Administration Guide

Sniffer

Sniffer mode relies on inputs from spanned switch ports. It is the most suitable infrastructure for adding protection capabilities to existing threat protection systems from various vendors.

Sniffer mode enables you to configure your FortiSandbox to sniff all traffic on specified interfaces. When files are received by FortiSandbox, they are executed and scanned within the VM modules. Sniffer mode supports the following protocols: HTTP, FTP, POP3, IMAP, SMTP, SMB, DNS, and raw TCP protocol. To enable and configure sniffer settings, go to Scan Input > Sniffer.

FortiSandbox reserves port1 for device management and port3 for scanned files to access the Internet. Port1, , the admin port, and the port used for cluster-internal communication cannot be used as a sniffed interface.

In FortiSandbox you can select multiple interfaces to sniff. For example, when FortiSandbox is deployed behind a network tap device, you can sniff the incoming and outgoing traffic on separate FortiSandbox interfaces.

Configure the following settings:

Enable file based detection

Select the checkbox to enable file based detection.

Enable network alert detection

Select the checkbox to enable network alert detection. This feature inspects sniffed live traffic for connections to botnet servers, intrusion attempts, and visits to suspicious websites, using Fortinet IPS and Web Filtering technologies.

Alerts can be viewed in the Network Alerts page.

For URL visits, certain categories can be treated as benign in Scan Policy > URL Category.

Keep incomplete files

Keep files without completed TCP sessions. Select the checkbox to keep incomplete files. Sometimes incomplete files can be useful to detect known viruses.

Enable Conserve mode

When conserve mode is enabled, the sniffer enters conserve mode whenever the pending queue already holds too many jobs (250K) or the sniffed traffic throughput exceeds the model's optimal throughput. While in conserve mode, only executable (.exe) and MS Office files are extracted.

Optimal traffic throughput values for different models:

  • FSA-1000D: 1 Gbps
  • FSA-2000E: 4 Gbps
  • FSA-3000D: 4.6 Gbps
  • FSA-3000E: 8 Gbps
  • FSA-3500D: 2 Gbps
  • FSA-VM00: 1 Gbps
  • FSA-VM-BASE: 4.6 Gbps

Maximum file size

The maximum size of files captured by the sniffer. Enter a value in the text box. The default value is 2048 kB and the maximum file size is 200,000 kB.

Note: Files that exceed the maximum file size will not be sent to FortiSandbox.

Sniffed Interfaces

Select the interface to monitor.

Service Types

Select the traffic protocols that the sniffer will work on. Options include: FTP, HTTP, IMAP, POP3, SMB, OTHER, and SMTP.

The OTHER service type is for raw TCP protocol traffic.

File Types

Select the file types to extract from traffic. When All is checked, all files in the traffic are extracted. Users can also add extra file extensions by entering them in the File Types field and clicking Add > OK. An added extension can be deleted later by clicking the Trash can icon beside it and clicking OK.

When the URLs in Email file type is selected, URLs embedded in the email body are extracted and scanned as the WEBLink type. The user can set the number of URLs to extract from each email, from 1 to 5.

When an interface is used in sniffer mode, it will lose its IP address. The interface settings cannot be changed.
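The settings above combine into a single extraction policy: a carved file is only submitted if its protocol and extension are selected, it is under the size limit, its TCP session completed (unless incomplete files are kept), and, under load, it is an executable or MS Office file. The following Python model, added here as an illustration and not FortiSandbox code, applies those checks in that order so an administrator can reason about which files a given configuration would drop. The 250K queue limit, the 2048 kB default, the 200,000 kB ceiling and the per-model throughput table are taken from the page; the class and function names, the set of extensions treated as "MS Office files", and the sample files are assumptions.

```python
from dataclasses import dataclass, field

# Thresholds quoted on the page.
PENDING_QUEUE_LIMIT = 250_000   # pending jobs at which conserve mode starts
DEFAULT_MAX_FILE_KB = 2048
HARD_MAX_FILE_KB = 200_000

# Optimal sniffed-traffic throughput per model in Gbps, from the page.
OPTIMAL_THROUGHPUT_GBPS = {
    "FSA-1000D": 1.0, "FSA-2000E": 4.0, "FSA-3000D": 4.6, "FSA-3000E": 8.0,
    "FSA-3500D": 2.0, "FSA-VM00": 1.0, "FSA-VM-BASE": 4.6,
}

# Assumed: which extensions count as "MS Office files" in conserve mode.
OFFICE_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}
CONSERVE_EXTENSIONS = {"exe"} | OFFICE_EXTENSIONS

SERVICE_TYPES = {"FTP", "HTTP", "IMAP", "POP3", "SMB", "OTHER", "SMTP"}


@dataclass
class SnifferSettings:
    """Hypothetical mirror of the Scan Input > Sniffer form."""
    model: str = "FSA-3000E"
    file_based_detection: bool = True
    keep_incomplete_files: bool = False
    conserve_mode: bool = True
    max_file_size_kb: int = DEFAULT_MAX_FILE_KB
    service_types: set = field(default_factory=lambda: set(SERVICE_TYPES))
    file_types: set = field(default_factory=lambda: {"ALL"})  # "ALL" = the All checkbox

    def __post_init__(self):
        # The page caps the field at 200,000 kB; reject values outside that range.
        if not 0 < self.max_file_size_kb <= HARD_MAX_FILE_KB:
            raise ValueError(f"max file size must be 1..{HARD_MAX_FILE_KB} kB")


@dataclass
class SniffedFile:
    """One file carved from sniffed traffic (constructed sample data)."""
    service: str       # protocol it was carved from; "OTHER" means raw TCP
    extension: str     # lower-case extension, e.g. "exe"
    size_kb: int
    tcp_complete: bool  # False when the TCP session never completed


def in_conserve_mode(settings, pending_jobs, throughput_gbps):
    """Conserve mode triggers on queue depth or on exceeding optimal throughput."""
    if not settings.conserve_mode:
        return False
    optimal = OPTIMAL_THROUGHPUT_GBPS[settings.model]
    return pending_jobs >= PENDING_QUEUE_LIMIT or throughput_gbps > optimal


def extraction_decision(settings, f, pending_jobs=0, throughput_gbps=0.0):
    """Return (extract, reason): cheap configuration filters first, load last."""
    if not settings.file_based_detection:
        return False, "file based detection disabled"
    if f.service.upper() not in settings.service_types:
        return False, f"service {f.service} not sniffed"
    ext = f.extension.lower()
    if "ALL" not in settings.file_types and ext not in settings.file_types:
        return False, f"extension .{ext} not selected"
    if f.size_kb > settings.max_file_size_kb:
        return False, f"{f.size_kb} kB exceeds maximum {settings.max_file_size_kb} kB"
    if not f.tcp_complete and not settings.keep_incomplete_files:
        return False, "incomplete TCP session discarded"
    if in_conserve_mode(settings, pending_jobs, throughput_gbps) and ext not in CONSERVE_EXTENSIONS:
        return False, "conserve mode: only .exe and MS Office files extracted"
    return True, "extract"


def run_demo():
    """Apply the default settings to a few constructed files under load."""
    settings = SnifferSettings()
    samples = [
        SniffedFile("HTTP", "exe", 500, True),
        SniffedFile("HTTP", "exe", 4096, True),     # over the 2048 kB default
        SniffedFile("SMTP", "pdf", 100, False),     # truncated session
        SniffedFile("OTHER", "pdf", 100, True),     # raw TCP, queue full below
    ]
    return [extraction_decision(settings, s, pending_jobs=PENDING_QUEUE_LIMIT)
            for s in samples]


if __name__ == "__main__":
    for extract, reason in run_demo():
        print(extract, reason)
```

Running the demo with the queue at 250K shows the first sample extracted, the oversized executable dropped, the truncated PDF dropped, and the raw-TCP PDF dropped by conserve mode; flipping Keep incomplete files or lowering the queue changes only the decisions the page says it should.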
