Deep Packet Inspection isn't a FortiGuard feature. It's a separate built-in feature you can enable to do "man-in-the-middle" on-the-fly decryption of outgoing or incoming traffic on a per-policy basis. With DPI, UTM features like AV, Web Filtering, Intrusion Protection, etc. can fully inspect the traffic and are thus more effective. Without DPI, encrypted traffic can only be partially inspected and encrypted payloads like ransomware can sneak through.
An example multi-layered approach to preventing ransomware on a single FortiGate would typically involve the following UTM features:
- IRDB Blacklisting (via top-sorted Deny rules) of inbound and outbound traffic to IP addresses with negative reputation (e.g. Tor, Botnet, spammers, anonymizer proxies, etc.), or optionally, blocking all outbound traffic by default and only allowing outbound traffic to necessary/authorized ISDB destinations (e.g. Office 365).
- DNS filtering to intercept lookups of malicious or Botnet domains (Botnet DB) at the early DNS lookup stage, before client-server traffic even begins.
- Web Content Filtering to intercept HTTP/HTTPS traffic to malicious or other risky or unapproved website categories (as maintained by FortiGuard's category lists), and gain visibility into risky user behavior.
- Intrusion Protection Services (IPS) to intercept both inbound and outbound malicious behavior patterns like hacking, brute-forcing, vulnerability exploitation or denial-of-service attacks, and also block connections to known Botnet IPs (Botnet DB).
- AntiVirus DB to intercept malicious payloads in traffic that has been allowed through the above layers.
- Optionally, Geo-IP restrictions to limit access to things you publish like your SSL-VPN to whitelisted countries and reduce your exposure slightly (limited protection).
- Selectively, enable deep packet inspection to allow all of the above features to work more effectively on encrypted traffic like HTTPS and SSH.
All of the above can be considered your first lines/layers of defense. Your desktop and server's hardened security configuration, and lastly your desktop and server antivirus software should be considered your last line of defense for ransomware.
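As an added illustration (not part of the original post, and not Fortinet's own documentation), here is a FortiOS CLI sketch of how the layers above map onto two policies: a top-sorted deny for poor-reputation destinations, followed by an allow policy that attaches every UTM profile together with the deep-inspection SSL/SSH profile. Interface names, profile names and the ISDB entry names are assumptions; check the ISDB names against your own unit's list, and strip the `#` annotation lines before pasting.

```fortios
# Layer 1: deny outbound traffic to reputation-based ISDB entries first.
# "Tor-Exit.Node" and "Botnet-C&C.Server" are assumed ISDB names; verify locally.
config firewall policy
    edit 1
        set name "deny-bad-reputation-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Tor-Exit.Node" "Botnet-C&C.Server"
        set action deny
        set schedule "always"
        set logtraffic all
    next
    # Layers 2-6: the remaining outbound traffic, with DNS/Web/IPS/AV profiles.
    # To follow the stricter "allow only authorized destinations" variant,
    # replace "set dstaddr all" with internet-service entries such as
    # "Microsoft-Office365" (assumed ISDB name).
    edit 2
        set name "allow-out-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        # DPI: without this profile the filters below see only TLS metadata.
        set ssl-ssh-profile "deep-inspection"
        set dnsfilter-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

Policy order matters here: FortiGate evaluates policies top-down and applies the first match, so the deny policy must sit above the allow policy for the reputation layer to take effect.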
So, all the FortiGuard Security bundles include AV and IPS, but the ATP bundle doesn't include IRDB/ISDB (IP Reputation), Web Filtering, DNS Filtering, Botnet DB, or Geo-IP, so I'd recommend the UTP bundle at a minimum as it includes everything above. The ENT bundles would be worth considering if you're a larger enterprise managing a number of FortiGate firewalls where you'd want to centralize your management, reporting and automation of threat remediation (beyond the scope of this discussion).