Using FortiSandbox with antivirus
Antivirus profiles can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiGate can supplement its own antivirus database with FortiSandbox's database to detect files determined as malicious or risky by FortiSandbox. This helps the FortiGate antivirus detect zero-day viruses and malware whose signatures are not found in the antivirus database.
FortiSandbox can be used with antivirus in both proxy-based and flow-based inspection modes. When FortiSandbox is enabled, full scan mode antivirus can submit the following for inspection: only suspicious files, all supported files, or no files. Quick scan mode antivirus cannot submit suspicious files to FortiSandbox, so either all files or no files are submitted for inspection.
For more information, see FortiSandbox.
Configuring FortiSandbox
There are three steps to configure FortiSandbox inspection in an antivirus profile:
- Enable FortiSandbox on the FortiGate.
- Authorize the FortiGate in FortiSandbox.
- Enable FortiSandbox inspection options in the antivirus profile.
To enable FortiSandbox on the FortiGate:
- Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
- For status, click Enable.
- For Type, click On-Premise.
- Enter the IP address of the FortiSandbox, and enter an optional Notifier email.
At this point, clicking Test connectivity returns an unreachable status. This is expected, because the FortiGate is not yet authorized by FortiSandbox.
- Click OK.
To authorize the FortiGate in FortiSandbox:
- In the FortiSandbox GUI, go to Scan Input > Device.
- Search using the FortiGate serial number to locate the FortiGate. In the Auth column, click the link icon to authorize the FortiGate.
- Repeat this step to authorize the VDOMs if required.
The link icon changes from an open to a closed link, which indicates that the FortiGate is authorized.
- In the FortiGate GUI, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
- Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.
To enable FortiSandbox inspection options in the antivirus profile:
- Go to Security Profiles > AntiVirus.
- Edit an antivirus profile, or create a new one.
- Under APT Protection Options, select either Suspicious Files Only or All Supported Files.
- For Do not submit files matching types, click the + to exclude certain file types from being sent to FortiSandbox.
- For Do not submit files matching file name patterns, click the + to enter a wildcard pattern to exclude files from being sent to FortiSandbox.
- Enable Use FortiSandbox Database.
- Click OK.
FortiGate diagnostics
To run the quarantine daemon debug:
FGT_PROXY (global) # diagnose debug application quarantined -1
FGT_PROXY (global) # diagnose debug enable
quar_req_fsa_file()-890: fsa ext list new_version (1547781904)
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=99
quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0
__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
quar_put_job_req()-332: Job 337 deleted
quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=98
...
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
__quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[551] ssl_ctx_create_new_ex: SSL CTX is created
[578] ssl_new: SSL object is created
upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
__quar_send()-470: dev buffer -- pos=0, len=93
quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
quar_put_job_req()-332: Job 2 deleted
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
__quar_req_handler()-127: Request 0 was handled successfully
quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
[193] __ssl_data_ctx_free: Done
[805] ssl_free: Done
[185] __ssl_cert_ctx_free: Done
[815] ssl_ctx_free: Done
[796] ssl_disconnect: Shutdown
To run the FortiSandbox diagnostics:
FGT_PROXY (global) # diagnose test application quarantined 1
Total remote&local devices: 8, any task full? 0
System have disk, vdom is enabled, mgmt=1, ha=2
xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
    addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0
    License=0, content_archive=0, arch_pause=0.
global-fas is disabled.
forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
global-faz is disabled.
global-faz2 is disabled.
global-faz3 is disabled.
To run the FortiSandbox analysis statistics:
FGT_PROXY (global) # diagnose test application quarantined 7
Total: 0
Statistics:
vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
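As an added example (not Fortinet's code and not part of this document), a small Python parser over the two diagnostic outputs above, so an operator can alert when a VDOM hits its FortiSandbox submission limit, when FortiSandbox returns detections or risky verdicts, or when a device reports its task queue as full. The sample text is constructed in the shape shown on this page with non-zero counters for illustration, and the meaning of limit_reached and taskfull is inferred from the field names, not stated by the page.

```python
import re
# Constructed samples in the shape of the "diagnose test application quarantined 7"
# and "quarantined 1" outputs shown on this page, with non-zero counters for illustration.
STATS_SAMPLE = """Statistics:
vfid: 0, detected: 1, clean: 4, risk_low: 0, risk_med: 1, risk_high: 0, limit_reached:0
vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:1
vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
"""
DEVICES_SAMPLE = """forticloud-fsb is disabled.
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=yes
    addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
"""
STAT_RE = re.compile(r"vfid:\s*(\d+),\s*(.*)")
KV_RE = re.compile(r"(\w+):\s*(\d+)")
DEV_RE = re.compile(r"^(\S+) is (enabled|disabled)(?::.*?taskfull=(yes|no))?")

def parse_stats(text):
    """Map vfid -> {counter: value} from the per-VDOM statistics lines."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[int(m.group(1))] = {k: int(v) for k, v in KV_RE.findall(m.group(2))}
    return stats

def parse_devices(text):
    """Map device name -> enabled/taskfull flags from the device list."""
    devs = {}
    for line in text.splitlines():
        m = DEV_RE.match(line.strip())
        if m:
            devs[m.group(1)] = {"enabled": m.group(2) == "enabled", "taskfull": m.group(3) == "yes"}
    return devs

def findings(stats, devs):
    """Conditions worth alerting on. Assumption (inferred from the field names): limit_reached
    counts files not submitted because the quota was hit; taskfull=yes means the queue is full."""
    out = []
    for vfid, c in sorted(stats.items()):
        if c.get("limit_reached"):
            out.append(f"vfid {vfid}: submission limit reached, files went uninspected")
        if c.get("detected") or c.get("risk_med") or c.get("risk_high"):
            out.append(f"vfid {vfid}: detected={c['detected']} risk_med={c['risk_med']} risk_high={c['risk_high']}")
    for name, d in sorted(devs.items()):
        if d["enabled"] and d["taskfull"]:
            out.append(f"{name}: task queue full, new submissions will be delayed")
    return out
```

Feed it the real output of the two commands (for example, captured over SSH) and page on any non-empty result; an all-zero statistics table with files flowing through the profile usually means the FortiGate is not yet authorized in FortiSandbox.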
FortiSandbox diagnostics
To run the OFTP debug:
# diagnose-debug device FG101E4Q17000000
[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17000000), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:21] FG101E4Q17000000 VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17000000 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17000000 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:21] FG101E4Q17000000 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17000000 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17000000, VDOM: vdom1
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17000000, VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->TYPE: 0
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->TYPE: 1
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->VERSION: 3 . 1795
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->VERSION: 3 . 595
[2019/01/31 00:48:21] FG101E4Q17000000 VDOM: root
[2019/01/31 00:48:21] FG101E4Q17000000 ENTERING->HANDLE_SEND_FILE.
[2019/01/31 00:48:21] FG101E4Q17000000 suspicious stats START_TIME: 1548290749
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->FGT->VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 suspicious stats END_TIME: 1548895549
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->IMG_VERSION: 6.2.0.0818
[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17000000, VDOM: vdom1
[2019/01/31 00:48:21] FG101E4Q17000000 INCOMING->TYPE: 4
[2019/01/31 00:48:21] FG101E4Q17000000 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_med=0 risk_high=0 sus_limit=0
[2019/01/31 00:48:22] FG101E4Q17000000 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795, PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg
[2019/01/31 00:48:22] FG101E4Q17000000 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595, PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz
[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17000000), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17000000), HOSTNAME(FGT_PROXY)
[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17000000), HOSTNAME(FGT_PROXY)
[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17000000), HOSTNAME(FGT_PROXY)