Administration Guide

Appendix A - Advanced deployment scenarios

Deploying primary and secondary nodes without VM Clones

When the primary and secondary nodes use the FortiSandbox VM00 model, you have the option of deploying them without VM Clones (i.e. as a dispatcher). This VM00 deployment dedicates its full VM resources to HA support, receiving incoming files, and distributing files to the worker nodes. No scan is performed on the VM00. For this type of VM00 deployment, only the FortiCare Premium Support subscription is necessary because all scans are performed on the worker nodes.

Deploying for Static Scan

The Static Scan only deployment type provides the highest available performance and the lowest scan time for processing samples. Static Scan comprises pre-filtering, full antivirus scan, cloud query, and Static AI scan. Without the Dynamic Scan, the detection rate is expected to be lower. Consider this mode when throughput is more important than detection precision. Otherwise, consider the regular operating mode to ensure the highest available detection precision.

When deploying FortiSandbox VM00 for Static Scan only, use firmware version 4.2.2 or later. You can leave the clone number at zero. For this deployment, the Sandbox Threat Intelligence plus FortiCare Premium subscriptions are required. Windows expansion licenses are not required.

Deploying for OT Industry

OT malware scans for the presence of OT-related applications and networking protocols. LinuxOT is a Linux VM that simulates an OT industry deployment. The VM supports the Siemens application and simulates the following protocols:

  • Modbus
  • SNMP
  • IPMI
  • FTP
  • TFTP

The Sandbox Threat Intelligence subscription already includes the Industrial Security subscription, which allows you to enable the simulation. To scan files, submit them through any Windows VM. If a file is OT malware, the LinuxOT VM captures its lateral movement behavior and its access to those applications and protocols.

For more information, see Simulator VMs.
