Handbook 6.0.0

Overview

FortiSandbox integration involves three FortiGate security profiles: AntiVirus, Web Filtering, and FortiClient Profiles.

A FortiGate can retrieve scan results and details from FortiSandbox, and receive antivirus and web-filtering signatures to supplement the current signature database. When FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine that endpoint, provided it is registered to a FortiClient host.

When integrated with a FortiGate unit, the following protocols are supported by FortiSandbox: HTTP, HTTPS, FTP, FTPS, POP3, POP3S, IMAP, IMAPS, SMTPS, MAPI, MAPIS, SMB, and supported IM protocols.

AntiVirus

When FortiSandbox discovers a malicious file, it can create an AntiVirus signature for that file and add the signature to both the local FortiGate malware database and the FortiGuard AntiVirus signature database. Through FortiSandbox integration, this signature can be sent to a FortiGate to block the file from re-entering the network.

Use of the FortiSandbox AntiVirus database is enabled in an AntiVirus profile, found at Security Profiles > AntiVirus. It can also be configured using the following CLI commands:

config antivirus profile
    edit <profile>
        set analytics-db enable
    next
end

Web Filtering

FortiSandbox integration also lets FortiSandbox add the source URL of a discovered malicious file to the FortiGate's blocked URL list, so that the file's origin is blocked as well as the file itself.

Blocking malicious URLs discovered by FortiSandbox is enabled in a Web Filter profile, found at Security Profiles > Web Filter. It can also be configured using the following CLI commands:

config webfilter profile
    edit <profile>
        config web
            set blacklist enable
        end
    next
end

FortiClient Profiles

Note: Extended FortiSandbox scanning is currently only supported by FortiClient 5.4 for Windows, and only with a FortiSandbox Appliance.

When extended FortiSandbox scanning is enabled for FortiClient, files downloaded by FortiClient can be sent to the FortiSandbox for inspection. Also, FortiClient can be configured to wait until sandbox inspection is complete before allowing a suspicious file to be accessed.

AntiVirus signatures can also be pushed by the FortiGate to FortiClient.

If a FortiClient device attempts to download a file that FortiSandbox discovers is malicious, FortiSandbox notifies the FortiGate. The administrator can then take action to protect the local network and quarantine the device. While the device is under quarantine, FortiClient cannot be shut down or uninstalled, and the user can neither deregister from the FortiGate that quarantined them nor register to another FortiGate unit. Only the administrator of the FortiGate where the FortiClient device is registered can lift the quarantine.

To configure extended FortiSandbox scanning, go to Security Profiles > FortiClient Compliance, or use the following CLI commands:

config endpoint-control profile
    edit <profile>
        config forticlient-winmac-settings
            set forticlient-av enable
            set av-realtime-protection enable
            set sandbox-analysis enable
            set sandbox-address <address>
        end
    next
end

You can also configure extended FortiSandbox scanning directly in the FortiClient AntiVirus settings. If you are using FortiClient version 5.6+, the Sandbox Detection feature can be used to send files to FortiSandbox for analysis without having to install the AntiVirus feature. See the FortiClient Administration Guide for details.

Configuring the submission limit on the FortiSandbox lets you limit the number of files sent from a single device to FortiSandbox. This allows you to prioritize which devices get the greater share of FortiSandbox resources.
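The three CLI fragments above are the settings an auditor checks when verifying that a FortiGate is actually using FortiSandbox. The following is an added example (not Fortinet's code) that parses a FortiOS configuration export into nested tables and reports every AntiVirus, Web Filter and FortiClient profile whose sandbox setting is not enabled; the profile names and sandbox address in the sample are constructed.

```python
# Constructed sample export (hypothetical names/address) shaped like this section's
# CLI fragments; the web filter profile is deliberately left with blacklist disabled.
SAMPLE_CONFIG = """\
config antivirus profile
    edit "av-sandbox"
        set analytics-db enable
    next
end
config webfilter profile
    edit "wf-default"
        config web
            set blacklist disable
        end
    next
end
config endpoint-control profile
    edit "fc-win"
        config forticlient-winmac-settings
            set sandbox-analysis enable
            set sandbox-address "192.0.2.10"
        end
    next
end
"""

def parse_fortios(text):
    """Nested dicts: 'config'/'edit' open a table, 'set' stores, 'next'/'end' close."""
    root, stack = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        cur = stack[-1] if stack else root
        if line.startswith(("config ", "edit ")):
            stack.append(cur.setdefault(line.split(" ", 1)[1].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cur[key] = value.strip('"')
        elif line in ("next", "end"):
            stack.pop()
    return root

# Per profile table: (nested sub-table or None, setting that must be 'enable').
SANDBOX_SETTINGS = {
    "antivirus profile": (None, "analytics-db"),
    "webfilter profile": ("web", "blacklist"),
    "endpoint-control profile": ("forticlient-winmac-settings", "sandbox-analysis"),
}

def sandbox_gaps(cfg):
    # Returns (table, profile) pairs whose FortiSandbox setting is not 'enable'.
    return [(table, name)
            for table, (sub, key) in SANDBOX_SETTINGS.items()
            for name, prof in cfg.get(table, {}).items()
            if (prof.get(sub, {}) if sub else prof).get(key) != "enable"]
```

Run `sandbox_gaps(parse_fortios(open("fortigate-backup.conf").read()))` against a real backup to list the profiles still missing FortiSandbox integration.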