Service Overview
Managed FortiGate Service (MFGS) is a remote cloud-based managed network operations service run by Fortinet NOC experts.
The Managed FortiGate Service helps organizations manage their network infrastructure efficiently by providing:
• FortiGate Provisioning: Simple device provisioning according to the supported use cases. The list of supported use cases is available in the Managed FortiGate Service Use Cases document.
• Change Management: Evaluation / Implementation / Verification of change requests according to Fortinet Security Best Practices (FSBP) and ITIL methodology.
• System Hardening:
• SOCaaS Incident Remediation: Configuration assistance to respond/remediate SOCaaS escalated events.
• System Audit / Security Posture Review: Auditing of FortiGate configuration according to Fortinet Security Best Practices.
• Outbreak Alert: Configuration assistance on how to protect from an outbreak.
• PSIRT Advisories: Configuration assistance on applying a workaround or a permanent fix.
• FortiGate Firmware Upgrade: Remote FortiOS firmware upgrade activity for onboarded FortiGates from/to supported firmware versions.
The service is run by network security experts skilled in maximizing performance and uptime of mission critical environments. By following Fortinet best practices and ITIL™ methodologies, the service aims at controlling risks to minimize the impact that configuration changes may have on the business.
The service runs on a 24x7x365 basis.
The MFGS team is located in North America, EMEA, and APAC regions to ensure global coverage.
The service is designed to complement MSP offerings to help streamline best practices and to scale operations.
Managed FortiGate Service is part of a broad range of offerings to help MSP scale up operations, which includes:
1. Quick Start Services: PS-led service to help initialize customers on-board to the optimal best practices.
2. Managed FortiGate Service: This service.
3. SOC as a Service: Automated detection, investigation, and escalation of confirmed incidents to MSP SOC teams.
4. Managed Endpoint: Full set of options, including managed EDR, Forensics, ZTNA and others.
All of these services are designed from ground up to interface with MSP SOC teams as the customer interface.
This service leverages:
• FortiSOAR to automate, orchestrate, and facilitate handling of service requests.
• FortiManager Cloud as the cloud-based management platform.
• A custom-built service portal
This service provides a unique blending of:
• People: Fortinet network security experts.
• Processes: Fortinet best practices and ITIL.
• Technology: Fortinet owned products and services.
The service is available globally.
No, the service is delivered remotely only.
Managed FortiGate Service is delivered in English only.
The team is structured with NOC Operations (front-end), NOC Engineering (back-end), and Service Delivery.
During the onboarding wizard you will be able to share with us specifics of your deployment. For each onboarded FortiGate, we take a “normal operation baseline” focused on resource KPI to understand your system usage.
This service provides simple device provisioning according to the supported use cases.
Network design and planning that results in design documents are out of scope but they can be provided by other Fortinet departments.
All change requests are raised via the Managed FortiGate Service portal.
No, this service covers change requests for FortiGate devices only. Third party configurations (e.g. LDAP servers) are out of scope.
As this is a managed service, all changes should be done centrally by the Managed FortiGate Service team but you are allowed to make changes locally by connecting to each FortiGate for emergencies or to implement use cases not yet covered by the service.
No, customers have read only access to the FortiManager Cloud instance used by the MFGS team.
Yes, remote firmware upgrades from/to supported firmware versions are covered by this service
This service covers change requests/device provisioning as detailed in the published use cases. See Managed FortiGate Service Use Cases.
The service has been designed to fit multiple solutions/verticals that are looking for change management, device provisioning and system hardening according to the supported use cases.
Customers keep their FortiGate local admin account (super_admin profile with Read/Write access) for emergencies or to implement locally use cases not yet covered by the service.
Customers already onboarded to the service can add new FortiGates by submitting a Device Onboarding service request from the MFGS portal.
Migrations from existing FortiManager instances, either on-premises or FortiManager Cloud, to MFGS are not supported. During onboarding your existing FortiManager Cloud instance will be deleted and a new MFGS instance will be provisioned under your FortiCare account.
Yes, for use cases that can be covered by both SOCaaS and MFGS, the integration operates as below:
SOCaaS:
• Detect: Identify potential threats.
• Investigate: Analyzer the threat to make sure it’s a true positive versus a false negative.
• Escalate: Inform the customer about the threat, and escalate to the MFGS team as well.
MFGS:
• Contain: Bring the incident under control as soon as possible (e.g. quarantine).
• Remediate: Apply measure in place to prevent it from happening in the future.
• Currently 60% of SOCaaS use cases can be contained or remediated by the Managed FortiGate Service.
Subscription and onboarding
This service is currently available for FortiGates, FortiAP, FortiSwitch, and FortiExtender.
Each managed FortiGate requires an individual service entitlement to be purchased and registered through a licensed reseller.
FortiAP, FortiSwitch, and FortiExtender do not require separate entitlements; they fall under the umbrella of the FortiGate entitlement they are connected to. For more info about pricing please contact your Fortinet Partner or Fortinet Sales Account Manager.
New customers can initiate service onboarding by completing the onboarding wizard using the Managed FortiGate Service portal. During this step, customers will provide details of the FortiGates they wish to onboard to the service.
The team is targeting to fulfill onboarding requests within three business days.
For customers who are interested in a 30-day trial/POC, please contact your Fortinet Partner or Fortinet sales representative for details.
To subscribe to MFGS, purchase the subscription license for each managed FortiGate then register it in FortiCloud.
The service is delivered remotely therefore network connectivity to communicate to the service is required.
To ensure tracking and visibility, all communication is centralized through our service portal.
Yes.
The service is currently designed to support up to 50 sites (small network). For larger deployments, please consult with your consulting system engineer for an assessment.
This warning is expected as the FortiGate device is onboarded to the Managed FortiGate Service and managed via FortiManager Cloud.
Requirements
Service requirements are detailed in the MFGS user guide. See Managed FortiGate Service User Guide.
Managed FortiGate Service Portal
Service Portal utilization is detailed in the MFGS User Guide. Please see the Managed FortiGate Service User Guide.
Data security and compliance
The service is aiming to achieve ISO27001 and SOC2 Type 2 certification by 2024.
We have implemented data handling best practices in line with ISO27001, SOC 2 guidelines, and global and regional practices.
Configuration objects are stored in our datacenters located in San Jose and Frankfurt.
Customer Support
Troubleshooting break/fix is not covered by the Managed FortiGate Service team.
For technical support assistance customers can reach out to Fortinet TAC directly where support will be provided based on the purchased level of service.
Service Requests raised through the MFGS portal are not visible in FortiCare.
RMA services are not covered by this service.
Customers should reach out to Fortinet TAC/RMA directly so that the process based on the purchased level of service can be followed (e.g. Advanced replacement, PRMA, etc.).
Once the replacement device received and configured with basic connectivity to make it reachable from the internet, a device onboarding request should be raised to add the newly received device to the service.
Not at the moment. In the future the MFGS team will be reachable by phone for emergency changes only.