Administration Guide

General

Go to Scan Policy > General to view and configure the General Options.

The following options are available:

Upload malicious and suspicious file information to Sandbox community Cloud

Enable to upload malicious and suspicious file information to the Sandbox community Cloud. If enabled, the file checksum, tracer log, verdict, submitting device serial number, downloading URL, and original files are uploaded.

Submit suspicious URL to Fortinet WebFilter Service

Enable to submit malware download URLs to the FortiGuard Web Filter Service.

Allow Virtual Machines to access external network through outgoing port3

Enable to allow Virtual Machines to access the external network through the outgoing port3.

If the VM cannot access the outside network, a simulated network (SIMNET) starts by default. SIMNET provides responses for popular network services, such as HTTP, where certain malware expects them. If VM internet access is down, the SIMNET status is displayed beside the down icon; clicking it opens the VM network configuration page. Note: SIMNET is not a real internet connection, which can affect the catch rate. Do not assign port3 an IP address from the production IP pool, because there is a chance it will get blacklisted.

The FortiSandbox VM accesses the external network through port3. The next-hop gateway and DNS settings can be configured in Scan Policy > General > Allow Virtual Machines to access external network through outgoing port3.

Status

Status of port3 access to the Internet.

Gateway

Enter the next hop gateway IP address.

Disable SIMNET if Virtual Machines are not able to access external network through outgoing port3

Enable to disable SIMNET when Virtual Machines are not able to access the external network through the outgoing port3.

DNS

DNS server used by VM images when a file is scanned.

Use Proxy

Enable to use the proxy. Configure the Proxy Type, Server Name/IP, Port, Proxy Username, and Proxy Password.

When the proxy server is enabled, all non-UDP outgoing traffic started from the Sandbox VM is directed to the proxy server.

When a proxy server is used and the proxy server type is not SOCKS, the system-level DNS server is used. If the type is SOCKS5, users need to configure an external DNS server that port3 can access.

For other traffic started by FortiSandbox firmware, such as FortiGuard Distribution Network (FDN) upgrades, the configurations should be done under the Network menu.

Proxy Type

Select the proxy type from the drop-down list. The following options are available:

  • HTTP Connect
  • HTTP Relay
  • SOCKS v4
  • SOCKS v5; requires DNS

UDP protocol is not supported.

Server Name/IP

Enter the proxy server name or IP address.

Port

Enter the proxy server port number.

Proxy Username

Enter a proxy username.

Proxy Password

Enter the proxy password.

Apply default passwords to extract archive files

Users can define a list of passwords to try when extracting archive files. Enter one password per line.

Disable Community Cloud Query

By default the Cloud Query is enabled. Disable the Cloud Query in the following scenarios:

  • You have an enclosed environment. Disabling the Cloud Query will improve the scan speed.
  • You receive an incorrect verdict from the Cloud Query. You can turn it off temporarily until Fortinet fixes it.

Disable AV Rescan of finished Jobs

AV signature updates are frequent (every hour). Running an AV rescan against finished jobs of the last 48 hours could hinder performance. You have the option to disable the AV Rescan to improve performance.

Enable URL call back detection

Enable URL call back detection. When enabled, URLs in sniffed traffic that were previously detected as clean are frequently queried against the Web Filtering service.

Enable log event of file submission

Enable to log the file submission events of an input source.

Devices

Select to log the file submission events of a device, like FortiGate, FortiMail or FortiClient.

Adapter

Select to log the file submission events from an adapter like a Carbon Black server.

Network Share

Select to log the file submission events when they are from a network share.

BCC Adapter

Select to log the file submission events from a BCC client.

ICAP

Select to log the file submission events from an ICAP client.

Reject duplicate file from device

Enable to reject duplicate files from devices.

Delete original files of Clean or Other rating after

Enable to delete original files of Clean or Other ratings after a specified time. If the time is 0, the original files with either Clean or Other ratings will not be kept on the system. Original files of Clean or Other rating can be kept on the system for a maximum of 4 weeks.

Day

Enter the day.

Hour

Enter the hour.

Minute

Enter the minute.

Delete original files of Malicious or Suspicious rating after

Enable to delete original files of Malicious or Suspicious ratings after a specified time.

Day

Enter the day.

Hour

Enter the hour.

Minute

Enter the minute.

Delete all traces of jobs of Clean or Other rating after

Enable to delete all traces of jobs of Clean or Other ratings after a specified time. Traces of jobs with Clean or Other rating can be kept on the system for a maximum of 4 weeks.

Day

Enter the day.

Hour

Enter the hour.

Minute

Enter the minute.

Delete all traces of jobs of Malicious or Suspicious after

Enable to delete all traces of jobs of Malicious or Suspicious ratings after a specified time.

Day

Enter the day.

Hour

Enter the hour.

Minute

Enter the minute.

By default, job traces of files with a Clean or Other rating will be kept for three days.
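
The constraints stated above (no production-pool IP on port3, an external DNS server when the proxy type is SOCKS v5, and the 4-week cap on Clean or Other retention) can be checked before a change is applied. The following is an added example, not Fortinet code: the dictionary keys and sample values are assumptions made for illustration and do not correspond to any FortiSandbox export format.

```python
import ipaddress

# The page caps Clean/Other retention at 4 weeks.
MAX_CLEAN_MINUTES = 4 * 7 * 24 * 60

def retention_minutes(day, hour, minute):
    """Collapse the Day / Hour / Minute fields into total minutes."""
    return (day * 24 + hour) * 60 + minute

def review_general_options(cfg, production_pools):
    """Return findings for a planned configuration (hypothetical dict keys)."""
    findings = []
    if cfg["allow_vm_external"]:
        ip = ipaddress.ip_address(cfg["port3_ip"])
        for pool in production_pools:
            if ip in ipaddress.ip_network(pool):
                findings.append(f"port3 IP {ip} is in production pool {pool}")
        proxy = cfg.get("proxy")
        # Non-SOCKS proxy types use the system-level DNS server, so only
        # SOCKS v5 needs an external DNS server that port3 can reach.
        if proxy and proxy["type"] == "SOCKS v5" and not cfg.get("dns"):
            findings.append("SOCKS v5 proxy set without an external DNS server")
    for key in ("clean_original_files", "clean_job_traces"):
        total = retention_minutes(*cfg[key])
        if total > MAX_CLEAN_MINUTES:
            findings.append(f"{key}: {total} min exceeds the 4-week maximum")
    if retention_minutes(*cfg["clean_original_files"]) == 0:
        findings.append("clean_original_files: 0 means originals are not kept")
    return findings

# Constructed sample input; addresses are from documentation ranges.
SAMPLE_POOLS = ["198.51.100.0/24"]
SAMPLE_CFG = {
    "allow_vm_external": True,
    "port3_ip": "198.51.100.25",
    "dns": "",
    "proxy": {"type": "SOCKS v5", "server": "proxy.example", "port": 1080},
    "clean_original_files": (0, 0, 0),
    "clean_job_traces": (30, 0, 0),
}

if __name__ == "__main__":
    for finding in review_general_options(SAMPLE_CFG, SAMPLE_POOLS):
        print("-", finding)
```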
