Fortinet white logo
Fortinet white logo

Administration Guide

Configuring Sandboxing

Configuring Sandboxing

The Security Fabric supports the following FortiSandbox deployments.

Type

Description

Requirements

FortiGate Cloud Sandbox

Files are sent to Fortinet’s Cloud Sandbox cluster for processing.

  • The FortiGate must have a valid AV license.
  • The FortiCloud account provides access to a portal to view submissions. This is not required for the Security Fabric.

FortiSandbox Cloud

Files are sent to a dedicated FortiCloud hosted instance of FortiSandbox for processing.

  • FortiCloud premium license
  • FortiSandbox Cloud entitlement
  • The FortiGate and FortiCloud license are registered to the same account.

FortiSandbox appliance

Files are sent to a physical appliance or VM, typically residing on premise, for processing.

  • None

To apply sandboxing in a Security Fabric, connect one of the FortiSandbox deployments, then configure an antivirus profile to submit files for dynamic analysis. The submission results supplement the AV signatures on the FortiGate. FortiSandbox inspection can also be used in web filter profiles.

In a Security Fabric environment, sandbox settings are configured on the root FortiGate. Once configured, the root FortiGate pushes the settings to other FortiGates in the Security Fabric.

FortiGate Cloud Sandbox

FortiGate Cloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It also allows you to control the region where your traffic is sent to for analysis. This allows you to meet your country's compliance needs regarding data storage locations.

Users are not required to have a FortiCloud account to use FortiGate Sandbox Cloud.

The submission to the cloud with a valid FortiGuard Antivirus (AVDB) license is rate limited per FortiGate model. Refer to the Service Description for details. For those without any AVDB license, the submission is limited to only 100 per day.

To configure FortiGate Cloud Sandbox, you must first activate the connection from the CLI. Note that FortiGate Cloud Sandbox is decoupled from FortiGate Cloud logging, so you do not need to have a FortiCloud account or have cloud logging enabled.

To activate the FortiGate Cloud Sandbox connection:
# execute forticloud-sandbox region
0  Europe
1  Global
2  Japan
3  US
Please select cloud sandbox region[0-3]:3

After a region is selected, the following configuration is added:

config system fortiguard
    set sandbox-region {0 | 1 | 2 | 3}
end
Tooltip

Alternatively, using the execute forticloud-sandbox update command also works.

To obtain or renew a FortiGuard antivirus license:
  1. See the How to Purchase or Renew FortiGuard Services video for FortiGuard antivirus license purchase instructions.
  2. Once a FortiGuard license is purchased and activated, users are provided with a paid FortiSandbox Cloud license.
    1. Go to Dashboard > Status to view the FortiSandbox Cloud license indicator.

    2. Alternatively, go to System > FortiGuard to view the FortiSandbox Cloud license indicator.
To enable FortiGate Cloud Sandbox in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiGate Cloud.
  4. Select a Region from the dropdown.

  5. Click OK.

FortiSandbox Cloud

FortiSandbox Cloud offers more features and better detection capability. Connecting to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the dedicated FortiSandbox Cloud instance. The FortiGate automatically detects if there is a valid entitlement.

The following items are required to initialize FortiSandbox Cloud:

  • A FortiCloud premium account.
  • A valid FortiSandbox Cloud contract on the FortiGate. To view contract information in the CLI, enter diagnose test update info. The User ID at the end of the output shows FortiCloud which FortiSandbox Cloud account the FortiGate is connected to.
  • A provisioned FortiSandbox Cloud. See Deploying FortiSandbox Cloud for information.
To configure FortiSandbox Cloud in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiSandbox Cloud.

    Tooltip

    If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the CLI:

    config system global
        set gui-fortigate-cloud-sandbox enable
    end
  4. Click OK.
To configure FortiSandbox Cloud in the CLI:
config system fortisandbox
    set status enable
    set forticloud enable
    set server <string>
end

If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration will not save.

