Integrating Security Fabric

Integrating Security Fabric

FortiSandbox PaaS uses port TCP/514 for client connectivity (FortiGate and FortiMail). Ensure any firewall in between allows for that.

For devices connected to Security Fabric, ensure they are configured properly. Do all related configuration from either the root Fabric or FortiManager.

To integrate with Security Fabric in FortiGate:
  1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.
  2. Set Status to Enable.
  3. For Type, select FortiSandbox Cloud.
    Tip

    If the FortiSandbox PaaS option is grayed out or not visible, enter the following in the CLI:

    config system global
        set gui-fortigate-cloud-sandbox enable
    end

  4. Click OK.
To integrate with Security Fabric in the CLI:

config system fortisandbox
    set status enable
    set forticloud enable
    set server <string>
end

If the FortiGate does not detect the proper entitlement, a warning is displayed and the CLI configuration is not saved.

If the FortiSandbox PaaS is running version 4.0.0 or later, the FortiGate automatically connects to fortisandboxcloud.com and then discovers the specific region and server to connect to, based on the region you selected when deploying your FortiSandbox PaaS instance. The FortiGate must have a FortiCloud premium account license and a FortiSandbox Cloud VM license for this functionality.

To integrate with Security Fabric in FortiMail:
  1. In FortiMail, go to System > FortiSandbox.
  2. For FortiSandbox PaaS type, click Enhanced Cloud.
  3. In FortiSandbox PaaS, go to Security Fabric > Device and click the Authorize icon for the FortiMail entry so that it can establish Fabric connectivity. Verify that the Status is updated.

    Note

    Specific firmware versions of FortiMail models support the above Security Fabric connectivity. See Requirements.

To troubleshoot the connection on FortiMail:

Run the following CLI command:

diagnose debug application sandboxclid <ID>

Example:

In the example below, the connection failed because a firewall policy on the client side blocked connectivity to port 514: every connect() attempt to the resolved server times out (errno 115), and the telnettest to fortisandboxcloud.com:514 confirms that the port is unreachable.

insidemail02 # diagnose debug application sandboxclid 65
System Time: 2023-04-12 09:02:43 JST (Uptime: 5d 8h 48m)
 
insidemail02 # diagnose debug application sandboxclid display
System Time: 2023-04-12 09:03:07 JST (Uptime: 5d 8h 48m)
sandboxclid:2023-04-12T09:03:00:SandboxJob.cpp:145:process():use configured FortiSandbox server
sandboxclid:2023-04-12T09:03:00:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:03:00:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:03:00:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:03:00:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:02:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:04:02:Session.cpp:248:ConnectImpl():FortiSandbox server is not available at the moment. Connection block time: 1 seconds
sandboxclid:2023-04-12T09:04:02:Session.cpp:101:Connect0():connection broken
sandboxclid:2023-04-12T09:04:10:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:10:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:10:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:10:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:15:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:15:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:15:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:15:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:20:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:20:Connection.cpp:321:ConnectionSecure__():remote address is fortisandbox cloud, user_id=1423794
sandboxclid:2023-04-12T09:04:20:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:04:20:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:05:11:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:05:11:Session.cpp:248:ConnectImpl():FortiSandbox server is not available at the moment. Connection block time: 1 seconds
sandboxclid:2023-04-12T09:05:11:Session.cpp:101:Connect0():connection broken
sandboxclid:2023-04-12T09:05:11:Session.cpp:72:Connect0():connection is blocked for 1 seconds
 
^C
insidemail02 # execute telnettest fortisandboxcloud.com:514
Connection timed out in 30 seconds.
 
Connection status to fortisandboxcloud.com port 514:
Connecting to remote host failed.
 
insidemail02 #
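When this debug output has to be triaged across many FortiMail units, a small parser makes the failure pattern explicit. The following is an added example, not Fortinet code: it parses lines of the sandboxclid format shown above, counts connect attempts and failures, and flags the repeated errno 115 timeouts as a likely filtered TCP/514 path. The sample lines are a constructed, shortened copy of the page's own output, and the errno interpretation assumes Linux errno numbering (115 = EINPROGRESS).

```python
import re
from collections import Counter

# sandboxclid debug line shape (see the FortiMail output above):
#   sandboxclid:<timestamp>:<file>:<line>:<function>():<message>
LINE_RE = re.compile(
    r"^sandboxclid:(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}):"
    r"(?P<file>[^:]+):(?P<lineno>\d+):(?P<func>[^(]+)\(\):(?P<msg>.*)$"
)
# Constructed sample: a shortened copy of the page's failing session (TCP/514 filtered).
SAMPLE = """\
sandboxclid:2023-04-12T09:03:00:SandboxJob.cpp:145:process():use configured FortiSandbox server
sandboxclid:2023-04-12T09:03:00:Connection.cpp:31:__s2ip():'fortisandboxcloud.com' is not an IP, try to resolve it
sandboxclid:2023-04-12T09:03:00:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:04:02:Connection.cpp:171:Connect():connect() failed, errno = 115
sandboxclid:2023-04-12T09:04:10:Connection.cpp:167:Connect():connecting to 66.35.19.98
sandboxclid:2023-04-12T09:05:11:Connection.cpp:171:Connect():connect() failed, errno = 115
"""

def parse_lines(text):
    """Yield a dict per well-formed sandboxclid line; prompts and blank lines are skipped."""
    for raw in text.splitlines():
        if m := LINE_RE.match(raw.strip()):
            yield m.groupdict()

def summarize(text):
    """Count connect attempts/failures; collect the target servers and errno values seen."""
    attempts, failures = 0, 0
    servers, errnos = set(), Counter()
    for rec in parse_lines(text):
        msg = rec["msg"]
        if rec["func"] == "Connect" and msg.startswith("connecting to "):
            attempts += 1
            servers.add(msg[len("connecting to "):].strip())
        elif "connect() failed" in msg:
            failures += 1
            if e := re.search(r"errno = (\d+)", msg):
                errnos[int(e.group(1))] += 1
    return {"attempts": attempts, "failures": failures,
            "servers": sorted(servers), "errnos": dict(errnos)}

def diagnose(summary):
    """errno 115 (EINPROGRESS on Linux) on every attempt: the TCP handshake never completed."""
    if summary["attempts"] == 0:
        return "no connection attempts logged; check the FortiSandbox configuration"
    if summary["failures"] == 0:
        return "all connections succeeded"
    if summary["errnos"].get(115) == summary["failures"]:
        return "every connect timed out (errno 115): TCP/514 is likely blocked by a firewall"
    return "connect failures with mixed errno values; inspect the full log"
```

Feed it the saved output of `diagnose debug application sandboxclid display`; a result of "TCP/514 is likely blocked" points at the path between the FortiMail and fortisandboxcloud.com rather than at the FortiSandbox PaaS configuration itself.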