
Administration Guide

FortiSandbox integration (FortiSandbox 4.0.1 and higher)


FortiSandbox integration (FortiSandbox 4.0.1 and higher)

A FortiSandbox deployment with an integrated FortiNDR can increase detection coverage and overall throughput. Submitted files go through the following logic:

  1. FortiSandbox performs its pre-filtering and Static Scan analysis. If any known malware is found, the result is returned.
  2. When FortiAI Entrust is enabled under FortiSandbox Scan Profile, FortiSandbox sends the files to FortiNDR via API for FortiNDR's verdict of malware or absolute clean, and the result is returned. If a file is not absolute clean, then the next step is performed.
  3. FortiSandbox performs its Dynamic Scan analysis to capture any IOC.

With this integration, FortiNDR reduces the load on FortiSandbox's Dynamic Scan and assists FortiSandbox with determining malware type, such as banking trojan, coinminer, and so on, based on the features observed.
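The three-stage verdict flow above is easy to misread as "every file goes everywhere". The added example below (written for this page; it is not Fortinet code and does not use the real FortiSandbox or FortiNDR API, which is documented in Appendix A) models the routing: Static Scan returns early on known malware, the FortiNDR verdict short-circuits both "malware" and "absolute clean", and only files that are neither reach Dynamic Scan. The FortiNDR and Dynamic Scan callables, the sample files and the known-malware hash set are all constructed stand-ins; the `dynamic_scan_calls` counter makes the Dynamic Scan load reduction visible with Entrust on versus off.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Verdict(Enum):
    CLEAN = "clean"            # FortiNDR "absolute clean": final, Dynamic Scan skipped
    MALWARE = "malware"        # final, with malware type where FortiNDR supplies one
    SUSPICIOUS = "suspicious"  # not absolute clean: falls through to Dynamic Scan


@dataclass
class ScanResult:
    filename: str
    verdict: Verdict
    stage: str                      # "static", "fortindr" or "dynamic"
    malware_type: Optional[str] = None


@dataclass
class ScanPipeline:
    entrust_enabled: bool                                   # FortiAI Entrust in the scan profile
    known_malware: Set[str]                                 # stand-in for pre-filter/Static Scan
    fortindr_verdict: Callable[[bytes], Tuple[Verdict, Optional[str]]]  # stand-in for the API call
    dynamic_scan: Callable[[bytes], Verdict]                # stand-in for Dynamic Scan
    dynamic_scan_calls: int = 0

    def scan(self, filename: str, data: bytes) -> ScanResult:
        # Step 1: pre-filtering and Static Scan; known malware returns immediately.
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.known_malware:
            return ScanResult(filename, Verdict.MALWARE, "static")
        # Step 2: FortiNDR verdict, only when Entrust is enabled in the scan profile.
        if self.entrust_enabled:
            verdict, malware_type = self.fortindr_verdict(data)
            if verdict is Verdict.MALWARE:
                return ScanResult(filename, Verdict.MALWARE, "fortindr", malware_type)
            if verdict is Verdict.CLEAN:
                return ScanResult(filename, Verdict.CLEAN, "fortindr")
        # Step 3: anything not already decided goes to Dynamic Scan to capture IOCs.
        self.dynamic_scan_calls += 1
        return ScanResult(filename, self.dynamic_scan(data), "dynamic")


# Constructed stand-ins: the real engines look at file features, not byte markers.
def fake_fortindr(data: bytes) -> Tuple[Verdict, Optional[str]]:
    if b"BANKER" in data:
        return Verdict.MALWARE, "banking trojan"
    if b"CLEAN" in data:
        return Verdict.CLEAN, None
    return Verdict.SUSPICIOUS, None


def fake_dynamic_scan(data: bytes) -> Verdict:
    return Verdict.MALWARE if b"EVIL" in data else Verdict.CLEAN


# Constructed sample submissions (hypothetical names and contents).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 CLEAN document",
    "dropper.exe": b"MZ known-bad sample",
    "stealer.exe": b"MZ BANKER EVIL payload",
    "macro.doc": b"D0CF EVIL macro",
}
KNOWN_MALWARE = {hashlib.sha256(SAMPLES["dropper.exe"]).hexdigest()}


def run_pipeline(entrust_enabled: bool) -> Tuple[Dict[str, ScanResult], int]:
    """Scan every sample; return per-file results and the number of Dynamic Scan runs."""
    pipeline = ScanPipeline(entrust_enabled, KNOWN_MALWARE, fake_fortindr, fake_dynamic_scan)
    results = {name: pipeline.scan(name, data) for name, data in SAMPLES.items()}
    return results, pipeline.dynamic_scan_calls


if __name__ == "__main__":
    for enabled in (True, False):
        results, calls = run_pipeline(enabled)
        print(f"Entrust enabled={enabled}: Dynamic Scan ran {calls} time(s)")
        for r in results.values():
            print(f"  {r.filename:12} {r.verdict.value:10} decided at {r.stage}"
                  + (f" ({r.malware_type})" if r.malware_type else ""))
```

With Entrust enabled, only the file FortiNDR could not call absolute clean or malware reaches Dynamic Scan; with it disabled, every file that passes Static Scan does. When checking a real deployment, the equivalent observation is the FortiSandbox job list: files resolved by FortiNDR should show no Dynamic Scan stage.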

High level configuration steps are as follows:

  1. Generate a FortiNDR API token associated with a user. You can use the GUI in System > Administrator or use the CLI command execute api-key <user-name>.

    For details, see Appendix A - API guide.

  2. In FortiSandbox, configure FortiSandbox FortiAI settings using the FortiNDR IP address, token generated, and other parameters.
  3. Click Test Connection and check that you get a message that FortiNDR is accessible.
  4. Configure FortiSandbox scan profile to enable FortiNDR Entrust.
  5. When file submission begins, FortiSandbox appears in FortiNDR in Security Fabric > Device Input in the Other Devices tab.

    You can review FortiNDR logs for submission details.

This is an example of the FortiSandbox FortiNDR setting.

This is an example of FortiSandbox Scan profile configuration with FortiNDR Entrust. When FortiSandbox is configured, it appears in FortiNDR under Device Input.
