Overview:
FortiSandbox is a high-performance security solution that utilizes AI/machine learning technology to identify and isolate advanced threats in real time. FortiSandbox inspects files, websites, URLs and network traffic for malicious activity, including zero-day threats, and uses sandboxing technology to analyze suspicious files in a secure virtual environment.
FortiSandbox supports multiple operating systems and file types, and provides reporting capabilities for quick threat identification and response. It is suitable for organizations of any size, can be deployed on-premises, in the cloud, or as a hosted service, and integrates natively with 11 Security Fabric products and other tools to evaluate suspicious content.
- 10X Effective Throughput: over traditional sandboxes, allowing operations to scale without impacting performance
- Real-Time Verdicts: prevent delays and keep unknown files from entering the network with real-time analysis and filtering
- Integration at Every Stage: extend zero-day threat protection to NGFWs and other major areas of your infrastructure
- Accelerated Threat Investigation: speed investigation with the built-in MITRE ATT&CK® matrix to identify a variety of malware
Platform Evolution
FortiSandbox G Series
Building on our previous F and E models*, the FortiSandbox 1500G and 500G provide cutting-edge technological advancements in performance, real-time sharing of threat intelligence across multiple geographical locations, and integration with Fortinet’s Security Fabric and third-party providers.
Performance Optimization
With twice the VM capacity and file-processing capability, our G Series delivers unparalleled stability, the highest detection accuracy, and best-of-breed throughput, while offering flexible and cost-effective deployment solutions.
Features Summary:
FortiSandbox is the most flexible threat-analysis appliance available as it offers various
deployment options for unique configurations and requirements. Organizations can choose to
combine these options.
Security Fabric Integration
FortiSandbox natively integrates with FortiGate, FortiMail, FortiWeb, FortiADC, FortiProxy, FortiClient (ATP agent), Fabric-Ready Partner solutions, and, via JSON API or ICAP, with third-party security vendors. The integration provides suspicious content submission, timely remediation, and reporting capabilities.
This integration extends to other FortiSandbox solutions, allowing instantaneous sharing of real-time intelligence. This feature benefits large enterprises that deploy multiple FortiSandbox solutions in different geo-locations. This zero-touch automated model is ideal for holistic protection across different borders and time zones.
Threat Mitigation
FortiSandbox uniquely integrates with various products through the Security Fabric platform, which automates your breach protection strategy with an incredibly simple setup. Once malicious code is identified, FortiSandbox returns risk ratings, and the local intelligence is shared in real time with Fortinet, Fabric-Ready Partners, and third-party security solutions to mitigate and immunize against new advanced threats. The local intelligence can optionally be shared with FortiGuard Labs to help protect organizations globally. The following diagram describes the automated mitigation process flow.
- Submit file and URL for analysis from the FortiGate, FortiMail, client or file server.
- Block suspicious file and URL inline on the device or quarantine on the client.
- Share IoCs to the FortiGate devices (optional to FortiGuard) for intelligence sharing.
MITRE ATT&CK-based Reporting and Investigative Tools
FortiSandbox provides a detailed analysis report that maps discovered malware techniques to the MITRE ATT&CK framework, with built-in investigative tools that allow Security Operations (SecOps) teams to download captured packets, the original file, the tracer log, and malware screenshots. STIX 2.0-compliant IOCs provide rich threat intelligence and actionable insight after files are examined (see image below).
FortiSandbox also allows SecOps teams to optionally record a video of, or interact with, the malware in a simulated environment.
NetShare Scan
FortiSandbox facilitates scanning of file repositories via CIFS, NFS, AWS S3 buckets, and Azure Blob. This feature allows system administrators and web hosting providers to sanitize any file share. It is the ideal option for enhancing an existing multi-vendor threat protection approach.
HA-Cluster
FortiSandbox natively supports clustering of up to 99 worker nodes to expand throughput capacity. The HA feature provides redundancy for uninterrupted critical operation.
Platform as a Service (PaaS)
Hosted FortiSandbox services offer the same Fortinet Security Fabric integration as
FortiSandbox appliances. FortiSandbox (PaaS) can easily scale to facilitate current and future
business needs without big upfront investments, offering lower operational costs. Fortinet
maintains, updates, and operates the platform on your behalf.
Real Time Anti-Phishing
FortiSandbox v4.4 provides protection against zero-day phishing. URLs extracted from emails and embedded in documents are processed in the FortiGuard cloud. The web pages are downloaded in real time and analyzed using patented technologies to determine any signs of phishing.
