Configuring Sandboxing
The Security Fabric supports the following FortiSandbox deployments.
Type | Description | Requirements | Next steps
---|---|---|---
FortiGate Cloud Sandbox (FortiSandbox SaaS) | Files are sent to Fortinet's Cloud Sandbox cluster for post-processing. | |
FortiSandbox Cloud (FortiSandbox PaaS) | Files are sent to a dedicated FortiCloud hosted instance of FortiSandbox for processing. | |
FortiSandbox Appliance | Files are sent to a physical or VM appliance, typically residing on premise, for processing. | |
To apply sandboxing in a Security Fabric, connect one of the FortiSandbox deployments, then configure an antivirus profile to submit files for dynamic analysis. The submission results supplement the AV signatures on the FortiGate. FortiSandbox inspection can also be used in web filter profiles.
In a Security Fabric environment, sandbox settings are configured on the root FortiGate. Once configured, the root FortiGate pushes the settings to other FortiGates in the Security Fabric.
FortiGate Cloud Sandbox (FortiSandbox SaaS)
FortiGate Cloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It also allows you to control the region where your traffic is sent to for analysis. This allows you to meet your country's compliance needs regarding data storage locations.
Users are not required to have a FortiCloud account to use FortiGate Cloud Sandbox.
The submission to the cloud with a valid FortiGuard Antivirus (AVDB) license is rate limited per FortiGate model. Refer to the Service Description for details. For those without any AVDB license, the submission is limited to only 100 per day.
To configure FortiGate Cloud Sandbox, you must first activate the connection from the CLI. Note that FortiGate Cloud Sandbox is decoupled from FortiGate Cloud logging, so you do not need to have a FortiCloud account or have cloud logging enabled.
To activate the FortiGate Cloud Sandbox connection:

```
# execute forticloud-sandbox region
0 Europe
1 Global
2 Japan
3 US
Please select cloud sandbox region[0-3]:3
```

After a region is selected, the following configuration is added:

```
config system fortiguard
    set sandbox-region {0 | 1 | 2 | 3}
end
```

To ensure proper connectivity to FortiGate Cloud Sandbox, on the FortiGate in Security Profiles > AntiVirus, create a profile with Send files to FortiSandbox Cloud for inspection configured, and create a firewall policy with logging enabled that uses the Sandbox-enabled AV profile.

Alternatively, using the
To obtain or renew a FortiGuard antivirus license:

- See the How to Purchase or Renew FortiGuard Services video for FortiGuard antivirus license purchase instructions.
- Once a FortiGuard license is purchased and activated, users are provided with a paid FortiSandbox Cloud license.
- Go to Dashboard > Status to view the FortiSandbox Cloud license indicator.
- Alternatively, go to System > FortiGuard to view the FortiSandbox Cloud license indicator.

To enable FortiGate Cloud Sandbox in the GUI:

- Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
- Set Status to Enable.
- For Type, select FortiGate Cloud.
- Select a Region from the dropdown.
- Click OK.
FortiSandbox Cloud (FortiSandbox PaaS)
FortiSandbox Cloud offers more features and better detection capability. Connecting to FortiSandbox Cloud will automatically use the cloud user ID of the FortiGate to connect to the dedicated FortiSandbox Cloud instance. The FortiGate automatically detects if there is a valid entitlement.
The following items are required to initialize FortiSandbox Cloud:

- A FortiCloud premium account.
- A valid FortiSandbox Cloud contract on the FortiGate. To view contract information in the CLI, enter `diagnose test update info`. The User ID at the end of the output shows which FortiCloud account the FortiGate uses for FortiSandbox Cloud.
- A provisioned FortiSandbox Cloud. See Deploying FortiSandbox Cloud for information.
To configure FortiSandbox Cloud in the GUI:

- Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
- Set Status to Enable.
- For Type, select FortiSandbox Cloud.
  If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the CLI:
  ```
  config system global
      set gui-fortigate-cloud-sandbox enable
  end
  ```
- Click OK.

To configure FortiSandbox Cloud in the CLI:

```
config system fortisandbox
    set status enable
    set forticloud enable
end
```

If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration will not save.
FortiSandbox appliance
FortiSandbox appliance is the on-premise option for a full-featured FortiSandbox. Connecting to a FortiSandbox appliance requires that Cloud Sandbox is disabled.

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:

- Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
- Set Status to Disabled.
- Click OK.

To enable FortiSandbox appliance in the GUI:

- Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
- Set Status to Enable.
- In the Server field, enter the FortiSandbox device's IP address.
- Optionally, enter a Notifier email.
- Click OK.

To enable FortiSandbox appliance in the CLI:

```
config system fortisandbox
    set status enable
    set forticloud disable
    set server <address>
end
```
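Because the root FortiGate pushes sandbox settings to every member of the Security Fabric, and the appliance and cloud deployments above are mutually exclusive (an appliance requires Cloud Sandbox disabled, FortiSandbox Cloud requires `forticloud enable`, FortiGate Cloud Sandbox is selected by `sandbox-region`), a practitioner usually wants a way to audit the configuration backups of all Fabric members for contradictory settings and for members that have drifted from the root. The following is an added example, not Fortinet code and not part of this page: it parses only the `config system fortisandbox` and `config system fortiguard` CLI syntax shown on this page, classifies each device by deployment type, flags contradictory settings, and lists members whose effective mode differs from the root. The sample backups, the device names and the address `192.0.2.10` are constructed; treating `sandbox-region` alone as the marker of a FortiGate Cloud Sandbox (SaaS) device when the `fortisandbox` block is not enabled is an assumption of this example.

```python
"""Audit sandbox settings in FortiOS configuration backups.

Added example for this page, not Fortinet code. It parses only the CLI
syntax shown on the page (config system fortisandbox: status / forticloud /
server; config system fortiguard: sandbox-region), classifies each device by
deployment type, flags contradictory settings, and reports Fabric members
whose effective settings do not match the root FortiGate.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Region codes exactly as listed by 'execute forticloud-sandbox region'.
SANDBOX_REGIONS = {0: "Europe", 1: "Global", 2: "Japan", 3: "US"}

BLOCK_RE = re.compile(r"config system (fortisandbox|fortiguard)\n(.*?)\nend", re.S)
SET_RE = re.compile(r"^\s*set (\S+) (.+?)\s*$", re.M)


def parse_blocks(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {'fortisandbox': {key: value}, 'fortiguard': {...}} from a backup."""
    return {name: {k: v.strip('"') for k, v in SET_RE.findall(body)}
            for name, body in BLOCK_RE.findall(config_text)}


@dataclass(frozen=True)
class SandboxMode:
    kind: str                     # appliance | fortisandbox-cloud | forticloud-sandbox | disabled
    server: Optional[str] = None  # appliance address
    region: Optional[int] = None  # FortiGate Cloud Sandbox region code


def classify(blocks: Dict[str, Dict[str, str]]) -> SandboxMode:
    """Derive the effective deployment type from the parsed blocks."""
    fsb = blocks.get("fortisandbox", {})
    region = blocks.get("fortiguard", {}).get("sandbox-region")
    if fsb.get("status") == "enable":
        if fsb.get("forticloud") == "enable":
            return SandboxMode("fortisandbox-cloud")
        return SandboxMode("appliance", server=fsb.get("server"))
    # Assumption of this example: a device using FortiGate Cloud Sandbox (SaaS)
    # is recognised by sandbox-region alone when the fortisandbox block is off.
    if region is not None and region.isdigit():
        return SandboxMode("forticloud-sandbox", region=int(region))
    return SandboxMode("disabled")


def findings(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Settings that contradict the requirements stated on the page."""
    issues: List[str] = []
    fsb = blocks.get("fortisandbox", {})
    region = blocks.get("fortiguard", {}).get("sandbox-region")
    mode = classify(blocks)
    if mode.kind == "appliance" and not mode.server:
        issues.append("appliance mode without 'set server <address>'")
    if fsb.get("forticloud") == "enable" and fsb.get("server"):
        issues.append("forticloud enable combined with an appliance server; "
                      "Cloud Sandbox must be disabled to use an appliance")
    if region is not None and not (region.isdigit() and int(region) in SANDBOX_REGIONS):
        issues.append(f"sandbox-region {region!r} is not one of 0-3")
    return issues


def fleet_drift(configs: Dict[str, str], root: str) -> List[str]:
    """Fabric members whose effective sandbox mode differs from the root's."""
    want = classify(parse_blocks(configs[root]))
    return sorted(name for name, text in configs.items()
                  if name != root and classify(parse_blocks(text)) != want)


# Constructed sample backups (not captured from real devices).
ROOT_CFG = """\
config system fortiguard
    set sandbox-region 3
end
config system fortisandbox
    set status enable
    set forticloud disable
    set server "192.0.2.10"
end
"""
MEMBER_STALE = """\
config system fortisandbox
    set status enable
    set forticloud enable
end
"""
MEMBER_NO_SERVER = """\
config system fortisandbox
    set status enable
    set forticloud disable
end
"""
SAAS_ONLY = """\
config system fortiguard
    set sandbox-region 0
end
config system fortisandbox
    set status disable
end
"""
FLEET = {"root": ROOT_CFG, "branch-1": ROOT_CFG,
         "branch-2": MEMBER_STALE, "branch-3": MEMBER_NO_SERVER}

if __name__ == "__main__":
    for name, text in FLEET.items():
        print(name, classify(parse_blocks(text)), findings(parse_blocks(text)))
    print("drift from root:", fleet_drift(FLEET, "root"))
```

Run against real backups, `fleet_drift` is the check to schedule after any change on the root FortiGate: a member still reporting `fortisandbox-cloud` while the root points at an appliance means the pushed settings did not land, and an appliance entry with no `server` address is a device that will submit nothing for analysis.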
Authorizing the FortiGate from FortiSandbox Cloud and a FortiSandbox appliance
Once the FortiGate makes a connection to the FortiSandbox Cloud or appliance, the FortiGate must be authorized.
To authorize a FortiGate from FortiSandbox:

- In the FortiSandbox GUI, go to Scan Input > Device (FortiSandbox 3.2) or Security Fabric > Device (FortiSandbox 4.0).
- Search using the FortiGate serial number to locate the FortiGate. In the Auth column, click the link icon to authorize the FortiGate.
- Repeat this step to authorize the VDOMs if required.
  The link icon changes from an open to a closed link, which indicates that the FortiGate is authorized.
- In the FortiGate GUI, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
- Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.
Antivirus profiles
An antivirus profile must be configured to send files to the sandbox. Once submitted, sandbox inspection is performed on the file to detect malicious activities. The FortiGate can use the dynamic malware detection database from the sandbox to supplement the AV signature database. See Using FortiSandbox with antivirus for more information.
Web filter profiles
Sandbox inspection can be used in web filter profiles. The FortiGate uses the URL threat detection database from the sandbox to block malicious URLs. See Block malicious URLs discovered by FortiSandbox for more information.