Appendix B - FortiCloud Sandbox
In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service. FortiCloud Sandbox can be integrated with FortiGate, FortiClient, FortiMail, FortiWeb, FortiADC, and FortiProxy, and requires an active FortiCloud account. This topic compares the features, deployment options, and capabilities of the FortiCloud Sandbox service with those of a physical or virtual on-premises FortiSandbox appliance.
Deployment
| Deployment options | FortiSandbox appliance | FortiCloud Sandbox |
|---|---|---|
| FortiGate, FortiClient, FortiMail, FortiWeb, FortiADC, and FortiProxy integration | Yes | Yes |
| Security Fabric integration for FortiManager, FortiAnalyzer, and FortiSIEM | Yes | |
| Multiple appliance options (500F, 1000D, 1000F, 2000E, 3000E, and FSA-VM) | Yes | |
| On-site deployment (centralized or distributed) | Yes | |
| Third-party products NetworkShare integration (CarbonBlack, BBC Mode, ICAP Client, API) | Yes | |
Detection
| Detection capabilities | FortiSandbox appliance | FortiCloud Sandbox |
|---|---|---|
| Device input (FortiGate, FortiMail, FortiWeb, FortiClient, and others) | Yes | Yes |
| File-based detection | Yes | Yes |
| On-demand scanning - manual upload of suspicious files | Yes | Yes |
| URL detection - host traffic to malicious sites | Yes | Yes* |
| Adapters for third-party products | Yes | |
| API input (REST API) | Yes | |
| BotNet detection via sniffer | Yes | |
| Network attack detection via sniffer | Yes | |
| Network share input (file share scanning CIFS and NFS) | Yes | |
| On-demand scanning - manual upload of URL list | Yes | |
| Sniffer input via TAP or Mirror/SPAN port | Yes | |
| URL detection - ICAP client integration | Yes | |
| URL detection - REST API integration for web scanning | Yes | |
*Available with FortiCloud 3.1.x onwards.
File type and protocol support
| Profiling, file type, and protocol support | FortiSandbox appliance | FortiCloud Sandbox |
|---|---|---|
| A/V and CPRL pre-filter support for all file types regardless of operating system | Yes | Yes |
| Archived - .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, and .arj | Yes | Yes |
| Executable - .exe, .dll, PDF, Windows Office, and JavaScript | Yes | Yes |
| FortiGate integrated - HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL, and encrypted equivalent | Yes | Yes |
| Media - .avi, .mpeg, .mp3, and .mp4 | Yes | Yes |
| Share threat intelligence among distributed installations | Yes | Yes |
| Virtual machine sandboxing | Yes | Yes |
| FortiMail integrated - SMTP, POP3, and IMAP | Yes | Yes* |
| Ability to fine-tune the scanning environment | Yes | |
| Scan user-defined file types | Yes | |
| Utilize customized virtual machines | Yes | |
*FortiMail integration supported from version 5.3.x onwards.
Alerting, reporting, and monitoring
| Alerting, reporting, monitoring, and logging | FortiSandbox appliance | FortiCloud Sandbox |
|---|---|---|
| Filter by rating (Malicious, Suspicious - Low, Medium, High Risk, Clean) | Yes | Yes |
| On-demand summary and threat detail reporting by date range | Yes | Yes |
| FortiAnalyzer integration | Yes | Yes* |
| Syslog to remote log server | Yes | Yes* |
| At-a-glance view of submissions by device (easily see if one site is submitting more than others) | Yes | |
| Common Event Format to remote log server | Yes | |
| Consolidated or separate views of input by device, network, sniffer, or on-demand submission | Yes | |
| Detailed alerting with source, destination, protocol, file name, and forensic/incident response info | Yes | |
| Filtering and search capabilities - granular drill down and export to detailed report in .PDF format | Yes | |
| Scheduled summary and threat detail reporting delivered via email | Yes | |
| File submission summary web view | | Yes |
| Limited daily canned report | | Yes |
| Separate views for each device (not reportable or monitored in aggregate) | | Yes |
| Summary email alerting with source, destination, protocol, and file name | | Yes |
*Available through FortiGate.
Forensic, auditing, and third-party tools
| Forensic, auditing, and third-party tools | FortiSandbox appliance | FortiCloud Sandbox |
|---|---|---|
| Forensic/incident response information | Yes | Yes |
| | Yes | Yes |
| Export suspicious files for further analysis or inspection by third-party applications | Yes | |
| PCAP, TracerLog, and screen captures | Yes | |