Features Summary
Advanced Threat Protection
- Inline blocking to detect and protect against Zero-day Malware including ransomware
- Real-time identification of Zero-day Phishing sites including spam and malware-hosted sites
- AI-powered static code analysis identifying possible threats within non-running code
- Deep learning powered VM-Less emulation of Windows executable codes (PEXBox)
- Network threat detection in sniffer mode: identifies botnet activity, network attacks, and malicious URL visits
- Sandbox Community Cloud for shared analysis within the worldwide community of FortiSandbox deployments
Systems Integration Support
- File and URL submission by Security Fabric devices
- Integrated mode with FortiGate: HTTP, SMTP, POP3, IMAP, MAPI, FTP, IM, and their equivalent SSL-encrypted versions
- Integrated mode with FortiMail: SMTP, POP3, IMAP
- Integrated mode with FortiClient EMS: HTTP, FTP, SMB
- Integrated mode with FortiWeb: HTTP
- Sniffer mode: HTTP, FTP, POP3, IMAP, SMTP, SMB
- Proxy inspection via ICAP
- MTA/BCC mode via SMTP
- NetShare Scan mode via CIFS, NFS, AWS S3, and Azure Blob
- JSON API to automate the process of uploading samples and downloading actionable malware indicators for remediation
- Dynamic Threat Intelligence DB update of malicious file checksums and URLs
- Remote and secure logging with FortiAnalyzer, FortiSIEM, CEF servers and syslog servers
Deployment
- File submission from integrated device(s)
- Sniffer mode deployment with TCP RST support to reset the client’s connection with the suspicious server
- Network Share Scan with large file support (e.g., ISO images, network shared folders, SMB/NFS, AWS S3, and Azure Blob)
- Proxy adapter submission with multi-tenancy support
- Port monitoring for fail-over in a cluster
- OT deployment with supported services: BACnet, HTTP, IPMI, Modbus, S7comm, SNMP, TFTP
- High-availability with Primary and Secondary nodes for redundancy
- Clustering up to 99 worker nodes for higher throughput
- Air-gapped networks support
- Aggregate interface support for increased bandwidth and redundancy
- Isolated administrative traffic from VM image traffic
Advanced Scan (Static AI Scan) Features
- Integrated with the full FortiGuard Antivirus database of heuristic and checksum signatures
- Intelligent adaptive scan profile that optimizes sandbox resources based on submissions
- Parallel scan to run multiple distinct VM types simultaneously
- Extracts URLs embedded in QR Code
- Scan URLs embedded inside document files
- Integration option for third-party YARA rules
- Cloud query for latest known Malware and clean files
- Scan URLs from submitted emails and files
- File checksum whitelist and blacklist option
- Rating Engine Plus that leverages the latest FortiGuard ML rating
- VM scan ratio for efficient utilization of VMs
Monitoring and Report
- Configuration via GUI and CLI
- Multiple administrator accounts supporting full or view only access
- RADIUS authentication for administrators
- Single Sign-On via SAML
- Cluster management page for administering the HA and cluster nodes
- Centralized search page allowing administrators to build customized search conditions
- Upload any license from a single convenient page
- Self-Check widget for configurations, connectivity, and services
- VM status monitoring
- Automatic engine and signature updates
- Automatic check for new VM image availability
- System health check alerting system
- NTP via FortiGuard support
- Backup, restore, and revision of system configuration
- Consolidated CLI for troubleshooting
- Option to auto-submit suspicious files to the cloud service for manual analysis and signature creation
- Option in NetShare scan mode to prioritize and forward files to a third-party scanner for further scanning
Sandboxing (Dynamic AI Scan) Support
- AI-powered behavioral analysis constantly learning new malware and ransomware techniques
- Concurrent Sandbox instances
- OS types supported: Windows 11/10/8.1/7, macOS, Linux, Android, and ICS systems
- Customizable VMs for Windows and Linux OS
- Configurable internet browser supporting Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox
- Sandbox interactive mode
- Video recording of malware interaction
- Anti-evasion detection techniques:
  - API Obfuscation
  - Bare-metal Detection
  - Command and Control
  - Direct System Calls
  - Execution Delay
  - Memory Only Payload
  - Process Hollowing/Injection
  - Runtime Encryption/Packing
  - System Fingerprinting
