
ORDERING GUIDE

FortiSandbox
Product Offerings

• AI-powered sandbox malware analysis
• Automated and inline block breach protection
• MITRE ATT&CK-based report

Available in: Appliance, Virtual Machine, Hosted, Cloud

FortiSandbox is a third-generation malware sandbox powered by machine learning and deep learning that integrates with any existing security infrastructure and enables automated protection across both IT and OT environments.

FortiSandbox is available as a range of cloud services and on-premise appliances:

• Sandbox As-a-service: subscription services for FortiGate (and FortiMail and FortiClient) to support either:

  • Detection: out-of-band sandboxing, alerting, reporting, and log enrichment for SOC response

  • Detection and Prevention: prioritized and high capacity to support inline sandboxing plus SOCaaS log ingestion

• SOC Platforms: multiple form factors to aid SOC teams in detection, prevention, and threat hunting:

  • Fortinet-hosted Cloud: subscription service (platform as-a-service (PaaS)) FortiSandbox with dedicated VM resource for dedicated performance and centralization of reports and threat intelligence across Fortinet estate

  • Private/Public Cloud: cloud-based FortiSandbox on Azure/AWS cloud or on-premise VM deployment

  • Dedicated Hardware: on-premise FortiSandbox with guaranteed response time and detection

AS-A-SERVICE SOC PLATFORMS


FORTIGUARD ANTIMALWARE FORTIGUARD ADVANCED SANDBOX CLOUD/APPLIANCES
FortiGate Integration
Detection   
(Visibility and Log Enrichment)
Accelerated AI Prefilter   Supported

Prevention  
(Inline Blocking)
Security Operations
SOC Integration
• FortiGuard Antimalware: SaaS monitoring of threats plus data (log) enrichment
• FortiGuard Advanced Sandbox: Inline blocking of detected threats plus data (log) enrichment
• Cloud/Appliances: Advanced sandbox GUI including MITRE ATT&CK techniques, sandbox execution timelines, and more

STRICTLY CONFIDENTIAL

AS-A-SERVICE

Flexible FortiGate, FortiClient, and FortiMail Offerings


Sandbox Detection Service is bundled with the FortiGate's Advanced Malware Protection (AMP) service, including antivirus,
mobile malware, and other components. This service provides out-of-band sandbox detection and log enrichment with a cloud-
based SaaS portal for SOC admins.
Sandbox Detection and Prevention Service is a new a la carte service, which includes inline blocking for sandbox and AI/NDR
detections, plus log enrichment for SOC teams.
Both services are currently available in the North America, Europe, and Asia regions. Similar service offerings are available for
FortiClient and FortiMail products.
AS-A-SERVICE
FORTIGUARD ANTIMALWARE FORTIGUARD ADVANCED SANDBOX
FortiGate Integration
Detection  
(Visibility and Log Enrichment)
Accelerated AI Prefilter 

Prevention 
(Inline Blocking)
Security Operations

SOC Integration
• FortiGuard Antimalware: SaaS monitoring of threats, plus data (log) enrichment
• FortiGuard Advanced Sandbox: Inline blocking of detected threats, plus data (log) enrichment

System Performance

Sandboxing Throughput (Files/Hr) TBC

Total Capacity (Files/Hr) TBC

Detection Capabilities

AI-based Static Behavior Analysis  Accelerated¹

Antievasion Detection  

C&C Detection  

AV, IPS, Web Filtering  

Sandboxing VMs

Cloud VMs   Prioritized

Supported OS

Windows²  

Additional Services

24x7 Support  

1 Integrated with FortiNDR’s Artificial Neural Network capability for fast pre-filtering.
2 Based on configured file types on the antivirus profile.

Order Information
The following table shows an example of the a la carte SKUs for the FortiGate-60F. The same SKUs are available for FortiGate
models.

