Fortinet Document Library
Administration Guide

Appendix F - FortiCloud Sandbox

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service, integrated with FortiGate, FortiMail, and FortiWeb, called FortiCloud Sandbox. FortiCloud Sandbox requires an active FortiCloud account for use with FortiGate, FortiMail, and FortiWeb. Below, you can see a comparison of the features, deployments, and capabilities of the FortiCloud Sandboxing service compared to a physical or virtual deployment set up on-premises (FortiSandbox Appliance).

Deployment

| Deployment options | FortiSandbox Appliance | FortiCloud Sandbox |
| --- | --- | --- |
| FortiGate integration | Yes | Yes |
| FortiMail and FortiWeb integration | Yes | Yes |
| Fabric integration (FortiClient, FortiWeb, FortiADC, FortiManager, FortiAnalyzer, FortiSIEM) | Yes | |
| Multiple appliance options (500F, 1000D, 1000F, 2000E, 3000E, and FSA-VM) | Yes | |
| On-site deployment (centralized or distributed) | Yes | |
| Third-party product and network share integration (Carbon Black, BBC Mode, ICAP client, API) | Yes | |

Detection

| Detection capabilities | FortiSandbox Appliance | FortiCloud Sandbox |
| --- | --- | --- |
| Device input (FortiGate, FortiMail, FortiWeb, FortiClient, and others) | Yes | Yes |
| File-based detection | Yes | Yes |
| On-demand scanning - manual upload of suspicious files | Yes | Yes |
| URL detection - host traffic to malicious sites | Yes | Yes* |
| Adapters for third-party products | Yes | |
| API input (REST API) | Yes | |
| Botnet detection via sniffer | Yes | |
| Network attack detection via sniffer | Yes | |
| Network share input (file share scanning over CIFS and NFS) | Yes | |
| On-demand scanning - manual upload of a URL list | Yes | |
| Sniffer input via TAP or mirror/SPAN port | Yes | |
| URL detection - ICAP client integration | Yes | |
| URL detection - REST API integration for web scanning | Yes | |

*Available with FortiCloud 3.1.x onwards.

File type and protocol support

| Profiling, file type, and protocol support | FortiSandbox Appliance | FortiCloud Sandbox |
| --- | --- | --- |
| A/V and CPRL pre-filter support for all file types regardless of operating system | Yes | Yes |
| Archived - .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, and .arj | Yes | Yes |
| Executable - .exe, .dll, PDF, Windows Office, and JavaScript | Yes | Yes |
| FortiGate integrated - HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM, and their SSL/encrypted equivalents | Yes | Yes |
| Media - .avi, .mpeg, .mp3, and .mp4 | Yes | Yes |
| Share threat intelligence among distributed installations | Yes | Yes |
| Virtual machine sandboxing | Yes | Yes |
| FortiMail integrated - SMTP, POP3, and IMAP | Yes | Yes* |
| Ability to fine-tune the scanning environment | Yes | |
| Scan user-defined file types | Yes | |
| Utilize customized virtual machines | Yes | |

*FortiMail integration supported from version 5.3.x onwards.

Alerting, reporting, and monitoring

| Alerting, reporting, monitoring, and logging | FortiSandbox Appliance | FortiCloud Sandbox |
| --- | --- | --- |
| Filter by rating (Malicious; Suspicious - Low, Medium, High Risk; Clean) | Yes | Yes |
| On-demand summary and threat detail reporting by date range | Yes | Yes |
| FortiAnalyzer integration | Yes | Yes* |
| Syslog to remote log server | Yes | Yes* |
| At-a-glance view of submissions by device (easily see if one site is submitting more than others) | Yes | |
| Common Event Format (CEF) to remote log server | Yes | |
| Consolidated or separate views of input by device, network, sniffer, or on-demand submission | Yes | |
| Detailed alerting with source, destination, protocol, file name, and forensic/incident response info | Yes | |
| Filtering and search capabilities - granular drill-down and export to a detailed report in PDF format | Yes | |
| Scheduled summary and threat detail reporting delivered via email | Yes | |
| File submission summary web view | | Yes |
| Limited daily canned report | | Yes |
| Separate views for each device (not reportable or monitored in aggregate) | | Yes |
| Summary email alerting with source, destination, protocol, and file name | | Yes |

*Available through FortiGate.

Forensic, auditing, and third-party tools

| Forensic, auditing, and third-party tools | FortiSandbox Appliance | FortiCloud Sandbox |
| --- | --- | --- |
| Forensic/incident response information | Yes | Yes |
| Source and destination IP address for tracking IOCs | Yes | Yes |
| Export suspicious files for further analysis or inspection by third-party applications | Yes | |
| PCAP, TracerLog, and screen captures | Yes | |
