
Advanced Threat Protection

(FortiSandbox, FortiDeceptor, FortiIsolator, FortiAI & FortiInsight)


Zero-day Threat Protection: an AI-powered, top-rated, integrated sandbox

What is a Malware Sandbox?

Earlier generations of viruses were unsophisticated and low in volume, so antivirus tools with a database of signatures provided reasonable protection.

Modern malware, however, relies on new techniques such as exploits. Exploiting a vulnerability in a legitimate application forces that application into anomalous behavior, and it is this behavior that attackers use to compromise computer systems. An attack that exploits a previously unknown software vulnerability is known as a zero-day (0-day) attack; because no signature exists for it yet, signature-based tools cannot stop it, and that is the gap sandboxing fills.

A malware sandbox, in the computer-security sense, is a system that confines the actions of an object, such as opening a Word document, to an isolated environment. Inside that environment the sandbox observes the object's dynamic behavior and its interactions with applications in a simulated user environment and looks for malicious intent. If something unexpected or destructive happens, it affects only the sandbox and not the other computers and devices on the network. In parallel, any malicious behavior observed is captured, an alert is raised, and the relevant threat intelligence is generated so the zero-day attack can be stopped elsewhere.

Typical characteristics found in a malware sandbox:

  • Detection engine consisting of static and dynamic analysis to capture both malware attributes and techniques
  • Emulation of various device OS including Windows, macOS, Linux, and SCADA/ICS, and associated applications and protocols
  • Accepts submissions from a multitude of sources, including network packets, file shares, on-demand submission, and automated submissions by NGFW, SEG, EPP/EDR, WAF and other integrated security controls
  • Reporting and automated sharing of threat intelligence
  • Flexible deployment modes such as appliance, VM, SaaS and Public Cloud to fit various on-prem and cloud environments
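To make the dynamic-analysis idea concrete, here is a small verdict engine run over a behavior trace of the kind a detonation produces. This is an added illustration, not FortiSandbox code: the trace format, the event categories, the indicator names, weights and thresholds, and the two sample traces are all assumptions constructed for the example. Only the MITRE ATT&CK technique IDs attached to each indicator are real. Python is used because it is what a SOC engineer would reach for to post-process sandbox output.

```python
"""Toy verdict engine over a sandbox behaviour trace (added example).

Illustration code, not FortiSandbox's engine.  The trace format, event
categories, indicator names, weights and thresholds are assumptions made
for this example; only the ATT&CK technique IDs are real.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# A detonation yields an ordered list of (category, detail) events.
Trace = List[Tuple[str, str]]


def _any(trace: Trace, category: str, pattern: str) -> bool:
    """True if any event of `category` has a detail matching `pattern`."""
    rx = re.compile(pattern, re.I)
    return any(c == category and rx.search(d) for c, d in trace)


# (indicator, ATT&CK technique, weight, predicate over the whole trace)
INDICATORS: List[Tuple[str, str, int, Callable[[Trace], bool]]] = [
    ("office_spawns_shell", "T1059", 40,
     lambda t: _any(t, "process_create", r"(winword|excel)\.exe -> .*(cmd|powershell)\.exe")),
    ("run_key_persistence", "T1547.001", 30,
     lambda t: _any(t, "registry_set", r"\\currentversion\\run\\")),
    ("downloads_executable", "T1105", 20,
     lambda t: _any(t, "network_http", r"\.(exe|dll|ps1)(\?|$)")),
    ("sandbox_evasion_check", "T1497", 15,
     lambda t: _any(t, "api_call", r"^(IsDebuggerPresent|GetSystemFirmwareTable)$")),
    # Aggregate indicator: a burst of renames to one extension looks like encryption.
    ("mass_rename", "T1486", 60,
     lambda t: sum(1 for c, d in t if c == "file_rename" and d.lower().endswith(".locked")) >= 10),
]

MALICIOUS_AT = 60      # arbitrary thresholds chosen for the example
SUSPICIOUS_AT = 15


@dataclass
class Verdict:
    label: str
    score: int
    hits: List[str] = field(default_factory=list)
    techniques: List[str] = field(default_factory=list)   # ATT&CK IDs, de-duplicated
    iocs: List[str] = field(default_factory=list)         # hosts contacted, for sharing


def analyze(trace: Trace) -> Verdict:
    """Score a trace, tag matched behaviours with ATT&CK IDs and extract IOCs."""
    score, hits, techniques = 0, [], []
    for name, technique, weight, pred in INDICATORS:
        if pred(trace):
            score += weight
            hits.append(name)
            if technique not in techniques:
                techniques.append(technique)
    label = "malicious" if score >= MALICIOUS_AT else "suspicious" if score >= SUSPICIOUS_AT else "clean"
    iocs: List[str] = []
    if label != "clean":                      # only share intel for non-clean verdicts
        for c, d in trace:
            m = re.match(r"https?://([^/]+)", d)
            if c == "network_http" and m and m.group(1) not in iocs:
                iocs.append(m.group(1))
    return Verdict(label, score, hits, techniques, iocs)


# Constructed sample traces (not captures from any real sandbox).
BENIGN_TRACE: Trace = [
    ("process_create", "explorer.exe -> winword.exe"),
    ("file_read", r"C:\Windows\Fonts\calibri.ttf"),
    ("registry_set", r"HKCU\Software\Microsoft\Office\16.0\Word\Options\LastUsed"),
]

MALICIOUS_TRACE: Trace = [
    ("process_create", "explorer.exe -> winword.exe"),
    ("api_call", "IsDebuggerPresent"),
    ("process_create", "winword.exe -> powershell.exe -nop -w hidden"),
    ("network_http", "http://update.example-cdn.test/stage2.exe"),
    ("file_write", r"C:\Users\Public\stage2.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

if __name__ == "__main__":
    for name, t in (("benign.docx", BENIGN_TRACE), ("invoice.docm", MALICIOUS_TRACE)):
        print(name, analyze(t))
```

The point of the structure is that static attributes (file type, macros) and single events are rarely conclusive on their own; it is the combination of behaviors, here an Office process spawning a shell, a download of an executable and a Run-key write, that pushes the score over the line, and each matched indicator carries the ATT&CK ID that a report can cite.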


Fortinet Malware Sandbox Solution

  • First-in-the-industry patent-pending Machine Learning (ML)-based static analysis, and ML-based dynamic analysis
  • MITRE ATT&CK standards-based reporting
  • Automated 0-day breach protection with integration to both Fortinet and non-Fortinet solutions

FortiSandbox Models and Specifications

FortiSandbox is offered in a broad range of form factors, from physical and virtual appliances to public cloud and a hosted service, with deployment options to fit any environment.


FortiSandbox hardware appliances

Form Factor | Effective real-world throughput (files/hr) | Ports
1 RU | 600 | 4x GE RJ45 ports
1 RU | 1,400 | 4x GE RJ45 ports, 4x GE SFP slots
2 RU | 2,400 | 4x GE RJ45 ports, 2x 10 GE SFP+ slots
2 RU | 5,600 | 4x GE RJ45 ports, 2x 10 GE SFP+ slots

FortiSandbox-VM (Local VMs)

Effective real-world throughput (files/hr) | Hardware dependent

Ports | 6 (minimum) virtual network interfaces

FortiSandbox-VM (Cloud VMs)

Effective real-world throughput (files/hr) | 20,000

Ports | 6 (minimum) virtual network interfaces

As businesses move to the cloud, it is imperative to extend a seamless security infrastructure to protect workloads and assets in the cloud against sophisticated threats. FortiSandbox's native support for public cloud, including Amazon Web Services (AWS) and Microsoft Azure, allows organizations to build a comprehensive cloud security architecture that integrates FortiSandbox (sandbox) with FortiGate (NGFW), FortiMail (SEG), FortiWeb (WAF), FortiClient (EPP), FortiSIEM (SIEM), and third-party solutions.

FortiSandbox Cloud offers an alternative deployment option to the FortiSandbox appliance for organizations looking for a turnkey solution. It delivers the same rapid detection and automated response, but in the cloud. This gives the flexibility to complement FortiGate in any deployment scenario, such as distributed enterprise, data center, and more.

FortiSandbox Cloud is available with the FortiGate next-generation firewall, FortiMail secure email gateway, FortiWeb web application firewall, FortiProxy secure web gateway, and FortiClient endpoint protection.


Deception-based Breach Protection

Deceive, Expose and Eliminate External and Internal Threats

A New Breach Protection Approach with FortiDeceptor

FortiDeceptor: Deception-based Breach Protection Overview

According to Verizon's 2019 Data Breach Investigations Report, two-thirds of the breaches found came from external actors while the remaining one-third involved internal actors. Unfortunately, today's reactive security solutions are narrowly focused on protecting against either external or internal threats, but not both.

FortiDeceptor is based on deception technology that complements an organization’s existing breach protection strategy, designed to deceive, expose and eliminate attacks originating from either external or internal sources before any real damage occurs.

FortiDeceptor: Deception-based Breach Protection Product Details

FortiDeceptor, a Fabric-enabled deception platform, allows organizations to rapidly create a fabricated deception network by automatically deploying decoys and lures that blend into the existing IT/OT infrastructure and tempt attackers into revealing themselves. It serves as an early warning system: because a decoy has no legitimate users, any contact with it is a high-confidence detection, and an attacker's activity details and lateral movement are correlated into a picture of the broader threat campaign. Threat intelligence captured from decoys is shared within the Security Fabric so that protection can be applied automatically, disrupting attacks before any real damage is done.
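The following added example shows the mechanism behind a decoy-based early warning system in working code. It is illustration code, not FortiDeceptor's implementation: the decoy names and banners, the alert record layout, the use of loopback sockets, and the rule "one source touching two or more distinct decoys is lateral movement" are all assumptions made for this example. Two fake services are started, a constructed scanner touches both, and the correlator flags the source.

```python
"""Decoy listeners with a lateral-movement correlator (added example).

Illustration code, not FortiDeceptor's implementation.  Decoy names,
banners, the alert record layout and the "touched two decoys" threshold
are assumptions made for this example.
"""
import socket
import socketserver
import threading
import time
from collections import defaultdict
from typing import Dict, List, Set


class AlertSink:
    """Collects decoy hits and correlates them per source address."""

    def __init__(self, lateral_threshold: int = 2):
        self.lock = threading.Lock()
        self.events: List[dict] = []
        self.touched: Dict[str, Set[str]] = defaultdict(set)
        self.lateral_threshold = lateral_threshold

    def record(self, decoy: str, src_ip: str, payload: bytes) -> None:
        with self.lock:
            self.events.append({"ts": time.time(), "decoy": decoy,
                                "src": src_ip, "payload": payload[:64]})
            self.touched[src_ip].add(decoy)

    def lateral_movers(self) -> Set[str]:
        """Sources that touched several distinct decoys: classic east-west scanning."""
        with self.lock:
            return {ip for ip, decoys in self.touched.items()
                    if len(decoys) >= self.lateral_threshold}


class DecoyHandler(socketserver.BaseRequestHandler):
    """A decoy has no legitimate users, so every connection is an alert."""

    def handle(self) -> None:
        src_ip = self.client_address[0]
        opening = b""
        try:
            self.request.settimeout(0.5)
            opening = self.request.recv(256)        # attacker's first bytes, if any
        except OSError:
            pass
        self.server.sink.record(self.server.decoy_name, src_ip, opening)
        try:
            self.request.sendall(self.server.banner)  # stay plausible, then close
        except OSError:
            pass


class Decoy(socketserver.ThreadingTCPServer):
    """One fake service bound on loopback (port 0 = let the OS pick a free port)."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, name: str, banner: bytes, sink: AlertSink, port: int = 0):
        super().__init__(("127.0.0.1", port), DecoyHandler)
        self.decoy_name, self.banner, self.sink = name, banner, sink
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self) -> int:
        return self.server_address[1]


def probe(port: int, payload: bytes) -> bytes:
    """Stand-in for an attacker's scanner: connect, send something, read the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(256)


def simulate() -> AlertSink:
    """Deploy two fake services, scan them from one host, return the correlated alerts."""
    sink = AlertSink()
    decoys = [Decoy("fake-fileserver", b"220 fs01 FTP server ready\r\n", sink),
              Decoy("fake-jumphost", b"SSH-2.0-OpenSSH_8.4\r\n", sink)]
    try:
        for d in decoys:
            probe(d.port, b"HELLO\r\n")      # constructed scanner traffic
    finally:
        for d in decoys:
            d.shutdown()
            d.server_close()
    return sink


if __name__ == "__main__":
    hits = simulate()
    for e in hits.events:
        print(f"{e['decoy']:<16} touched by {e['src']} first bytes={e['payload']!r}")
    print("lateral movement suspected from:", hits.lateral_movers())
```

Note that the alert fires on the connection itself; reading the first bytes and returning a banner only enrich the record and keep the decoy looking real to an attacker who is fingerprinting services. In a real deployment the decoys sit on production VLANs with lures (cached credentials, mapped drives) pointing at them, and the sink would feed the correlated source address to the enforcement points.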

FortiDeceptor Models and Specifications

FortiDeceptor is offered as both a hardware and a virtual appliance, giving any organization the flexibility to deploy on campus and in the cloud.

FortiDeceptor 1000F

Form Factor | 1 RU

Max Decoys | 16

Ports | 4 x GbE (RJ45), 4 x GbE (SFP)

RAID level | 0/1

Power Supply Unit | Dual PSU optional

FortiDeceptor VM

Max Decoys | 16

Ports | 6 virtual network interfaces


Access the web securely with browser isolation

FortiIsolator Overview

FortiIsolator, Fortinet's browser isolation platform, adds a further advanced threat protection capability to the Fortinet Security Fabric and protects critical business data from sophisticated threats on the web. Web content and files are opened in a remote container, and only the rendered, risk-free content is delivered to users.

Sophisticated threats on the web multiply by the day. It’s nearly impossible to stay current about what threats reside on which pages, and what objects are good or malicious. It can be intimidating to keep up with the proliferation of advanced attacks.

FortiIsolator allows organizations to keep their most critical, high-value targets secure from the onslaught of web threats. Users browse the web in an isolated environment: pages are executed in a remote container and only safe rendered content reaches the endpoint. Because the environment is entirely remote, nothing needs to be installed on a user's computer or device.

FortiIsolator Models and Specifications

FortiIsolator can be deployed as either a high-performance physical appliance, a fixed form factor for plug-and-play deployment, or a virtual appliance that scales easily to meet your needs.

FortiIsolator 1000F

Browser Sessions | 250

Form Factor | 1 RU

Interfaces | 4 Copper, RJ45

FortiIsolator VM

Maximum Virtual CPUs supported | Unlimited

VM Storage (min/max) | 500MB/4TB

Virtual Machine Memory (min/max) | 8GB/128GB

AI Powered Cybersecurity FortiAI

Virtual Security Analyst

Threat Investigation and Response

Discover FortiAI, a self-learning AI for SecOps

What is AI-Powered Cybersecurity?

Among its many benefits to cybersecurity, Artificial Intelligence (AI) can identify patterns in massive amounts of data, enabling it to detect trends in malware features and make threat classifications much more rapidly than humans can. An AI-based virtual security operations (SecOps) analyst can rapidly detect and respond to security incidents, assisting human analysts and enabling them to operate at a higher level. AI-powered cybersecurity technologies such as this can be a boon to short-staffed security teams affected by the global cybersecurity skills gap.

Machine Learning (ML) is the most common type of AI used in cybersecurity; an ML model is typically trained to perform one narrowly specified task, such as classifying one kind of input, more efficiently and consistently than hand-written rules. Deep Learning (DL) is the branch of ML that tackles larger, complex, non-linear problems with multi-layer artificial neural networks loosely modelled on the neurons of the human brain.

Learning algorithms fall into three categories: supervised, reinforcement and unsupervised. A supervised ML algorithm must be trained on a large dataset of samples labelled as either benign or malicious. In contrast, the Deep Neural Network (DNN) behind a Deep Learning model can use reinforcement learning, a reward-based form of learning, during its pre-training and later transition to unsupervised learning, i.e. self-learning that does not require a labelled dataset for training and maturity. Most importantly, it can correlate different categories of data to reach a decision.

A Virtual Security Analyst that can operate in unsupervised mode is a boon to lean SecOps teams that lack the experienced staff to fully analyze and investigate new threats in the shortest possible time. Because a DNN can learn on its own, it continuously adapts to the evolving cyber threat landscape, including AI-powered cyber attacks (see diagram below).

A virtual security analyst must have certain characteristics:

  • Ability to self-learn, i.e. it does not rely solely on cloud-based updates for AI maturity
  • Extremely high detection rate of 99% and above
  • Performs at scale with machine speeds
  • Automates detection-investigation-response threat lifecycle
  • Pre-trained AI ready for deployment on day-1

FortiAI: Virtual Security Analyst Overview

There is no question that cyberattacks and threats—ransomware, trojans, cryptomining, worms, etc.—are here to stay, but they are also becoming increasingly sophisticated and dangerous. Cybercriminals are eagerly adopting new innovations such as artificial intelligence (AI) and automation via AI fuzzing, self-learning swarm-based attacks, and expanded Malware-as-a-Service capabilities. Meanwhile, overburdened security operations teams are stuck with traditional security resources and investigation procedures to combat the increasing volume of advanced polymorphic, known, and unknown threats.

AI is paving the way for cybersecurity solutions to stay ahead of evolving threats. Fortinet FortiAI, powered by Deep Neural Networks (DNN), is the industry’s most sophisticated AI security solution. FortiAI is specifically designed to alleviate the tedious manual threat investigation of security alerts and threat response by identifying and classifying threats and malware outbreaks in sub-seconds and blocking them in the network.

FortiAI: Virtual Security Analyst Product Details

FortiGuard Labs, Fortinet's threat intelligence and research team, consists of threat researchers, analysts, and engineers at the forefront of exposing new threats. The team shares its latest threat intelligence through community blogs, threat playbooks for organizations, threat protection delivered as intelligence services, and new threat-based technologies. One of its most significant technologies, built in 2012, is an AI system that detects, and updates protection against, the millions of malware samples seen each day.

FortiAI is the cumulative result of the AI developed by FortiGuard Labs, and the first solution of its kind to embed a sophisticated and mature deep learning model via a DNN. FortiAI's patent-pending DNN approach learns about new threats on its own and helps organizations adapt their threat protection to new attacks instantaneously. In addition, FortiAI comes pre-trained with more than 6 million malware features that identify IT- and OT-based threats and classify them into malware categories. These features can also accurately pinpoint the origin and lateral spread of malware and its variants by analyzing the entire threat movement. FortiAI integrates with FortiGate to block these threats automatically. Deploying FortiAI on-premises can help security operations teams ease the security resource crisis and greatly accelerate the response to evolving threats.

FortiAI Models and Specifications

FortiAI is offered as an on-premises hardware appliance designed for deployment at data centers and campuses, and as a virtual machine.

FortiAI 3500F

Form Factor | 2 RU

Performance | 100,000 files/hour with sub-second verdict

Ports | 2 x 10GE (RJ45), 1 x GE (RJ45)

FortiAI VM

vCPU | Performance | Memory (Minimum/Recommended)
16 cores | 14,000 files/hr | 128GB/256GB
32 cores | 22,000 files/hr | 128GB/256GB


Detect and prevent insider threat with user and entity behavior analytics (UEBA)


Thirty percent of data breaches involve organization insiders acting negligently or maliciously. Insiders pose a unique threat because they have legitimate access to proprietary systems and can often bypass security measures, creating a blind spot for risk and security teams.

Fortinet's User and Entity Behavior Analytics (UEBA) technology protects organizations from insider threats by continuously monitoring users and endpoints with automated detection and response capabilities. Leveraging machine learning and advanced analytics, FortiInsight automatically identifies non-compliant, suspicious, or anomalous behavior and rapidly alerts on compromised user accounts. This proactive approach to threat detection delivers an additional layer of protection and visibility, whether users are on or off the corporate network.


FortiInsight Product Details

FortiInsight protects your organization’s sensitive data and high-value intellectual property from loss, theft, and mishandling, whether from a malicious insider or accidental incident.

FortiInsight monitors endpoint activities, resource access, and data movement both on and off the network, offering complete visibility around resources and data. It identifies risky behavior and policy violations and can take action before they turn into security incidents.

The rule-based engine combined with machine-learning analytics means it can quickly and consistently identify risky activities. In addition, it supports compliance reporting and provides detailed forensics to aid investigation.


The FortiInsight Five Factor Model

How Does the 5-factor Model Work?

Data from the FortiInsight endpoint agent is streamed securely from the endpoint to the data store in a standard format built on the 5-factor model: every record captures the machine identifier, the user and the application that performed the activity, the type of activity, and the specific resources that were affected.

For example, a single entry may contain the following:

A user named Margarette, working on gb-Machine 1, copied a file called customer_details.xlsx to removable media.

And because the 5-factor model captures the same core fields for every event, your team has comprehensive, consistent information on which to build specific alerting policies.

Reliable, Rapid Insights

  • Complete: You get every record you actually need, no more and no less. Other products don't have that granularity.
  • Consistent: Every field is consistent and in the desired format. There are no issues of data inconsistency, unlike with log file systems.
  • Cohesive: FortiInsight captures the data both on and off network, delivering easy, no-nonsense insights, in a straightforward layout for rapid data analysis.

Lightweight Agent Based Protection

FortiInsight uses patented smart-connector technology. Built from the ground up on core OS functionality, it minimizes performance impact, strengthening security with negligible effect on endpoints, users, or productivity.

Low Impact, High Performance

  • Hosted solution with minimal performance impact on the endpoint
  • Windows OS support
  • Unrivaled performance through extensive use of native file system drivers
  • Data is collected in real-time and streamed for off-site analysis with complete off-network visibility
  • Strict quality control to ensure stability and reliability of software

Unparalleled Threat Detection Capabilities

The smart connector consumes less than 0.5% of CPU, 20 MB of RAM and 5 KB/s of network traffic, with no additional configuration required and no rules to push to the connectors.

The bottom line: with negligible impact on endpoint devices, you can forget about performance degradation and focus on protecting your intellectual property (IP) and sensitive data.

FortiInsight Platform

Protect your organization against unknown threats

FortiInsight automatically learns normal user behavior, and then detects the unknown to alert you in real-time to any anomalous activities, so you can act fast before issues become serious security problems.

The lightweight agent securely streams continuous sequences of activities from monitored endpoints or cloud services to the machine learning engine, where an unsupervised anomaly-detection system identifies events that do not fit the pattern of users’ everyday activities.

These anomalies are then checked for known risk factors, such as the use of removable media or hacking tools, or access to files that violates policy. Combined with previous operator feedback, these risk factors yield an overall risk score. Any activity that appears to present risk raises an instant alert, so your team can quickly take the appropriate action.
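The 5-factor record described earlier and the anomaly-plus-risk-factor scoring described here fit together naturally, so one added example covers both. It is illustration code, not FortiInsight's engine: the pipe-delimited record layout, the resource classes, the "novel feature for this user" anomaly rule, the risk-factor weights, the alert threshold, and the training and live records for the users margarette and dave are all assumptions constructed for the example. The baseline is learned from unlabelled records, the live records are scored, and operator feedback is shown suppressing a nuisance detection without suppressing the policy-relevant one.

```python
"""Five-factor endpoint events, baseline learning and risk scoring (added example).

Illustration code, not FortiInsight's engine.  The record format, the
resource classes, the risk-factor weights, the alert threshold and all
sample records are assumptions made for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HACKING_TOOLS = {"mimikatz.exe", "psexec.exe", "nmap.exe", "lazagne.exe"}
SENSITIVE_MARKERS = ("customer_details", "\\hr\\", "payroll")   # policy-protected resources
Feature = Tuple[str, str, str]   # (application, activity, resource class)


@dataclass(frozen=True)
class Event:
    """One record in the five-factor shape: machine, user, application, activity, resource."""
    ts: str
    machine: str
    user: str
    application: str
    activity: str
    resource: str

    @classmethod
    def parse(cls, line: str) -> "Event":
        ts, machine, user, app, activity, resource = line.rstrip("\n").split("|", 5)
        return cls(ts, machine, user, app.lower(), activity, resource)

    @property
    def resource_class(self) -> str:
        r = self.resource.lower()
        if self.activity == "copy_to_removable" or r.startswith(("e:\\", "f:\\")):
            return "removable"
        if r.startswith("\\\\"):
            return "share"
        if r.startswith("mailto:"):
            return "mail"
        return "local"

    @property
    def feature(self) -> Feature:
        return (self.application, self.activity, self.resource_class)


class Baseline:
    """Per-user counts of observed features: 'normal' learned without any labels."""

    def __init__(self) -> None:
        self.seen: Dict[str, Counter] = defaultdict(Counter)

    def learn(self, events: List[Event]) -> None:
        for e in events:
            self.seen[e.user][e.feature] += 1

    def is_novel(self, e: Event) -> bool:
        return self.seen[e.user][e.feature] == 0


NOVELTY, ALERT_AT = 30, 50        # arbitrary weights for the example
RISK_FACTORS = [
    ("removable_media", 25, lambda e: e.resource_class == "removable"),
    ("hacking_tool", 40, lambda e: e.application in HACKING_TOOLS),
    ("sensitive_resource", 30, lambda e: any(m in e.resource.lower() for m in SENSITIVE_MARKERS)),
]


def score(e: Event, baseline: Baseline, feedback: Set[Tuple[str, Feature]]) -> Tuple[int, List[str]]:
    """Anomaly bonus (unless an operator marked this user+feature benign) plus known risk factors."""
    total, reasons = 0, []
    if baseline.is_novel(e) and (e.user, e.feature) not in feedback:
        total += NOVELTY
        reasons.append("novel_for_user")
    for name, weight, pred in RISK_FACTORS:
        if pred(e):
            total += weight
            reasons.append(name)
    return total, reasons


def alerts(lines: List[str], baseline: Baseline,
           feedback: Set[Tuple[str, Feature]]) -> List[Tuple[Event, int, List[str]]]:
    out = []
    for line in lines:
        e = Event.parse(line)
        s, reasons = score(e, baseline, feedback)
        if s >= ALERT_AT:
            out.append((e, s, reasons))
    return out


# Constructed records: ts|machine|user|application|activity|resource
TRAINING = [
    r"2024-05-01T08:55:00Z|gb-machine1|margarette|excel.exe|read|\\fs01\sales\q1.xlsx",
    r"2024-05-01T09:10:00Z|gb-machine1|margarette|excel.exe|read|\\fs01\sales\q2.xlsx",
    r"2024-05-01T09:30:00Z|gb-machine1|margarette|outlook.exe|send|mailto:client@example.test",
    r"2024-05-01T10:00:00Z|gb-machine7|dave|winword.exe|read|C:\Users\dave\notes.docx",
    r"2024-05-01T10:05:00Z|gb-machine7|dave|outlook.exe|send|mailto:team@example.test",
]
LIVE = [
    r"2024-05-03T17:42:00Z|gb-machine1|margarette|explorer.exe|copy_to_removable|E:\customer_details.xlsx",
    r"2024-05-03T17:43:00Z|gb-machine1|margarette|excel.exe|read|\\fs01\sales\q3.xlsx",
    r"2024-05-03T17:44:00Z|gb-machine1|margarette|explorer.exe|copy_to_removable|E:\holiday.jpg",
    r"2024-05-03T17:50:00Z|gb-machine7|dave|mimikatz.exe|execute|C:\tools\mimikatz.exe",
    r"2024-05-03T17:51:00Z|gb-machine7|dave|outlook.exe|send|mailto:team@example.test",
]
# Operator feedback: margarette's removable-media copies are routine, not novel.
FEEDBACK = {("margarette", ("explorer.exe", "copy_to_removable", "removable"))}

if __name__ == "__main__":
    base = Baseline()
    base.learn([Event.parse(l) for l in TRAINING])
    for e, s, why in alerts(LIVE, base, FEEDBACK):
        print(f"{s:3d} {e.user}@{e.machine} {e.application} {e.activity} {e.resource} {why}")
```

Without feedback the holiday photo copied to a USB stick alerts exactly like the customer spreadsheet, because both are novel for the user and both touch removable media. Once the operator marks that feature benign, the novelty bonus is dropped for that user, the photo falls below the threshold, and the spreadsheet still alerts on the removable-media and sensitive-resource factors alone. The machine field is carried through unused by the scoring so that an analyst can pivot on it during investigation.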

Efficient, Effective Data Security

  • FortiInsight learns from the anomalies you find most valuable, and then screens out irrelevant detections
  • Scales with your organization, allowing comprehensive investigation at every level of detail
  • Each FortiInsight dashboard visualization clearly expresses the shape of the data, accentuating high-risk anomalies while giving you a bird’s-eye view of user behavior
  • FortiInsight displays data so that you can rapidly prioritize high-risk anomalies, prevent incidents and stay compliant
  • Detailed, dynamic dashboard capabilities enable you to make high-level decisions around your security posture, all in one place and in real-time
  • Quickly answer critical questions such as, who, where, what, and how