SKU
Hardware and Support
FG-60F FG-60F
24x7 FortiCare Support FC-10-0060F-247-02-DD

A la Carte - FortiGuard Security Services

FortiGuard Advanced Malware Protection (AMP) Service FC-10-0060F-100-02-DD

FortiGuard AI-based Inline Sandbox Service FC-10-0060F-577-02-DD


SOC AUGMENTATION

On-premise, Cloud, and Hosted Options


FortiSandbox Cloud is a Fortinet-hosted platform available on a subscription basis, providing the same capabilities as hardware
and virtual appliances. It is currently available in the North America and Europe regions.
FortiSandbox Virtual Appliances are available for public cloud and private cloud deployments.
FortiSandbox Hardware is available in a range of performance levels for different size organizations.
PAAS VM HARDWARE
FORTISANDBOX CLOUD PRIVATE/PUBLIC CLOUD 500F 1000F 2000E 3000F
FortiGate Capabilities
Detection      
(Visibility and Log Enrichment)
Accelerated AI Prefilter   Supported¹  Supported¹  Supported¹  Supported¹  Supported¹

Prevention      
(Inline Blocking)
System Performance

Effective Sandboxing Throughput¹ (Files/Hr) 20 - 4,000 100 - 4,000 600 1,400 2,400 6,720

Static Analysis Throughput² (Files/Hr) 5,000 7,000 10,000 60,000

Dynamic Analysis Throughput³ (Files/Hr) 180 320 600 2,500

FortiMail Throughput⁴ (emails/hour) 200 - 40,000 1,000 - 40,000 10,000 14,000 24,000 67,200

Number of Users⁵ 8 - 1,600 40 - 1,600 400 560 960 2,688

MTA Adapter Throughput (emails/hour) 5,000 10,000 15,000 60,000

Sniffer Mode Throughput (Gbps) 1 0.5 1 4 9.6

Detection Capabilities

AI-based Static Behavior Analysis      

Antievasion Detection      

C&C Detection      

AV, IPS, Web Filtering      

Sandboxing VMs

Default Local VMs 0 2 2 4 8

Local or Custom VM Expansion Capacity 8 (Private/BYOL), 128 (PAYG)⁶ +4 +12 +20 +64

Cloud VM Expansion Capacity 1 - 200 1 - 200 5 - 200⁷

Supported OS

Windows      

macOS, Linux, Android  Limited⁸     

Custom OS     

OT Simulation /—    

User-Defined     

System Information

Type Cloud Subscription Virtual Machine 1RU Appliance 1RU Appliance 2RU Appliance 2RU Appliance

1G RJ45 N/A Hardware Dependent    

1G SFP N/A Hardware Dependent   

10G SFP+ N/A Hardware Dependent  

1 Tested based on files with 80% documents and 20% executables. Includes both Static and Dynamic analysis with pre-filtering enabled.
2 Includes receiving, job handling, AV engine, Yara engine, Cloud Query.
3 Previously called “Sandboxing VM Throughput”.
4 Based on a ratio of one email with attachment to 10 emails.
5 Based on a ratio of one user per 25 emails.
6 Based on number of cores multiplied by 4.
7 Local Static Scan capacity can limit overall throughput for full cloud expansion.
8 Limited to Static Analysis only.


Note that all form factors include the same set of advanced detection capabilities below:
PAAS VM SUBSCRIPTION HARDWARE
FORTISANDBOX CLOUD PRIVATE/PUBLIC CLOUD 500F 1000F 2000E 3000F
Security Services

Fortinet Security Fabric Integration Centralized Centralized Centralized Centralized Centralized Centralized

Fabric Partners     

Adapters, API, Network Share, and Sniffer Via API only     

Dynamic Analysis Time 3-5 minutes 3-5 minutes 3-5 minutes 3-5 minutes 3-5 minutes 3-5 minutes

AI-based Static Behavior Analysis      

Antievasion Detection      

C&C Detection      

AV, IPS, Web Filtering      

Additional Services
24x7 Support      

ORDER INFORMATION
The following table shows the SKUs for PaaS, VM subscriptions, and hardware appliances.