If the FortiSandbox Cloud is running version 4.0.0 and later, the FortiGate will automatically connect to fortisandboxcloud.com, and then discover the specific region and server to connect to based on which region the customer selected to deploy their FortiSandbox Cloud instance. The FortiGate must have a FortiCloud premium account license and a FortiSandbox Cloud VM license for this functionality.

FortiSandbox appliance

FortiSandbox appliance is the on-premise option for a full featured FortiSandbox. Connecting to a FortiSandbox appliance requires that Cloud Sandbox is disabled.

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Disabled.
  3. Click OK.
To enable FortiSandbox appliance in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  2. Set Status to Enable.
  3. In the Server field, enter the FortiSandbox device's IP address.
  4. Optionally, enter a Notifier email.
  5. Click OK.
To enable FortiSandbox appliance in the CLI:
config system fortisandbox
    set status enable
    set forticloud disable
    set server <address>
end

Authorizing the FortiGate from FortiSandbox Cloud and a FortiSandbox appliance

Once the FortiGate makes a connection to the FortiSandbox Cloud or appliance, the FortiGate must be authorized.

To authorize a FortiGate from FortiSandbox:
  1. In the FortiSandbox GUI, go to Scan Input > Device in 3.2 or Security Fabric > Device in 4.0.
  2. Search using the FortiGate serial number to locate the FortiGate. In the Auth column, click the link icon to authorize the FortiGate.
  3. Repeat this step to authorize the VDOMs if required.

    The link icon changes from an open to a closed link, which indicates that the FortiGate is authorized.

  4. In the FortiGate GUI, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  5. Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.

Antivirus profiles

An antivirus profile must be configured to send files to the sandbox. Once submitted, sandbox inspection is performed on the file to detect malicious activities. The FortiGate can use the dynamic malware detection database from the sandbox to supplement the AV signature database. See Using FortiSandbox post-transfer scanning with antivirus for more information.

FortiSandbox inline scanning is supported on FortiSandbox appliances in proxy inspection mode. When inline scanning is enabled, the client's file is held while it is sent to FortiSandbox for inspection. Once a verdict is returned, the appropriate action is performed on the held file. If there is an error or timeout on the FortiSandbox, the FortiGate's configuration determines what to do with the held file. See Using FortiSandbox inline scanning with antivirus for more information.

Note

Inline scanning requires a FortiSandbox appliance running version 4.2 later, or FortiGate Sandbox Cloud (SaaS). This feature is not supported on FortiSandbox Cloud (PaaS).

Web filter profiles

Sandbox inspection can be used in web filter profiles. The FortiGate uses URL threat detection database from the sandbox to block malicious URLs. See Block malicious URLs discovered by FortiSandbox for more information.

Top FortiSandbox Files FortiView monitor

In the Top FortiSandbox Files FortiView monitor, users can select a submitted file and drill down to view its static and dynamic file analysis. The full FortiSandbox report can be downloaded in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 and later.

Prerequisites:
  1. Add FortiSandbox to the Security Fabric.
  2. Configure an AV profile with Send files to FortiSandbox for inspection enabled (see Using FortiSandbox post-transfer scanning with antivirus).
  3. Configure a firewall policy with the AV profile that allows traffic to the internet.
  4. Add the Top FortiSandbox Files FortiView monitor (see Adding FortiView monitors).
  5. On a client PC, attempt to download a suspicious file.
To view the FortiSandbox analysis and download the PDF:
  1. Go to Dashboard > Top FortiSandbox Files. The entry appears in the table, but the analysis is not available yet.

  2. After about five to ten minutes, refresh the table. The analysis is available.

  3. Select the entry, then right-click and select Drill Down to Details.
  4. In the dropdown, select Static File Analysis to view the static file analysis.

  5. In the dropdown, select the client device to view the dynamic file analysis.

  6. Click Download full report to download the detailed PDF report. The reports contains FortiSandbox job information, detailed file information, static analysis results, and dynamic analysis results.

