23.4.0
Sandbox

FortiSandbox SaaS is a service that uploads and analyzes files that FortiGate antivirus (AV) marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database it has the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes for automated SandBox detection to ten hours if FortiGuard Labs is involved.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors.

The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: pending, clean, malware, or unknown. The console also provides data on time, user, and location of the infected file for forensic analysis.

The SandBox tab collects information that the FortiSandbox SaaS service compiles. FortiSandbox SaaS submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files' results.

You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.

FortiSandbox SaaS regions include Global, Europe, U.S., and Japan.

The FortiSandbox SaaS feature allows the following file upload sources:

  • File uploads from FortiGate:
    • For a FortiGate without a FortiSandbox SaaS subscription (see License types), FortiSandbox SaaS supports up to 100 uploads per day or two uploads per minute.

    • For FortiGates with a FortiSandbox SaaS subscription, the below upload limits apply:

      FortiGate model                          Per minute   Per day
      FortiGate 30-90/VM00                     5            7 200
      FortiGate 100-400/VM01                   10           14 400
      FortiGate 500-900/VM02, VM04             20           28 880
      FortiGate 1000-2000/VM08, VM16           50           72 000
      FortiGate 3000/VM32 and higher models    100          144 000

  • For manual uploads from FortiGate Cloud, FortiSandbox SaaS supports up to 50 uploads per day per account.
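
The upload limits above matter to anyone automating sample submission, because uploads beyond the quota are simply not accepted. The following is an added example, not Fortinet code: a sliding-window throttle that enforces both the per-minute and the per-day limits from the table (the model-family keys are constructed labels, and the unsubscribed and manual-upload limits come from the text above).

```python
"""Sliding-window submission throttle for FortiSandbox SaaS upload quotas.

Added example (not Fortinet code). The limits are taken from the
documentation table; the dictionary keys are constructed labels.
"""
from collections import deque

# (per minute, per day) for FortiGates with a FortiSandbox SaaS subscription.
SUBSCRIBED_LIMITS = {
    "30-90/VM00": (5, 7_200),
    "100-400/VM01": (10, 14_400),
    "500-900/VM02-VM04": (20, 28_880),
    "1000-2000/VM08-VM16": (50, 72_000),
    "3000/VM32+": (100, 144_000),
}
UNSUBSCRIBED_LIMITS = (2, 100)    # FortiGate without a subscription
MANUAL_UPLOAD_LIMITS = (None, 50)  # manual uploads from FortiGate Cloud, per account


class SubmissionQuota:
    """Records upload times and refuses uploads that would exceed a window."""

    def __init__(self, per_minute, per_day):
        self.per_minute = per_minute   # None means no per-minute cap
        self.per_day = per_day
        self._minute = deque()
        self._day = deque()

    @staticmethod
    def _prune(window, now, span):
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= span:
            window.popleft()

    def try_submit(self, now):
        """Return True and record the upload if both windows have room."""
        self._prune(self._minute, now, 60)
        self._prune(self._day, now, 86_400)
        if self.per_minute is not None and len(self._minute) >= self.per_minute:
            return False
        if len(self._day) >= self.per_day:
            return False
        self._minute.append(now)
        self._day.append(now)
        return True


def quota_for(model_family, subscribed):
    """Build the quota for a FortiGate model family and subscription state."""
    per_minute, per_day = SUBSCRIBED_LIMITS[model_family] if subscribed else UNSUBSCRIBED_LIMITS
    return SubmissionQuota(per_minute, per_day)


def simulate(quota, upload_times):
    """Return one accept/reject decision per attempted upload time (seconds)."""
    return [quota.try_submit(t) for t in upload_times]
```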

To set up Sandbox:
  1. Complete the FortiGate Cloud Sandbox steps.
  2. In Security Profiles > AntiVirus, create a profile that has Send files to FortiSandbox Cloud for inspection configured.
  3. Create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.
  4. Once devices have uploaded some files to FortiSandbox SaaS, log in to the FortiGate Cloud portal to see the results.

To upload a sample to Sandbox:
  1. Go to Sandbox > Scan Results.
  2. Click Upload Sample.
  3. Browse to and select a file to upload, then click Submit. Once analysis completes, Scan Results displays the results.

Dashboard

You can see an overview of the Sandbox results on the Dashboard.

The Dashboard contains the following widgets:

Widget / Description

System Status
  Quick view of the current state of the AV databases and load.

Top 5 Targeted Hosts (Last 24 Hours)
  Displays which hosts received the most threats during the last 24 hours.

Scan Result (Today and Past 7 Days)
  Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget.

Top 20 File Types (Last 24 Hours)
  Displays the most commonly analyzed file types in the last 24 hours of scanning.

Files and On-Demand Records

Files Records displays files that your connected device's AV has flagged as suspicious, which have been uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis, and view the analysis results. These pages may not appear if you do not have the FortiSandbox SaaS service enabled on the connected device.

You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.

The maximum file size is 10 MB. The processing time may vary based on the file size.

Setting

In Configuration > Sandbox Setting, you can configure FortiSandbox SaaS settings:

Setting / Description

Enable Alert Setting
  • Enable alert emails
  • Enter multiple emails (one per line) to receive alerts
  • Set which severity level triggers sending alert emails

Log Retention
  Set the number of days to retain log data.

Malware Package Options
  Select the risk level of data that is automatically submitted to FortiGuard to further antithreat research.

URL Package Options

If multitenancy is enabled, you can also configure the target subaccount to apply Sandbox settings to. You can also choose whether to apply the Sandbox settings to all lower-level subaccounts of that subaccount.

To configure Sandbox alert emails:
  1. Go to Configuration > Sandbox Setting.
  2. Select Enable Alert Setting.
  3. Enter emails into the list to contact in the event of a Sandbox alert.
  4. Select the severity levels to trigger an alert.
  5. Click Save.
