Fortinet, Inc. ($FTNT)

[Presentation] Good day, everyone. Thank you for joining today's Demo Day Unified SASE in the AI era. My name is Ruth Goh, and I will be our host for today's session. Before we get started, I encourage all online attendees to view the screen using a laptop or desktop for optimal experience. Additionally, please feel free to download resources listed. For more information on the topics we'll be discussing today. We want to hear from you. Please don't hesitate to ask any questions during the session, and we'll do our best to answer them in real time. Alternatively, you can click on the survey to share your feedback request. So are you feeling lucky today? Two lucky draw prizes will be given away. You might be our lucky draw winners for either the desktop, 5-in-1 wireless charging station or Philips handheld massage gun. The winners will be notified via e-mail after today's webinar. Now let me turn the time over to Alexandra Mehat, Product Marketing Director, for keynote message.

Very happy to be here with you. And I will be later joined at the end of my presentation by our great experts and ADA on SASE that will show you the extent of what SASE is. But today, we are talking about unified SASE in the AI era. Definitely, AI is at the center of every single conversation now that we have with customers, with partners, with analysts also, of course, and it is a key trend and the key challenge on securing AI, making sure you have AI capabilities to help you with threat detection in your solution. And that's definitely what Fortinet has. So let's get started here. You have a lot of challenges that have been brought by AI today. So one of them is shadow AI as a subset of shadow IT, actually. It's what are the users doing? Which Gen AI application are they accessing? What are they sending to these Gen AI applications? So who accesses what? Then AI security, are you using all the key capabilities of AI for threat detection, for that intelligence and triage and alerting that you need every solution so that you're more efficient, thanks to these AI power actually. And then, well, I was talking about securing what the access to these Gen AI application do we -- do you have a solution for that? A lot of customers are asking, well, when employees are accessing ChatGPT Copilot, Claude, Grok, et cetera, I want to know if they're not sending confidential or sensitive information. These are the key challenges from AI today that we can solve with SASE. But let's start with what is our -- well, our solution SASE is actually built with our FortiGuard services. And at Fortinet, we have what we call our FortiGuard Labs. We have more than 1,000 people looking into that, but not only people, they are using AI technology, they are alerting AI, machine learning, deep learning to select, to determine the threats that can be defined. We have 15-plus years of experience in applying AI at Fortinet. And we didn't just start yesterday. AI is really in our DNA. We had the sixth generation of our machine learning engine. And we've blocked more than 3 trillion vulnerability attempts just in 2024, by 2024. And we have more than 500 patents in AI, just in AI by itself. So we are also innovating there in the AI space. But this FortiGuard Labs, well, we have our products everywhere in the world. We're one of the -- well, we have more than half of the firewalls worldwide are Fortinet. So we have the broadest telemetry available. We take it from our firewalls, anonymously, of course, firewalls, e-mails, endpoints or sandbox files, they are all pushing all these data to us. And with that AI mail capability, we are looking into trillions of events to have that real-time automation and that feedback loop into our products. And we're also partnering with research partners. We are a founding member of the Cyber Threat Alliance. We are partnering with the World Economic Forum, with the Interpol and to make sure that all the threats are detected as much as we can, 0-day threats, regular threats. And we are using AI to help us do that with all its power. But what about SASE? What does -- so SASE, secure access service edge, is the way to secure your remote users as well as with SD-WAN and FortiGate users in the office, sorry, unified SASE solution. So we have a clear integration between our FortiGates and our SD-WAN as well as on FortiSASE, you'll see it in the demos later, really that integration is key and really fast and easy to do for simplifying your operations. That is our unified SASE solution. A unified SASE solution is all about convergence, convergence between networking and security with one management, one agent to access. So it's all about simplification. You either access with an agent, without an agent, with different key capabilities, you can connect to FortiGate also if you want to offload the security for guests, for example, to FortiSASE. We also connect with third-party SD-WANs as well as have a cool capability called Thin Edge, you can have an access point or where we call FortiBranch SASE, as kind of a combination between a switch and an AP where you connect the devices and you can offload the traffic to FortiSASE and then make sure that all the security is done there. And our SASE solution has a lot of key capabilities. It's a nice package solution that allows you to secure the Internet access, the private access as well as the SaaS access, including Gen AI applications. So you have Firewall-as-a-Service, secure web gateway for Internet access protection. You have universal ZTNA across everything, same policy, same tags that you can have across the office and the remote locations. that allows you to have a granular private access, checking the security posture at Fortinet, we do it every 60 seconds so that you're sure you're fully protected. Then we have CASB and also SSPM to protect these SaaS application access misconfiguration also through SSPM. And all of that with data leak protection across everything. So it includes Gen AI application, it includes Internet access. So we really check what the user is sending out and make sure it's not sensitive information we have in the EDM, fingerprinting, regex, all these cool capabilities in our DLP that will allow to check that no sensitive information is sent out. We're releasing secure browser extension so that even at the browser level, you have an add-on to existing browsers where you can fully secure your users there. And what is key also is that digital experience monitoring throughout from the endpoint to the point