Configuring FortiAnalyzer to detect FortiSandbox devices
You can use FortiAnalyzer to monitor FortiSandbox devices. Some configurations are required on FortiSandbox to add the device to FortiAnalyzer. After you add the device, go to FortiView > Threats > FortiSandbox Detection to view the scanned files.
To detect FortiSandbox on FortiAnalyzer:
- Create a firewall policy on FortiSandbox.
- Create a log server on FortiSandbox.
- Add FortiSandbox to FortiAnalyzer.
Creating a firewall policy on FortiSandbox
You can use the CLI console in FortiSandbox to configure a firewall policy, then specify the IP address of the FortiAnalyzer you want to monitor the FortiSandbox.
To create a firewall policy on FortiSandbox:
- In the FortiGate device, click the CLI Console icon on the right-side of the banner on any page.
- Specify the FortiSandbox in the global configuration:
config antivirus profile
edit "test"
set ftgd-analytics everything config http
set options scan avmonitor
end config ftp
set options scan avmonitor
end config imap
set options scan
end config pop3
set options scan
end config smtp
set options scan
end config nntp
set options scan
end
next
end
- Create an antivirus profile to allow FortiGate to submit all files scanned by AntiVirus to FortiSandbox. The following is a sample AntiVirus profile:
config firewall policy
edit 13
set name "to-server1"
set uuid 5107b480-3d19-51e8-f1c1-571602a6375b
set srcintf "lan"
set dstintf "wan1"
set srcaddr "net-local"
set dstaddr "server1"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set fsso disable
set av-profile "test"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
- Use the antivirus profile in the firewall policy. The following is a sample firewall policy:
config firewall policy
edit 13
set name "to-server1"
set uuid 5107b480-3d19-51e8-f1c1-571602a6375b
set srcintf "lan"
set dstintf "wan1"
set srcaddr "net-local"
set dstaddr "server1"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set fsso disable
set av-profile "test"
set ssl-ssh-profile "certificate-inspection"
set nat enable
next
end
- Specify the IP address of the FortiAnalyzer unit for FortiGate to send logs.
configure log fortianalyzer setting
set status enable
set server <ip address of FortiAnalyzer> set upload-option realtime
end
Creating a log server for FortiAnalyzer
Use FortiSandbox to create a log server to specify the FortiAnalyzer that will monitor the scanned files.
To create a log server on FortiSandbox:
- On FortiSandbox, go to Log & Report > Log Servers.
- Click Create New in the toolbar and configure the following settings:
Name Enter a name for the new server entry. Type Select FortiAnalyzer from the dropdown list. Log Server Address Enter the log server IP address for the FortiAnalyzer device. Port Enter the port number. The default port is 514. Status Select Enable to send logs to the server. Log Level -
Set the logging levels to be forwarded to the log server. The following options are available:
Enable Alert Logs. By default, only logs of non-Clean rated jobs are sent. Users can choose to send Clean Job Alert Logs by selecting Include job with Clean Rating. - Enable Critical Logs
- Enable Error Logs
- Enable Warning Logs
- Enable Information Logs
- Enable Debug Logs
-
Adding FortiSandbox to FortiAnalyzer
You can use the IP address of the configured FortiSandbox to add it to FortiAnalyzer with Device Manager.
To add the FortiSandbox:
- In FortiAnalyzer, go to Device Manager.
- Click Add Device, and enter the FortiSandbox information into the dialog box.
Device Name Type a name for the FortiSandbox device. Link Device By
Serial Number.
Serial Number Type the serial number for the FortiSandbox device. Device Model Select the model of the FortiSandbox device. Description Type a description of the FortiSandbox device (optional). - Click Next.
The device is added to the ADOM and, if successful, is ready to begin sending logs to the FortiAnalyzer unit. - Click Finish.
- In Device Manager, select the FortiSandbox you added, and click Edit in the toolbar.
- Enter the Admin User and Password to allow FortiAnalyzer to access the FortiSandbox, then click OK.
To view FortiSandbox scanned files:
- Go to FortiView > FortiView > Threats > FortiSandbox Detection to view the files scanned by FortiSandbox.
- Click a file to view the Drilldown Panel.
- Click the FortiSandbox Scan link to view the Sandbox Execution Details panel.