
Handbook

Example configuration

6.0.0

The following example configuration sets up FortiSandbox integration using AntiVirus, Web Filtering, and a FortiClient profile. It assumes that a connection between the FortiSandbox Appliance and the FortiGate is established.

  1. Go to Security Fabric > Settings and confirm that Sandbox Inspection is enabled and the FortiSandbox Appliance is connected.
  2. Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, select All Supported Files to be sent for inspection and enable Use FortiSandbox Database. You have the option of withholding files by name or pattern. Select Apply.
  3. Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox. Select Apply.
  4. Go to Security Profiles > FortiClient Compliance and edit the default profile. Under Security Posture Check, enable Realtime Protection. Next, enable Scan with FortiSandbox. Select Apply.
  5. Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy has AntiVirus and Web Filtering profiles scanning applied, the profiles will be listed in the Security Profiles column. To add scanning to any security policy (excluding the Implicit Deny policy), select the + button in the Security Profiles column for that policy and then select the default AntiVirus Profile, the default Web Filter Profile, the appropriate Proxy Options, and the deep-inspection profile for SSL/SSH Inspection (to ensure that encrypted traffic is inspected).
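
The check in step 5 can also be run offline against a configuration backup. The following script is an added example, not part of the original handbook: it flags accept policies that lack the AntiVirus profile, the Web Filter profile, or the deep-inspection profile, and AntiVirus profiles without the FortiSandbox options from step 2. The CLI key names (`ftgd-analytics`, `analytics-db`, `av-profile`, `webfilter-profile`, `ssl-ssh-profile`) are an assumed mapping of the GUI options above, and the sample backup is constructed.

```python
# Constructed sample of a FortiGate configuration backup (not from the page).
SAMPLE_CONFIG = """\
config antivirus profile
    edit "default"
        set ftgd-analytics everything
        set analytics-db enable
    next
end
config firewall policy
    edit 1
        set action accept
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
    edit 2
        set action accept
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
"""

def parse_table(config, table):
    """Return {entry: {key: value}} for one top-level 'config <table>' block."""
    entries, current, inside = {}, None, False
    for raw in config.splitlines():
        if raw.startswith("config "):  # top-level header; nested blocks are indented
            inside = raw.strip() == "config " + table
        elif inside and raw.startswith("    edit "):
            current = entries.setdefault(raw.split(None, 1)[1].strip().strip('"'), {})
        elif inside and raw.startswith("        set "):
            key, _, value = raw.strip()[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return entries

def audit(config):
    findings = []
    for name, av in parse_table(config, "antivirus profile").items():
        # Assumed CLI keys for "All Supported Files" and "Use FortiSandbox Database".
        if av.get("ftgd-analytics") != "everything" or av.get("analytics-db") != "enable":
            findings.append(f"antivirus profile {name}: FortiSandbox options not enabled")
    for pid, pol in parse_table(config, "firewall policy").items():
        missing = [k for k in ("av-profile", "webfilter-profile") if k not in pol]
        if pol.get("ssl-ssh-profile") != "deep-inspection":
            missing.append("deep-inspection")
        if pol.get("action") == "accept" and missing:  # deny policies carry no profiles
            findings.append(f"policy {pid}: missing " + ", ".join(missing))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports policy 2, which has no Web Filter profile and uses certificate inspection instead of deep inspection.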

Results

Suspicious files will be sent from the FortiGate to the FortiSandbox. To view information about suspicious files, go to FortiView > FortiSandbox. A list of file names and current status is displayed.

To view results on the FortiSandbox, go to the Dashboard and view the Scanning Statistics widget. There could be a delay before results appear on the FortiSandbox.

Using a Windows PC connected to the internal network, open the FortiClient registered to your FortiGate. Go to the AntiVirus tab and open Settings. The Realtime Protection settings match the FortiClient profile configured on the FortiGate. These settings can't be changed using FortiClient.

If a PC running FortiClient downloads a suspicious file that the FortiSandbox determines to be malicious, a quarantine is applied automatically. While the quarantine is in effect, FortiClient can't be shut down, uninstalled, or deregistered from the FortiGate. The quarantine can only be released from the FortiClient Monitor on the FortiGate.
