This guide describes how to configure and manage your FortiSandbox system and the connected Fortinet Security Fabric devices. For documentation on Fortinet devices, such as FortiGate and FortiClient, see Fortinet Document Library.
Fighting today’s Advanced Persistent Threats (APTs) requires a multi-layer approach. FortiSandbox offers the ultimate combination of proactive mitigation, advanced threat visibility, and comprehensive reporting. More than just a sandbox, FortiSandbox deploys Fortinet’s award-winning, dynamic antivirus and threat scanning technology, dual level sandboxing, and optional integrated FortiGuard cloud queries to beat Advanced Evasion Techniques (AETs) and deliver state-of-the-art threat protection.
FortiSandbox utilizes advanced detection, dynamic antivirus scanning, and threat scanning technology to detect viruses and APTs. It leverages the FortiGuard web filtering database to inspect and flag malicious URL requests, and is able to identify threats that standalone antivirus solutions may not detect.
FortiSandbox works with your existing devices, like FortiGate, FortiWeb, FortiClient and FortiMail, to identify malicious and suspicious files and network traffic. It has a complete extreme antivirus database that will catch viruses that may have been missed.
FortiSandbox can be configured to sniff traffic from the network, scan files on a network share with a predefined schedule, quarantine malicious files, and receive files from FortiGate, FortiWeb, FortiMail, and FortiClient. For example, FortiMail 5.2.0 and later allows you to forward email attachments to FortiSandbox for advanced inspection and analysis. Files can also be uploaded directly to it for sandboxing through the web GUI or JSON API. You can also submit a website URL to scan to help you identify web pages hosting malicious content before users attempt to open the pages on their host machines.
FortiSandbox executes suspicious files in the VM host module to determine if the file is High, Medium, or Low Risk based on the behavior observed in the VM sandbox module. The rating engine scores each file from its behavior log (tracer log) that is gathered in the VM module and, if the score falls within a certain range, a risk level is determined.
FortiSandbox rating can be performed by either the standard method or by using artificial intelligence (AI) mode. The default is AI mode, where the AI engine uses machine learning technology to analyze the behavior of thousands of known malware. FortiSandbox uses this engine to inspect file behavior inside a VM to detect indicators of new malware.
Key features of FortiSandbox include:
- Dynamic Anti-malware updates/Cloud query: Receives updates from FortiGuard Labs and send queries to the FortiSandbox Community Cloud in real time, helping to intelligently and immediately detect existing and emerging threats.
- Code emulation: Performs lightweight sandbox inspection in real time for best performance, including certain malware that uses sandbox evasion techniques and/or only executes with specific software versions.
- Full virtual environment: Provides a contained runtime environment to analyze high risk or suspicious code and explore the full threat life cycle.
- Advanced visibility: Delivers comprehensive views into a wide range of network, system and file activity, categorized by risk, to help speed up incident response.
- Network Alert: Inspects network traffic for requests to visit malicious sites, establish communications with C&C servers, and other activity indicative of a compromise. It provides a complete picture of the victim host's infection cycle.
- Manual analysis: Allows security administrators to manually upload malware samples via the FortiSandbox web GUI or JSON API to perform virtual sandboxing without the need for a separate appliance.
- Optional submission to FortiSandbox Community Cloud: Tracer reports, malicious files and other information may be submitted to FortiSandbox Community Cloud in order to receive remediation recommendations and updated in line protections.
- Schedule scan of network shares: Perform a schedule scan of network shares in Network File System (NFS) v2 to v4 and Common Internet File System (CIFS) formats to quarantine suspicious files.
- Scan job archive: You can archive scan jobs to a network share for backup and further analysis.
- Website URL scan: Scan websites to a certain depth for a predefined time period.
- Cluster supporting High Availability: Provide a non-interruption, high performance system for malware detection.
Windows XP is no longer supported. If you currently use Windows XP, migrate to a later Windows version.
You can create custom VMs using pre-configured VMs, your own ISO image, or Red Hat VMs on VirtualBox. For more information, contact Fortinet Customer Service & Support.
For information on hard disk hot-swapping procedure, system recovery procedure using Rescue Mode, and password reset procedure, see the FortiSandbox Best Practices and Troubleshooting Guide in the Fortinet Document Library.
In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service. For more information, see https://docs.fortinet.com/product/fortisandbox-cloud/.