Fortinet Document Library
Version: 21.2.0
SandBox

Cloud Sandbox is a service that uploads and analyzes files that FortiGate AV marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable the FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior is analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database, it receives the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes for automated SandBox detection to ten hours if FortiGuard Labs is involved.

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus. The behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors.

The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensic analysis. SandBoxing is available in both free and paid FortiGate Cloud subscriptions.

The SandBox tab collects information that the Cloud Sandbox service compiles. Cloud Sandbox submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files' results.

You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.

To set up Sandbox:
  1. Complete the steps in To add a FortiSandbox cloud instance to the Security Fabric.
  2. In Security Profiles > AntiVirus, create a profile that has Send Files to FortiSandbox Cloud For Inspection configured.
  3. Create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.
  4. Once devices have uploaded some files to Cloud Sandbox, log in to the FortiGate Cloud portal to see the results.

Dashboard

You can see an overview of the Sandbox results on the Dashboard.

The Dashboard contains the following widgets:

  • System Status: Quick view of the current state of the AV databases and load.
  • Top 5 Targeted Hosts (Last 24 Hours): Displays which hosts received the most threats during the last 24 hours.
  • Scan Result (Today and Past 7 Days): Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget.
  • Top 20 File Types (Last 24 Hours): Displays the most commonly analyzed file types in the last 24 hours of scanning.

Files and On-Demand Records

Files Records displays files that your connected device's AV has flagged as suspicious and that have been uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis and view the analysis results. These pages may not appear if you do not have the Cloud Sandbox service enabled on the connected device.

You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.

The maximum file size is 10 MB. The processing time may vary based on the file size.

Setting

In Setting, you can configure Cloud Sandbox settings:

  • Enable Alert Setting: to enable alert emails, enter one or more email addresses (one per line) to receive alerts, and set which severity level triggers sending alert emails.
  • Log Retention: set the number of days to retain log data.
  • Malware Package Options and URL Package Options: select the risk level of data that is automatically submitted to FortiGuard to further antithreat research.

To configure Sandbox alert emails:
  1. Go to SandBox > Setting.
  2. Select Enable Alert Setting.
  3. Enter the email addresses to contact in the event of a Sandbox alert.
  4. Select the severity levels to trigger an alert.
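The following Python helper is an added illustration and is not part of this documentation or of any FortiGate Cloud API. It mirrors the three checks a SOC would apply locally when working with the Files Records and Setting pages described above: the 10 MB on-demand upload limit, the one-address-per-line alert recipient list, and an alert threshold on the risk level of finished analyses. The record layout, the risk ordering (low/medium/high) and the sample rows are constructed assumptions; only the verdict states Pending, Clean, Malware and Unknown and the 10 MB limit come from the page.

```python
"""Local triage helper modelled on the Cloud Sandbox workflow described above.

Everything here is a constructed illustration: the record layout, the risk
ordering and the sample data are assumptions, not a FortiGate Cloud API.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # 10 MB on-demand limit stated by the docs

# Verdict states the portal shows for an uploaded file (from the page).
VERDICTS = {"Pending", "Clean", "Malware", "Unknown"}

# Hypothetical risk ordering used for the alert threshold; the portal's own
# severity names are not given on the page, so these labels are assumed.
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}


def check_upload_size(size_bytes: int) -> bool:
    """True if a file of this size can be submitted for on-demand analysis."""
    return 0 < size_bytes <= MAX_UPLOAD_BYTES


def parse_alert_recipients(text: str) -> List[str]:
    """Parse the 'one email per line' alert list, dropping blanks and duplicates."""
    seen: List[str] = []
    for line in text.splitlines():
        addr = line.strip()
        if addr and "@" in addr and addr not in seen:
            seen.append(addr)
    return seen


@dataclass
class SandboxRecord:
    filename: str
    host: str
    verdict: str
    risk: Optional[str]  # None while the file is still Pending


def should_alert(rec: SandboxRecord, threshold: str) -> bool:
    """Alert when a finished analysis meets or exceeds the configured risk threshold."""
    if rec.verdict not in VERDICTS:
        raise ValueError(f"unexpected verdict {rec.verdict!r}")
    if rec.verdict == "Pending" or rec.risk is None:
        return False  # nothing to alert on until FortiGuard returns a result
    return RISK_ORDER[rec.risk] >= RISK_ORDER[threshold]


def triage(records: List[SandboxRecord], threshold: str) -> Tuple[list, list, list]:
    """Split records into alerts, files to re-check later (Pending), and the rest."""
    alerts, pending, rest = [], [], []
    for rec in records:
        if rec.verdict == "Pending":
            pending.append(rec)
        elif should_alert(rec, threshold):
            alerts.append(rec)
        else:
            rest.append(rec)
    return alerts, pending, rest


# Constructed sample data standing in for rows of a Files Records view.
SAMPLE = [
    SandboxRecord("invoice.docm", "10.0.0.12", "Malware", "high"),
    SandboxRecord("setup.exe", "10.0.0.7", "Unknown", "medium"),
    SandboxRecord("notes.pdf", "10.0.0.12", "Clean", "low"),
    SandboxRecord("update.zip", "10.0.0.3", "Pending", None),
]

if __name__ == "__main__":
    # Constructed alert list as it would be pasted into Enable Alert Setting.
    recipients = parse_alert_recipients("soc@example.com\n\nsoc@example.com\nir@example.com\n")
    alerts, pending, _ = triage(SAMPLE, "medium")
    for rec in alerts:
        print(f"ALERT -> {', '.join(recipients)}: {rec.filename} on {rec.host} ({rec.verdict}/{rec.risk})")
    for rec in pending:
        print(f"re-check later: {rec.filename}")
```

Pending records are deliberately kept apart from the non-alerting ones so that a scheduled job can re-query them after the ten-minute to ten-hour turnaround window rather than silently treating "no verdict yet" as "clean".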
