Handbook 6.0.0

Sandbox inspection

This section explains how to set up sandbox inspection using FortiSandbox with a FortiGate.

What is sandbox inspection?

Sandbox inspection is a network process that allows files to be sent to a separate device, such as FortiSandbox, to be inspected without risking network security. This allows the detection of threats capable of bypassing other security measures, including zero-day threats.

You can configure your FortiGate device to send suspicious files to FortiSandbox for inspection and analysis. The FortiGate queries scan results and retrieves scan details. The FortiGate can also download malware packages as a complementary AV signature database to block future intrusions by the same malware and download URL packages as complementary web-filtering blocklists.

The FortiSandbox uses virtual machines (VMs) running different operating systems to test a file and to determine if it is malicious. If the file exhibits risky behavior, or is found to contain a virus, a new signature can be added to the FortiGuard AntiVirus signature database.

When a FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can quarantine the host, provided the host is registered with FortiClient.

FortiSandbox has a VM pool and processes multiple files simultaneously. The amount of time to process a file depends on hardware and the number of sandbox VMs used to scan the file. For example, it can take 60 seconds to five minutes to process a file. FortiSandbox has a robust prefiltering process that, if enabled, reduces the need to inspect every file and reduces processing time. For more information on enabling prefiltering, refer to the FortiSandbox documentation.

FortiSandbox Appliance or FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud).

To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to Security Fabric > Settings.

The table below highlights the supported features of both types of FortiSandbox:

Feature                                          FortiSandbox Appliance (including VM)     FortiSandbox Cloud
Sandbox inspection for FortiGate                 Yes (FortiOS 5.0.4+)                      Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail                 Yes (FortiMail OS 5.1+)                   Yes (FortiMail OS 5.3+)
Sandbox inspection for FortiWeb                  Yes (FortiWeb OS 5.4+)                    Yes (FortiWeb OS 5.5.3+)
Sandbox inspection for FortiClient               Yes (FortiClient 5.4+ for Windows only)   No
Sandbox inspection for network share             Yes                                       No
Sandbox inspection for ICAP client               Yes                                       No
Manual file upload for analysis                  Yes                                       Yes
Sniffer mode                                     Yes                                       Yes
File status feedback and report                  Yes                                       Yes
Dynamic Threat Database updates for FortiGate    Yes (FortiOS 5.4+)                        Yes (FortiOS 5.4+)
Dynamic Threat Database updates for FortiClient  Yes (FortiClient 5.4 for Windows only)    Yes (FortiClient 5.6+ for Windows only)

Note that a separate Dynamic Threat Database is maintained for FortiMail.

Sending files for sandbox inspection

Sandbox inspection assists in the discovery of new threats and the creation of new signatures to be added to the global FortiGuard AntiVirus database. Files deemed malicious are immediately added to a custom Malware Package, which the FortiGate downloads every two minutes for live detection.

To enable Sandbox Inspection, go to Security Fabric > Settings. On the same page you can also configure the FortiSandbox type, server, and notifier email.

To view options for sending files for sandbox inspection, follow these steps:

  1. Go to Security Profiles > AntiVirus.
  2. Enable Content Disarm and Reconstruction. Under Original File Destination, select FortiSandbox.
  3. Enable Treat Windows Executables in Email Attachments as Viruses. Three options are available for sending files: None, Suspicious Files Only, or All Supported Files. The All Supported Files option additionally lets you withhold files from submission by file type or by name pattern.
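The Security Fabric settings and the AntiVirus profile steps above can also be applied from the FortiOS CLI. The following configuration is an added example written for this page from my recollection of the FortiOS 6.0 CLI, not a configuration taken from Fortinet's documentation; the server address, notifier email and profile name are placeholders, and the `ftgd-analytics`, `analytics-db` and `content-disarm` keywords should be checked against the CLI reference for your build before use.

```fortios
# Added example (assumption: FortiOS 6.0 CLI syntax), not from the original page.
# Step A: point the FortiGate at a FortiSandbox appliance and set the notifier email
#         (Security Fabric > Settings in the GUI). 192.0.2.10 and secops@example.com
#         are placeholder values.
config system fortisandbox
    set status enable
    set server "192.0.2.10"
    set email "secops@example.com"
end

# Step B: AntiVirus profile (Security Profiles > AntiVirus in the GUI).
config antivirus profile
    edit "av-sandbox"
        # GUI choice None / Suspicious Files Only / All Supported Files
        # maps to disable / suspicious / everything.
        set ftgd-analytics suspicious
        # Use FortiSandbox malware verdicts alongside the FortiGuard signature set.
        set analytics-db enable
        # Content Disarm and Reconstruction: keep the original file by sending it
        # to FortiSandbox rather than discarding it.
        config content-disarm
            set original-file-destination fortisandbox
        end
        config http
            set options scan
            set content-disarm enable
        end
        # Treat Windows Executables in Email Attachments as Viruses.
        config smtp
            set options scan
            set executables virus
        end
        config imap
            set options scan
            set executables virus
        end
        config pop3
            set options scan
            set executables virus
        end
    next
end
```

The profile has no effect until it is referenced from a firewall policy with UTM enabled (`set utm-status enable` and `set av-profile "av-sandbox"` in `config firewall policy`), and on a proxy- or flow-mode policy that actually carries the protocols listed in the profile. Choosing `suspicious` rather than `everything` keeps submission volume within the 60-second to five-minute per-file processing window described above; raise it to `everything` only on links where the extra latency is acceptable.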

To learn how to connect the FortiSandbox, go to Using FortiSandbox with a FortiGate.
