Fortinet Document Library

Administration Guide

Adapter

FortiSandbox uses adapters to connect to third-party products such as Carbon Black/Bit9 server, ICAP, and mail gateway clients.

With an adapter, FortiSandbox can analyze files downloaded from the Carbon Black server and send file verdict notifications back to the server, or receive HTTP messages from an ICAP client and return a response to it.

FortiSandbox supports mail adapters to receive forwarded emails from an upstream email gateway and scan them. FortiSandbox extracts email attachments and URLs in an email body and sends them to the job queue.

You can use the MTA adapter to inspect and quarantine suspicious emails. For more information, see Configure MTA adapter and the FortiSandbox user guide in the AWS marketplace.

The BCC adapter is for information only; it does not block emails.

FortiSandbox creates the ICAP, BCC, and MTA adapters, which cannot be deleted. They are disabled by default.

The following options are available:

Create New

Create a new adapter.

Edit

Edit an adapter.

Delete

Delete an adapter.

You cannot delete the ICAP, BCC, or MTA adapter.

This page displays the following information:

Adapter Name

Adapter name.

Vendor Name

Vendor name.

Serial

Serial number.

FQDN/IP

FQDN/IP address.

This field is empty for the ICAP, BCC, and MTA adapters.

Malicious

File and URL count of Malicious rating from this adapter in the last seven days.

High

File and URL count of High Risk rating from this adapter in the last seven days.

Medium

File and URL count of Medium Risk rating from this adapter in the last seven days.

Low

File and URL count of Low Risk rating from this adapter in the last seven days.

Clean

File and URL count of Clean rating from this adapter in the last seven days.

Other

File and URL count of Other rating from this adapter in the last seven days.

To create an adapter:
  1. Go to Scan Input > Adapter.
  2. Click the Create New button from the toolbar.
  3. Configure the following and click OK.

    Vendor Name

    Select Carbon Black/Bit9.

    Adapter Name

    Enter the adapter name.

    Server FQDN/IP

    Enter the FQDN/IP address of the Carbon Black server.

    Token

    Enter the token string. The authentication token is assigned by the Carbon Black or ICAP server.

    Timeout (seconds)

    Enter the timeout value.

    Serial

    Auto-generated serial number for this adapter. It works as a device serial number to denote a file's input device.

After you create a Carbon Black adapter, FortiSandbox tries to communicate with the Carbon Black server. If the connection and authentication are successful, the status column shows a green icon; otherwise, it shows a red icon.

To configure the ICAP adapter:
  1. Go to Scan Input > Adapter.
  2. Select the ICAP adapter and click Edit.
  3. Enable the adapter.
  4. Configure the Connection settings.
  5. You can select the interface port that FortiSandbox listens on. The default is port1.
  6. In the Methods section, you can enable Receive URL and Receive File and set the rating to block files and URLs.
  7. For a faster response to a known virus before a file is put into the job queue, enable Realtime AV Scan.

  8. Click Apply.
  9. To enable file submission from the ICAP adapter to create log events:
    1. Go to Scan Policy > General.
    2. Under Enable log event of file submission, select ICAP.
    3. Click OK.
  10. To view ICAP adapter debug logs in run time, execute the following CLI command:

    diagnose-debug adapter_icap

    For more information about the diagnose-debug command, see the FortiSandbox CLI Reference.

To configure the BCC adapter:
  1. Go to Scan Input > Adapter.
  2. Select the BCC adapter and click Edit.
  3. Enable the adapter.
  4. Enable Parse URL to allow FortiSandbox to extract the first three URLs in an email.
  5. Configure the Connection settings.

  6. Click Apply.
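
An added illustration of the mail adapter behavior described above (attachments and body URLs extracted, with Parse URL limited to the first three URLs); it is not FortiSandbox code. It runs over a constructed message and reports which URLs fall inside and outside the limit; first-seen ordering and collapsing of duplicate URLs are assumptions, since this page does not document how FortiSandbox selects them.

```python
import hashlib
import re
from email import message_from_string, policy

URL_LIMIT = 3  # "first three URLs", from the Parse URL step on this page
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message (not real traffic): four URLs, one attachment.
SAMPLE_EML = """\
From: sender@example.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See https://a.example/1 and https://b.example/2
then https://c.example/3 and finally https://d.example/4
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

def triage(raw, url_limit=URL_LIMIT):
    """Return (attachments, urls_within_limit, urls_beyond_limit)."""
    msg = message_from_string(raw, policy=policy.default)
    attachments, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:  # assumption: a repeated URL counts once
                    urls.append(url)
    return attachments, urls[:url_limit], urls[url_limit:]

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```
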

To troubleshoot communication problems with an adapter, use this CLI command:

diagnose-debug [adapter_cb | adapter_icap | adapter_bcc | adapter_mta_relay | adapter_mta_mail]
