Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

sdiomande
New Contributor

FortiSandBox PoC Evalution Indicators.

Hi team,
I'm doing a PoC with the FortiSandBox with a customer and we need to have indicators for evaluating the test results.

Do you have any idea about which indicators could be used ??

The customer has in its environment: 4 FortiGate (2x1000D and 2x800C), two FortiMail 400C, two FortiWeb 400C.


Best regards.

1 Solution
DrWolfgangBeneicke1

Hi,

I've just finished a FSA PoC with an FSA-3000E and a FML-400C.

In my mind it's important to supply reliable statistics to the customer, that is, have a sizeable number of files scanned. And watch the CPU and memory consumption of the FSA, plus the max. number of queued scan jobs, to get a feeling for the right size of the FSA in this environment.

For example, in this PoC the FSA scanned about 110.000 files of which 60 were malicious and 80 more of high risk. I agree with the customer that only one malicious file was too much, yet alone 60 in 4 weeks (2 per day). The huge number of detected, unique trojans was astonishing as the network stream had already been AV scanned by their Fortigates.

"unique" because immediately after categorizing a file as malicious the FSA created a signature which prevented subsequent occurrences of the same file to pass the Fortigate (or be scanned again by the FSA).

Another observation to point out: half of the bad files cames from the FortiMail as attachments but the other half came in by web via the FGT. I would have thought that ratio be 10:1 before we measured it.

Additionally, half ot fhe malicious objects were files, the other half were URLs (well, not 'malicious' but 'high risk'). As URLs in eMails are not scanned at all in a FGT this is worth pointing out.

So, it's quite apparent that a FSA is effective, easy to integrate with FGT, FML and FWB and worth the investment. Finally, the right sizing was no easy task. Ask your FTNT SE to help you with this. At this point I would prefer an appliance over a VM for sheer performance.

HTH,

   ede_pfau

View solution in original post

4 REPLIES 4
sdiomande
New Contributor

Hi All

Any idea ?

DrWolfgangBeneicke1

Hi,

I've just finished a FSA PoC with an FSA-3000E and a FML-400C.

In my mind it's important to supply reliable statistics to the customer, that is, have a sizeable number of files scanned. And watch the CPU and memory consumption of the FSA, plus the max. number of queued scan jobs, to get a feeling for the right size of the FSA in this environment.

For example, in this PoC the FSA scanned about 110.000 files of which 60 were malicious and 80 more of high risk. I agree with the customer that only one malicious file was too much, yet alone 60 in 4 weeks (2 per day). The huge number of detected, unique trojans was astonishing as the network stream had already been AV scanned by their Fortigates.

"unique" because immediately after categorizing a file as malicious the FSA created a signature which prevented subsequent occurrences of the same file to pass the Fortigate (or be scanned again by the FSA).

Another observation to point out: half of the bad files cames from the FortiMail as attachments but the other half came in by web via the FGT. I would have thought that ratio be 10:1 before we measured it.

Additionally, half ot fhe malicious objects were files, the other half were URLs (well, not 'malicious' but 'high risk'). As URLs in eMails are not scanned at all in a FGT this is worth pointing out.

So, it's quite apparent that a FSA is effective, easy to integrate with FGT, FML and FWB and worth the investment. Finally, the right sizing was no easy task. Ask your FTNT SE to help you with this. At this point I would prefer an appliance over a VM for sheer performance.

HTH,

   ede_pfau

sdiomande

Hi Wolfgang,

thank you !

GeerVan

Hi all,

Apart from the proposed sizing checks, I'm also looking for some more functional evaluation indicators, that we could use as "acceptance criteria" during a FSA PoC: what would you recommend?

Thanks,

Geert

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.