Administration Guide

Sniffer

Sniffer mode is a suitable deployment option for adding protection capabilities to existing threat protection systems from various vendors. It allows you to configure your FortiSandbox to sniff all network traffic on the specified interfaces.

FortiSandbox extracts files and URLs from the network traffic for file-based and network-alert detections. The files and URLs are scanned and may enter the Dynamic Scan as configured. When rated as suspicious, the FortiSandbox can send either TCP reset packets or replacement messages as configured and supported.

Sniffer mode supports the following protocols: HTTP, FTP, POP3, IMAP, SMTP, SMB, DNS and raw TCP. It works on traffic mirrored to it from spanned switch ports or a network tap, and that traffic can arrive on more than one FortiSandbox interface. For example, when FortiSandbox is deployed behind a network tap, you can sniff the incoming and outgoing directions on separate interfaces. Neither port1 nor port3 can be used for this feature, because they are reserved for device management and for the guest VMs' Internet access, respectively.

To enable and configure sniffer mode:
  1. Go to Security Fabric > Sniffer.
  2. Configure the following settings:

    Sniffed Interfaces

    Select the interface to monitor.

    Limit the number for TCP RST request

The maximum number of TCP RST packets that the FortiSandbox unit sends to terminate one TCP session. Valid values are 1 to 255; the default, 0, means no limit on the number of packets.

    This option is only visible when the TCP RST feature is enabled under either Enable file based detection or Enable network alert detection.

    Network interfaces to send out TCP RST traffic

Defines how the unit dispatches RST traffic:

    • Follow system routing settings: use the static routing table in System > Static Route.
    • Through dedicated ports: send the RST packets out of selected ports; multiple selections are permitted.

    This option is only visible when the TCP RST feature is enabled under either Enable file based detection or Enable network alert detection.

    With dedicated ports, the port used for a given RST is chosen according to the sniffed traffic. A reset only takes effect if it reaches the endpoint while the session is still open, so for best results connect the selected ports directly to the LAN of the client or server.

    Enable file based detection

    Select the checkbox to enable file based detection.

    Enable support TCP RST

Select the checkbox to have the sniffer send TCP RST packets for sessions whose files or URLs are rated suspicious. Sniffer-generated TCP RST packages can be viewed under Scan Policy and Object > TCP RST Package.

    Only HTTP URLs are supported.

    Send client a warning message: when enabled, after the TCP connection is reset the client is shown a comfort page stating that the URL is blocked and the file cannot be downloaded. Click the edit icon to customize the font size, background and font color in the HTML editor. The page source must contain “%%URL%%”, which is replaced with the blocked URL. Because that value comes from the client's own request, view a rendered page once to confirm the URL appears as escaped text rather than as raw HTML.

    Enable logging for TCP RST: records whether the FortiSandbox (FSA) sent RST packets, in Log & Events > Events > Job Events.

Keep incomplete files

    Keep files whose TCP session did not complete. Select the checkbox to keep incomplete files. An incomplete file can still be useful for detecting known viruses, since a signature match does not require the whole file.

    Enable Conserve mode

When this option is enabled, the sniffer enters conserve mode when it is overloaded, for example when the pending job queue grows too large (250K jobs), when sniffed traffic exceeds the model's optimal throughput, or when HDD or RAM disk usage is too high.

    In conserve mode, the sniffer only extracts executable (.exe) and MS Office files.

    Optimal traffic throughput:

    • FSA-3000F: 9.6 Gbps
    • FSA-3000E: 8 Gbps
    • FSA-2000E: 4 Gbps
    • FSA-1500G: 4 Gbps
    • FSA-1000F: 1 Gbps
    • FSA-1000F-DC: 1 Gbps
    • FSA-500G: 500 Mbps
    • FSA-500F: 500 Mbps
    • FSA-VM00: 1 Gbps

    Max file size

The maximum size of files captured by the sniffer. Enter a value in the text box. The default is 2 MB and the maximum is 200 MB.

    Files that exceed the maximum file size are not extracted for scanning.

    Service Types

    Select the traffic protocol that the sniffer will work on. Options include: FTP, HTTP, IMAP, POP3, SMB, OTHER and SMTP.

    The OTHER service type is for raw TCP protocol traffic.

    File Types

Select the file types to extract from traffic. When All is checked, all files in the traffic are extracted. You can also add extra file extensions by entering them in the File Types field and clicking Add > OK; delete one later by clicking the trash can icon beside it and clicking OK.

    When the URLs in Email type is selected, URLs embedded in the email body are extracted and scanned as WEBLink type. You can set the number of URLs to extract from each email, from 1 to 5.

    Enable network alert detection

Select the checkbox to enable network alert detection. This feature inspects sniffed live traffic for connections to botnet servers, intrusion attempts, and visits to suspicious websites, using Fortinet IPS and Web Filtering technologies.

    Alerts can be viewed in the Network Alerts page.

    For URL visits, certain categories can be treated as benign in Scan Policy and Object > Web Category.

Enable TCP RST for IPS

    Resets connections flagged by the IPS attack and botnet detection. When the TCP connection is terminated, a notification informs the user that the URL is blocked and cannot be accessed.

When an interface is used in sniffer mode, it loses its IP address and its interface settings cannot be changed.
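To make the interaction between File Types, Max file size and Keep incomplete files concrete, here is an added example of a minimal file extractor over a reassembled server-to-client HTTP stream. It is illustrative code written for this page, not FortiSandbox's own extractor (which is not public); it assumes a plain response with Content-Length (no chunked encoding), takes the file name from Content-Disposition, and uses constructed sample streams rather than captured traffic.

```python
import re

DEFAULT_MAX_FILE_SIZE = 2 * 1024 * 1024   # the page's default of 2 MB (hard maximum 200 MB)


def _parse_headers(head: bytes) -> dict:
    """Map lower-cased header names to values for one HTTP response head."""
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def extract_http_file(stream: bytes, *, allowed_ext=None,
                      max_size=DEFAULT_MAX_FILE_SIZE, keep_incomplete=False,
                      session_closed=True):
    """Pull one downloaded file out of a reassembled server->client HTTP stream.

    allowed_ext     -- set of extensions to extract; None means All (File Types)
    max_size        -- byte cap on extracted files (Max file size)
    keep_incomplete -- keep a file whose session ended early (Keep incomplete files)
    session_closed  -- whether the TCP session closed cleanly; only consulted when
                       the response carries no Content-Length
    Returns (record, reason); record is None whenever the file is not kept.
    """
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None, "no-headers"                  # head never finished; nothing usable
    hdrs = _parse_headers(head)
    m = re.search(rb'filename="?([^";]+)"?', hdrs.get(b"content-disposition", b""))
    name = m.group(1).decode("latin-1") if m else "unnamed"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if allowed_ext is not None and ext not in allowed_ext:
        return None, "type-not-selected"
    declared = int(hdrs[b"content-length"]) if b"content-length" in hdrs else None
    # Use the declared length when present so an oversized download is dropped
    # before it is buffered; otherwise fall back to the bytes seen on the wire.
    if (declared if declared is not None else len(body)) > max_size:
        return None, "exceeds-max-size"
    if declared is not None:
        body = body[:declared]                     # ignore any pipelined follow-on data
        complete = len(body) == declared
    else:
        complete = session_closed                  # no length: only a clean close proves it
    if not complete and not keep_incomplete:
        return None, "incomplete-dropped"
    return {"name": name, "ext": ext, "size": len(body), "declared": declared,
            "complete": complete, "data": body}, "ok"


# Constructed sample streams (not captured traffic): a small EXE download, the
# same download cut off by a reset, and a download whose declared size is too big.
SAMPLE_COMPLETE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Disposition: attachment; filename=\"invoice.exe\"\r\n"
                   b"Content-Length: 16\r\n\r\n" + b"MZ" + b"\x00" * 14)
SAMPLE_TRUNCATED = SAMPLE_COMPLETE[:-6]
SAMPLE_TOO_BIG = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Disposition: attachment; filename=\"big.iso\"\r\n"
                  b"Content-Length: 3000000\r\n\r\n" + b"\x00" * 64)

if __name__ == "__main__":
    cases = [("complete", SAMPLE_COMPLETE, {}),
             ("truncated", SAMPLE_TRUNCATED, {}),
             ("truncated+keep", SAMPLE_TRUNCATED, {"keep_incomplete": True}),
             ("too big", SAMPLE_TOO_BIG, {})]
    for label, stream, kw in cases:
        rec, why = extract_http_file(stream, **kw)
        detail = f" ({rec['name']}, {rec['size']} bytes, complete={rec['complete']})" if rec else ""
        print(f"{label:15} -> {why}{detail}")
```

The truncated stream shows why Keep incomplete files matters: with the option off the partial EXE is discarded, with it on the first 10 bytes are still handed to static scanning, where a signature on the MZ header can match without the rest of the file.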

Note

Currently, the dedicated TCP RST ports selected for file-based detection are the same as those selected for network alert detection. Changing the selection on one side automatically changes the other.
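The TCP RST options above (the per-session packet limit, the choice of RST ports and the advice to place them close to the endpoints) all follow from how a passive sniffer tears down a session it does not own: it must forge a reset that the endpoint will accept. The following added example, written for this page and not taken from FortiSandbox (whose implementation is not public), builds such resets in pure Python from one observed segment. It assumes IPv4 without TCP options, builds raw packets as bytes without sending them, and uses a constructed sample segment rather than captured traffic.

```python
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Assemble an IPv4/TCP packet (no link-layer header, no TCP options)
    with correct IP and TCP checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags,
                      65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields a passive sniffer needs from one observed segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {"src": pkt[12:16], "dst": pkt[16:20], "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "win": win,
            "payload_len": len(tcp) - (off_flags >> 12) * 4}


def build_rsts(seg: dict) -> tuple:
    """Return (rst_to_receiver, rst_to_sender) for one observed segment.

    The receiver of the observed segment expects the next byte at
    seg.seq + payload_len (+1 if SYN or FIN was set), so that is the SEQ of
    the RST sent to it, spoofed from the sender. The sender's next expected
    byte is seg.ack, so that is the SEQ of the RST sent back to it. Hosts
    that implement RFC 5961 accept a RST only when SEQ equals RCV.NXT
    exactly (an in-window but inexact SEQ draws a challenge ACK instead), so
    the forged packets must arrive before further data moves the window.
    That is why the RST ports should sit close to the endpoints and why a
    sniffer may need to send more than one RST per session.
    """
    nxt = seg["seq"] + seg["payload_len"]
    if seg["flags"] & (TCP_SYN | TCP_FIN):
        nxt += 1
    nxt &= 0xFFFFFFFF
    to_receiver = build_packet(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                               nxt, seg["ack"], TCP_RST | TCP_ACK)
    to_sender = build_packet(seg["dst"], seg["src"], seg["dport"], seg["sport"],
                             seg["ack"], nxt, TCP_RST | TCP_ACK)
    return to_receiver, to_sender


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IPv4 and TCP checksums of pkt verify."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(pkt[:ihl]) == 0 and _checksum(pseudo + tcp) == 0


# Constructed sample (not captured traffic): 100 bytes of an HTTP response
# from server 10.0.0.5:80 to client 192.168.1.20:51234.
SERVER, CLIENT = bytes([10, 0, 0, 5]), bytes([192, 168, 1, 20])
SAMPLE_SEGMENT = build_packet(SERVER, CLIENT, 80, 51234, 1000, 5000,
                              TCP_PSH | TCP_ACK, payload=b"X" * 100)

if __name__ == "__main__":
    seg = parse_ipv4_tcp(SAMPLE_SEGMENT)
    for label, rst in zip(("to client", "to server"), build_rsts(seg)):
        p = parse_ipv4_tcp(rst)
        print(f"RST {label}: seq={p['seq']} ack={p['ack']} checksums_ok={checksums_ok(rst)}")
```

Run stand-alone, the script prints the two resets derived from the sample segment: the one toward the client carries SEQ 1100 (1000 + 100 bytes of payload) and the one toward the server carries SEQ 5000 (the client's acknowledged position). If the next server segment has already been acknowledged by the time a reset arrives, those numbers are stale and the endpoint ignores the packet, which is the race the dedicated-port placement advice and the per-session RST limit are there to manage.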