Fortinet black logo

Administration Guide

Appendix B - FortiCloud Sandbox

Copy Link
Copy Doc ID 7885f8f7-912a-11e9-81a4-00505692583a:430085
Download PDF

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service, integrated with FortiGate, FortiMail, and FortiWeb, called FortiCloud Sandbox. FortiCloud Sandbox requires an active FortiCloud account for use with FortiGate, FortiMail, and FortiWeb. Below, you can see a comparison of the features, deployments, and capabilities of the FortiCloud Sandboxing service compared to a physical or virtual deployment set up on-premises (FortiSandbox Appliance).

Deployment

Deployment options

FortiSandbox Appliance

FortiCloud Sandbox

FortiGate integration

Yes

Yes

FortiMail and FortiWeb integration

Yes

Yes

Fabric integration (FortiClient, FortiWeb, FortiADC, FortiManager, FortiAnalyzer, FortiSIEM)

Yes

Multiple appliance options (500F, 1000D, 1000F, 2000E, 3000E, and FSA-VM)

Yes

On-site deployment (centralized or distributed)

Yes

Third-party products NetworkShare integration (CarbonBlack, BBC Mode, ICAP Client, API)

Yes

Detection

Detection capabilities

FortiSandbox Appliance

FortiCloud Sandbox

Device input (FortiGate, FortiMail, FortiWeb, FortiClient, and others)

Yes

Yes

File based detection

Yes

Yes

On-demand scanning - manual upload of suspicious files

Yes

Yes

URL detection - host traffic to malicious sites

Yes

Yes*

Adapters for third-party products

Yes

API input (REST API)

Yes

BotNet detection via sniffer

Yes

Network attack detection via sniffer

Yes

Network share input (file share scanning CIFS and NFS)

Yes

On-demand scanning - manual upload of URL list

Yes

Sniffer input via TAP or Mirror/Span port

Yes

URL detection - ICAP client integration

Yes

URL detection - REST API integration for web scanning

Yes

*Available with FortiCloud 3.1.x onwards.

File type and protocol support

Profiling, file type, and protocol support

FortiSandbox Appliance

FortiCloud Sandbox

A/V and CPRL pre-filter support for all file types regardless of operating system

Yes

Yes

Archived - .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .and arj

Yes

Yes

Executable - .exe, .dll, PDF, Windows Office, and Javascript

Yes

Yes

FortiGate integrated - HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL and encrypted equivalent

Yes

Yes

Media - .avi, .mpeg, .mp3, and .mp4

Yes

Yes

Share threat intelligence among distributed installations

Yes

Yes

Virtual machine sandboxing

Yes

Yes

FortiMail integrated - SMTP, POP3, and IMAP

Yes

Yes*

Ability to fine tune the scanning environment

Yes

Scan user-defined file types

Yes

Utilize customized virtual machines

Yes

*FortiMail integration supported from version 5.3.x onwards.

Alerting, reporting and monitoring

Alerting, reporting, monitoring and logging

FortiSandbox Appliance

FortiCloud Sandbox

Filter by rating (Malicious, Suspicious - Low, Medium, High Risk, Clean)

Yes

Yes

On-demand summary and threat detail reporting by date range

Yes

Yes

FortiAnalyzer integration

Yes

Yes *

Syslog to remote log server

Yes

Yes *

At-a-glance view submission by device (easily see if one site is submitting more than others)

Yes

Common event format to remote log server

Yes

Consolidated or separate views of input by device, network, sniffer, or on-demand submission

Yes

Detailed alerting with source, destination, protocol, file name and forensic/incident response info

Yes

Filtering and search capabilities - granular drill down and export to detailed report in .PDF format

Yes

Scheduled summary and threat detail reporting delivered via email

Yes

File submission summary web view

Yes

Limited daily canned report

Yes

Separate views for each device (not reportable or monitored in aggregate)

Yes

Summary email alerting with source, destination, protocol, and file name

Yes

*Available through FortiGate.

