Fortinet Document Library


Administration Guide

Global Network

The FortiSandbox can generate antivirus database packages (malware packages) and blacklist URL packages from its scan results and distribute them to FortiGate devices and FortiClient endpoints, extending their antispyware/antivirus scanning and web filtering so that the detected malware is blocked and quarantined.

This feature requires that:

  • The FortiGate device, running FortiOS 5.4 or later, is authorized on the FortiSandbox.
  • The FortiClient endpoint is running version 5.4 or later and has successfully connected to the FortiSandbox.
  • The FortiSandbox is running version 2.1 or later.

The FortiGate or FortiClient sends a malware package request to the FortiSandbox every two minutes. The request includes the client's installed package version (or 0.0 if no package is installed). The FortiSandbox receives the request, then compares the reported version with its latest local version number. If the received version is different, the FortiSandbox sends the latest package to the FortiGate or FortiClient; if the versions are the same, the FortiSandbox replies with an already-up-to-date message.

Multiple FortiSandbox units can work together to build up a Global Threat Network to share threat information. One unit works as a Collector to collect threat information from other units, while other units work as Contributors to upload locally detected threat information to the Collector, then download a full copy. A new package is generated on a unit when:

  • The FortiSandbox has a new malware detection, either detected locally or detected on another unit inside the Global Threat Network, whose rating falls into the configured rating range.
  • Malware in the current malware package is older than the time set in the malware package configuration.
  • The malware package generation condition is changed in the configuration page.
  • The malware's rating has been overwritten manually.

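The two mechanisms above, the two-minute version poll and the four package regeneration triggers, are easiest to reason about as a small state machine. The following model is an added example written for this page; it is not FortiSandbox, FortiGate or FortiClient code, and the data shapes, rating names, "1.<counter>" version format, function names and sample hashes are all assumptions constructed for the illustration.

```python
"""Model of the package exchange and regeneration triggers described above.

Added illustration only; not FortiSandbox, FortiGate or FortiClient code. The
data shapes, rating names, version-string format, poll handler and sample
hashes are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Ratings ordered from least to most severe (assumed ordering for the example).
RATING_ORDER = ["clean", "low_risk", "medium_risk", "high_risk", "malicious"]


@dataclass(frozen=True)
class Detection:
    sha256: str
    rating: str
    detected_at: datetime
    source: str  # "local" or "global_network"


@dataclass(frozen=True)
class MalwarePackage:
    version: str
    generated_at: datetime
    hashes: frozenset  # file hashes carried by the package


def rating_in_range(rating: str, minimum_rating: str) -> bool:
    """True when `rating` is at least as severe as the configured minimum."""
    return RATING_ORDER.index(rating) >= RATING_ORDER.index(minimum_rating)


def regeneration_reason(current: Optional[MalwarePackage], detections: Iterable[Detection],
                        minimum_rating: str, max_age: timedelta, now: datetime,
                        config_changed: bool = False, rating_overridden: bool = False) -> Optional[str]:
    """Return the first trigger that calls for a new package, or None.

    The triggers mirror the guide's list: a qualifying new detection (local or
    from the Global Threat Network), an entry older than the configured age, a
    change of the generation conditions, and a manual rating override.
    """
    if current is None:
        return "no package yet"
    if config_changed:
        return "generation condition changed"
    if rating_overridden:
        return "rating overridden manually"
    for d in detections:
        if d.sha256 not in current.hashes and rating_in_range(d.rating, minimum_rating):
            return f"new {d.source} detection {d.sha256[:12]} rated {d.rating}"
    for d in detections:
        if d.sha256 in current.hashes and now - d.detected_at > max_age:
            return f"entry {d.sha256[:12]} older than {max_age}"
    return None


def build_package(previous: Optional[MalwarePackage], detections: Iterable[Detection],
                  minimum_rating: str, max_age: timedelta, now: datetime) -> MalwarePackage:
    """Assemble a new package from qualifying detections that have not aged out."""
    hashes = frozenset(d.sha256 for d in detections
                       if rating_in_range(d.rating, minimum_rating) and now - d.detected_at <= max_age)
    counter = int(previous.version.split(".")[1]) + 1 if previous else 1  # constructed "1.<n>" format
    return MalwarePackage(f"1.{counter}", now, hashes)


def handle_package_request(current: MalwarePackage, client_version: str):
    """Answer one FortiGate/FortiClient poll. The client reports its installed
    version ("0.0" when it has none); a differing version gets the latest
    package, an identical version gets an already-up-to-date reply."""
    if client_version != current.version:
        return ("package", current)
    return ("already-up-to-date", None)


def demo() -> dict:
    """Run a constructed scenario and return the observable outcomes."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    minimum_rating, max_age = "high_risk", timedelta(days=7)
    detections = [  # constructed sample hashes, not real indicators
        Detection("aa" * 32, "malicious", now - timedelta(hours=1), "local"),
        Detection("bb" * 32, "high_risk", now - timedelta(hours=2), "global_network"),
        Detection("cc" * 32, "low_risk", now - timedelta(minutes=30), "local"),
    ]
    pkg1 = build_package(None, detections, minimum_rating, max_age, now)
    first_poll, _ = handle_package_request(pkg1, "0.0")          # client with no package
    second_poll, _ = handle_package_request(pkg1, pkg1.version)  # client already current
    fresh = regeneration_reason(pkg1, detections, minimum_rating, max_age, now)
    later = now + timedelta(days=8)  # the packaged entries have now exceeded max_age
    stale = regeneration_reason(pkg1, detections, minimum_rating, max_age, later)
    pkg2 = build_package(pkg1, detections, minimum_rating, max_age, later)
    third_poll, _ = handle_package_request(pkg2, pkg1.version)   # client still on old version
    return {
        "initial_version": pkg1.version,
        "initial_hashes": sorted(pkg1.hashes),
        "first_poll": first_poll,
        "second_poll": second_poll,
        "reason_fresh": fresh,
        "reason_stale": stale,
        "second_version": pkg2.version,
        "second_hash_count": len(pkg2.hashes),
        "third_poll": third_poll,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the poll handler compares for inequality, not for "client is older", exactly as the guide describes: a client reporting a version the FortiSandbox does not know (for example after the sandbox was restored from backup) is still pushed the current package, so the two sides converge without a rollback path having to be modelled. The low-risk detection in the scenario never triggers regeneration because it falls outside the configured rating range, and the second package is empty because every qualifying entry has passed the configured age.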
The Collector can also manage the Scan Profile of all units in the network. However, only a Standalone unit or Master node in a cluster can join the network.

To join the global network to share threat information and scan profiles:
  1. Go to Scan Policy > Global Network.
  2. Enable Join global network to share threat information and manage scan profiles.
  3. You have the following two options:

    1. Work as threat information collector and scan profile manager.

      If the unit works as a Collector, configure the following:

      Alias: Enter the network Alias name.

      Authentication Code: Enter the authentication code that Contributors must present to join the network.

      Contributors: Lists the units that are in the network.

      Local Malware Package Options: These options define how each unit generates local packages after it has threat information. Refer to Local Packages for more information.

      Local URL Package Options

      Enable Local STIX IOC Package

    2. Work as threat information contributor. Scan profile is managed by manager.

      If the unit works as a Contributor, configure the following:

      Collector IP Address: Enter the Collector's IP address.

      Alias: Enter the global network Alias name.

      Authentication Code: Enter the authentication code to join the network.

      Local Malware Package Options: These options define how each unit generates local packages after it has threat information. Refer to Local Packages for more information.

      Local URL Package Options

      Enable Local STIX IOC Package

      Scan Profile is Managed by Manager: When this option is enabled, the unit allows its scan profile to be managed by the Collector. The Collector combines all VM types from the Contributors. After the user configures a scan profile on the Collector, each Contributor downloads that configuration, and the Scan Profile page on the Contributor unit becomes read-only.

  4. Click OK to save the settings.
