What is Sandbox?
FortiSandbox Cloud Options
FortiSandbox On-premise
FortiSandbox On-premise File Submission
Sniffer Mode
FortiSandbox On-Premise Device Mode
FortiSandbox On-premise FortiClient Integration
HA & Sizing Details
1. What is Sandbox
What is Sandboxing?
Virtual analysis – nothing new
• Infection of processes
Why does a customer look for ATP?
Breaking the Kill Chain of Advanced Attacks
[Diagram: kill chain stages (spam, malicious email, malicious link, exploit, malicious web site, malware) and the control that breaks each stage: Antispam, Web Filtering, Intrusion Prevention, Antivirus]
Breaking the Kill Chain of Advanced Attacks
[Diagram: the same kill chain (spam, malicious email, malicious link, exploit, malicious web site, malware) with Sandbox added alongside Antispam, Web Filtering, Intrusion Prevention and Antivirus]
Lateral Movement
- Two Approaches: ISFW in Transparent Mode (proactive); FortiClient (reactive)
Spear Phishing Prevention
- Two Approaches
Ineffective against encrypted attacks
Advanced Threat Protection Framework
Access Control: Stateful Firewall, Vulnerability Management, 2-Factor Authentication
Threat Prevention: IPS/Application Control, AntiMalware, Email/Web Filtering, Anti-bot
Incident Response: Professional Services, Device Quarantine, FortiGuard Updates
ATP Framework in Action
Extended and fast protection
[Diagram: FortiClient, FortiGate, FortiMail, FortiWeb and FortiSandbox placed between the Internet and the Web Server and Mail Server]
FortiSandbox - key components
• Multi-tiered file processing optimizes resources to improve security, capacity and performance
• Call Back Detection: identifies the ultimate aim, call back and exfiltration
• FortiGuard verified
Products
2. FortiSandbox Cloud
FortiOS 5.4
FortiCloud
Register your device
New Tab of FortiSandbox
Tune AV Profile on FortiGate
Select AV Profile in Policy
FortiSandbox Cloud for FortiMail & FortiWeb
[Diagram: FortiMail and FortiWeb submitting files to FortiSandbox Cloud]
FortiMail Sandbox
Select Sandbox in AV Profile
FortiWeb Sandbox Cloud Configuration
Select Sandbox Cloud in File Upload Policy
3. FortiSandbox On-premise
Status Page
FortiGuard Updates
Prerequisite
It Appears in Scan Profile
FSA SimNet - Open or Closed Environment?
[Diagram: FortiSandbox interfaces port1, port2 and port3, and the connection to the Internet]
Why is Internet Access Important for Detection?
[Diagram: dummy.exe passes AV inspection and is executed in the sandbox VM; at execution time it makes an HTTP request, and the rating engine only sees the IP reputation of 192.168.250.1 (the simulated network)]
Why is Internet Access Important for Detection?
[Diagram: the same execution with Internet access; the HTTP response comes from a real address a.b.c.d, the callback connection is identified as C2 and the IP reputation is rated C2]
SimNet disabled vs SimNet enabled
For Networks Using Proxy
Alert Email Setting
Scheduled Reports on Mail
SNMP Settings
3.a. Advanced Setup On-Premise Mode
Configuring VMs
Maximum Number of VMs
Scan Profile
Configuring a VM to Scan File type
Flexibility to add User-Defined File Types
What if we don't have Windows XP?
New Virtual Machine Support
New source and type
Blacklist & Whitelist
4. File On-Demand
On-Demand: Manual Input Method
How to Check
Flexibility to choose Scan Engine
4.a. URL Submission
5. Sniffer Mode
Sniffer Input Method
• Switch with mirroring/monitoring/SPAN capabilities: monitoring traffic
• TAP device: monitoring traffic
6. Device Mode
Devices Input Method
FortiGate, FortiMail or FortiWeb devices connect to FortiSandbox over 514/tcp (SSL encrypted) for:
- File submission
- Getting statistics back
Registering FortiGate on FortiSandbox for File Submission
Device should appear in FortiSandbox
Device Authorization
Configure AV Profile with FortiSandbox
Tune WCF Profile to use FortiSandbox
Policy
FortiView
6.a Device Mode - FortiWeb
If FGT is integrated with FSA, why do I need to integrate FWEB with FSA?
Encrypted Traffic
[Diagram: encrypted traffic flowing through the FGT]
FSA Integration
» Configure FSA
» Authorise and test connectivity
» Set up admin mail
FortiWeb Configuration
» Configure File Upload Restriction Policy
6.c Device Mode - FortiMail
Threat Vectors
Integrate with FortiSandbox
Enable Sandbox in AV-Profile
Select AV-Profile in Recipient Policy
7. FortiClient Integration
Part of the Fortinet ATP Framework
FortiSandbox Integration
Execution or Access Hold during the Inspection
[Diagram: three numbered steps of the FortiClient to FortiSandbox inspection flow]
Create a Profile with FortiSandbox IP
Register FortiClient on FGT
Test FCT-FSA Communication
Check FCT is registered on FSA & FGT
Process Next Level
[Diagram: FortiSandbox engines: AV-Scan Engine, Cloud-Query Engine, VM-Scan Engine, URL Detection and Rating Engine; inputs shown: Network Share, On-demand, Local DB]
FortiGuard Threat Research & Response
Analysis
FortiGuard File Filter
Antivirus Service
Anti-botnet
The Fortinet ATP Solution
[Diagram: FortiClient, FortiMail, FortiGate, FortiWeb and FortiSandbox backed by FortiGuard Lab and FortiGuard Services]
Sizing & Clustering
FortiSandbox Scaling
[Diagram: scanning pipeline for a supported file type: File Filter (most file types are scanned by Static Scan), then AV-Scan Engine (clean file or new/known malware), Cloud-Query Engine, VM-Scan Engine (up to 2 ½ minutes more for unknown files) and Rating Engine, which returns Clean or Malware]
Confidential
File Sizing Summary
Clustering and Load Balancing
Master and Primary Slave have to be the same appliance (can be any model)
Regular Slaves can be any appliance
Up to 100 nodes in a cluster
[Diagram: cluster nodes labelled PRIMARY, MASTER and SLAVE]
Thank You!