Fortinet black logo

Administration Guide

Sandbox integration

Copy Link
Copy Doc ID 30b84173-e130-11ec-bb32-fa163e15d75b:606396
Download PDF

Sandbox integration

When a sandbox such as FortiSandbox is configured and the Sandbox Analysis Policy rule is enabled, files that meet several conditions and that have not been previously analyzed trigger a sandbox analysis event on FortiEDR and are sent to the sandbox. The conditions are a combination of several items, such as the file was downloaded from the Internet and was not signed by a known vendor. If the file is found to be clean, the event is automatically classified as safe and is archived. If the file is determined by the sandbox to be suspicious or malicious, then the event is classified as non-safe and any future execution attempt of the file in the environment is blocked by one of the Pre-execution (NGAV) Policy rules. Note that in all cases the first file execution is not delayed or blocked.

Before you start sandbox configuration, make sure that:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to the sandbox.

    Details about how to install a FortiEDR Core and configure it as a JumpBox are described in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a JumpBox.

  • The FortiEDR Central Manager has connectivity to Fortinet Cloud Services (FCS).
  • You have a valid API user with access to the sandbox.
To set up a sandbox connector with FortiEDR:
  1. Click the Add Connector button and select Sandbox in the Connectors dropdown list. The following displays:

  2. Fill in the following fields:

    Field

    Definition

    JumpBoxSelect the FortiEDR JumpBox that will communicate with this sandbox.
    NameSpecify a name of your choice which will be used to identify this sandbox.
    TypeSelect the type of sandbox to be used in the dropdown list, for example: FortiSandbox.
    HostSpecify the IP or DNS address of you sandbox.
    PortSpecify the port that is used for API communication with your sandbox.
    API Key

    Specify authentication details of your sandbox. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external NAC system API username and password.

  3. Click Save.

    In order to complete sandbox integration, the Sandbox Scan rule must be enabled with the FortiEDR Central Manager.

To enable the Sandbox scan rule:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the Execution Prevention policy that is applied on devices for which you want the sandbox scan to apply and click the Disabled button next to the Sandbox Analysis rule to enable it, as shown below:

FortiEDR is now configured to send unknown files to the sandbox.

You can check file analysis on your sandbox console.

In addition, you can see sandbox analysis events in the Events page. Events of files that were found to be clean appear under the Archived Events filter and events of files that were found to be risky are displayed under the All filter, such as shown below. A sandbox analysis digest is added to the security event’s handling comment.

Sandbox integration

When a sandbox such as FortiSandbox is configured and the Sandbox Analysis Policy rule is enabled, files that meet several conditions and that have not been previously analyzed trigger a sandbox analysis event on FortiEDR and are sent to the sandbox. The conditions are a combination of several items, such as the file was downloaded from the Internet and was not signed by a known vendor. If the file is found to be clean, the event is automatically classified as safe and is archived. If the file is determined by the sandbox to be suspicious or malicious, then the event is classified as non-safe and any future execution attempt of the file in the environment is blocked by one of the Pre-execution (NGAV) Policy rules. Note that in all cases the first file execution is not delayed or blocked.

Before you start sandbox configuration, make sure that:

  • Your FortiEDR deployment includes a JumpBox that has connectivity to the sandbox.

    Details about how to install a FortiEDR Core and configure it as a JumpBox are described in Setting up the FortiEDR Core. You may refer to Cores for more information about configuring a JumpBox.

  • The FortiEDR Central Manager has connectivity to Fortinet Cloud Services (FCS).
  • You have a valid API user with access to the sandbox.
To set up a sandbox connector with FortiEDR:
  1. Click the Add Connector button and select Sandbox in the Connectors dropdown list. The following displays:

  2. Fill in the following fields:

    Field

    Definition

    JumpBoxSelect the FortiEDR JumpBox that will communicate with this sandbox.
    NameSpecify a name of your choice which will be used to identify this sandbox.
    TypeSelect the type of sandbox to be used in the dropdown list, for example: FortiSandbox.
    HostSpecify the IP or DNS address of you sandbox.
    PortSpecify the port that is used for API communication with your sandbox.
    API Key

    Specify authentication details of your sandbox. To use an API token, click the API Key radio button and copy the token value into the text box. To use API credentials, click the Credentials radio button and fill in the external NAC system API username and password.

  3. Click Save.

    In order to complete sandbox integration, the Sandbox Scan rule must be enabled with the FortiEDR Central Manager.

To enable the Sandbox scan rule:
  1. Navigate to the SECURITY SETTINGS > Security Policies page.
  2. Open the Execution Prevention policy that is applied on devices for which you want the sandbox scan to apply and click the Disabled button next to the Sandbox Analysis rule to enable it, as shown below:

FortiEDR is now configured to send unknown files to the sandbox.

You can check file analysis on your sandbox console.

In addition, you can see sandbox analysis events in the Events page. Events of files that were found to be clean appear under the Archived Events filter and events of files that were found to be risky are displayed under the All filter, such as shown below. A sandbox analysis digest is added to the security event’s handling comment.