Administration Guide

Sandboxing

The Security Fabric supports the following FortiSandbox deployments.

FortiGate Cloud Sandbox
  Description: Files are sent to Fortinet's Cloud Sandbox cluster for processing.
  Requirements:
    • The FortiGate must have a valid AV license.
    • A FortiCloud account provides access to a portal to view submissions. It is not required for the Security Fabric.

FortiSandbox Cloud
  Description: Files are sent to a dedicated FortiCloud-hosted instance of FortiSandbox for processing.
  Requirements:
    • FortiCloud premium license
    • FortiSandbox Cloud entitlement
    • The FortiGate and the FortiCloud license are registered to the same account.

FortiSandbox appliance
  Description: Files are sent to a physical appliance or VM, typically residing on premises, for processing.
  Requirements:
    • None

To apply sandboxing in a Security Fabric, connect one of the FortiSandbox deployments, then configure an antivirus profile to submit files for dynamic analysis. The submission results supplement the AV signatures on the FortiGate. FortiSandbox inspection can also be used in web filter profiles.

In a Security Fabric environment, sandbox settings are configured on the root FortiGate. Once configured, the root FortiGate pushes the settings to other FortiGates in the Security Fabric.

FortiGate Cloud Sandbox

FortiGate Cloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It also lets you choose the region that files are sent to for analysis, which helps you meet your country's compliance requirements regarding data storage locations.

Users are not required to have a FortiCloud account to use FortiGate Cloud Sandbox.

Submissions to the cloud with a valid FortiGuard Antivirus (AVDB) license are rate limited per FortiGate model. Refer to the Service Description for details. Without an AVDB license, submissions are limited to 100 per day.

To configure FortiGate Cloud Sandbox, you must first activate the connection from the CLI. Note that FortiGate Cloud Sandbox is decoupled from FortiGate Cloud logging, so you do not need to have a FortiCloud account or have cloud logging enabled.

To activate the FortiGate Cloud Sandbox connection:
# execute forticloud-sandbox region
0  Europe
1  Global
2  Japan
3  US
Please select cloud sandbox region[0-3]:3

After a region is selected, the following configuration is added:

config system fortiguard
    set sandbox-region {0 | 1 | 2 | 3}
end
Note: The execute forticloud-sandbox update command can also be used to activate the connection.

To obtain or renew a FortiGuard antivirus license:
  1. See the How to Purchase or Renew FortiGuard Services video for FortiGuard antivirus license purchase instructions.
  2. Once a FortiGuard license is purchased and activated, users are provided with a paid FortiSandbox Cloud license.
    a. Go to Dashboard > Status to view the FortiSandbox Cloud license indicator.
    b. Alternatively, go to System > FortiGuard to view the FortiSandbox Cloud license indicator.
To enable FortiGate Cloud Sandbox in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiGate Cloud.
  4. Select a Region from the dropdown.
  5. Click OK.

FortiSandbox Cloud

FortiSandbox Cloud offers more features and better detection capability than FortiGate Cloud Sandbox. When connecting to FortiSandbox Cloud, the FortiGate automatically uses its cloud user ID to connect to the dedicated FortiSandbox Cloud instance, and automatically detects whether a valid entitlement exists.

The following items are required to initialize FortiSandbox Cloud:

  • A FortiCloud premium account.
  • A valid FSAC contract on the FortiGate. To view contract information in the CLI, enter diagnose test update info. The User ID at the end of the output lets FortiCloud know which FortiSandbox Cloud account the FortiGate is connected to.
To configure FortiSandbox Cloud in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiSandbox Cloud.

    Note: If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the CLI:

    config system global
        set gui-fortigate-cloud-sandbox enable
    end
  4. Click OK.
To configure FortiSandbox Cloud in the CLI:
config system fortisandbox 
    set status enable
    set forticloud enable
end

If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration will not save.

FortiSandbox appliance

FortiSandbox appliance is the on-premises option for a full-featured FortiSandbox. Connecting to a FortiSandbox appliance requires that Cloud Sandbox is disabled.

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Disabled.
  3. Click OK.
To enable FortiSandbox appliance in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  2. Set Status to Enable.
  3. In the Server field, enter the FortiSandbox device's IP address.
  4. Optionally, enter a Notifier email.
  5. Click OK.
To enable FortiSandbox appliance in the CLI:
config system fortisandbox
    set status enable
    set forticloud disable
    set server <address>
end
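The three CLI procedures above leave the FortiGate in one of a small number of states, and the constraints are easy to get wrong on a device that has been switched between deployments (for example, an appliance entry with no server, or a server left behind after Cloud Sandbox was re-enabled). The following script is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax of a FortiOS configuration backup and checks the stanzas shown on this page (config system fortisandbox with status, forticloud and server; config system fortiguard with sandbox-region). It assumes the FortiOS convention that a backup omits keys left at their default, and that status and forticloud default to disable; the sample configuration is constructed.

```python
"""Lint the sandbox stanzas of a FortiOS configuration backup.

Added example, not Fortinet code. It assumes only the CLI syntax shown on
this page (`config system fortisandbox` with status/forticloud/server and
`config system fortiguard` with sandbox-region) and the FortiOS convention
that a backup omits keys left at their default (status and forticloud
default to disable). The sample configuration is constructed.
"""
from typing import Dict, List, Tuple

ConfigTree = Dict[Tuple[str, ...], Dict[str, str]]

VALID_REGIONS = {"0", "1", "2", "3"}  # Europe, Global, Japan, US (from this page)

# Constructed sample: an appliance deployment that was saved before the
# server address was entered, so the linter has something to report.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-root"
    set gui-fortigate-cloud-sandbox enable
end
config system fortiguard
    set sandbox-region 3
end
config system fortisandbox
    set status enable
    set forticloud disable
end
"""


def parse_fortios_config(text: str) -> ConfigTree:
    """Map each config/edit path to its `set` key-value pairs.

    Tracks nested `config ... edit ... next ... end` blocks with a path
    stack; quoted values are unquoted and `unset` removes a key.
    """
    tree: ConfigTree = {}
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            path.append(line[len("config "):])
            tree.setdefault(tuple(path), {})
        elif line.startswith("edit "):
            path.append(line[len("edit "):].strip('"'))
            tree.setdefault(tuple(path), {})
        elif line in ("next", "end"):
            path.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            tree[tuple(path)][key] = value.strip().strip('"')
        elif line.startswith("unset "):
            tree[tuple(path)].pop(line[len("unset "):].strip(), None)
    return tree


def deployment_type(text: str) -> str:
    """Return 'disabled', 'cloud' or 'appliance' for the system fortisandbox stanza."""
    fsb = parse_fortios_config(text).get(("system fortisandbox",), {})
    if fsb.get("status", "disable") != "enable":
        return "disabled"
    return "cloud" if fsb.get("forticloud", "disable") == "enable" else "appliance"


def lint_sandbox(text: str) -> List[str]:
    """Return findings for inconsistent sandbox settings; an empty list means consistent."""
    cfg = parse_fortios_config(text)
    fsb = cfg.get(("system fortisandbox",), {})
    fgd = cfg.get(("system fortiguard",), {})
    findings: List[str] = []

    region = fgd.get("sandbox-region")
    if region is not None and region not in VALID_REGIONS:
        findings.append(f"system fortiguard: sandbox-region {region} is outside 0-3")

    if fsb.get("status", "disable") != "enable":
        findings.append("system fortisandbox: status is disable, no files are submitted")
        return findings

    forticloud = fsb.get("forticloud", "disable")
    server = fsb.get("server", "")
    if forticloud == "disable" and not server:
        findings.append("system fortisandbox: appliance mode (forticloud disable) but no server is set")
    if forticloud == "enable" and server:
        findings.append("system fortisandbox: server set while forticloud is enable; "
                        "an appliance connection requires Cloud Sandbox to be disabled")
    return findings


if __name__ == "__main__":
    print(deployment_type(SAMPLE_CONFIG))
    for finding in lint_sandbox(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a backup taken from the root FortiGate, since that is where sandbox settings are configured and pushed from; the same parser can be pointed at other stanzas (for example the antivirus profiles that submit files) once the relevant keys for your FortiOS version are known.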

Authorizing the FortiGate from FortiSandbox Cloud and a FortiSandbox appliance

Once the FortiGate makes a connection to the FortiSandbox Cloud or appliance, the FortiGate must be authorized.

To authorize a FortiGate from FortiSandbox:
  1. In the FortiSandbox GUI, go to Scan Input > Device (FortiSandbox 3.2) or Security Fabric > Device (FortiSandbox 4.0).
  2. Search using the FortiGate serial number to locate the FortiGate. In the Auth column, click the link icon to authorize the FortiGate.
  3. Repeat this step to authorize the VDOMs if required.

    The link icon changes from an open to a closed link, which indicates that the FortiGate is authorized.

  4. In the FortiGate GUI, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  5. Click Test connectivity. The FortiGate is now authorized and the status displays as Connected.

Antivirus profiles

An antivirus profile must be configured to send files to the sandbox. Once submitted, sandbox inspection is performed on the file to detect malicious activities. The FortiGate can use the dynamic malware detection database from the sandbox to supplement the AV signature database. See Using FortiSandbox with antivirus for more information.

Web filter profiles

Sandbox inspection can also be used in web filter profiles. The FortiGate uses the URL threat detection database from the sandbox to block malicious URLs. See Block malicious URLs discovered by FortiSandbox for more information.
