Administration Guide

Interfaces

To view and manage interfaces, go to Network > Interfaces.

This page displays the following information and options:

Interface

The interface name and description, where applicable.

The failover IP includes the description: (cluster external port).

 

port1 (administration port)

port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, or Telnet access rights on port1. HTTPS is enabled by default. You can use port1 for Device mode, although a different, dedicated port is recommended.

 

port2

You can use port2 for Sniffer mode, Device mode, or inter-node communication within a cluster.

 

port3 (VM outgoing interface)

port3 is reserved for outgoing communication triggered by the execution of the files under analysis.

FortiSandbox uses port3 to allow scanned files to access the Internet. How a file behaves when it visits the Internet is an important factor in determining whether it is malicious. Because malicious files are infectious, ensure that the connection for port3 is isolated but can still access the Internet. Do not allow this connection to belong to, or be able to access, any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

FortiSandbox VM accesses external networks through port3. Configure the next hop gateway and DNS settings in Scan Policy > General > Allow Virtual Machines to access external network through outgoing port3. This allows files running inside VMs to access the external network. One special type of outgoing communication from a guest VM is the connection to the Microsoft activation server to activate the Windows Sandbox VM product keys. Office licenses are verified through the VMs, so Internet access via port3 is required to contact Microsoft for license activation.

If the VM cannot access the outside network, a simulated network (SIMNET) starts by default. SIMNET provides responses for popular network services, such as HTTP, that some malware expects. If the VM Internet access is down, the SIMNET status is displayed beside the down icon. Click that icon to go to the VM network configuration page.

SIMNET is not a real Internet connection, which can affect the catch rate. Do not use an IP address from the production IP pool for the IP assignment on port3 because it might get blacklisted.

 

port4

You can use port4 for Sniffer mode, Device mode, or inter-node communication within a cluster.

 

port5/port6

You can use port5 and port6 for Sniffer mode, Device mode, or inter-node communication within a cluster.

On FortiSandbox 2000E, 3000E, and 3500D devices, port5 and port6 are 10G fiber ports. We recommend using these ports on a master node or primary slave as communications ports with cluster slaves.

 

port7/port8

You can use port7 and port8 for Sniffer mode, Device mode, or inter-node communication within a cluster.

On FortiSandbox 3000D devices, port7 and port8 are 10G fiber ports. We recommend using these ports on a master node or primary slave as communications ports with cluster slaves.

IPv4

IPv4 IP address and subnet mask of the interface.

IPv6

IPv6 IP address and subnet mask of the interface.

Interface Status

State of the interface:
  • Interface is up
  • Interface is down
  • Interface is being used by sniffer

Link Status

Link status:
  • Link up
  • Link down

Access Rights

Access rights associated with the interface. HTTPS is enabled by default on port1 and any other administrative port set by the CLI command set admin-port. You can select to enable HTTP, SSH, and Telnet access on the administrative port.

PCAP

Click the PCAP icon to sniff the traffic of an interface for up to 60 seconds. Click Capture & Download to download the PCAP file as a zip file. The maximum file size is 100 MB.

You can define a tcpdump filter, such as host 172.10.1.1 or TCP port 443.

You can only run one capture at a time for each port. Sniffing ports are combined and treated as a single port.

Create New

Create an interface.

Edit

Edit the selected interface.

For more information on FSA-1000D, FSA-3000D, FSA-2000E, FSA-3500D, and FSA-3000E ports, see Default port information.

To set up more administration ports, use the CLI command set admin-port.

The following subnets are reserved by FortiSandbox. Do not configure interface IP addresses in these ranges:
  • 192.168.56.0/24
  • 192.168.57.0/24
  • 192.168.250.0/24
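
The addressing rules on this page (the reserved subnets above, and the port3 guidance on protected subnets and the production IP pool) can be checked before an interface is configured. The following is an added example, not part of the Fortinet guide or the product: the function name check_plan, the sample plan and all sample addresses are assumptions made for illustration.

```python
import ipaddress

# Subnets this page lists as reserved by FortiSandbox.
RESERVED = [ipaddress.ip_network(n) for n in
            ("192.168.56.0/24", "192.168.57.0/24", "192.168.250.0/24")]


def _overlap(a, b):
    # Networks of different IP versions never overlap.
    return a.version == b.version and a.overlaps(b)


def check_plan(plan, protected=(), production_pool=()):
    """Return (port, problem) findings for a planned interface addressing.

    plan            -- {"port1": "address/prefix", ...}
    protected       -- internal subnets that port3 must not belong to
    production_pool -- ranges port3 should not draw its address from
    """
    protected = [ipaddress.ip_network(n) for n in protected]
    production_pool = [ipaddress.ip_network(n) for n in production_pool]
    findings = []
    for port, cidr in plan.items():
        iface = ipaddress.ip_interface(cidr)
        for net in RESERVED:
            if _overlap(iface.network, net):
                findings.append((port, f"overlaps reserved subnet {net}"))
        if port != "port3":
            continue
        # Addressing check only: whether port3 can *reach* an internal subnet
        # is decided by routing and firewall policy, which this does not see.
        for net in protected:
            if _overlap(iface.network, net):
                findings.append((port, f"overlaps protected subnet {net}"))
        for net in production_pool:
            if iface.ip.version == net.version and iface.ip in net:
                findings.append((port, f"address is in production pool {net}"))
    return findings


# Constructed sample plan (addresses are illustrative, not from the guide).
SAMPLE_PLAN = {"port1": "10.10.1.5/24",
               "port2": "192.168.56.10/24",
               "port3": "10.10.20.9/24"}

if __name__ == "__main__":
    for port, problem in check_plan(SAMPLE_PLAN, protected=["10.10.0.0/16"]):
        print(f"{port}: {problem}")
```

An empty result means only that the addressing is consistent with these rules; the isolation of port3 still depends on the firewall and routing in front of it.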
