Fortinet white logo
Fortinet white logo

Configuring FortiAnalyzer to detect FortiSandbox devices

Configuring FortiAnalyzer to detect FortiSandbox devices

You can use FortiAnalyzer to monitor FortiSandbox devices. Some configurations are required on FortiSandbox to add the device to FortiAnalyzer. After you add the device, go to FortiView > Threats > FortiSandbox Detection to view the scanned files.

To detect FortiSandbox on FortiAnalyzer:
  1. Create a firewall policy on FortiSandbox.
  2. Create a log server on FortiSandbox.
  3. Add FortiSandbox to FortiAnalyzer.

Creating a firewall policy on FortiSandbox

You can use the CLI console in FortiSandbox to configure a firewall policy, then specify the IP address of the FortiAnalyzer you want to monitor the FortiSandbox.

To create a firewall policy on FortiSandbox:
  1. In the FortiGate device, click the CLI Console icon on the right-side of the banner on any page.
  2. Specify the FortiSandbox in the global configuration:

    config antivirus profile

    edit "test"

    set ftgd-analytics everything config http

    set options scan avmonitor

    end config ftp

    set options scan avmonitor

    end config imap

    set options scan

    end config pop3

    set options scan

    end config smtp

    set options scan

    end config nntp

    set options scan

    end

    next

    end

  3. Create an antivirus profile to allow FortiGate to submit all files scanned by AntiVirus to FortiSandbox. The following is a sample AntiVirus profile:

    config firewall policy

    edit 13

    set name "to-server1"

    set uuid 5107b480-3d19-51e8-f1c1-571602a6375b

    set srcintf "lan"

    set dstintf "wan1"

    set srcaddr "net-local"

    set dstaddr "server1"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set fsso disable

    set av-profile "test"

    set ssl-ssh-profile "certificate-inspection"

    set nat enable

    next

    end

  4. Use the antivirus profile in the firewall policy. The following is a sample firewall policy:

    config firewall policy

    edit 13

    set name "to-server1"

    set uuid 5107b480-3d19-51e8-f1c1-571602a6375b

    set srcintf "lan"

    set dstintf "wan1"

    set srcaddr "net-local"

    set dstaddr "server1"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set fsso disable

    set av-profile "test"

    set ssl-ssh-profile "certificate-inspection"

    set nat enable

    next

    end

  5. Specify the IP address of the FortiAnalyzer unit for FortiGate to send logs.

    configure log fortianalyzer setting

    set status enable

    set server <ip address of FortiAnalyzer> set upload-option realtime

    end

Creating a log server for FortiAnalyzer

Use FortiSandbox to create a log server to specify the FortiAnalyzer that will monitor the scanned files.

To create a log server on FortiSandbox:
  1. On FortiSandbox, go to Log & Report > Log Servers.
  2. Click Create New in the toolbar and configure the following settings:
    Name Enter a name for the new server entry.
    Type Select FortiAnalyzer from the dropdown list.
    Log Server Address Enter the log server IP address for the FortiAnalyzer device.
    Port Enter the port number. The default port is 514.
    Status Select Enable to send logs to the server.
    Log Level
    • Set the logging levels to be forwarded to the log server. The following options are available:

      Enable Alert Logs. By default, only logs of non-Clean rated jobs are sent. Users can choose to send Clean Job Alert Logs by selecting Include job with Clean Rating.
    • Enable Critical Logs
    • Enable Error Logs
    • Enable Warning Logs
    • Enable Information Logs
    • Enable Debug Logs

Adding FortiSandbox to FortiAnalyzer

You can use the IP address of the configured FortiSandbox to add it to FortiAnalyzer with Device Manager.

To add the FortiSandbox:
  1. In FortiAnalyzer, go to Device Manager.
  2. Click Add Device, and enter the FortiSandbox information into the dialog box.
    Device Name Type a name for the FortiSandbox device.

    Link Device By

    Serial Number.

    Serial Number Type the serial number for the FortiSandbox device.
    Device Model Select the model of the FortiSandbox device.
    Description Type a description of the FortiSandbox device (optional).
  3. Click Next.
    The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.
  4. Click Finish.
  5. In Device Manager, select the FortiSandbox you added, and click Edit in the toolbar.
  6. Enter the Admin User and Password to allow FortiAnalyzer to access the FortiSandbox, then click OK.
To view FortiSandbox scanned files:
  1. Go to FortiView > FortiView > Threats > FortiSandbox Detection to view the files scanned by FortiSandbox.
  2. Click a file to view the Drilldown Panel.