of presence to the POP as well as the connectivity between the POP and the application. We check the latency, the jitter at the endpoint side. We check CPU, memory, bandwidth, WiFi connection to make sure that when you want to troubleshoot any issue, you really can do it from end to end, from the endpoint to the application itself. And I was talking about that key integration between our SD-WAN and our SASE, which you'll see in the demo moving forward. So all of these services are really based on our FortiGate AI-powered services. It also includes Sandbox in SASE actually. And these FortiGate services I've talked about, AI-powered services are here in SASE to help you out and to have all these performance, resilience, efficiency in your SASE solution. We also have our FortiAI Assist that is available today in our SD-WAN, very soon in our SASE, where this DEM capability can also be assisted through that Gen AI assistant that will make troubleshooting done in minutes instead of hours or even days sometimes. So AI is really at the heart of our SASE solution and our SASE solution also protects Gen AI application. So it's across everything. You have that -- I was talking about the challenges. So you have that visibility of everything the user does, which application they're accessing, what they're searching for actually on the Internet and these type of stuff, very detailed analytics and reporting. We have that -- these AI-powered FortiGuard services that are here with all their power and all this data analytics that we can push back into our product as well as this FortiAI Assist, the Gen AI assistant that helps you troubleshoot faster and configure faster also. So really, AI is at the heart of everything. It's not just securing AI, it's AI security at the same time. And so it's both sides of the solution. A little flashback kind of on what we've done recently in the last 6 months to 1 year in FortiSASE. So we really expanded that Gen AI security that I was talking about, making sure that we have that full DLP on it. We'll see it in the next slide. Then we enhanced all these BYOD, bring your own device connectivity as well as contractor connectivity. So we have that agentless T&A portal that we can use for private application access. Also that secure browser extension. It's not ripping and replacing your browser that you're used to with a full new browser. It's the same security capabilities, but just with an add-on as security. So it's a very lightweight installation for contractors or BYOD. Also, we've expanded -- we'll see the map later, but we're expanding our number of POPs. We have almost 100 of them, more than 100 compute POPs. We're using our own POPs. We're growing also our own data centers of POPs throughout the world. We expanded also our public cloud POPs. We have Google Cloud POPs, AWS POPs and now Oracle with OCI public cloud POPs. It's -- we're really expanding the reach so that you can access to the closest and have the best performance and the lowest latency. Let's go a little bit deeper on that Gen AI because it's really that SASE and the AI era is, as I said, every conversation I have with customers, or partners, or analysts is about how do I secure the access to my Gen AI? How do I know if customers -- my employees are not sending sensitive data to AI apps. So first, we do that web filtering with our in-line CASB, make sure that we have all the profiles, we can allow, monitor, block, warn, disable access to Gen AI applications. Then we have a really broad Gen AI application catalog. We have all of them, that's not the whole list, of course, you see here. We have the ChatGPT, the Copilot, the Claude, the Grok, the Anthropic, et cetera, et cetera. The whole list we support them. And as I said, DLP is key. We are going to check whatever is sent to that Gen AI application for, I don't know, fingerprinting. So you make sure that you have a fingerprinting of your document and you make sure that this a confidential document or document with sensitive information is not sent out or we can have source code detected so that you don't send source code out. Your employees don't send anything. That's really key and the key -- well, the solution to the key challenge that I was talking about initially. So I was talking about that network of POPs. We have POPs globally everywhere and it's growing our own POPs to improve the performance, lower the cost also for you as well as Google Public Cloud POPs with AWS, OCI and Google Cloud. We are also in the marketplace for Google and AWS so that you can also purchase FortiSASE from there. Really, we really try to expand the number of POPs. We're one of the largest ones out there. And yes, very important too. Number one, we've been the only vendor with SD-WAN customer choice for 7 years. So it's not just us saying it, it's our customers saying it here in the Gartner Peer Insights and giving us that customer choice. It's for SD-WAN as well as for SSE and for ZTNA. Actually, for ZTNA, we're the only vendor and have that customer choice, and we're a leader in the SASE platforms MQ. So we're pretty proud of all of that. And as well, SASE is all about securing our customers' employees, securing these remote workers, the workers everywhere, wherever they are at home, in a coffee shop at an event or in the office. So -- but it's doing it with that converged solution. It's not a lot of point products that bring complexity. It's a simpler and faster operation. It's one platform, one management, one agent. Digital experience monitor for troubleshooting everywhere and FortiAI Assist on SD-WAN today, FortiSASE soon. So it's really simplifying your life, your operations very easily. Second, reliable and improved user experience is always on. You get fast, consistent and secure access everywhere to application, private, SaaS or to the Internet. And all of this, it lowers the risk, lowers the gaps. There's less gaps, especially with that convergence, less point products, same policy everywhere throughout. So it lowers the risk, which is very important for you, maybe some CIOs and CISOs out there. And it it's really you give the access they need and you make sure the employees are safe and secure from malware or threats wherever they are. And that's kind of peace of mind for all of you and making sure that even in this AI era, your employees are still safe. Well, thank you very much, and I will give it up to our great SASE experts here for great demos that would show you SASE in real life and how it's really done everything there.