Forensic, auditing, and third-party tools

Forensic, auditing, and third-party tools

FortiSandbox Appliance

FortiCloud Sandbox

Forensic/incident response information

Yes

Yes

Source and destination IP address for tracking IOC

Yes

Yes

Export suspicious files for further analysis or inspection by third-party applications

Yes

PCAP, TracerLog, and screen captures

Yes

In addition to physical and virtual deployments, FortiSandbox is also available as a cloud-based advanced threat protection service, integrated with FortiGate, FortiMail, and FortiWeb, called FortiCloud Sandbox. FortiCloud Sandbox requires an active FortiCloud account for use with FortiGate, FortiMail, and FortiWeb. Below, you can see a comparison of the features, deployments, and capabilities of the FortiCloud Sandboxing service compared to a physical or virtual deployment set up on-premises (FortiSandbox Appliance).

Deployment

Deployment options

FortiSandbox Appliance

FortiCloud Sandbox

FortiGate integration

Yes

Yes

FortiMail and FortiWeb integration

Yes

Yes

Fabric integration (FortiClient, FortiWeb, FortiADC, FortiManager, FortiAnalyzer, FortiSIEM)

Yes

Multiple appliance options (500F, 1000D, 1000F, 2000E, 3000E, and FSA-VM)

Yes

On-site deployment (centralized or distributed)

Yes

Third-party products NetworkShare integration (CarbonBlack, BBC Mode, ICAP Client, API)

Yes

Detection

Detection capabilities

FortiSandbox Appliance

FortiCloud Sandbox

Device input (FortiGate, FortiMail, FortiWeb, FortiClient, and others)

Yes

Yes

File based detection

Yes

Yes

On-demand scanning - manual upload of suspicious files

Yes

Yes

URL detection - host traffic to malicious sites

Yes

Yes*

Adapters for third-party products

Yes

API input (REST API)

Yes

BotNet detection via sniffer

Yes

Network attack detection via sniffer

Yes

Network share input (file share scanning CIFS and NFS)

Yes

On-demand scanning - manual upload of URL list

Yes

Sniffer input via TAP or Mirror/Span port

Yes

URL detection - ICAP client integration

Yes

URL detection - REST API integration for web scanning

Yes

*Available with FortiCloud 3.1.x onwards.

File type and protocol support

Profiling, file type, and protocol support

FortiSandbox Appliance

FortiCloud Sandbox

A/V and CPRL pre-filter support for all file types regardless of operating system

Yes

Yes

Archived - .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .and arj

Yes

Yes

Executable - .exe, .dll, PDF, Windows Office, and Javascript

Yes

Yes

FortiGate integrated - HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and SSL and encrypted equivalent

Yes

Yes

Media - .avi, .mpeg, .mp3, and .mp4

Yes

Yes

Share threat intelligence among distributed installations

Yes

Yes

Virtual machine sandboxing

Yes

Yes

FortiMail integrated - SMTP, POP3, and IMAP

Yes

Yes*

Ability to fine tune the scanning environment

Yes

Scan user-defined file types

Yes

Utilize customized virtual machines

Yes

*FortiMail integration supported from version 5.3.x onwards.

Alerting, reporting and monitoring

Alerting, reporting, monitoring and logging

FortiSandbox Appliance

FortiCloud Sandbox

Filter by rating (Malicious, Suspicious - Low, Medium, High Risk, Clean)

Yes

Yes

On-demand summary and threat detail reporting by date range

Yes

Yes

FortiAnalyzer integration

Yes

Yes *

Syslog to remote log server

Yes

Yes *

At-a-glance view submission by device (easily see if one site is submitting more than others)

Yes

Common event format to remote log server

Yes

Consolidated or separate views of input by device, network, sniffer, or on-demand submission

Yes

Detailed alerting with source, destination, protocol, file name and forensic/incident response info

Yes

Filtering and search capabilities - granular drill down and export to detailed report in .PDF format

Yes

Scheduled summary and threat detail reporting delivered via email

Yes

File submission summary web view

Yes

Limited daily canned report

Yes

Separate views for each device (not reportable or monitored in aggregate)

Yes

Summary email alerting with source, destination, protocol, and file name

Yes

*Available through FortiGate.

Forensic, auditing, and third-party tools

Forensic, auditing, and third-party tools

FortiSandbox Appliance

FortiCloud Sandbox

Forensic/incident response information

Yes

Yes

Source and destination IP address for tracking IOC

Yes

Yes

Export suspicious files for further analysis or inspection by third-party applications

Yes

PCAP, TracerLog, and screen captures

Yes