  3. Click the FortiSandbox Scan link to view the Sandbox Execution Details panel.

Configuring FortiAnalyzer to detect FortiSandbox devices

Configuring FortiAnalyzer to detect FortiSandbox devices

You can use FortiAnalyzer to monitor FortiSandbox devices. Some configurations are required on FortiSandbox to add the device to FortiAnalyzer. After you add the device, go to FortiView > Threats > FortiSandbox Detection to view the scanned files.

To detect FortiSandbox on FortiAnalyzer:
  1. Create a firewall policy on FortiSandbox.
  2. Create a log server on FortiSandbox.
  3. Add FortiSandbox to FortiAnalyzer.

Creating a firewall policy on FortiSandbox

You can use the CLI console in FortiSandbox to configure a firewall policy, then specify the IP address of the FortiAnalyzer you want to monitor the FortiSandbox.

To create a firewall policy on FortiSandbox:
  1. In the FortiGate device, click the CLI Console icon on the right-side of the banner on any page.
  2. Specify the FortiSandbox in the global configuration:

    config antivirus profile

    edit "test"

    set ftgd-analytics everything config http

    set options scan avmonitor

    end config ftp

    set options scan avmonitor

    end config imap

    set options scan

    end config pop3

    set options scan

    end config smtp

    set options scan

    end config nntp

    set options scan

    end

    next

    end

  3. Create an antivirus profile to allow FortiGate to submit all files scanned by AntiVirus to FortiSandbox. The following is a sample AntiVirus profile:

    config firewall policy

    edit 13

    set name "to-server1"

    set uuid 5107b480-3d19-51e8-f1c1-571602a6375b

    set srcintf "lan"

    set dstintf "wan1"

    set srcaddr "net-local"

    set dstaddr "server1"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set fsso disable

    set av-profile "test"

    set ssl-ssh-profile "certificate-inspection"

    set nat enable

    next

    end

  4. Use the antivirus profile in the firewall policy. The following is a sample firewall policy:

    config firewall policy

    edit 13

    set name "to-server1"

    set uuid 5107b480-3d19-51e8-f1c1-571602a6375b

    set srcintf "lan"

    set dstintf "wan1"

    set srcaddr "net-local"

    set dstaddr "server1"

    set action accept

    set schedule "always"

    set service "ALL"

    set utm-status enable

    set logtraffic all

    set fsso disable

    set av-profile "test"

    set ssl-ssh-profile "certificate-inspection"

    set nat enable

    next

    end

  5. Specify the IP address of the FortiAnalyzer unit for FortiGate to send logs.

    configure log fortianalyzer setting

    set status enable

    set server <ip address of FortiAnalyzer> set upload-option realtime

    end

Creating a log server for FortiAnalyzer

Use FortiSandbox to create a log server to specify the FortiAnalyzer that will monitor the scanned files.

To create a log server on FortiSandbox:
  1. On FortiSandbox, go to Log & Report > Log Servers.
  2. Click Create New in the toolbar and configure the following settings:
    Name Enter a name for the new server entry.
    Type Select FortiAnalyzer from the dropdown list.
    Log Server Address Enter the log server IP address for the FortiAnalyzer device.
    Port Enter the port number. The default port is 514.
    Status Select Enable to send logs to the server.
    Log Level
    • Set the logging levels to be forwarded to the log server. The following options are available:

      Enable Alert Logs. By default, only logs of non-Clean rated jobs are sent. Users can choose to send Clean Job Alert Logs by selecting Include job with Clean Rating.
    • Enable Critical Logs
    • Enable Error Logs
    • Enable Warning Logs
    • Enable Information Logs
    • Enable Debug Logs

Adding FortiSandbox to FortiAnalyzer

You can use the IP address of the configured FortiSandbox to add it to FortiAnalyzer with Device Manager.

To add the FortiSandbox:
  1. In FortiAnalyzer, go to Device Manager.
  2. Click Add Device, and enter the FortiSandbox information into the dialog box.
    Device Name Type a name for the FortiSandbox device.

    Link Device By

    Serial Number.

    Serial Number Type the serial number for the FortiSandbox device.
    Device Model Select the model of the FortiSandbox device.
    Description Type a description of the FortiSandbox device (optional).
  3. Click Next.
    The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit.
  4. Click Finish.
  5. In Device Manager, select the FortiSandbox you added, and click Edit in the toolbar.
  6. Enter the Admin User and Password to allow FortiAnalyzer to access the FortiSandbox, then click OK.
To view FortiSandbox scanned files:
  1. Go to FortiView > FortiView > Threats > FortiSandbox Detection to view the files scanned by FortiSandbox.
  2. Click a file to view the Drilldown Panel.

  3. Click the FortiSandbox Scan link to view the Sandbox Execution Details panel.