This guide describes how to configure and manage your FortiSandbox system and the connected Fortinet Security Fabric devices. For documentation on Fortinet devices, such as FortiGate and FortiClient, see Fortinet Document Library.
Fighting today’s Advanced Persistent Threats (APTs) requires a multi-layer approach. FortiSandbox offers the ultimate combination of proactive mitigation, advanced threat visibility, and comprehensive reporting. More than just a sandbox, FortiSandbox deploys Fortinet’s award-winning, dynamic antivirus and threat scanning technology, dual level sandboxing, and optional integrated FortiGuard cloud queries to beat Advanced Evasion Techniques (AETs) and deliver state-of-the-art threat protection.
FortiSandbox utilizes advanced detection, dynamic antivirus scanning, and threat scanning technology to detect viruses and APTs. It leverages the FortiGuard web filtering database to inspect and flag malicious URL requests, and is able to identify threats that standalone antivirus solutions may not detect.
FortiSandbox works with your existing devices, like FortiGate, FortiWeb, FortiClient and FortiMail, to identify malicious and suspicious files and network traffic. It has a complete extreme antivirus database that will catch viruses that may have been missed.
FortiSandbox can be configured to sniff traffic from the network, scan files on a network share with a predefined schedule, quarantine malicious files, and receive files from FortiGate, FortiWeb, FortiMail, and FortiClient. For example, FortiMail 5.2.0 and later allows you to forward email attachments to FortiSandbox for advanced inspection and analysis. Files can also be uploaded directly to it for sandboxing through the web GUI or JSON API. You can also submit a website URL to scan to help you identify web pages hosting malicious content before users attempt to open the pages on their host machines.
FortiSandbox executes suspicious files in the VM host module to determine if the file is High, Medium, or Low Risk based on the behavior observed in the VM sandbox module. The rating engine scores each file from its behavior log (tracer log) that is gathered in the VM module and, if the score falls within a certain range, a risk level is determined.
FortiSandbox v4.4.0 has been rated with up to 10x in Effective Sandboxing Throughput. This increase provides the following benefits:
- More files are processed and rated over time
- Fewer Pending Files
- Faster Scan Time
In Networking, this is comparable to a higher Network Bandwidth where the bigger the bandwidth the more traffic that can pass through. Note that the actual processing scan time remains the same as rating evaluation accuracy are kept the same.
For more information, see the FortiSandbox Datasheet (Specifications > Effective Sandboxing Throughput).
- Introduced Custom VM upload and updates directly via GUI. See, Setting up a custom VM
- Enhanced and re-organized the setting-related configurations on System and Scan Profile settings to easily navigate through the menus. See, Scan Profile and Settings.
- Enhanced Settings page on Log & Report. See, Settings (Log & Report).
- Enhanced the System Resource widget of the dashboard. See, System Resources Usage.
- Enhanced File/URL On Demand page to support adjustable columns. See, File On-Demand and URL On-Demand.
- Enhanced the FortiClient Security Fabric page by adding filtering and sorting functions and Last Seen column. See, FortiClient.
- Enhanced the VM Settings page for usability and improved status indicators. See, VM Settings.
- Enhanced Custom VM to upload meta information for installed applications list. See, Configuring VM Images
- Enhanced VM Setting page to combine Windows and MacOS Cloud and separate key counts for local and remote. See, VM Settings
- Enhanced the Admin Profile page layout. See, Admin Profiles.
- Enhanced configuration and field labels on ICAP Adapter pages. See, ICAP adapter.
- Enhanced the Device Security Fabric and FortiClient Security Fabric page by adding filtering and sorting functions and Last Seen column. See, Device
Enhanced ICAP Adapter to support imported certificate. See, ICAP adapter.
Enhanced ICAP Adapter to support modification of default profile for the multiple ICAP feature. See, ICAP adapter.
Upgraded SMB support to v3.1.1 for NetShare Scan feature. See, Network Share
- Introduced Real-Time Anti-Phishing service to identify 0-day Phishing sites. See, Scan Profile Advanced Tab.
- Introduced prioritization of Netshare Scan jobs including proper user-rights and groupings. See, Netshare Groups.
- Introduced QR Code analysis of embedded URLs in PDFs, Office and HTML files. See, Appendix B - Job Details page reference.
- Introduced configurable filetype list for the Inline Block Scan to select and optimize deployment. See, Inline Block Policy.
- Introduced hold feature on Dynamic Scan for submissions from ICAP adapter. See, ICAP adapter.
- Introduced Inline Block via TCP reset on Network Alert feature of Sniffer mode. See, Sniffer.
- Introduced Office 2021 support via a new Optional VM. See, VM Settings.
- Enhanced Custom VM setup to allow configuration of CPU and memory settings. See, Setting up a custom VM.
- Introduced Self-Check to automatically detect the status of key configurations, connectivity, and services. See, System configuration checklist .
- Introduced Single Sign On for admin authentication. See, SAML.
- Enhanced hardware status on MIB and CLI to include the internal temperature, fan, disk and power supply status. See, Diagnose Commands > hardware-info in the CLI Reference Guide.
Enhanced display settings and renamed fields of the Job Details. See, Appendix B - Job Details page reference
Enhanced Job Detail report on URL Scan to display the Web Filtering category rating and if available the redirected URL. See, Appendix B - Job Details page reference.