Fortinet Document Library

Administration Guide

Device

In Device mode, you can configure your FortiGate, FortiWeb, FortiClient, or FortiMail devices to send files to FortiSandbox. For FortiGate, you can send all files for inspection. For FortiMail, you can send email attachments or URLs in the email body to FortiSandbox for inspection, or just send the suspicious ones. When FortiSandbox receives the files or URLs, they are executed and scanned within the VM modules. FortiSandbox sends statistics back to the FortiGate, FortiWeb, and FortiMail. When integrated with FortiGate, supported protocols include: HTTP, FTP, POP3, IMAP, SMTP, MAPI, IM, and their equivalent SSL encrypted versions.

A FortiSandbox system, either a standalone unit or in a cluster, has no limit on the number of authorized devices and FortiClients. However, the concurrent connections of all client devices are limited to 30000.

Use the Scan Input > Device page to view, edit, and authorize devices.

Devices such as FortiGate can query a file's verdict and retrieve detailed information from FortiSandbox. FortiGate can also download malware and URL packages from FortiSandbox as complimentary AV signatures and web filtering black lists. These packages contain detected malware signatures and their downloading URLs.

The default file size scanned and forwarded by FortiGate is 10MB and the maximum size depends on the FortiGate memory size. To change the file size on the FortiGate side, use the following CLI commands:

config firewall profile-protocol-options
    edit <name_str>
        config http
            set oversize-limit <size_int>
        end
    end

The profile-protocol-options setting controls the maximum file size that is AV scanned on the FortiGate. After a virus scan verdict has been made (clean or suspicious), if the file size is less than the analytics-max-upload size, it is sent to FortiSandbox using the Send All/Suspicious Only setting on the FortiGate.

For information on configuring the oversize limit for profile-protocol-options and analytics-max-upload, see the FortiOS CLI Reference in the Fortinet Document Library.
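The two thresholds above decide which files ever reach FortiSandbox: a file larger than oversize-limit is never AV scanned, so it never gets a verdict, and a scanned file is only forwarded if it is smaller than analytics-max-upload and the Send All/Suspicious Only setting allows its verdict. The following added example (not Fortinet code, and not the FortiOS implementation) models that gating so you can see the sizes that fall into the gap between the two settings. The default of 10 MB is the one the guide states; the analytics-max-upload default, the inclusive/exclusive boundaries, and the function names are assumptions for illustration.

```python
"""Model of the FortiGate-side file-size gating for FortiSandbox submission.

Added example, not Fortinet code. Encodes the two thresholds the guide names
(profile-protocol-options oversize-limit, analytics-max-upload) and the
Send All / Suspicious Only setting. Defaults other than the 10 MB stated in
the guide, and the exact comparison operators, are assumptions; confirm them
against the FortiOS CLI Reference for your version.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    SUSPICIOUS = "suspicious"
    NOT_SCANNED = "not-scanned"  # exceeded oversize-limit, so AV never ran


class SandboxMode(Enum):
    SEND_ALL = "send-all"
    SUSPICIOUS_ONLY = "suspicious-only"


@dataclass(frozen=True)
class FortiGatePolicy:
    oversize_limit_mb: float = 10.0          # guide: default 10 MB
    analytics_max_upload_mb: float = 10.0    # assumed value for illustration
    mode: SandboxMode = SandboxMode.SEND_ALL


def av_verdict(size_mb: float, av_flags_suspicious: bool,
               policy: FortiGatePolicy) -> Verdict:
    """AV scanning only covers files up to oversize-limit (boundary assumed
    inclusive); anything larger gets no verdict at all."""
    if size_mb > policy.oversize_limit_mb:
        return Verdict.NOT_SCANNED
    return Verdict.SUSPICIOUS if av_flags_suspicious else Verdict.CLEAN


def forwarded_to_sandbox(size_mb: float, verdict: Verdict,
                         policy: FortiGatePolicy) -> bool:
    """A file reaches FortiSandbox only after a verdict exists, only if it is
    less than analytics-max-upload (the guide's wording), and only if the
    mode accepts that verdict."""
    if verdict is Verdict.NOT_SCANNED:
        return False
    if not size_mb < policy.analytics_max_upload_mb:
        return False
    if policy.mode is SandboxMode.SUSPICIOUS_ONLY:
        return verdict is Verdict.SUSPICIOUS
    return True


def inspection_outcome(size_mb: float, av_flags_suspicious: bool,
                       policy: FortiGatePolicy) -> tuple:
    """Return (verdict, forwarded) for one file under one policy."""
    verdict = av_verdict(size_mb, av_flags_suspicious, policy)
    return verdict, forwarded_to_sandbox(size_mb, verdict, policy)


def sandbox_blind_spots(sizes_mb, policy: FortiGatePolicy) -> list:
    """Sizes that can never reach FortiSandbox even when AV flags them as
    suspicious, i.e. the inspection gap created by the two thresholds."""
    return [s for s in sizes_mb
            if not forwarded_to_sandbox(s, Verdict.SUSPICIOUS, policy)]


if __name__ == "__main__":
    # Constructed sample sizes in MB, chosen to straddle both thresholds.
    sample_sizes = [1, 4.9, 5, 8, 12]
    mismatched = FortiGatePolicy(oversize_limit_mb=10, analytics_max_upload_mb=5)
    for size in sample_sizes:
        print(size, inspection_outcome(size, True, mismatched))
    print("never sandboxed:", sandbox_blind_spots(sample_sizes, mismatched))
```

With analytics-max-upload below oversize-limit, files between the two values are AV scanned but never sandboxed, and files above oversize-limit are neither; `sandbox_blind_spots` lists both groups so the thresholds can be checked against each other rather than in isolation.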

In Scan Input > Device, the following options are available:

Refresh

Refresh display after applying search filters.

Device Filter

Filter devices by entering part of device name or serial number.

Clear all removable filters

Click the trash can icon to remove all filters.

This page displays the following:

Device Name

Name of the device and the VDOM or protected email domain that sends files to FortiSandbox. For a device, the format is: Device Name. For a VDOM, the format is: Device Name: VDOM Name. For a FortiMail protected domain, the format is: Device Name: Domain Name.

Serial

The FortiGate, FortiWeb, FortiClient, FortiClient EMS, or FortiMail serial number.

Malicious, High, Medium, Low

The number of malicious, high risk, medium risk, or low risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Clean

Number of clean files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of clean files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Others

Number of files with other ratings submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of such files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Mal Pkg

Malware package version currently on the device.

URL Pkg

URL package version currently on the device.

Auth

Shows whether the device or VDOM/protected domain is authorized to submit files. Only an authorized device or VDOM/protected domain can submit files to FortiSandbox.

Limit

Shows if this device has a submission limit.

Status

Status of the device. An icon shows whether the device is up (connected) or down (disconnected). If a device, its VDOM, or its protected domain does not contact FortiSandbox for more than 15 minutes, the status changes to disconnected.

Delete

Click to delete the device, VDOM, or protected domain. When you delete a device, all its VDOMs and protected domains are also deleted. If the device is FortiClient EMS, its managed FortiClient endpoints are kept. If the device connects to FortiSandbox again, it appears as a new device.

FortiSandbox uses a Fortinet proprietary traffic protocol (OFTP) to communicate with connected devices. This is encrypted communication using TCP port 514.