Configuring Sandboxing

Configuring Sandboxing

The Security Fabric supports the following FortiSandbox deployments.

Type

Description

Requirements

FortiGate Cloud Sandbox

Files are sent to Fortinet’s Cloud Sandbox cluster for processing.

  • The FortiGate must have a valid AV license.
  • The FortiCloud account provides access to a portal to view submissions. This is not required for the Security Fabric.

FortiSandbox Cloud

Files are sent to a dedicated FortiCloud hosted instance of FortiSandbox for processing.

  • FortiCloud premium license
  • FortiSandbox Cloud entitlement
  • The FortiGate and FortiCloud license are registered to the same account.

FortiSandbox appliance

Files are sent to a physical appliance or VM, typically residing on premise, for processing.

  • None

To apply sandboxing in a Security Fabric, connect one of the FortiSandbox deployments, then configure an antivirus profile to submit files for dynamic analysis. The submission results supplement the AV signatures on the FortiGate. FortiSandbox inspection can also be used in web filter profiles.

In a Security Fabric environment, sandbox settings are configured on the root FortiGate. Once configured, the root FortiGate pushes the settings to other FortiGates in the Security Fabric.

FortiGate Cloud Sandbox

FortiGate Cloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It also allows you to control the region where your traffic is sent to for analysis. This allows you to meet your country's compliance needs regarding data storage locations.

Users are not required to have a FortiCloud account to use FortiGate Sandbox Cloud.

The submission to the cloud with a valid FortiGuard Antivirus (AVDB) license is rate limited per FortiGate model. Refer to the Service Description for details. For those without any AVDB license, the submission is limited to only 100 per day.

To configure FortiGate Cloud Sandbox, you must first activate the connection from the CLI. Note that FortiGate Cloud Sandbox is decoupled from FortiGate Cloud logging, so you do not need to have a FortiCloud account or have cloud logging enabled.

To activate the FortiGate Cloud Sandbox connection:
# execute forticloud-sandbox region
0  Europe
1  Global
2  Japan
3  US
Please select cloud sandbox region[0-3]:3

After a region is selected, the following configuration is added:

config system fortiguard
    set sandbox-region {0 | 1 | 2 | 3}
end
Tooltip

Alternatively, using the execute forticloud-sandbox update command also works.

To obtain or renew a FortiGuard antivirus license:
  1. See the How to Purchase or Renew FortiGuard Services video for FortiGuard antivirus license purchase instructions.
  2. Once a FortiGuard license is purchased and activated, users are provided with a paid FortiSandbox Cloud license.
    1. Go to Dashboard > Status to view the FortiSandbox Cloud license indicator.

    2. Alternatively, go to System > FortiGuard to view the FortiSandbox Cloud license indicator.
To enable FortiGate Cloud Sandbox in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiGate Cloud.
  4. Select a Region from the dropdown.

  5. Click OK.

FortiSandbox Cloud

FortiSandbox Cloud offers more features and better detection capability. Connecting to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the dedicated FortiSandbox Cloud instance. The FortiGate automatically detects if there is a valid entitlement.

The following items are required to initialize FortiSandbox Cloud:

  • A FortiCloud premium account.
  • A valid FortiSandbox Cloud contract on the FortiGate. To view contract information in the CLI, enter diagnose test update info. The User ID at the end of the output shows FortiCloud which FortiSandbox Cloud account the FortiGate is connected to.
  • A provisioned FortiSandbox Cloud. See Deploying FortiSandbox Cloud for information.
To configure FortiSandbox Cloud in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiSandbox Cloud.

    Tooltip

    If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the CLI:

    config system global
        set gui-fortigate-cloud-sandbox enable
    end
  4. Click OK.
To configure FortiSandbox Cloud in the CLI:
config system fortisandbox
    set status enable
    set forticloud enable
    set server <string>
end

If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration will not save.