Thank you. In this session, I will be covering the topic from SD-WAN to true Unified SASE. For today's agenda, I will be covering our view of Fortinet Unified SASE and 2 demos. First, demo, securing private assets for branch and remote users through FortiSASE. Second demo is FortiSASE integration with FortiManager. Fortinet Unified has a combined FortiSASE a cloud delivered security service with Fortinet Secure SD-WAN both are built on a single operating system, which is FortiOS, to provide a unified single vendor SASE solution. FortiSASE includes integrated security services such as Secure Web Gateway, Firewall-as-a-Service, CASB or DLP zero trust network access, digital experience monitoring, remote browser isolation and SD-WAN. As you can see from the diagram on the left-hand side, there is a remote user, which can be the agent or agentless or for the branch user or the Thin Edge device, which is FortiAP or features. On the right-hand side, there is a destination, it can be the Internet access, SaaS by Microsoft 365, Salesforce and also public cloud. Beside that, we also can integrate with the private cloud, which is the corporate data center to provide private access or accessing to the private resources in the company. Fortinet Unified SASE is a platform built with the single management console or single pane of glass. All the configuration is from a single portal instead of accessing multiple portal or devices to make the configuration change. First demo, securing private access for branch and remote users through FortiSASE. In this demo, I will demonstrate how to secure both remote and branch users when assessing private resources. For the remote users, the user connect via IPSec to the nearest FortiSASE security, leveraging geo location and latency. All the traffic is then routed to the security POP for security inspection. For branch users without an agent installed on the endpoint, the branch edge device such as the router or firewall will establish an IPSec partner to the FortiSASE on-prem security port. All the traffic will be redirected through the FortiSASE security port for security inspection. In my demo environment, there are 2 server has been set up at the data center site, the HR server and the finance server. In order to provide access to the private resources for the remote user or branch users, we do have the ability to connect using the SD-WAN. By integrating the FortiSASE with SD-WAN, the solution enhance resiliency application assets for both remote and branch users. I will show you how easy it is to integrate the FortiSASE with existing SD-WAN. There are 2 parts of this configuration need to configure in FortiSASE to integrate with SD-WAN. The first is the BGP setting and next will be the secure private access setting. To configure BGP setting, go to network BGP and you need to configure a router ID sub. And for the SDA Hub belongs to, we will use the default FortiSASE autonomous system, which is SPA Hub is same AS number with the FortiSASE. And for the FortiSASE AS number we use is 65001. And for the hub selection method, we use the hub health and priority, and we need to configure the health check IP address. Next, I will show you the secure private access configuration, go to operation Secure Private access. To configure the new service function or new tunnel, you can click on create. And there are 2 ways to configure. One is using the easy configuration key that you can retrieve from. You can get it from the hub by FortiGate or the second one, you can do a manual configuration. In this, demo I have 2 IP has been configured to Hub 1 and Hub 2, on the service connection priority, by default, when you have configured the IPSec connection, all the security POP will initiate the IPSec partner with the hub. So in my case, I have 2 hubs, the Hub 1, Hub 2. So as you can see, in all my security POP, I have configured and there are 2 IPSec has been initiated to the Hub and Hub 2. And default, the priority is P1 for both tunnel. And for this demo, I have manually changed the Hub 2 to P1 and Hub 1 to P5 priority. So that in Hong Kong POP, Hub 2 will be the priority to access to the private resources. Click on the health. You can see for the hub that I configure Hub 1 and Hub 2 and Trio has been initiated the connection and the tunnel is up, and this is the health check and the BGP also has been established. And you can click on one of the tunnel and you click on the view the BGP route. And this is showing that all the BGP route learned by the security POP. Let's move to demo. I have a remote user that connected using finance and Test locker. And I will -- okay, I have 2 server. One is the HR server and the finance server. Let me try to access to the HR server. Okay. Access to the HR server is failed. Let me try to access to finance server. For this access to the finance server is success. Okay. Let's proceed for the demo with another user. I have another user. This user is logged in as HR. So from these HR users, I will assess the same resources again. First, I will access to HR server. And second, I will access to finance server. Okay. access to the finance server is failed, but the HR server is success. Let's move on to another demo with the same user HR. On this endpoint, I will be accessing to both HR and finance server again. HR server is still, even though I'm logged in as a HR user. Let's see why this happened. Let's go back to the FortiSASE. We will check on the