Fortinet Document Library


Administration Guide

Supported Devices

FortiSandbox supports the following devices:

FortiGate

FortiSandbox can perform additional analysis on files that have been AV scanned by FortiGate. You can configure FortiGate to send all files or only suspicious files passing through the AV scan.

FortiGate can retrieve scan results and details from FortiSandbox, and also receive antivirus and web filtering signatures to supplement the current signature database.

When FortiGate learns from FortiSandbox that a terminal is infected, the administrator can push a self-quarantine instruction to a registered FortiClient host.

FortiMail

You can configure FortiMail to send suspicious, high-risk files and suspicious attachments to FortiSandbox. FortiSandbox can perform additional analysis on files that have been scanned by your FortiMail email gateway.

Suspicious email attachments include:

  • Suspicious files detected by the heuristic scan of the AV engine.
  • Executable files and executable files embedded in archive files.
  • Type 6 hashes (binary hashes) of spam email detected by the FortiGuard AntiSpam service.

FortiMail can send suspicious URLs in the email body to FortiSandbox for URL scans and then block suspicious emails based on the scan result.

FortiWeb

You can use a file upload restriction policy to submit uploaded files to FortiSandbox for evaluation. If FortiSandbox determines that the file is malicious, FortiWeb performs the following tasks:

  • Generate an attack log message that contains the result (for example, messages with the Alert action).
  • For 10 minutes after it receives the FortiSandbox results, take the action specified by the file upload restriction policy. During this time, it does not re-submit the file to FortiSandbox (for example, messages with the Alert_Deny action).

FortiClient EMS

You can configure a FortiSandbox IP address in an endpoint profile. FortiClient EMS then attempts to submit an authorization request to FortiSandbox. FortiSandbox administrators can authorize it and set limits on submission speed. Subsequently, all FortiClient endpoints managed by FortiClient EMS are considered authorized by the same FortiSandbox and follow the submission speed limit.

FortiClient

FortiSandbox can accept files from FortiClient to perform additional analysis while FortiClient holds the files until the scan results are received. FortiClient can also receive additional antivirus signatures from FortiSandbox, generated from scan results, to supplement current signatures.
