Fortinet Document Library


Administration Guide

Appendix F - FortiCloud Sandbox

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service called FortiCloud Sandbox, integrated with FortiGate, FortiMail, and FortiWeb. FortiCloud Sandbox requires an active FortiCloud account for use with FortiGate, FortiMail, and FortiWeb. The tables below compare the deployment options, detection capabilities, file type and protocol support, reporting, and forensic features of the FortiCloud Sandbox service with those of an on-premises physical or virtual deployment (FortiSandbox Appliance). A "Yes" cell means the feature is available on that platform; an empty cell means it is not.

Deployment

| Deployment options | FortiSandbox Appliance | FortiCloud Sandbox |
|---|---|---|
| FortiGate integration | Yes | Yes |
| FortiMail and FortiWeb integration | Yes | Yes |
| Fabric integration (FortiClient, FortiWeb, FortiADC, FortiManager, FortiAnalyzer, FortiSIEM) | Yes | |
| Multiple appliance options (500F, 1000D, 1000F, 2000E, 3000E, and FSA-VM) | Yes | |
| On-site deployment (centralized or distributed) | Yes | |
| Third-party products NetworkShare integration (CarbonBlack, BBC Mode, ICAP Client, API) | Yes | |

Detection

| Detection capabilities | FortiSandbox Appliance | FortiCloud Sandbox |
|---|---|---|
| Device input (FortiGate, FortiMail, FortiWeb, FortiClient, and others) | Yes | Yes |
| File-based detection | Yes | Yes |
| On-demand scanning - manual upload of suspicious files | Yes | Yes |
| URL detection - host traffic to malicious sites | Yes | Yes* |
| Adapters for third-party products | Yes | |
| API input (REST API) | Yes | |
| Botnet detection via sniffer | Yes | |
| Network attack detection via sniffer | Yes | |
| Network share input (file share scanning, CIFS and NFS) | Yes | |
| On-demand scanning - manual upload of URL list | Yes | |
| Sniffer input via TAP or mirror/SPAN port | Yes | |
| URL detection - ICAP client integration | Yes | |
| URL detection - REST API integration for web scanning | Yes | |

*Available with FortiCloud 3.1.x onwards.

File type and protocol support

| Profiling, file type, and protocol support | FortiSandbox Appliance | FortiCloud Sandbox |
|---|---|---|
| A/V and CPRL pre-filter support for all file types regardless of operating system | Yes | Yes |
| Archived - .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, and .arj | Yes | Yes |
| Executable - .exe, .dll, PDF, Windows Office, and JavaScript | Yes | Yes |
| FortiGate integrated - HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM, and their SSL-encrypted equivalents | Yes | Yes |
| Media - .avi, .mpeg, .mp3, and .mp4 | Yes | Yes |
| Share threat intelligence among distributed installations | Yes | Yes |
| Virtual machine sandboxing | Yes | Yes |
| FortiMail integrated - SMTP, POP3, and IMAP | Yes | Yes* |
| Ability to fine-tune the scanning environment | Yes | |
| Scan user-defined file types | Yes | |
| Utilize customized virtual machines | Yes | |

*FortiMail integration supported from version 5.3.x onwards.

Alerting, reporting, and monitoring

| Alerting, reporting, monitoring, and logging | FortiSandbox Appliance | FortiCloud Sandbox |
|---|---|---|
| Filter by rating (Malicious; Suspicious - Low, Medium, High Risk; Clean) | Yes | Yes |
| On-demand summary and threat detail reporting by date range | Yes | Yes |
| FortiAnalyzer integration | Yes | Yes* |
| Syslog to remote log server | Yes | Yes* |
| At-a-glance view of submissions by device (easily see if one site is submitting more than others) | Yes | |
| Common Event Format to remote log server | Yes | |
| Consolidated or separate views of input by device, network, sniffer, or on-demand submission | Yes | |
| Detailed alerting with source, destination, protocol, file name, and forensic/incident response info | Yes | |
| Filtering and search capabilities - granular drill-down and export to detailed report in PDF format | Yes | |
| Scheduled summary and threat detail reporting delivered via email | Yes | |
| File submission summary web view | | Yes |
| Limited daily canned report | | Yes |
| Separate views for each device (not reportable or monitored in aggregate) | | Yes |
| Summary email alerting with source, destination, protocol, and file name | | Yes |

*Available through FortiGate.

Forensic, auditing, and third-party tools

| Forensic, auditing, and third-party tools | FortiSandbox Appliance | FortiCloud Sandbox |
|---|---|---|
| Forensic/incident response information | Yes | Yes |
| Source and destination IP address for tracking IOC | Yes | Yes |
| Export suspicious files for further analysis or inspection by third-party applications | Yes | |
| PCAP, TracerLog, and screen captures | Yes | |

 
