Sandbox

23.4.0

Sandbox

Sandbox is a service that uploads and analyzes files that FortiGate antivirus (AV) marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator configures Send files to FortiSandbox for inspection to enable the FortiGate to upload suspicious files to FortiSandbox for analysis. Once uploaded, the file is executed and the resulting behavior is analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database, it receives the new signature. The turnaround time for cloud sandboxing and AV submission ranges from ten minutes for automated Sandbox detection to ten hours if FortiGuard Labs is involved.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The behaviors that FortiGate Cloud Premium Analytics considers suspicious change depending on the current threat climate and other factors.

The FortiGate Cloud Premium console enables administrators to view the status of any suspicious files uploaded: pending, clean, malware, or unknown. The console also provides data on time, user, and location of the infected file for forensic analysis.

The Sandbox tab collects information that the FortiSandbox SaaS service compiles. FortiSandbox SaaS submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files' results.

FortiSandbox SaaS regions include Global, Europe, U.S., and Japan.

For devices with a paid FortiSandbox SaaS license, FortiGate Cloud supports 365 days of records and file submission limits, based on the model. For devices without a paid FortiSandbox SaaS license, FortiGate Cloud supports limited file submissions (100 per day/2 per minute) and up to seven days of records for FortiGates running FortiOS 6.2 and earlier versions.

To set up Sandbox:
  1. Complete the FortiSandbox SaaS steps.
  2. In Security Profiles > AntiVirus, create a profile that has Send files to FortiSandbox for inspection configured.
  3. Create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.
  4. Once devices have uploaded some files to FortiSandbox SaaS, log in to the FortiGate Cloud Premium portal to see the results.

To upload a sample to Sandbox:
  1. Go to Sandbox > Scan results.
  2. Click Upload sample.
  3. Browse to and select a file to upload, then click Submit. Once analysis completes, Scan results displays the results.

To configure Sandbox settings:
  1. Go to Sandbox > Sandbox settings.
  2. In the Days to retain data field, configure the number of days to retain log data.
  3. Click Apply.
