Administration Guide

FortiSandbox

The Security Fabric supports FortiSandbox appliances and FortiSandbox Cloud. A FortiGate Cloud account is not required.

To use FortiSandbox in a Security Fabric, connect the FortiSandbox to the Security Fabric, then configure an antivirus profile to send files to the FortiSandbox. Sandbox inspection can also be used in web filter profiles.

FortiSandbox settings are configured on the root FortiGate of the Security Fabric. After configuration, the root FortiGate pushes the settings to other FortiGate devices in the Security Fabric.

Note

Either a FortiSandbox appliance or FortiSandbox Cloud can be configured. If one is configured, then the other will not be available.

The following items are required to initialize FortiSandbox Cloud:

  • A FortiCloud premium account.
  • A valid FSAC contract on the FortiGate. To view contract information in the CLI, enter diagnose test update info. The User ID at the end of the output lets FortiCloud know which FortiSandbox Cloud account the FortiGate is connected to.

FortiSandbox Cloud requires the following licenses:

  • FortiCloud premium license
  • FortiSandbox Cloud entitlement
  • FortiGate license (register the FortiGate on the same account as the FortiCloud license)

To add a FortiSandbox appliance to the Security Fabric:
  1. On the root FortiGate, go to Security Fabric > Fabric Connectors and double-click the FortiSandbox card.
  2. Set Status to Enable.
  3. In the Server field, enter the FortiSandbox device's IP address.
  4. Optionally, enter a Notifier email.
  5. Click OK.
  6. On the FortiSandbox device, go to Scan Input > Device.
  7. Edit the root FortiGate.
  8. Under Permissions, check the Authorized box.
  9. Click OK.
  10. Authorize the rest of the FortiGate devices that are in the Security Fabric.

To add a FortiSandbox Cloud instance to the Security Fabric in the GUI:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiSandbox Cloud.

    Tooltip

    If the FortiSandbox Cloud option is grayed out or not visible, enter the following in the CLI:

    config system global
        set gui-fortigate-cloud-sandbox enable
    end
  4. Click OK.

To configure FortiSandbox Cloud in the CLI:
config system fortisandbox
    set status enable
    set forticloud enable
    set server "fortisandboxcloud.com"
end

To switch from Cloud Sandbox to FortiSandbox in the Security Fabric:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Disabled.
  3. Click OK.
  4. In the CLI, enter the following.
    config system fortisandbox
        set status enable
        set forticloud disable
        set server <address>
    end

    The FortiSandbox card is now visible in the Other Fortinet Products section.
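After switching between Cloud Sandbox and an appliance, a saved configuration backup can be checked for a connector left in a mixed state. The following script is an added example, not part of the Fortinet guide; the sample backup is constructed, and treating a setting that is absent from the backup as not enabled is an assumption.

```python
import re

# Constructed sample backup (not from a real device): the connector was switched
# back to an appliance, but the server still holds the cloud hostname.
SAMPLE_CONFIG = """\
config system fortisandbox
    set status enable
    set forticloud disable
    set server "fortisandboxcloud.com"
end
"""

CLOUD_SERVER = "fortisandboxcloud.com"  # hostname from the page's cloud CLI example

def parse_block(config_text, header):
    """Return the 'set' key/value pairs of one top-level config block."""
    settings, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == header:
            inside = True
        elif inside and line == "end":
            break
        elif inside:
            m = re.match(r"set\s+(\S+)\s+(.*)", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit_fortisandbox(config_text):
    """List inconsistencies between status, forticloud and server."""
    s = parse_block(config_text, "config system fortisandbox")
    # Assumption: a setting missing from the backup is treated as not enabled/unset.
    if s.get("status") != "enable":
        return ["sandbox connector is not enabled"]
    cloud = s.get("forticloud") == "enable"
    server = s.get("server", "")
    if not server:
        return ["status is enable but no server is set"]
    if cloud and server != CLOUD_SERVER:
        return [f"forticloud is enabled but server is {server!r}"]
    if not cloud and server == CLOUD_SERVER:
        return ["forticloud is disabled but server is still the cloud hostname"]
    return []

if __name__ == "__main__":
    for finding in audit_fortisandbox(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```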

Antivirus profiles

An antivirus profile must be configured to send files to the sandbox. Once submitted, sandbox inspection is performed on the file to detect malicious activities. The FortiGate can use the dynamic malware detection database from the sandbox to supplement the AV signature database. See Using FortiSandbox with antivirus and Using FortiSandbox Cloud with antivirus for more information.

Web filter profiles

Sandbox inspection can be used in web filter profiles. The FortiGate uses the URL threat detection database from the sandbox to block malicious URLs. See Block malicious URLs discovered by FortiSandbox for more information.
