Fortinet FortiSandbox 500G
Next Generation AI Powered Sandbox

Features Summary:

FortiSandbox is the most flexible threat-analysis appliance available as it offers various deployment options for unique configurations and requirements. Organizations can choose to combine these options.

Security Fabric Integration

FortiSandbox natively integrates with FortiGate, FortiMail, FortiWeb, FortiADC, FortiProxy, FortiClient (ATP agent), Fabric-Ready Partner solutions, and via JSON API or ICAP with third party security vendors. The integration provides suspicious content submission, timely remediation, and reporting capabilities.

This integration extends to other FortiSandbox solutions allowing instantaneous sharing of real-time intelligence. This feature benefits large enterprises that deploy multiple FortiSandbox solutions in different geo-locations. This zero touch automated model is ideal for holistic protection across different borders and time zones.

Threat Mitigation

FortiSandbox uniquely integrates with various products through the Security Fabric platform that automates your breach protection strategy with an incredibly simple setup. Once malicious code is identified, FortiSandbox will return risk ratings and the local intelligence is shared in real time with Fortinet, Fabric-Ready Partners, and third-party security solutions to mitigate and immunize against new advanced threats. The local intelligence can optionally be shared with the FortiGuard Labs, to help protect organizations globally. The diagram following describes the automated mitigation process flow.

1. Submit file and URL for analysis from the FortiGate, FortiMail, client or file server.
2. Block suspicious file and URL inline on the device or quarantine on the client.
3. Share IoCs to the FortiGate devices (optional to FortiGuard) for intelligence sharing.

MITRE ATT&CK-based Reporting and Investigative Tools

FortiSandbox provides a detailed analysis report that maps discovered malware techniques to MITRE ATT&CK framework with built-in powerful investigative tools that allows Security Operations (SecOps) teams to download captured packets, original file, tracer log, malware screenshot. STIX 2.0 compliant IOCs provide rich threat intelligence and actionable insight after files are examined (see image below).

FortiSandbox also allows SecOps teams to optionally record a video or interact with the malware in a simulated environment.

NetShare Scan

The FortiSandbox facilitates scanning of file repositories via CIFs, NFS, AWS S3 Buckets, and Azure Blob. This feature allows system admin and web hosting to sanitize any file sharing. It is the ideal option for enhancing an existing multi-vendor threat protection approach.

HA-Cluster

The FortiSandbox natively supports clustering to expand the throughput capacity of up to 99 worker nodes. The HA feature provides redundancy for uninterrupted critical operation.

Platform as a Service (PaaS)

Hosted FortiSandbox services offer the same Fortinet Security Fabric integration as FortiSandbox appliances. FortiSandbox (PaaS) can easily scale to facilitate current and future business needs without big upfront investments, offering lower operational costs. Fortinet maintains, updates, and operates the platform on your behalf.

Real Time Anti-Phishing

The FortiSandbox v4.4 provides protection against zero-day phishing. The URLs extracted from emails and embedded from documents are processed in the FortiGuard cloud. The web pages are downloaded in real-time and analyze using patented technologies to determine any phishing signs.

Features Summary

Advanced Threat Protection

• Inline blocking to detect and protect against Zero-day Malware including ransomware
• Real-time identification of Zero-day Phishing sites including spam and malware-hosted sites
• AI-powered static code analysis identifying possible threats within non-running code
• Deep learning powered VM-Less emulation of Windows executable codes (PEXBox)
• Network threat detection in sniffer mode. Identify botnet activities and network attacks, malicious URL visits
• Sandbox Community Cloud for shared analysis within the worldwide community of FortiSandbox deployments

Systems Integration Support

• File and URL submission by Security Fabric devices
  • Integrated mode with FortiGate. HTTP, SMTP, POP3, IMAP, MAPI, FTP, IM, and their equivalent SSL-encrypted versions
  • Integrated mode with FortiMail. SMTP, POP3, IMAP
  • Integrated mode with FortiClient EMS. HTTP, FTP, SMB
  • Integrated mode with FortiWeb. HTTP
• Sniffer mode. HTTP, FTP, POP3, IMAP, SMTP, SMB
• Proxy inspection via ICAP
• MTA/BCC mode via SMTP
• NetShare Scan mode via CIFs, NFS, AWS S3, and Azure Blob
• JSON API to automate the process of uploading samples and downloading actionable malware indicators to remediate
• Dynamic Threat Intelligence DB update of malicious file checksum and URL
• Remote and secured logging with FortiAnalyzer, FortiSIEM, CEF servers and syslog servers