logs. We will check on the locks to the private access or the SPA log. As you can see, I do have a HR user and accessing to the finance server is getting blocked. The HR user is connected to the Singapore POP and using the Hub 1. And let's check on the finance user. For the finance user, it is connected to the Hong Kong POP. And the private access tunnel we use is using Hub 2. This is because I have changed the priority for the Hub 2 in the Hong Kong P to the highest priority, which is the P1 and then the H1 will be the P5. Now let's check on the policy. For private access, as you can see, for the policy I configure to the HR server only allowed by only HR user or HR member can access to the HR server. And for the finance, only finance group user can access to the finance server. That's why as you can see from the demo previously, HR user can only access to the HR server and finance user only can access to the finance server. Remember, I have demo using 2 remote user assessing -- connect using the HR user. But while one of the user is accessible to the -- the HR server is accessible, another is not because of the security posture that I configure. So in my policy, I configure the user from the HR with the security tag compliance then only can access to the HR server. Let's check on the server, the remote user for the first one that can access to the HR server. Let's check on the security posture tag. It is shown as a compliance. Let's check on the another remote user using HR. The security posture is as a noncompliance. That's why the users are not able to access to the HR server, even though connected to the VPN. From the previous demo, the FortiSASE not only check based on the user name and password, but it also check the endpoint compliance whether the employees meet the security posture that has been configured. Next demo, I will showcase using the branch user. And in the FortiSASE, I have provisioned on-ramp security that is allow the branch user, the branch device to connect to the FortiSASE and route or redirect all the traffic to the FortiSASE inspection. So as you can see the connections, there are 2 branch has been connected to FortiSASE. Let's access to one of the endpoint at the branch office. So from this branch office, this branch office will be able to access the Internet from the SE. And I will show access from this branch user to access to the HR server. And from here, I can also access to the finance server. Let's check on the configuration. In my policy, secure private access policy, I have a branch policy. So for this, I will allow the user in the branch to access all the private application. This is only for demo purpose. With this, I have concluded my first demo. Next demo is FortiSASE integration with FortiManager. FortiSASE can be integrated with FortiManager to provide centralized management for selected configuration setting. Only specific configurations are seen from FortiManager to SASE, including policy package, security profile group, external feed, firewall address and address group, services and services group as well as user-related configuration such as local user, PKI user, the LDAP users, user groups and authentication source like LDAP and RADIUS. In this demo, I will showcase the integration between the FortiSASE and FortiManager, along with the use of FortiAI Assist to help configuration policy for FortiSASE. Currently, FortiAI Assist has some limitation. Only certain tasks can be performed using it. In this demonstration, FortiAI Assist will be used to create a firewall object and create a policy to allow FortiSASE user to access through Internet. Let's check the on the FortiSASE. First, you need to go to the system center management setting. You need to enable the status. After that, you need to save it. On the FortiManager side, you will prompt the request that there is a new request from the FortiSASE. And you need to generate the FortiManager key. This key will be added to the FortiManager to authorize the FortiSASE device. In the FortiManager, you will receive a request from FortiSASE. You might say more, I have authorized the FortiSASE in FortiManager. That's why I'm not getting any prompt. Let's move on to the policy creation using the FortiAI Assist. So first, you can click on the FortiAI Assist icon. And I put my question is to request the FortiAI Assist to create a policy for SASE user to access Internet using the profile IT group. Okay. As you can see, the CLI script has been generated to create a policy. But from the script that some of the parameters we need to manually replace it. So I will save the script and the SASE interface need to be replaced with SASE underscore ingress zone. And for the destination interface need to replace to the SASE underscore public zone, and I will change the SASE address to all as well. For this name, I will change for the SASE. And I will I need to run the script through the policy package, and then I will save it. And from the script, you can run it to the policy default policy package. There is no error. And now we can go through the policy package to check the policy has been created. And now I will install the policy to FortiSASE. Okay. The installation now has success. Let's move to the FortiSASE, go to the security policy. As you can see that the policy has been configured successfully from the FortiManager. With this, I have concluded my demo session, and I will pass the session to the next presenter.

