tagged with the appropriate tag (e.g., “webserver-prod”), it is automatically subject to the policies defined for that tag, without having to manually update firewall rules. Similarly, when a resource is deleted, it is no longer subject to the policy.
This ability to automatically adapt security policies to the constant changes in cloud infrastructure is key to maintaining effective protection in dynamic environments. It ensures that the right protections are always applied to the right resources, regardless of their lifecycle or IP address.
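As an added example (not Fortinet code and not how FortiGate CNF resolves dynamic objects internally), the simulation below shows the behaviour described above: a rule references tag-based dynamic address objects, and membership is recomputed from the current inventory at evaluation time, so a newly tagged instance is covered without editing the rule and a terminated one drops out. The inventory records, tag names and policy structure are constructed for illustration; a real deployment would source the inventory from the cloud API (e.g. EC2 instance tags).

```python
"""Tag-based dynamic address objects: membership follows the inventory, not the rule."""
from dataclasses import dataclass


@dataclass
class Resource:
    """A cloud resource as seen in the inventory (constructed records below)."""
    resource_id: str
    private_ip: str
    tags: dict


@dataclass
class DynamicAddress:
    """Address object whose members are resolved from resource tags at lookup time."""
    name: str
    match_tags: dict  # every listed tag=value pair must be present on the resource

    def resolve(self, inventory):
        return sorted(r.private_ip for r in inventory
                      if all(r.tags.get(k) == v for k, v in self.match_tags.items()))


@dataclass
class Policy:
    name: str
    src: DynamicAddress
    dst: DynamicAddress
    dst_port: int
    action: str = "accept"

    def matches(self, inventory, src_ip, dst_ip, dst_port):
        """Evaluate a flow against the *current* resolved membership."""
        return (src_ip in self.src.resolve(inventory)
                and dst_ip in self.dst.resolve(inventory)
                and dst_port == self.dst_port)


def evaluate(policies, inventory, src_ip, dst_ip, dst_port):
    """First-match evaluation with an implicit deny at the end of the rule set."""
    for p in policies:
        if p.matches(inventory, src_ip, dst_ip, dst_port):
            return p.action, p.name
    return "deny", "implicit-deny"


# Constructed objects and a single rule: prod web servers may reach prod databases
WEB = DynamicAddress("web-prod", {"role": "webserver", "env": "prod"})
DB = DynamicAddress("db-prod", {"role": "database", "env": "prod"})
POLICIES = [Policy("web-to-db", WEB, DB, 5432)]


def scenario():
    """Walk through the resource lifecycle; the rule set is never modified."""
    inv = [
        Resource("i-web1", "10.0.1.10", {"role": "webserver", "env": "prod"}),
        Resource("i-db1", "10.0.2.20", {"role": "database", "env": "prod"}),
        Resource("i-web-stg", "10.0.3.30", {"role": "webserver", "env": "staging"}),
    ]
    results = {}
    results["prod_web_initial"] = evaluate(POLICIES, inv, "10.0.1.10", "10.0.2.20", 5432)
    # Same role tag, wrong environment: not a member of web-prod
    results["staging_web"] = evaluate(POLICIES, inv, "10.0.3.30", "10.0.2.20", 5432)
    # Auto-scaling launches a second prod web server; no rule is edited
    inv.append(Resource("i-web2", "10.0.1.11", {"role": "webserver", "env": "prod"}))
    results["prod_web_scaled"] = evaluate(POLICIES, inv, "10.0.1.11", "10.0.2.20", 5432)
    # The instance is terminated; its address no longer resolves into web-prod
    inv = [r for r in inv if r.resource_id != "i-web2"]
    results["prod_web_removed"] = evaluate(POLICIES, inv, "10.0.1.11", "10.0.2.20", 5432)
    # Address reuse: a new, differently tagged instance gets the recycled IP
    # but not the access an IP-based rule would have leaked to it
    inv.append(Resource("i-bastion", "10.0.1.11", {"role": "bastion"}))
    results["ip_reused_other_role"] = evaluate(POLICIES, inv, "10.0.1.11", "10.0.2.20", 5432)
    return results


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:>22}: {verdict}")
```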
What financial benefits does the FortiGate CNF pay-for-use model offer?
Traditional firewall licensing models are often based on purchasing licenses for a specific bandwidth or number of users, regardless of actual usage. In dynamic cloud environments, where workloads can change rapidly, such a model often leads to overpaying for unused resources. FortiGate CNF introduces a more flexible and cost-effective pay-for-use model, typical of cloud services.
Charges for the FortiGate CNF service are usually based on the amount of data actually processed (e.g., per GB) and the number of active service hours or other measurable consumption metrics. This means that you only pay for what you actually use. During periods of lower traffic, costs are lower, and during peak load periods they increase dynamically as the service scales.
This model eliminates the need for large upfront investments (CAPEX) in licenses and hardware and allows security costs to be more closely aligned with actual business needs. It also provides cost predictability over the long term and facilitates budgeting in the operating model (OPEX).
How does FortiGate CNF integrate with AWS and Azure?
At the time of writing, FortiGate CNF is most deeply integrated with the Amazon Web Services (AWS) platform, where it is offered as a managed service directly in the AWS Marketplace. This integration leverages key AWS services such as:
- AWS Gateway Load Balancer (GWLB): Used to transparently insert a CNF service into the path of network traffic without complicated routing changes.
- AWS Firewall Manager: Enables central management and deployment of FortiGate CNF policies across multiple accounts and VPCs within an AWS organization.
- AWS Security Hub: The integration allows alerts and results from CNF to be sent to the central AWS security dashboard.
- AWS CloudWatch: To monitor the performance metrics and status of the CNF service.
For Microsoft Azure, Fortinet also offers cloud native solutions, although the implementation may differ from the CNF model in AWS. Typically, it uses FortiGate VM deployed in high availability and scalability mode (e.g., using Azure Virtual Machine Scale Sets) and integrated with Azure Load Balancer and Azure Route Server/User Defined Routes (UDR) to direct traffic. Management is also done through FortiManager. While the integration mechanisms may be different, the goal remains the same – to provide flexible, scalable and centrally managed NGFW protection in an Azure environment. Fortinet continues to expand its integrations with major cloud platforms.
How does the solution provide protection for internal (east-west) traffic in the cloud?
Protecting traffic at the edge of the network (north-south), i.e. communication between the cloud and the internet or the on-premises network, is crucial, but securing internal traffic (east-west), i.e. communication between resources running inside the cloud (e.g. between different VMs, containers or application layers), is becoming equally important. Attackers who gain access to one resource in the cloud often try to spread laterally inside the virtual network.
FortiGate CNF can be used to inspect and enforce security policies for east-west traffic as well. By integrating with cloud routing mechanisms (e.g. VPC Route Tables in AWS, UDR in Azure), traffic between different subnets or availability zones can be routed through a FortiGate CNF instance. This allows the same advanced security features (firewall, IPS, AV, App Control) to be applied to internal traffic as to external traffic. This enables the implementation of microsegmentation rules and significantly limits lateral movement by attackers, increasing the overall resilience of the cloud environment.
Why does a consolidated security architecture reduce operating costs?
Using FortiGate CNF as part of Fortinet’s broader, consolidated security architecture (Security Fabric) brings significant benefits in the form of reduced operational costs. Instead of managing multiple separate point security solutions from different vendors (e.g., separate firewall, separate IPS, separate web filter), an organization can consolidate multiple functions into a single FortiGate platform, managed centrally.
This eliminates the need to train staff in the use of many different tools, and simplifies policy management, monitoring and reporting processes. Automation built into Security Fabric and FortiGate CNF (e.g., automatic threat response, automatic policy deployment) further reduces manual effort for IT and security teams. Unified visibility and correlation of events across the architecture accelerates diagnosis and resolution. All of this translates into lower operational costs (OPEX) for maintaining and managing the security infrastructure.
How does DNS filtering and IPS work in FortiGate CNF?
As a full-fledged NGFW, FortiGate CNF includes key protection mechanisms, such as DNS filtering and Intrusion Prevention System (IPS), operating in the context of network traffic flowing through the service:
- DNS Filtering: This feature monitors and controls DNS queries sent by protected cloud resources. Using the FortiGuard database, it can block access to domains known to host malware, phishing, C&C servers or other malicious content. It can also enforce company policies by blocking access to undesirable categories of sites (e.g., gambling, social media) already at the DNS query level, before an HTTP/S connection is even attempted.
- Intrusion Prevention System (IPS): The IPS engine analyzes network traffic for signatures of known exploits and attacks at the network and application level. It uses FortiGuard’s extensive, constantly updated database to identify attempts to exploit vulnerabilities in operating systems, network services or applications. Once an attack signature match is detected, the IPS can automatically block malicious traffic, preventing the attack from being successful.
Both of these mechanisms are important layers of preventive protection, neutralizing many common threats before they reach protected resources in the cloud.
How does automation via REST APIs speed up the implementation of security policies?
In dynamic cloud environments, where infrastructure is often managed via Infrastructure as Code (IaC) and CI/CD processes, the ability to automate configuration and security management becomes crucial. FortiGate CNF (like other Fortinet solutions managed by FortiManager) provides a REST API for this purpose.
This API allows DevOps and security teams to interact programmatically with the FortiGate CNF platform. It is possible to create scripts or integrate with automation tools (e.g. Ansible, Terraform, Python scripts) that can automatically create, modify and deploy security policies, network objects, security profiles and other configuration items.
As a result, security policies can be treated as code (Policy as Code), stored in version control systems (such as Git) and deployed as part of automated CI/CD flows along with infrastructure and applications. Such automation drastically speeds up the process of deploying new services and updating policies, ensures configuration consistency and minimizes the risk of human error, which is essential for maintaining security in rapidly changing cloud environments.
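The following is an added example, not code from the original article or from Fortinet: a CI-stage lint for a Policy-as-Code file, run before any automation tool pushes the rules to the firewall API. It catches the classes of mistake that automated deployment would otherwise propagate instantly: any/any accept rules, accept rules without logging, rules that reference undefined address objects (typos), and internet-facing accept rules missing IPS or antivirus profiles. The JSON schema, object names and profile names are constructed for this example and are not FortiManager's or CNF's own format.

```python
"""Policy-as-Code lint: reject unsafe or malformed rules before deployment."""
import json

# Constructed Policy-as-Code document (not a FortiManager/CNF schema)
POLICY_AS_CODE = json.loads("""
{
  "addresses": {
    "web-prod": {"tag": "role=webserver,env=prod"},
    "db-prod":  {"tag": "role=database,env=prod"}
  },
  "rules": [
    {"name": "web-to-db",   "src": ["web-prod"], "dst": ["db-prod"],
     "service": ["tcp/5432"], "action": "accept", "log": true,
     "profiles": ["ips-default"]},
    {"name": "inet-to-web", "src": ["internet"], "dst": ["web-prod"],
     "service": ["tcp/443"],  "action": "accept", "log": true,
     "profiles": ["ips-default", "av-default"]},
    {"name": "temp-debug",  "src": ["all"],      "dst": ["all"],
     "service": ["ALL"],      "action": "accept", "log": false,
     "profiles": []},
    {"name": "typo-rule",   "src": ["web-prd"],  "dst": ["db-prod"],
     "service": ["tcp/5432"], "action": "accept", "log": true,
     "profiles": ["ips-default"]}
  ]
}
""")

BUILTIN_OBJECTS = {"all", "internet"}          # objects the platform provides
REQUIRED_INBOUND_PROFILES = {"ips", "av"}      # profile kinds = prefix before '-'


def lint(doc):
    """Return a list of (rule_name, finding) tuples; empty means the file passes."""
    findings = []
    known = set(doc["addresses"]) | BUILTIN_OBJECTS
    for rule in doc["rules"]:
        name, accept = rule["name"], rule["action"] == "accept"

        # 1. any/any/ALL accept rules are never acceptable in a pushed policy
        if accept and "all" in rule["src"] and "all" in rule["dst"] \
                and "ALL" in rule["service"]:
            findings.append((name, "any/any/ALL accept rule"))

        # 2. accepted traffic must be logged for audit and incident analysis
        if accept and not rule.get("log"):
            findings.append((name, "accept rule without logging"))

        # 3. every referenced object must exist; a typo silently matches nothing
        for obj in rule["src"] + rule["dst"]:
            if obj not in known:
                findings.append((name, f"unknown address object '{obj}'"))

        # 4. inbound-from-internet accept rules need inspection profiles
        if accept and "internet" in rule["src"]:
            kinds = {p.split("-")[0] for p in rule["profiles"]}
            for missing in sorted(REQUIRED_INBOUND_PROFILES - kinds):
                findings.append((name, f"internet-facing accept rule lacks {missing} profile"))
    return findings


def ci_gate(doc) -> bool:
    """True when the document may be deployed; False blocks the pipeline."""
    return not lint(doc)


if __name__ == "__main__":
    for rule_name, finding in lint(POLICY_AS_CODE):
        print(f"FAIL {rule_name}: {finding}")
    print("deployable" if ci_gate(POLICY_AS_CODE) else "blocked")
```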
What business scenarios use FortiGate CNF most effectively?
FortiGate CNF, because of its natively cloud-based architecture and managed service model, is particularly well suited to specific business and technology scenarios:
- “Cloud-First” / “Cloud-Native” Organizations: Companies that are building their infrastructure and applications from the ground up in the public cloud and want a security solution that is as flexible, scalable and managed as other cloud services.
- Multi-account and Multi-Region Environments on AWS: Organizations using multiple AWS accounts and regions that need a simple way to centrally manage and consistently enforce network security policies across their AWS infrastructure.
- Companies with Limited IT/Security Resources: The managed service model relieves internal teams of the task of maintaining the firewall infrastructure, allowing them to focus on defining policies and responding to incidents.
- Organizations Seeking to Optimize Costs (OPEX): The “pay-as-you-go” payment model is attractive to companies preferring operating costs to large initial investments in hardware and licenses.
- Companies Needing Rapid Deployment: The ease and speed of getting the CNF service up and running is an advantage for organizations needing to quickly deploy NGFW protection in the cloud.
- Securing East-West Traffic: Scenarios that require inspection and control of traffic between different segments of the cloud virtual network.
How to deploy FortiGate CNF in existing cloud infrastructure step by step?
The FortiGate CNF deployment process (especially on AWS, where it is most mature) is designed to be as simple as possible and integrated with cloud tools. Typical steps include:
- Service Subscription: Purchase a FortiGate CNF subscription in the AWS Marketplace.
- Configuring Central Management: Log in to the FortiGate CNF portal (or FortiManager) and configure basic settings, including connection to the AWS accounts to be protected.
- Defining Security Policies: Create central firewall policies, security profiles (IPS, AV, Web Filter, etc.) and routing rules in the management console.
- Integration with AWS Firewall Manager (optional, but recommended): Configure AWS Firewall Manager to automatically deploy and enforce FortiGate CNF policies on selected VPCs and accounts within the AWS organization.
- Configure Routing in VPC: Configure routing tables in protected VPCs to route appropriate traffic (e.g., traffic to/from the Internet, traffic between subnets) through FortiGate CNF service endpoints (typically via AWS Gateway Load Balancer Endpoint).
- Monitoring and Tuning: Monitor the performance of the service, analyze logs and possibly adjust policies based on observations.
Fortinet provides detailed guides and documentation, and support from partners such as nFlo can further ease the process.
How does FortiGate CNF support organizations in meeting standards such as GDPR or ISO 27001?
Maintaining compliance with data protection regulations (such as GDPR) and information security management standards (such as ISO 27001) is critical, including in cloud environments. As an advanced next-generation firewall, FortiGate CNF provides important technical mechanisms that support compliance with many of the requirements of these standards:
- Network Access Control: Precise firewall policies allow for least privilege enforcement and network segmentation, which is fundamental to protecting data and systems.
- Threat Protection: IPS, antivirus, web and DNS filtering features help protect against malware and attacks that could lead to data security breaches.
- Secure Communication: the ability to create and manage VPN tunnels (IPsec, SSL) ensures secure data transmission.
- Logging and Auditability: FortiGate CNF generates detailed logs of network traffic, security events and configuration changes, which are essential for monitoring, incident analysis and compliance audits.
- Central Policy Management: Facilitates consistent implementation and enforcement of security policies across the cloud infrastructure.
Implementing and properly configuring FortiGate CNF is therefore an important part of building a cloud environment that complies with key regulations and security standards.
Summary: FortiGate CNF – A new paradigm of firewall in the cloud
- Managed service: Fortinet takes care of the infrastructure, you focus on policies.
- Native integration with the cloud: Leverage AWS/Azure mechanisms for optimal performance and scalability.
- Flexibility and auto-scaling: Resources adjusted dynamically as needed.
- Centralized multi-cloud management: One interface for multiple accounts and regions.
- Dynamic policies: Tag-based rules adapt to changes in infrastructure.
- Pay-as-you-go model: Payment for actual consumption, optimizing OPEX costs.
- Full NGFW coverage: Access to Fortinet’s advanced security features.
How does the solution address scalability challenges in dynamic cloud environments?
One of the biggest advantages of the cloud is its flexibility and scalability. However, traditional virtual firewalls often struggle to keep up with these dynamics – scaling them requires manual intervention, adding new instances and reconfiguration. FortiGate CNF is designed to take full advantage of the native scalability mechanisms of cloud platforms.
Because CNF is a managed service, the underlying infrastructure is automatically scaled by Fortinet and the cloud provider in response to changing traffic loads. When traffic increases, the service dynamically allocates more compute and network resources to ensure consistent performance and throughput. When traffic decreases, resources are released. This process is transparent to the user, who doesn’t have to worry about managing the capacity of the firewall infrastructure. This built-in, automatic scalability ensures that protection is always available and efficient, regardless of traffic fluctuations, which is crucial in dynamic cloud environments.
What innovations does the FortiGate CNF bring to cloud security compared to the competition?
FortiGate CNF introduces several innovative concepts that set it apart from traditional virtual firewalls and some competing cloud native solutions. The key innovation is the managed service model itself for a full-fledged NGFW, which shifts the burden of infrastructure management to the provider, significantly simplifying operations for the customer.
Deep integration with native cloud networking and orchestration services (such as AWS GWLB and Firewall Manager) allows for more seamless and efficient deployment and management than solutions that require complex workarounds or manual routing configuration. The use of dynamic tag-based policies is another innovative approach that better addresses the dynamic nature of cloud resources than traditional IP-based policies. Finally, offering the full range of FortiOS NGFW features in a cloud-native model, managed through a familiar and consistent FortiManager/Infinity Portal interface, represents a comprehensive and mature approach that can outperform the functionality of some simpler native cloud firewalls.
How do you prepare your IT team to effectively use FortiGate CNF?
Although FortiGate CNF simplifies the management of firewall infrastructure, effectively leveraging its capabilities still requires proper knowledge and preparation of the IT and security team. Understanding the new operating model – moving from device management to policy management within the service – is key. The team must become familiar with the management interface (FortiManager or the dedicated CNF portal) and learn how to define security policies, security profiles and routing rules in this new context.
A solid knowledge of the network architecture and security mechanisms of the cloud platform on which CNF is deployed (e.g. AWS VPC, Security Groups, Route Tables, IAM) is also essential. Understanding how CNF integrates with these native services is crucial for proper configuration and troubleshooting. It’s worth investing in dedicated Fortinet training on FortiGate, FortiManager and CNF specifics. Equally important is developing new operational processes for policy implementation, monitoring, incident response and compliance management in a managed service model. The support of a partner such as nFlo in the training and adaptation process can significantly accelerate full effectiveness.
What cloud cyber security trends are shaping the development of FortiGate CNF?
The development of FortiGate CNF is driven by key trends shaping the future of cyber security in the cloud. The dominant trend is the move toward convergence and integration of various security tools into Cloud Native Application Protection Platform (CNAPP) platforms. FortiGate CNF fits into this trend by integrating NGFW functions with other elements of the CloudGuard ecosystem (CSPM, CWPP).
Another important direction is the increasing use of artificial intelligence (AI) and machine learning (ML) to automate detection, risk analysis and threat response. We can expect to see further development of AI capabilities in FortiGate CNF. The growing importance of Zero Trust architectures is forcing the development of features that provide contextual access control based on device identity and state, in which CNF also plays a role. API security is becoming increasingly critical, which will drive the development of dedicated API protection functions within CNF. Finally, the need to simplify management and automation in multi-cloud environments will continue to be a key driver for solutions such as the FortiGate CNF.
In summary, FortiGate Cloud-Native Firewall (CNF) is an innovative approach to cloud network security that combines the advanced capabilities of Fortinet’s next-generation firewall with the flexibility, scalability and management simplicity characteristic of cloud-native services. By shifting infrastructure responsibility to the provider and offering centralized policy management in multi-cloud environments, FortiGate CNF allows organizations to focus on what matters most – providing effective protection for their cloud resources and applications.
Interested in implementing a modern, cloud native firewall? Contact the experts at nFlo. We will help you understand how FortiGate CNF can revolutionize the security of your cloud infrastructure and support you in its implementation process.