PaaS is simply licensed based on the capacity needed:

PAAS SKU
Cloud VM Expansion
+1 Cloud Expansion (all supported OS) FC1-10-SACLP-433-01-DD

+5 Cloud Expansion (all supported OS) FC2-10-SACLP-433-01-DD

FortiCloud Premium FC-15-CLDPS-219-02-DD

VM licensing consists of the base VM license combined with flexible expansion options:
VIRTUAL MACHINE SKU
Base
Base License FSA-VM00

Local VM Expansion

+1 Microsoft Windows 10 License FSA-VM-WIN10-1

+1 Microsoft Office 2016 License FSA-UPG-OFFICE-1

+1 Microsoft Office 2019 License FSA-UPG-OFFICE2019-1

+8 Custom VMs License FSA-VM00-UPG-LIC-BYOL

Sandbox Threat Intelligence and up to 8 VMs¹ FC-10-FSV00-500-02-DD

FortiCare Premium Support Only² FC-10-FSV00-248-02-DD

Cloud VM Expansion

+5 Cloud Expansion Windows FC-10-FSA01-195-02-DD

+2 Cloud Expansion macOS FC-10-FSA01-192-02-DD

1 Supported by FortiSandbox 4.0.1 and 3.2.3.


2 For HA Cluster deployment setup, configured as a primary or secondary node used as a dispatcher only. Supported by FortiSandbox 4.2.1.


Hardware can be purchased as fully-loaded bundles or customized as needed:


HARDWARE
500F 1000F 2000E 3000F
Hardware Bundles

Local or Custom VM Base + Expansion Capacity 2+4 2+12 4+20 8+64

Hardware Bundle with Licensed VMs
• 500F: FSA-500F, FSA-500F-UPG-WIN-LIC-4, FC-10-FS5HF-499-02-DD
• 1000F: FSA-1000F, FSA-1000F-UPG-WIN-LIC-6 (2), FC-10-FS1KF-499-02-DD
• 2000E: FSA-2000E, FSA-2000E-UPG-WIN-LIC-10 (2), FC-10-SA20K-499-02-DD
• 3000F: FSA-3000F, FSA-3000F-UPG-LIC-32 (2), FC-10-SA3KF-499-02-DD

Hardware Bundle with Custom VMs¹
• 500F: FSA-500F, FSA-500F-UPG-LIC-BYOL, FC-10-FS5HF-499-02-DD
• 1000F: FSA-1000F, FSA-1000F-UPG-LIC-BYOL, FC-10-FS1KF-499-02-DD
• 2000E: FSA-2000E, FSA-2000E-UPG-LIC-BYOL, FC-10-SA20K-499-02-DD
• 3000F: FSA-3000F, FSA-3000F-UPG-LIC-BYOL, FC-10-SA3KF-499-02-DD

Renewal (Sandbox Threat Intelligence)²
• 500F: FC-10-FS5HF-499-02-DD
• 1000F: FC-10-FS1KF-499-02-DD
• 2000E: FC-10-SA20K-499-02-DD
• 3000F: FC-10-SA3KF-499-02-DD

+1 Microsoft Office 2019 License³ FSA-UPG-OFFICE2019-1

Add-ons

100-1000 Mailbox MTA FC1-10-FSA01-321-02-DD

1001-5000 Mailbox MTA FC2-10-FSA01-321-02-DD

5000+ Mailbox MTA FC3-10-FSA01-321-02-DD


1 Supported by FortiSandbox 4.0.1 and 3.2.3.
2 Sandbox Threat Intelligence is a subscription service for Antivirus, IPS, Web Filtering, File Query, Industrial Security, Sandbox engine, plus 24x7 FortiCare.
3 Supported by FortiSandbox 4.2.1.

FREQUENTLY ASKED QUESTIONS


What is the best strategy for sizing a sandbox deployment?
Following are suggested approaches when sizing the file throughput (files per hour):
• Ideal: determined during POC or CTAP
• Estimate: based on number of files transacted per hour or users
For best results, engage your regional CSEs. FortiSandbox supports clustering up to 99 devices to further increase VM capacity.
See the FortiSandbox Administration Guide.

What additional training services are available?


The following table summarizes training options for FortiSandbox:

TRAINING SERVICES
NSE7 Advanced Threat Protection Instructor-led Training FT-ATP
NSE7 Advanced Threat Protection On-demand Lab Access FT-ATP-LAB
NSE7 Advanced Threat Protection Certification Exam Voucher NSE-EX-CERT

www.fortinet.com

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

FSA-OG-R12-20221017