If the FortiSandbox Cloud is running version 4.0.0 and later, the FortiGate will automatically connect to fortisandboxcloud.com, and then discover the specific region and server to connect to based on which region the customer selected to deploy their FortiSandbox Cloud instance. The FortiGate must have a FortiCloud premium account license and a FortiSandbox Cloud VM license for this functionality.

FortiSandbox appliance

FortiSandbox appliance is the on-premise option for a full featured FortiSandbox. Connecting to a FortiSandbox appliance requires that Cloud Sandbox is disabled.

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Disabled.
  3. Click OK.
To enable FortiSandbox appliance in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  2. Set Status to Enable.
  3. In the Server field, enter the FortiSandbox device's IP address.
  4. Optionally, enter a Notifier email.
  5. Click OK.
To enable FortiSandbox appliance in the CLI:
config system fortisandbox
    set status enable
    set forticloud disable
    set server <address>
end

Authorizing the FortiGate from FortiSandbox Cloud and a FortiSandbox appliance

Once the FortiGate makes a connection to the FortiSandbox Cloud or appliance, the FortiGate must be authorized.

To authorize a FortiGate from FortiSandbox:
  1. In the FortiSandbox GUI, go to Scan Input > Device in 3.2 or Security Fabric > Device in 4.0.
  2. Search using the FortiGate serial number to locate the FortiGate. In the Auth column, click the link icon to authorize the FortiGate.
  3. Repeat this step to authorize the VDOMs if required.

    The link icon changes from an open to a closed link, which indicates that the FortiGate is authorized.

  4. In the FortiGate GUI, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  5. Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.

Antivirus profiles

An antivirus profile must be configured to send files to the sandbox. Once submitted, sandbox inspection is performed on the file to detect malicious activities. The FortiGate can use the dynamic malware detection database from the sandbox to supplement the AV signature database. See Using FortiSandbox post-transfer scanning with antivirus for more information.

FortiSandbox inline scanning is supported on FortiSandbox appliances in proxy inspection mode. When inline scanning is enabled, the client's file is held while it is sent to FortiSandbox for inspection. Once a verdict is returned, the appropriate action is performed on the held file. If there is an error or timeout on the FortiSandbox, the FortiGate's configuration determines what to do with the held file. See Using FortiSandbox inline scanning with antivirus for more information.

Note

Inline scanning requires a FortiSandbox appliance running version 4.2 later, or FortiGate Sandbox Cloud (SaaS). This feature is not supported on FortiSandbox Cloud (PaaS).

Web filter profiles

Sandbox inspection can be used in web filter profiles. The FortiGate uses URL threat detection database from the sandbox to block malicious URLs. See Block malicious URLs discovered by FortiSandbox for more information.

Top FortiSandbox Files FortiView monitor

In the Top FortiSandbox Files FortiView monitor, users can select a submitted file and drill down to view its static and dynamic file analysis. The full FortiSandbox report can be downloaded in PDF format. This feature works with FortiGate Cloud Sandbox, FortiSandbox Cloud, and FortiSandbox appliance. FortiSandbox must be running version 3.2.1 and later.

Prerequisites:
  1. Add FortiSandbox to the Security Fabric.
  2. Configure an AV profile with Send files to FortiSandbox for inspection enabled (see Using FortiSandbox post-transfer scanning with antivirus).
  3. Configure a firewall policy with the AV profile that allows traffic to the internet.
  4. Add the Top FortiSandbox Files FortiView monitor (see Adding FortiView monitors).
  5. On a client PC, attempt to download a suspicious file.
To view the FortiSandbox analysis and download the PDF:
  1. Go to Dashboard > Top FortiSandbox Files. The entry appears in the table, but the analysis is not available yet.

  2. After about five to ten minutes, refresh the table. The analysis is available.

  3. Select the entry, then right-click and select Drill Down to Details.
  4. In the dropdown, select Static File Analysis to view the static file analysis.

  5. In the dropdown, select the client device to view the dynamic file analysis.

  6. Click Download full report to download the detailed PDF report. The reports contains FortiSandbox job information, detailed file information, static analysis results, and dynamic analysis results.