Integrating Security Fabric
FortiSandbox PaaS uses port TCP/514 for client connectivity (FortiGate and FortiMail). Ensure that any firewall between these clients and FortiSandbox PaaS allows this traffic.
For devices connected to Security Fabric, ensure they are configured properly. Do all related configuration from either the root Fabric or FortiManager.
To integrate with Security Fabric in FortiGate:
- Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
- Set Status to Enable.
- For Type, select FortiSandbox Cloud.
If the FortiSandbox PaaS option is grayed out or not visible, enter the following in the CLI:
config system global
set gui-fortigate-cloud-sandbox enable
end
- Click OK.
To integrate with Security Fabric in the CLI:
config system fortisandbox
set status enable
set forticloud enable
set server <string>
end
If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration will not save.
If the FortiSandbox PaaS is running version 4.0.0 or later, the FortiGate automatically connects to fortisandboxcloud.com and then discovers the specific region and server to connect to, based on the region you selected when deploying your FortiSandbox PaaS instance. The FortiGate must have a FortiCloud premium account license and a FortiSandbox Cloud VM license for this functionality.
To integrate with Security Fabric in FortiMail:
- In FortiMail, go to System > FortiSandbox.
- For FortiSandbox PaaS type, click Enhanced Cloud.
- In FortiSandbox PaaS, go to Security Fabric > Device, click the Authorize icon on the FortiMail so that it can establish Fabric connectivity. Verify that the Status is updated.
Specific firmware versions of FortiMail models support the above Security Fabric connectivity. See Requirements.
To troubleshoot the connection on FortiMail:
Run the following CLI command:
diagnose debug application sandboxclid <ID>
Example:
In the example below, the connection failed because a firewall policy on the client side blocked connectivity to port 514.
insidemail02 # diagnose debug application sandboxclid 65
System Time: 2023-04-12 09:02:43 JST (Uptime: 5d 8h 48m)
insidemail02 # diagnose debug application sandboxclid display
System Time: 2023-04-12 09:03:07 JST (Uptime: 5d 8h 48m)
sandboxclid:2023-04-12T09:03:00:SandboxJob.cpp:145:process():use configured FortiSandbox server
sandboxclid:2023-04-12T09:03:00:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:03:00:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:03:00:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:03:00:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:02:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:04:02:Session.cpp:248:ConnectImpl():FortiSandbox server is not available at the moment. Connection block time: 1 seconds
sandboxclid:2023-04-12T09:04:02:Session.cpp:101:Connect0():connection broken
sandboxclid:2023-04-12T09:04:10:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:10:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:10:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:10:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:15:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:15:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:15:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:15:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:20:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:20:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:20:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:20:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:05:11:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:05:11:Session.cpp:248:ConnectImpl():FortiSandbox server is not available at the moment. Connection block time: 1 seconds
sandboxclid:2023-04-12T09:05:11:Session.cpp:101:Connect0():connection broken
sandboxclid:2023-04-12T09:05:11:Session.cpp:72:Connect0():connection is blocked for 1 seconds
^C
insidemail02 # execute telnettest fortisandboxcloud.com:514
Connection timed out in 30 seconds.
Connection status to fortisandboxcloud.com port 514: Connecting to remote host failed.
insidemail02 #
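The script below is an added example, not Fortinet tooling. It reads saved sandboxclid debug output and pairs each connection attempt with its failure, which helps separate a silently dropped TCP/514 connection from an active refusal. The line layout is inferred from the example session above, the errno names assume Linux numbering, and the 20-second threshold is an assumed heuristic.

```python
import re
from datetime import datetime

# Layout inferred from the example output above (an assumption, not a documented
# format): sandboxclid:<timestamp>:<file>:<line>:<function>():<message>
LINE = re.compile(r"^sandboxclid:(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d):[\w.]+:\d+:\w+\(\):(.*)$")
# Linux errno numbers; assumes the appliance reports Linux values.
ERRNO = {110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH", 115: "EINPROGRESS"}

# Lines copied from the example session on this page.
SAMPLE = """\
sandboxclid:2023-04-12T09:03:00:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:02:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:04:02:Session.cpp:101:Connect0():connection broken
sandboxclid:2023-04-12T09:04:10:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:15:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:20:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:05:11:Connection.cpp:171:Connect():connect() failed, errno = 115
"""

def parse_attempts(text):
    """Return (target, errno_name, seconds_waited) for each failed connect()."""
    attempts, pending = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # CLI prompts, "System Time" banners, ^C
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        msg = m.group(2)
        if msg.startswith("connecting to "):
            pending = (ts, msg.split()[-1])  # latest attempt wins
        elif msg.startswith("connect() failed") and pending:
            code = int(msg.rsplit("=", 1)[1])
            waited = int((ts - pending[0]).total_seconds())
            attempts.append((pending[1], ERRNO.get(code, str(code)), waited))
            pending = None
    return attempts

def classify(errno_name, waited_s, threshold_s=20):
    """'timeout' fits a silently dropped SYN; 'refused' means the host answered."""
    if errno_name in ("EINPROGRESS", "ETIMEDOUT") and waited_s >= threshold_s:
        return "timeout"
    if errno_name == "ECONNREFUSED":
        return "refused"
    return "other"

if __name__ == "__main__":
    for target, name, waited in parse_attempts(SAMPLE):
        print(f"{target}: {name} after {waited}s -> {classify(name, waited)}")
```

A "timeout" result is consistent with a policy dropping traffic on the path, as in the example above. A "refused" result means the remote host was reached and rejected the connection.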