I'm going to walk you through secure Internet access everywhere, managed and unmanaged device. That is agent-based and agentless secure Internet access. We'll see how easy it is to set up that it's not complex. For example, we'll see how we can apply the same policy set, the same web filter application controls for both agent and agentless devices, making it easy to manage policy and apply controls. So as an agenda, we will have a bit of an overview of the demo and what we'll see today, then we'll jump on to 2 different hosts that are connected to FortiSASE, one using an agent and the other being agentless using a PAC File configuration. Both these hosts are directly connected to the Internet. The managed device with the agent will have a full secure tunnel to FortiSASE while the other device will securely forward its traffic to FortiSASE based on the proxy PAC File configuration. During the demo session, we'll see and discuss what the differences are in the user experience, policy control options and the considerations for using either agent or agentless. With regards to user experience, we will see that a user on either a managed or unmanaged device will have a very similar experience. The same policy will be applied. So both users will experience the same block messages, have the same allowed access and receive the same threat control messaging as we run through the demo sequence of connecting to various Internet resources and destinations. As we go through the demo, we will look at the policy options for both agent and agentless connections. We'll see how we can be very efficient at removing the complexity by applying the same Internet controls to both agent and agentless devices, meaning we could have a single secure Internet policy that can be applied across managed and unmanaged devices. Of course, we could apply different Internet controls as well as apply these controls to specific users or groups for agent and agentless devices and users. But keeping it simple, it is possible to streamline and maintain a single Internet policy. Further to this, we will look at what additional controls we can apply with an agent-based device. For example, using device posture as a means to further enforce secure Internet access. So what are the considerations for using an agent or agentless-based approach? Typically, we would see FortiSASE agent being installed on organization-owned devices. That is the organization has full control of the device, and it is likely enrolled in a mobile device management platform. Generally, these devices are used by an employee of the organization. Unmanaged devices, on the other hand, are more likely to be a BYOD device, like a contractor's device, where the user still needs to access corporate resources in a secure way, either -- even though they are not an employee or have a corporate device. For example, the agentless device could be used to access corporate Office 365 environment. The organization wants the contractor user to go through a secure control point we like FortiSASE to be able to access their SaaS services. So the user must come from the FortiSASE public source IP address where conditional access policies based on the user source IP can be applied at the SaaS service itself. Next, we're going to jump into the demo and see some secure Internet access controls being applied, and we'll see them in action. So in this demo, we will look at secure Internet access for a corporate user on a managed device. That is the device with FortiSASE agent installed. We'll also look at a contractor user on an unmanaged device where they have turned on the proxy so that they can access the corporate services. Our scenario is a corporate user that has received a personal e-mail via the webmail. This e-mail is suggesting that they have won something. We will see the secure Internet access policy protect the user as they explore a spam e-mail and click on the links. So let's jump into the demo and see how it turns out for them. All right. So on our corporate device, the first thing we will look at is the agent to confirm that we are indeed on a managed device with a secure tunnel to FortiSASE. We can see that we are on a managed device as we have the agent installed, and it is managed by FortiSASE. And we can see that management connection there. We can see that the VPN is up. This is an always-on auto connect VPN, meaning that the agent will establish the tunnel when the user logs into their device. Finally, we can see that we have some Zero Trust tags applied which can be used in FortiSASE secure Internet policy to provide more controls on their access. Now a user is going to browse the Internet and access their personal webmail. So you can see that we have a mail here and the user has won a prize. So they're super keen to find out what this prize is. So they click on the link, and we get a block, right? We are getting a block on category phishing, right? So this is clearly an unsavory email, though our user is not picking up on that just yet. They're persistent, so they move forward and they try and download the brochure to see if they can find out any more information about their prize, but we get a high security alert now on this one, right, that is infected with a virus. Still, our user is not having it. So they go back and I think I must need to update my details as it's asked and they click on the link. Again, we get another high security alert, the virus detection. Our user is curious, so they click on the FortiGuard information link to try and get some more understanding about why they may be getting a block and what this is all about and why they can't access information about their prize. And we do note here that this detection is based on