Go from Zero-Day Threats to Zero Threats with Inline Sandboxing

By Karin Shopen | March 09, 2023

Even if you have extensive security in place, unknown and suspicious code and files continue to present serious threats. Until recently, no vendor has been able to deliver inline sandboxing on the network because of the astronomical performance demands. Fortinet’s dedication to innovation has led to the industry’s first inline sandbox on a next-generation firewall (NGFW), which holds suspicious files and analyzes them in near real time without impacting productivity or network performance. Unlike with a traditional offline sandbox, known file-based threats such as malware are never allowed to enter the network, significantly reducing risk and time to mitigate. Inline sandboxing is one of many examples of Fortinet’s dedication to industry-first cybersecurity innovation to help our customers reduce risk and stay ahead of cyber adversaries.

Why AV with Sandbox Technology Matters

Sandbox technology has been around for years because it is so effective at discovering if an unknown file or code is malicious. By analyzing unknown files in a simulated environment, a sandbox acts as a safeguard against potential malware. The sandbox is also responsible for delivering an updated set of threat data and protections against the analyzed sample, enhancing your organization’s security posture to defend against newly discovered threats in real time.

Sandboxing is often used as one of the defenses against zero-day threats, which are threats that have not been seen before and do not match any known malware patterns. These types of threats can be missed by security solutions, and sandboxing offers another level of protection.

Malware detection goes through three phases:

  • Advanced antivirus solutions catch and block known and unknown malware in real time.
  • Proactive signature-detection technology with signatures for polymorphic threats is used to narrow down the number of files. This technology takes advantage of global threat data from large networks in combination with content pattern recognition language (CPRL).
  • Malware that isn’t identified in the first two steps is then sent to the inline sandbox for analysis. Traditionally, such a file is held on endpoint and email technologies but let in on the NGFW.

Sandbox solutions then provide a verdict as to whether a file is malicious or not. The solution also generates new threat updates for antivirus, intrusion protection systems, and specific DNS and URL data. Then the malware can be identified and stopped without needing to be reanalyzed the next time it appears within an organization’s network, endpoint, or cloud environments.

The Old Trade-Off Between Security and Performance

Although sandboxing is an effective technology for detecting threats, sandboxing solutions have often suffered from an inability to keep up with the speed of today’s enterprise traffic, so there has traditionally been a trade-off between security and performance. To avoid performance problems, sandboxing solutions have typically let all files pass into the organization while analysis for threats occurs offline.

Although a suspicious file is held on endpoint and email security solutions until the sandbox reaches a verdict, on the network files are let in to avoid slowdowns. With this type of reactive approach, if the file does turn out to be malicious, tracking it down as it spreads and moves deeper into the organization’s network and systems creates additional work for security teams. And there’s always the chance that a malicious file causes damage before it can be recovered, or that it has moved laterally into adjacent networks and systems, compounding the security threat.

Inline Sandboxing Powered by Artificial Intelligence

To further reduce the risk presented by the old method of offline sandboxing, Fortinet released the industry’s first inline sandbox on a next-generation firewall, which holds suspicious files without performance impact. This subscription service can be enabled in Fortinet FortiGate firewalls running FortiOS version 7.2+ and also in version 4.2+ of the FortiSandbox product line.

Backed by FortiGuard Labs, the Fortinet inline sandbox is powered by artificial intelligence (AI), which enables the proactive and predictive identification and classification of a threat in real time while providing quicker time to verdict. Suspicious and at-risk files are subjected to a first-stage analysis, the inline sandbox’s static analysis powered by machine learning (ML), which quickly identifies known and unknown malware.

The second-stage dynamic analysis is performed in a contained environment to uncover the full attack lifecycle. It takes advantage of behavior-based ML, which is constantly learning new malware techniques and automatically adapting malware behavioral indicators. Once a file has been cleared, it is allowed into the network without impacting performance or security. Malicious files are dropped, and the process goes on to create and distribute new protections across the Fortinet Security Fabric.

Having the hold, evaluate, and release capabilities of the inline sandbox on the firewall eliminates the need for security teams to track down malicious file-based threats that previously would have been allowed in. The inline sandbox provides protection across both information technology (IT) and operational technology (OT) environments and can be deployed at multiple locations including the cloud, data center, branch, campus, email, and endpoints. Because the inline sandbox is fully integrated with other security products within the Fortinet Security Fabric, it helps close gaps in the attack surface, and its scalability makes it ideal for organizations of any size.

Move into the Sandbox of the Future

In the past, sandboxing has been a performance-intensive offline task that has resulted in bottlenecks and extra work for security staff. It also did not stop malicious files from getting into the network. But now, with the Fortinet inline sandbox, organizations gain real-time, in-network protection capabilities. This technology can stop both known and unknown malware with no impact on operations and provide real-time intelligence across the entire Fortinet Security Fabric.