  - Time Bomb
  - User Files Check
  - User Interaction Check
  - VM/Sandbox Detection
- Callback detection: malicious URL visits, botnet C&C communication, and attacker traffic from activated malware
- Downloadable captured packets, tracer logs, and screenshots
- User-defined extensions
- File Types Support:
  - Windows Executables: .bat, .cab, .cmd, .dll, .exe, .js, .msi, .ps1, .vbs, .wsf
  - Microsoft Office: .doc, .docm, .docx, .dot, .dotm, .dotx, .iqy, .one, .pot, .potm, .potx, .ppt, .pptm, .pptx, .ppam, .pps, .ppsm, .ppsx, .pub, .rtf, .sldm, .sldx, .xlam, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx
  - Document/Email files: .eml, .pdf, .rl
  - Android files: .apk
  - Linux files: .elf
  - MacOS files: .app, .dmg, Mach-O
  - Web files: .htm, .html, .lnk, WEBLink
  - Compressed files: .7z, .ace, .arj, .bz2, .gz, .iso, .jar, .kgb, .lzh, .rar, .swf, .tar, .tgz, .upx, .xz, .z, .zip
* A real-time IoC check for emerging threats (known good and bad) within the FortiGuard intelligence community
Specifications:
| | FSA-VM | FSA-500G | FSA-1500G | FSA-3000F |
|---|---|---|---|---|
| Form | Virtual Machine | 1RU Appliance | 1RU Appliance | 2RU Appliance |
| Network Interfaces | 4 | 4x GE RJ45 ports | 4x GE RJ45 ports, 2x 10 GE SFP+ slots | 4x GE RJ45 ports, 2x 10 GE SFP+ slots |
| Storage Capacity | 200 GB (min) | 1x 960 GB | 2x 960 GB RAID1 | 4x 2 TB RAID-10 |
| Hot Swappable | | No | Yes | Yes |
| Trusted Platform Module (TPM) | | Yes | Yes | No |
| Height x Width x Length (inches) | | 1.73 x 17.24 x 14.96 | 1.73 x 17.24 x 24.02 | 3.5 x 17.2 x 23.7 |
| Height x Width x Length (mm) | | 44 x 438 x 380 | 44 x 438 x 610 | 88 x 438 x 601 |
| Weight | | 11.42 lbs (5.18 kg) | 24.92 lbs (11.30 kg) | 44 lbs (20 kg) |
| Form Factor | | 1 RU | 1 RU | 2 RU |
| Power Supplies | | 1x PSU | 2x Redundant PSU (Hot-Swappable) | 2x Redundant PSU (Hot-Swappable) |
| Power Supply (AC/DC) | | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz | 100–240V AC, 50/60 Hz |
| Maximum Current | | 100V/6A, 240V/3A | 100V/7.5A, 240V/3.9A | 100V/10A, 240V/5A |
| Power Consumption (Average / Maximum) | | 71.8 W / 87.8 W | 238.1 W / 291.06 W | 418.3 W / 511.3 W |
| Heat Dissipation | | 333.63 BTU/h | 1027.22 BTU/h | 1778.61 BTU/h |
| Forced Airflow | | Front to Back | Front to Back | Front to Back |
| Humidity | | 10%–90% non-condensing | 10%–90% non-condensing | 10%–90% non-condensing |
| Operation Temperature Range | | 32–104°F (0–40°C) | 50–95°F (10–35°C) | 32–104°F (0–40°C) |
| Storage Temperature Range | | -4–158°F (-20–70°C) | -40–158°F (-40–70°C) | -40–158°F (-40–70°C) |
| Certifications | FCC Part 15 Class A, RCM, VCCI, CE, BSMI, KC, UL/cUL, CB, GOST | | | |
| 24 x 7 Support | Yes | | | |
1 FortiSandbox pre-filtering is powered by FortiGuard Intelligence.
2 Measured based on real-world web and email traffic when both pre-filter and dynamic analysis are working consecutively.
3 Measured based on real-world email traffic when both pre-filter and dynamic analysis are working consecutively.
* 2 (FSA-500F) / 2 (FSA-1000F) / 4 (FSA-2000E) / 8 (FSA-3000E) Windows VM licenses are included with the hardware; the remaining licenses are sold as an upgrade license.
| | FortiGate | FortiClient | FortiMail | FortiWeb | FortiADC | FortiProxy |
|---|---|---|---|---|---|---|
| FSA Appliance and VM | | | | | | |
| File Submission | *FortiOS V5.0.4+ | FortiClient for Windows OS V5.4+ | FortiMail OS V5.1+ | FortiWeb OS V5.4+ | FortiADC OS V5.0+ | FortiProxy OS V1.0+ |
| File Status Feedback | *FortiOS V5.0.4+ | FortiClient for Windows OS V5.4+ | FortiMail OS V5.1+ | FortiWeb OS V5.4+ | FortiADC OS V5.0+ | FortiProxy OS V1.0+ |
| File Detailed Report | *FortiOS V5.4+ | FortiClient for Windows OS V5.4+ | FortiMail OS V5.1+ | – | FortiADC OS V5.0+ | FortiProxy OS V1.0+ |
| Dynamic Threat DB Update | *FortiOS V5.4+ | FortiClient for Windows OS V5.4+ | FortiMail OS V5.3+ | FortiWeb OS V5.4+ | FortiADC OS V5.0+ | FortiProxy OS V1.0+ |
| FortiSandbox Cloud | | | | | | |
| File Submission | *FortiOS V5.2.3+ | – | FortiMail OS V5.3+ | FortiWeb OS 5.5.3+ | – | FortiProxy OS V1.0+ |
| File Status Feedback | *FortiOS V5.2.3+ | – | FortiMail OS V5.3+ | FortiWeb OS 5.5.3+ | – | FortiProxy OS V1.0+ |
| File Detailed Report | *FortiOS V5.2.3+ | – | – | – | – | FortiProxy OS V1.0+ |
| Dynamic Threat DB Update | *FortiOS V5.4+ | – | FortiMail OS V5.3+ | FortiWeb OS 5.5.3+ | – | FortiProxy OS V1.0+ |
* Some models may require CLI configuration.