the AB AI malware detection model. So the users they get -- I still need to grab some more information about this. I'm going to follow the link to the website and see if I can actually find out what this mountain lodge is all about. However, we get another block, we got a web page block that unrated. So this is a newly formed domain and is something that we should be suspicious of. So our corporate user is feeling a little bit frustrated now that they cannot see exactly what they've won. They know that the secure VPN solution on their corporate device is stopping and blocking them. So they forward the e-mail to their friend, who was a contractor at the company, however, they have their own device. So let me go through and forward that e-mail now. So user is hoping that the contractor will be able to access this e-mail and tell them what they've won. They will send that through. And then we'll go jump on our contractor device then check out what's going on for our contractor. So here on our contractor device, we can see the proxy settings. We can see that we have enabled the scripts. It's an easy toggle on the device to turn it on or off, and we have put in the script address, which is hosted in FortiSASE. So it's really easy to set up. So our contractor is going to go browse the Internet. To do that, our contractor will need to authenticate on FortiSASE. They attempt to get to our hotmail account, we'll get our redirect and we will authenticate. All right. So now that we can safely browse the Internet, we will sign into our web mail. See what -- from our corporate friend. All right. So we can see we do have that e-mail. It has arrived. So we're going to open it up, going to read the message. Hi, can you please see if you can access this e-mail to see what I've won. So I'll scroll up and have a look. So our contractor is going to click on the link, see what they've won, and we're getting the same block as what our corporate user was getting. So again, we're picking up on a phishing attempts. Our contracted user attempts to download the brochure. And again, we're getting the same block, picking up that there's a virus on that link. Now our contractor is not going to click on any more links rather, our contractor is going to try and find out what is the Mountain View Lodge scam all about. So they go and try and use ChatGPT as an AI engine to find out what's going on and they paste in their search. Well, we get a block. Now the contractor has not thought twice about that, didn't work, so they've moved on and they're going to use Google AI model and do the same search here. While that loads -- all right, so we get a result there. So Google AI is working for our contractor. Okay. So the user experiences that we have had is very similar between our agent and our agentless approach, where we're getting the same blocks and the same controls. What I'm going to do now is we're going to have a look at FortiSASE at the policy to see why we'll get the user experiences that be worth, but we'll do is we'll go to security, and we'll have a look at our security profiles. And the profile group of interest is this demo web filter. You can see we have our antivirus configured. And we can see that we have picked up some threat detections. We have our web filter, so our content filter configured and we come in and have a look. And if we scroll down to our threats, our security risk, we can see we are blocking on everything, and I keep coming down. We can see unrated is also blocked. If I look at our DNS filter, in the same way, we are blocking on security with categories. If I scroll down, we can see we are blocking on the unrated as well. Now why did our corporate contractor user have limited access to ChatGPT, we come down to our application control. We can see that we are blocking all AI, generative AI. If we come and have a little bit signatures. So there's a whole stack there in ChatGPT is one of them. We cancel out of there. Now the reason we're able to access the Google AI is because we have an override, right, we are allowing that as part of our secure Internet access control. So once we've configured our profile group demo web filter in this case, we would apply it to our policies. So we have proxy policies here and we have policies. Proxy policies being for our agentless devices, we jump in and have a look at the policy. We can see that we are applying that demo web filter security profile group here. Now you also see that we can specify users if we wanted to create different secure internet access policies for different users. And if we come and have a look at our policies, we'll see that we are using the same demo web filter profile. So it's exactly the same. So we're getting that consistency now, that's secure Internet access everywhere whether my user is an agent or an agentless-based device. Also, you can see I can specify user, just like I could in the agentless, the proxy policy. But additionally, you can see that we have a security posture tag applied. So our agent devices must have a compliant security tag to pass through this rule. If we just jump back to my agent-based device. We can see that we do have that compliant tag. Now those tags can be configured to appear based on a whole number of conditions. It could be that my antivirus is running. It could be that I'm running Windows 11, and it was updated in the last 2 weeks. It could be that I've got a particular certificate on my device or it could be a combination of those things. And should I not meet that rule set, then my tag might change and so will my access. Okay. So that's all I wanted to run through today. I'm going to hand it over now to the next presenter to take you through the next session. Thank you very much.

