Using FortiSandbox appliance with antivirus
Antivirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always under the threat of zero-day attacks.
Antivirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiGate can supplement its own antivirus database with FortiSandbox's database to detect files determined as malicious or risky by FortiSandbox. This helps FortiGate antivirus detect zero-day viruses and malware whose signatures are not found in the FortiGate antivirus database.
Support and limitations
- FortiSandbox can be used with antivirus in both proxy-based and flow-based inspection modes.
- Default scan mode antivirus cannot submit only suspicious files to FortiSandbox. It can only do one of the following:
  - Submit every file to FortiSandbox for inspection.
  - Not submit anything.
- With FortiSandbox enabled, legacy scan mode antivirus can do one of the following:
  - Submit only suspicious files to FortiSandbox for inspection.
  - Submit every file to FortiSandbox for inspection.
  - Not submit anything.
Network topology example
Configuring the feature
To configure antivirus to work with FortiSandbox, the following steps are required:
- Enable FortiSandbox on the FortiGate.
- Authorize FortiGate on the FortiSandbox.
- Enable FortiSandbox inspection.
- Enable use of the FortiSandbox database.
To enable FortiSandbox on the FortiGate:
- Go to Global > Security Fabric > Settings.
- Enable Sandbox Inspection.
- Enter the IP address of the FortiSandbox.
- Add an optional Notifier email if desired.
- At this point, selecting Test connectivity will return an unreachable status. This is expected, because the FortiGate is not yet authorized by the FortiSandbox.
- Click Apply to save the settings.
To authorize FortiGate on the FortiSandbox:
- In the FortiSandbox Appliance GUI, go to Scan Input > Device.
- Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the FortiGate.
- Enable the desired VDOM in the same manner.
- The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this FortiGate.
- In the FortiGate GUI, go to Global > Security Fabric > Settings.
- Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.
- FortiSandbox options are now displayed in the AV Profile page.
To enable FortiSandbox inspection:
- Go to Security Profiles > AntiVirus.
- Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files. Suspicious Files Only requires legacy scan mode; default scan mode either submits every supported file or nothing (see Support and limitations).
- Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
- Files can also be excluded from being sent to FortiSandbox by using wildcard patterns.
- Click Apply.
To enable use of the FortiSandbox database:
- Go to Security Profiles > AntiVirus.
- Enable Use FortiSandbox Database.
- Click Apply.
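The same procedure from the CLI, as an added example that is not part of the original page. Steps 1, 3 and 4 are shown; step 2 (authorizing the FortiGate) is done on the FortiSandbox and has no FortiGate-side command. The VDOM name vdom1, the profile names, the notifier address and the FortiSandbox IP 172.18.52.154 (taken from the diagnostic output below) are assumed values; `config system fortisandbox` lives in the global scope, the antivirus profile in the VDOM scope, and the `scan-mode` / `ftgd-analytics` pairing follows the Support and limitations table above:

```text
# Step 1: register the FortiSandbox appliance (GUI: Global > Security Fabric > Settings).
config global
    config system fortisandbox
        set status enable
        set server 172.18.52.154          # assumed FortiSandbox IP
        set email "soc@example.com"       # optional notifier email (assumed value)
    end
end

# Step 2 is performed on the FortiSandbox (Scan Input > Device, authorize the serial/VDOM).
# Until it is done, Test connectivity reports unreachable and no files are accepted.

# Steps 3 and 4: per-VDOM antivirus profile (GUI: Security Profiles > AntiVirus).
config vdom
    edit vdom1
        config antivirus profile
            # Default scan mode: the only sandbox choices are everything or disable.
            edit "av-default-everything"
                set scan-mode default
                set ftgd-analytics everything     # step 3: All Supported Files
                set analytics-db enable           # step 4: Use FortiSandbox Database
            next
            # Legacy scan mode: suspicious-only submission is available.
            edit "av-legacy-suspicious"
                set scan-mode legacy
                set ftgd-analytics suspicious     # step 3: Suspicious Files Only
                set analytics-db enable           # step 4: Use FortiSandbox Database
            next
        end
    next
end

# Verify from the global scope that the device is enabled for analytics and points at the right server.
config global
diagnose test application quarantined 1
end
```

Apply the profile to the firewall policies that should submit files; a profile that is not referenced by any policy submits nothing, whatever `ftgd-analytics` is set to.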
Diagnostics and Debugging
Debug on the FortiGate side
- Quarantine daemon (quarantined), which handles FortiSandbox submissions:
FGT_PROXY (global) # diagnose debug application quarantined -1
FGT_PROXY (global) # diagnose debug enable
quar_req_fsa_file()-890: fsa ext list new_version (1547781904)
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=99
quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0
__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_put_job_req()-332: Job 337 deleted
quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=98
...
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
quar_put_job_req()-332: Job 2 deleted
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
[193] __ssl_data_ctx_free: Done
[805] ssl_free: Done
[185] __ssl_cert_ctx_free: Done
[815] ssl_ctx_free: Done
[796] ssl_disconnect: Shutdown
- Appliance FortiSandbox diagnostics:
FGT_PROXY # config global
FGT_PROXY (global) # diagnose test application quarantined 1
Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.
- Checking FortiSandbox analysis statistics:
FGT_PROXY (global) # diagnose test application quarantine 7
Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
FGT_PROXY (global) #
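The three FortiGate outputs above are what a monitoring job would scrape over SSH from a fleet of FortiGates. The parser below is an added example, not FortiOS code or anything from the page, that turns them into a health summary: device entries and their addr lines from `diagnose test application quarantined 1`, per-VDOM counters from option 7, and the `score is N` verdict lines from the quarantined debug. The sample text is constructed from the page's output with some counters and a taskfull flag changed so the checks have something to report; the function names and the findings wording are the author's own, and the meaning of the score value is not interpreted because the page does not define it.

```python
"""Parse FortiGate quarantined-daemon diagnostics into a FortiSandbox health summary."""
import re
from typing import Dict, List

# Constructed sample of `diagnose test application quarantined 1` (abridged; fsb2 taskfull changed to yes).
SAMPLE_DEVICES = """\
Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0
License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=yes
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
global-faz is disabled.
"""

# Constructed sample of `diagnose test application quarantined 7` (counters for vfid 3 are made up).
SAMPLE_STATS = """\
Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 2, clean: 5, risk_low: 1, risk_med: 0, risk_high: 1, limit_reached:3
"""

# Constructed excerpt of `diagnose debug application quarantined -1` (lines copied from the page).
SAMPLE_DEBUG = """\
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_put_job_req()-332: Job 2 deleted
"""

# "<name> is enabled: <flags>" or "<name> is disabled."
DEVICE_RE = re.compile(r"^(?P<name>\S+) is (?P<state>enabled|disabled)(?:\.|:\s*(?P<flags>.*))?$")
# The addr line that follows every enabled device entry.
ADDR_RE = re.compile(
    r"^addr=(?P<ip>[\d.]+)/(?P<port>\d+), source-ip=(?P<src>[\d.]+), keep-alive=(?P<ka>\w+)\. "
    r"ssl_opt=(?P<ssl>\d+), hmac_alg=(?P<hmac>\d+)$"
)
STATS_RE = re.compile(r"^vfid: (?P<vfid>\d+), (?P<rest>.*)$")
SCORE_RE = re.compile(r"The request '(?P<sha256>[0-9a-f]{64})' score is (?P<score>-?\d+)")


def parse_devices(text: str) -> Dict[str, dict]:
    """Return {device-name: {enabled, flags, ip, port, ssl_opt, ...}}; disabled entries have no addr."""
    devices: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            flags = [f.strip() for f in (m["flags"] or "").split(",") if f.strip()]
            current = {"enabled": m["state"] == "enabled", "flags": flags}
            devices[m["name"]] = current
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:  # addr line belongs to the entry just parsed
            current.update(ip=m["ip"], port=int(m["port"]), source_ip=m["src"],
                           keep_alive=m["ka"] == "yes", ssl_opt=int(m["ssl"]), hmac_alg=int(m["hmac"]))
            current = None
    return devices


def parse_stats(text: str) -> Dict[int, Dict[str, int]]:
    """Return {vfid: {counter: value}} from the per-VDOM Statistics block."""
    stats: Dict[int, Dict[str, int]] = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if not m:
            continue
        counters = {}
        for item in m["rest"].split(","):
            key, _, val = item.strip().partition(":")  # tolerates "limit_reached:0" without a space
            counters[key.strip()] = int(val)
        stats[int(m["vfid"])] = counters
    return stats


def parse_verdicts(text: str) -> Dict[str, int]:
    """Return {sha256: score} for every analytics report the daemon logged."""
    return {m["sha256"]: int(m["score"]) for m in SCORE_RE.finditer(text)}


def health_report(devices: Dict[str, dict], stats: Dict[int, Dict[str, int]]) -> List[str]:
    """Plain findings a monitoring job could alert on; an empty list means nothing to report."""
    findings: List[str] = []
    fsb = {n: d for n, d in devices.items() if n.startswith("fortisandbox-") and d["enabled"]}
    if not fsb:
        findings.append("no enabled fortisandbox-* device: FortiSandbox is off or not authorized")
    for name, dev in fsb.items():
        if "analytics" not in dev["flags"]:
            findings.append(f"{name}: analytics is not enabled")
        if "taskfull=yes" in dev["flags"]:
            findings.append(f"{name}: task queue is full (taskfull=yes)")
    servers = {(d["ip"], d["port"]) for d in fsb.values() if "ip" in d}
    if len(servers) > 1:
        findings.append(f"fortisandbox-* entries point at different servers: {sorted(servers)}")
    for vfid, c in sorted(stats.items()):
        if c.get("limit_reached", 0):
            findings.append(f"vfid {vfid}: submission limit reached {c['limit_reached']} times")
        if c.get("detected", 0) or c.get("risk_high", 0):
            findings.append(f"vfid {vfid}: detected={c['detected']} risk_high={c['risk_high']}")
    return findings


if __name__ == "__main__":
    devs, st = parse_devices(SAMPLE_DEVICES), parse_stats(SAMPLE_STATS)
    for finding in health_report(devs, st):
        print("FINDING:", finding)
    for sha256, score in parse_verdicts(SAMPLE_DEBUG).items():
        print("VERDICT:", sha256, "score", score)
```

The device parser keys on the `<name> is enabled:` / `addr=` line pair, so it works unchanged on the page's full output with six fortisandbox-fsb entries; the verdict parser only needs the debug lines that contain `score is`, so the rest of the daemon chatter can be left in.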
Debug on the FortiSandbox side
- Appliance FortiSandbox OFTP debug:
# diagnose-debug device FG101E4Q17002429
[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595
[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root
[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 4
[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795, PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg
[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595, PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz
[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)
[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)