Deployment

• File submission from integrated device(s)
• Sniffer mode deployment with TCP RST support to reset client’s connection with the suspicious server
• Network Share Scan with large file support (e.g., ISO images, network shared folders, SMB/ NFS, AWS S3, and Azure Blob)
• Proxy adapter submission with multi-tenancy support
• Port monitoring for fail-over in a cluster
• OT deployment with supported services: BACnet, HTTP, IPMI, Modbus, S7comm, SNMP, TFTP
• High-availability with Primary and Secondary nodes for redundancy
• Clustering up to 99 worker nodes for higher throughput
• Air-gapped networks support
• Aggregate interface support for increased bandwidth and redundancy
• Isolated administrative traffic from VM image traffic

Advanced Scan (Static AI Scan) Features

• Integrated with the full FortiGuard Antivirus database of heuristic and checksum signatures
• Intelligent adaptive scan profile that optimizes sandbox resources based on submissions
• Parallel scan to run multiple distinct VM types simultaneously
• Extracts URLs embedded in QR Code
• Scan URLs embedded inside document files
• Integrate option for third partyYara rules
• Cloud query for latest known Malware and clean files
• Scan URLs from submitted emails and files
• Files checksum whitelist and blacklist option
• Rating Engine Plus that leverages the latest FortiGuard ML rating
• VM scan ratio for efficient utilization of VMs

Monitoring and Report

• Configuration via GUI and CLI
• Multiple administrator accounts supporting full or view only access
• Radius authentication for administrators
• Single Sign-On via SAML
• Cluster management page for administering the HA and cluster nodes
• Centralized search page allowing administrators to build customized search conditions
• Upload any license from a single convenient page
• Self-Check widget for configurations, connectivity, and services
• VM status monitoring
• Automatic engine and signature updates
• Automatic check for new VM image availability
• System health check alerting system
• NTP via FortiGuard support
• Backup, restore, and revision of system configuration
• Consolidated CLI for troubleshooting
• Option to auto-submit suspicious files to cloud service for manual analysis and signature creation
• Option on NetShare scan mode to prioritize and forward files to a third-party scanning for further scanning

Sandboxing (Dynamic AI Scan) Support

• AI-powered behavioral analysis constantly learning new malware and ransomware techniques
• Concurrent Sandbox instances
• OS type supported: Windows 11/10/8.1/7, macOS, Linux, Android, and ICS systems
• Customizable VMs for Windows and Linux OS
• Configurable internet browser supporting Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox
• Sandbox interactive mode
• Video-recording of malware interaction
• Anti-evasion detection techniques
  • API Obfuscation
  • Bare-metal Detection
  • Command and Control
  • Direct System Calls
  • Execution Delay
  • Memory Only Payload
  • Process Hollowing/Injection

  • Runtime Encryption/Packing
  • System Fingerprinting
  • Time Bomb
  • User Files Check
  • User Interaction Check
  • VM/Sandbox Detection
• Callback detection. Malicious URL visit, botnet C&C communication, and attacker traffic from activated malware
• Downloadable captured packets, tracer logs, and screenshots
• User-defined extensions
• File Types Support
  • Windows Executables: .bat, .cab, .cmd, .dll, .exe, .js, .msi, .ps1, .vbs, wsf
  • Microsoft Office: .doc, .docm, .docx, .dot, .dotm, .dotx, .iqy, .one, .pot, .potm, .potx, .ppt, .pptm, .pptx, .ppam, .pps, .ppsm, .ppsx, .pub, .rtf, .sldm, .sldx, .xlam, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, xltx
  • Document/Email files: .eml, .pdf, .rl

  • Android files: .apk
  • Linux files: .elf
  • MacOS files: .app, .dmg, Mach-O
  • Web files: .htm, html, .lnk, WEBLink
  • Compress files: .7z, .ace, .arj, .bz2, .gz, .iso, .jar, .kgb, .lzh, .rar, .swf, .tar, .tgz, .upx, .xz, .z, .zip

* a real time IoC check for emerging threats (known good and bad) within the FortiGuard intelligence community

Specifications:

¹ FortiSandbox pre-filtering is powered by FortiGuard Intelligence.
² Measured based on real-world web and email traffic when both pre-filter and dynamic analysis are working consecutively.
³ Measured based on real-world email traffic when both pre-filter and dynamic analysis are working consecutively.
* 2(FSA-500F)/2(FSA-1000F)/4(FSA-2000E)/8(FSA-3000E) Windows VM licenses included with hardware, remaining are sold as an upgrade license.

*some models may require CLI configuration

Documentation:

Download the FortiSandbox Data Sheet (PDF).