Today, I will demonstrate how FortiSASE secures SaaS and AI application access across different user types and risk scenarios. Organizations today are moving towards SaaS and AI platform like ChatGPT, Microsoft Copilot and DeepSeek. However, this introduced 3 key challenges. how do you securely enable access for unmanaged users like contractors? How do you protect sensitive company data when users interact with SaaS? And most importantly, how do you prevent data exposure when using generative AI platform? This is exactly where FortiSASE provides a unified solution. In this demo, I will walk through 3 phases. First, agentless Zero Trust access for contractors; second, advanced data protection using agent-based inspection; and finally, policy enforcement for generative AI interactions. In terms of the workflow in Phase 1, we will have 2 unmanaged users, John and Tammy. Both of them will be authenticated through SAML and get redirected to the configured ZTNA agentless portal based on their SAML groups. In Phase 2, we will have a single agent based user running FortiClient on a Windows device and they're trying to share some sensitive credit card information online. And finally, in Phase 3 same FortiClient agent-based user who will be interacting with ChatGPT and DeepSeek trying to lead some unsupported key orders with the AI agent online. Let's start with a contractor scenario. This user is accessing corporate applications from an unmanaged device, meaning we cannot rely on endpoint control. Using FortiSASE, access is provided through an agentless ZTNA portal where your identity is verified before granting access to specific locations. This is where we define a specific dedicated applications. The application can be an IP base or FQDN. Those IP will be completely hidden from the end user. After we define the applications, you can move towards the bookmarked portal. You can define which users or user group have access to which applications. For example, I have 2 users here. One will have access to the payment and database based on the user group of finance, while the other user will have access to the sales, which is basically a FortiManager of portal access. For us, it's not only about the access, but also we have a security inspection when you can define different security policies similar to the standard firewall policy looking at the user group applications and what kind of security inspections should be applied. For me here, the authentication will be based on SAML. And the SAML has been configured under FortiSASE SSO. We are using the same suite SAML authentication. Now I just need to move to the portal, copy the portal URL, move to my machine open the browser, paste the URL, authenticate this is my application. As defined by my policy. So my user Tammy is based of old engineering, which is allowing FortiManager-only access. If I go back in applications here. The IB information of my FortiManager is completely hidden from the end user. You can just try to log in and your contractor can have a normal access to the FortiManager from outside. If I sign out, I will be using John. John has 2 different applications based on what we have defined on the bookmark portal here, payment and database, if hover the data appears all the information are completely hidden from the end user. If I go back and then open the other application, we don't expose any information about my private app to the end user. The key concept here, access is not just a network based. It's an application specific, and it follows the Zero Trust principles. Even in this scenario, FortiSASE applies in line DLP controls a similarly different files. You'll see here my DLP has blocked the file because it has social security information based on my DLP policy. If I go back and then I try to download a different file, let's say, this one simulating a credit card information, again, it will be blocked by my FortiSASE portal. If I go here and then go again file, this time, I will try to leverage Microsoft Purview label protection, try to download the blocked file. Again, the file will be blocked based on my defined DLP rules. To look at the DLP rules, this is my application policy, matching the finance. In this one, we have our security profile that has DLP and endpoint. If I go back to my security profile and the security profile, I go down my DLP. Here, I had my DLP rules triggered the customize. I have a different DLP rules, some of them are file based and some of them are messages. We were hitting the first one and the second one here. If you look at the Microsoft Information Protection labels, you can define it here in FortiSASE. And within the rule, you will have your dictionary that has a specific value of matching your information protection label. So we are sure that the file tagged to this is blocked by FortiSASE. If I go back as well and try to simulate downloading an infected file FortiSASE will be able to detect and block the file based on our antivirus rule. This really provides a strong baseline level of protection for unmanaged users. However, because this is an agentless, inspection is limited compared to the full endpoint-based visibility. Let's now move to a managed user scenario where deeper control is possible. In this phase, we are working with a managed device where the FortiSASE agent is installed. This allows for deeper inspection across all traffic and enables more advanced data protection techniques. Here, we are using the exact data matching. Unlike the traditional DLP that relies on patterns, EDM allows the system to identify a specific company data, such as internal recorders or sensitive data sets. Under FortiSASE security profiles, we have our profile resources that define our DLP template. From the resources, we have the EDM templates, let's add the existing one. You have 2 ways to upload your company data, either through external feed or file