FortiSandbox database
The Use FortiSandbox database setting in the Antivirus profile enables the FortiGate's antivirus engine to receive the latest malware signatures discovered by FortiSandbox, which are stored in FortiSandbox's malware database. When Use FortiSandbox database is enabled, the FortiGate scans with these signatures alongside its existing antivirus signature database. The antivirus engine searches the malware signature database and the antivirus signature database in tandem for a match. Once a signature match is found, the FortiGate determines whether the file is infected and takes the configured action.
The malware signature database supplements the existing antivirus signature database on the FortiGate. This setting is useful if a FortiSandbox solution (either FortiGate Sandbox Cloud, FortiSandbox Cloud, or the FortiSandbox appliance) is deployed.
If multiple FortiGates are deployed together with a FortiSandbox, enabling Use FortiSandbox database in the Antivirus profile allows all of them to download the malware signature database from your FortiSandbox. This can prevent zero-day attacks discovered by the FortiSandbox. FortiSandbox can also be configured to submit its malware signature database to the Fortinet Inc. Community by enabling the required Contribute settings under your scan profile. See Scan Profile Advanced Tab in the FortiSandbox Administration Guide for information on the scan profile.
FortiGuard Labs later releases the submitted signatures as antivirus updates, which FortiGates worldwide can download through FortiGuard updates. See Configuring FortiGuard updates.
To enable using the FortiSandbox database in an antivirus profile in the GUI:
- Go to Security Profile > AntiVirus.
- Select the default profile and click Edit.
- Under the APT Protection Options, enable Use FortiSandbox database.
- Click OK to save the changes.
- Apply this default profile to the respective firewall policy.
To enable using the FortiSandbox database in an antivirus profile in the CLI:
    config antivirus profile
        edit "default"
            set analytics-db enable
        next
    end
It is best practice to keep the
To use the antivirus profile in a firewall policy:
    config firewall policy
        edit 1
            set name "policyid-1"
            set srcintf "lan"
            set dstintf "wan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set ssl-ssh-profile "certificate-inspection"
            set av-profile "default"
            set nat enable
        next
    end
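The two CLI blocks above are easy to get out of sync on a large deployment: a policy may reference an antivirus profile on which analytics-db was never enabled, or no antivirus profile at all, in which case FortiSandbox signatures are never consulted for that traffic. The following is an added audit script, not Fortinet code and not part of FortiOS, that parses a configuration dump in the config/edit/set/next/end syntax shown on this page and reports every firewall policy that does not get FortiSandbox database lookups. The configuration text embedded in it is constructed for the example; the parser supports only the flat block shape used here and skips nested config blocks. It assumes, as FortiOS does for omitted settings, that a profile with no analytics-db line has the setting at its default (disabled).

```python
"""Audit a FortiOS config dump for firewall policies whose antivirus profile
does not have 'set analytics-db enable' (CLI form of "Use FortiSandbox database").

Added example, not Fortinet's code. Only the flat
config / edit / set / next / end syntax shown on the page is parsed.
"""
import shlex

# Constructed sample configuration (not a real FortiGate dump).
SAMPLE_CONFIG = """
config antivirus profile
    edit "default"
        set analytics-db enable
    next
    edit "legacy"
        set comment "profile without sandbox lookups"
    next
end
config firewall policy
    edit 1
        set name "policyid-1"
        set srcintf "lan"
        set dstintf "wan"
        set av-profile "default"
    next
    edit 2
        set name "guest-out"
        set srcintf "guest"
        set dstintf "wan"
        set av-profile "legacy"
    next
    edit 3
        set name "no-av"
        set srcintf "dmz"
        set dstintf "wan"
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry: {setting: value}}} for a FortiOS config dump."""
    sections = {}
    section = None   # current 'config <section>' name
    entry = None     # current 'edit <entry>' name, or None between entries
    nested = 0       # depth of nested 'config' blocks inside an entry (skipped)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # honours quoted values such as "policyid-1"
        cmd = tokens[0]
        if nested:
            # Inside a nested block: only track where it ends.
            if cmd == "config":
                nested += 1
            elif cmd == "end":
                nested -= 1
            continue
        if cmd == "config":
            if entry is not None:
                nested += 1  # nested config inside an edit entry; skip it
            else:
                section = " ".join(tokens[1:])
                sections.setdefault(section, {})
        elif cmd == "edit" and section is not None:
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            sections[section][entry][tokens[1]] = " ".join(tokens[2:])
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return sections


def audit_sandbox_db(config_text):
    """Return (policy_id, policy_name, reason) for every policy that will not
    use FortiSandbox signatures: no av-profile, an undefined av-profile, or an
    av-profile whose analytics-db is not enabled."""
    cfg = parse_fortios(config_text)
    profiles = cfg.get("antivirus profile", {})
    findings = []
    for pid, settings in cfg.get("firewall policy", {}).items():
        name = settings.get("name", "")
        prof = settings.get("av-profile")
        if prof is None:
            findings.append((pid, name, "no av-profile applied"))
        elif prof not in profiles:
            findings.append((pid, name, f"av-profile '{prof}' is not defined"))
        # Assumption: an omitted analytics-db line means the default, disable.
        elif profiles[prof].get("analytics-db", "disable") != "enable":
            findings.append((pid, name, f"av-profile '{prof}' has analytics-db disabled"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_sandbox_db(SAMPLE_CONFIG):
        print(f"policy {pid} ({name}): {reason}")
```

Run it against the output of `show antivirus profile` and `show firewall policy` concatenated into one file; policies flagged with "no av-profile applied" are worth a second look even when they intentionally carry no antivirus inspection, because they also receive none of the FortiSandbox-derived signatures described above.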
Once the Antivirus profile is configured to use the FortiSandbox database and to submit files to FortiSandbox, and the profile is applied in a firewall policy, sharing of the malware database from the FortiSandbox to the FortiGate must also be configured. For information on submitting files to FortiSandbox, see Using FortiSandbox with antivirus.
The configuration depends on the type of FortiSandbox in use. The table below shows key differences in configuration:
Type of FortiSandbox | Malware database sharing with the FortiGate
---|---
FortiSandbox Appliance/FortiSandbox VM (On-Premise) | Enabled using the Global network. See Global Network in the FortiSandbox Administration Guide.
FortiSandbox Cloud (PaaS) | Enabled by default.
FortiGate Cloud Sandbox (SaaS) | Enabled by default.