Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

sdiomande
New Contributor

FortiSandBox PoC Evaluation Indicators.

Hi team,
I'm doing a PoC with the FortiSandBox with a customer and we need to have indicators for evaluating the test results.

Do you have any idea about which indicators could be used?

The customer has in its environment: 4 FortiGate (2x1000D and 2x800C), two FortiMail 400C, two FortiWeb 400C.


Best regards.

4 REPLIES
sdiomande
New Contributor

Hi All

Any idea ?

DrWolfgangBeneicke1

Hi,

I've just finished a FSA PoC with an FSA-3000E and a FML-400C.

In my mind it's important to supply reliable statistics to the customer, that is, have a sizeable number of files scanned. And watch the CPU and memory consumption of the FSA, plus the max. number of queued scan jobs, to get a feeling for the right size of the FSA in this environment.

For example, in this PoC the FSA scanned about 110.000 files of which 60 were malicious and 80 more of high risk. I agree with the customer that only one malicious file was too much, let alone 60 in 4 weeks (2 per day). The huge number of detected, unique trojans was astonishing as the network stream had already been AV scanned by their Fortigates.

"unique" because immediately after categorizing a file as malicious the FSA created a signature which prevented subsequent occurrences of the same file to pass the Fortigate (or be scanned again by the FSA).

Another observation to point out: half of the bad files came from the FortiMail as attachments but the other half came in by web via the FGT. I would have thought that ratio to be 10:1 before we measured it.

Additionally, half of the malicious objects were files, the other half were URLs (well, not 'malicious' but 'high risk'). As URLs in eMails are not scanned at all in a FGT this is worth pointing out.

So, it's quite apparent that an FSA is effective, easy to integrate with FGT, FML and FWB and worth the investment. Finally, the right sizing was no easy task. Ask your FTNT SE to help you with this. At this point I would prefer an appliance over a VM for sheer performance.

HTH,

   ede_pfau
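One way to tabulate the indicators Wolfgang lists (files scanned, malicious versus high-risk counts, unique detections, the split by submitting device and by file versus URL, and the per-day rate), as an added Python example that is not from this thread or from Fortinet. The verdict record layout and the sample verdicts are constructed assumptions, not FortiSandbox's real export format; the "repeat submissions" counter is a check on the point in the post that a signature created after the first conviction should stop the same file from reaching the FSA again.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Verdict:
    day: date
    source: str     # submitting device: "FML" (FortiMail) or "FGT" (FortiGate)
    kind: str       # "file" or "url"
    object_id: str  # file hash or normalised URL (placeholder values below)
    rating: str     # "clean", "high_risk" or "malicious"


# Constructed sample data; the field layout is an assumption, not the FSA export format.
SAMPLE = [
    Verdict(date(2016, 1, 4), "FML", "file", "hash-a", "malicious"),
    Verdict(date(2016, 1, 4), "FGT", "file", "hash-b", "clean"),
    Verdict(date(2016, 1, 5), "FGT", "url", "url-1", "high_risk"),
    Verdict(date(2016, 1, 5), "FGT", "file", "hash-c", "malicious"),
    Verdict(date(2016, 1, 6), "FML", "file", "hash-a", "malicious"),  # same file again
    Verdict(date(2016, 1, 6), "FML", "url", "url-2", "high_risk"),
    Verdict(date(2016, 1, 7), "FGT", "file", "hash-d", "clean"),
    Verdict(date(2016, 1, 7), "FML", "file", "hash-e", "clean"),
]


def poc_indicators(verdicts):
    """Aggregate sandbox verdicts into the PoC indicators discussed in the thread."""
    days = (max(v.day for v in verdicts) - min(v.day for v in verdicts)).days + 1
    bad = [v for v in verdicts if v.rating in ("malicious", "high_risk")]
    malicious = [v for v in bad if v.rating == "malicious"]
    # A repeat is a malicious verdict on an object already convicted on an earlier day.
    # After the first conviction the FSA signature should block it at the FGT/FML,
    # so a non-zero count means the signature feedback deserves a closer look.
    first_seen = {}
    repeats = 0
    for v in sorted(malicious, key=lambda v: v.day):
        if v.object_id in first_seen and first_seen[v.object_id] < v.day:
            repeats += 1
        first_seen.setdefault(v.object_id, v.day)
    return {
        "days": days,
        "scanned": len(verdicts),
        "malicious": len(malicious),
        "high_risk": len(bad) - len(malicious),
        "unique_malicious": len(first_seen),
        "malicious_per_day": len(malicious) / days,
        "repeat_submissions": repeats,
        "bad_by_source": dict(Counter(v.source for v in bad)),
        "bad_by_kind": dict(Counter(v.kind for v in bad)),
    }


if __name__ == "__main__":
    for name, value in poc_indicators(SAMPLE).items():
        print(f"{name}: {value}")
```

Feed it the FSA's verdict export for the PoC period instead of the sample list, and watch CPU, memory and queued scan jobs separately on the appliance, since those are not in the verdict data.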

sdiomande

Hi Wolfgang,

thank you !

GeerVan

Hi all,

Apart from the proposed sizing checks, I'm also looking for some more functional evaluation indicators, that we could use as "acceptance criteria" during a FSA PoC: what would you recommend?

Thanks,

Geert