upload. Once the data has been uploaded, it will be displayed on the right side. You can view my interest. If I go back, I have defined two matching criteria, one, which is the mandatory field, to look at the credit card information or credit card number. And this can be matched with either the first name or last name as per my data set. We can view the record is here on the file on Column 14 that credit card information and in column 5 and 6, we have the last name and the first name. Once we have defined our DLP EDM template, we can start to create our DLP rules under profiles. This time, I will be using advanced DLP profile within the advanced DLP profile as long as we have the deep inspection enabled. If I go down to the DLP customize, I have my existing EDM rule. It's a message type edit. This is my current sensor. Usually, the DLP rule should be containing a sensor. And within the sensor, we can define multiple dictionaries. So inside my sensor, I have my dictionary. If I added the existing one, it should be matching more employee data, which is the initial dictionary we have defined under the EDM profile resources. So go back to the action, I will be looking at all the protocols, but basically for our scenario, looking at the HTTP post is enough. The action will be blocked. And the way we block at is when the customer trying to enter our message, under the existing policies, my active DLP policy, we are basically looking for all the users, and we are enforcing this specific profile, advanced DLP. On the client side, I have a FortiClient connected to FortiSASE with an active telemetry and VPN established. Once I try to open my browser and try to paste some sensitive information outside, let's say, DLP, we should see that as the user attempts to upload or share sensitive company data, FortiSASE will detect the data and it blocks the action in the real time. Let's try to view the data in our file. It's matching the correct information. So the credit card's number with the first name has defined our message here. This is critical for protecting customer data and internal documents when using the SaaS platforms. It also reduces the risk of accidental data leakage which is one of the most common causes of breaches. Now that we have secured the SaaS access and data, let's look at the next challenge, generative AI usage. Gen AI platforms are being adopted across organizations, but they introduced a new type of risk because the biggest risk is not accessing these platforms, it's what the users submit into them. Here, the user is interacting with multiple AI platforms such as the ChatGPT, DeepSeek and Google Gemini. The user has FortiClient with tunnel up and established with for FortiSASE. FortiSASE will be configured to apply policies based on a defined key words related to sensitive topics such as confidential data, customer recorders or internal projects. And FortiSASE, I have a DLP profile configured to match different LLM applications. For example, with the existing rule here, if I try to add instead of looking any message that will be submitted as part of the HTTP post within the sensor itself. It has a dictionary. And within that dictionary, we should have our existing data. As I mentioned, we will be looking at blocking based on a specific keyword. And these key words are basically code and tips. So anytime the user will try to the message that has code, like can you fix my code, or can you help me with my code or it has something like I need some tips or guidance? The evaluation criteria can be all, which is and or any like or. After we define the security profile, we have to link it back to our security policy. I have one active policy at the moment, which is LLM applications. Within this policy, I am mentioning all 3 different destinations. Those destinations are the ChatGPT, Google Gemini and DeepSeek. From the user perspective, I have a machine that has the FortiClient connected to FortiSASE. Next, I will try to open my browser. I have a session open to ChatGPT and another one to a DeepSeek. So I will start, I have my normal conversations. You should see that ChatGPT is responding back to us. Now I'll try to send some information that will trigger our keyword. We should see the communication is broken at this moment, even if you try, you can start again. Again, the conversation will be blocked. Now I'll move to DeepSeek. On DeepSeek we will try to send something similar that will trigger the keyword. From our demo, we saw that when such a content is detected, FortiSASE blocks or restricts the interaction in real time. This really allows the organization to safely enable the AI adoption without risking any data exposure. This is important because AI platforms retain and process user input which can create long-term data exposure risk. Across all 3 cases, FortiSASE provides a consistent and unified approach to security. We have seen secure access for unmanaged users, advanced data protection for managed devices and policy control for AI interactions, all delivered through a single platform without requiring multiple disconnected tools. To summarize, FortiSASE enables organizations to access Gen AI securely by combining zero trust access, real-time data protection and centralized visibility. And this ensures that organizations can move fast with the modern technologies while staying fully in control of their data and risk posture. Thank you. And I hope that you have enjoyed our demo for today.

Thank you once again for investing your time with us. We hope that today's session has been informative and insightful. As we wrap up, we kindly request you to take a moment to fill the survey form as your feedback is important to us. The on-demand webinar will be available after today and sent to your registered e-mail address. We look forward to seeing you again in our next Demo Day Webinar. Stay safe, and have a wonderful day ahead.