5.0.0

Prepare the GCP environment

Before deploying a FortiSandbox instance, some basic steps are required to set up the GCP environment it will run in.

Start by logging into the GCP management console with a user account that has enough privileges to create Virtual Private Cloud (VPC) networks, subnets, firewall rules, Cloud Routers and Cloud NAT gateways, Compute Engine instances, and service account keys.

Set up the basic GCP environment for FortiSandbox

Create Virtual Private Cloud (VPC)

To create a VPC:
  1. Go to VPC network > VPC networks.

  2. Click CREATE VPC NETWORK.

  3. Enter the VPC Name, and click New Subnet to create a subnet for FortiSandbox port1.

  4. Click Done and continue to configure the Firewall rules.
  5. Select any of the firewall rules below that you would like to apply to this VPC network. Once the VPC network is created, you can manage all firewall rules on the Firewall rules page.

  6. Set Maximum transmission unit (MTU) to 1500 and click CREATE.
  7. Once the VPC is created, click Done.
  8. Go back to the VPC networks page and select the new VPC item. Click the Firewalls tab, then modify the firewall policy as required.

  9. FortiSandbox requires the following inbound (ingress) firewall rule:

    Type: Custom TCP

    Protocol: TCP

    Port range: allow the following ports to be reachable:

    • 443 (HTTPS)

    • 22 (if SSH access is needed)

    • 514 (if Fortinet Security Fabric devices such as FortiGate and FortiMail need to submit jobs)

    • 9833 (for on-demand interactive scans)

    • 21 (FTP; FortiSandbox uses this hard-coded port on port2 to communicate with custom VM clones, so this rule belongs on the VPC that carries port2, not on the management VPC)

    Restrict the source IP ranges of each rule to the networks that actually need access (your administrators' addresses for 443 and 22, the Fabric devices for 514, the custom VM subnet for 21) rather than 0.0.0.0/0. GCP VPC networks deny all ingress that is not explicitly allowed, so only the rules you add here will open ports. More rules can be added; for example, you can add a rule to allow access to FortiSandbox's MTA adapter. For more port information, see Port and access control information in the FortiSandbox Administration Guide.

  10. Repeat steps 1 to 9 to create the VPCs and subnets for port2, port3, and any other required interfaces.

    Note

    FortiSandbox VM for GCP requires a minimum of 3 VPCs and 3 subnets in Nested running mode. Non-Nested running mode requires a minimum of 2 VPCs and 2 subnets; if you plan to configure a cluster in Non-Nested mode, you will need at least three VPCs.

    • Port1 is used to access and manage FortiSandbox.

    • Port2 is used for HA cluster communication in Nested mode and for local custom VM communication in Non-Nested mode.

    • Port3 is used for the guest VM network in Nested mode and for HA cluster communication in Non-Nested mode.

    Example:

    VPC: vpc-port1 > Subnet: vpc-port1-subnet (10.0.1.0/24)

    VPC: vpc-port2 > Subnet: vpc-port2-subnet (10.0.2.0/24)

    VPC: vpc-port3 > Subnet: vpc-port3-subnet (10.0.3.0/24)

Create a Cloud NAT Gateway and Cloud Router

If an instance in a VPC subnet does not have an external IP address but still needs to reach the Internet, create a Cloud NAT gateway and Cloud Router for that VPC. Cloud NAT only translates connections initiated from inside the VPC, so it gives the guest and custom VM networks Internet egress without exposing them to unsolicited inbound connections.

Note

It is highly recommended to set up Internet access for port2 of a Non-Nested unit and for port3 of a Nested unit, since these interfaces carry the traffic of the VMs that detonate samples. Without Internet access, detection of malicious URLs and other network-related malicious behavior is degraded.

To create a Cloud NAT gateway:
  1. Go to Network Services > Cloud NAT, and click CREATE CLOUD NAT GATEWAY.

  2. In the Name field, enter a descriptive name for the gateway, for example, vpc-port2-gw.

  3. Under Select Cloud Router, select the correct Network (for example, vpc-port2) and Region.

  4. Select an existing Cloud Router or create a new one to attach to the gateway.

  5. Click CREATE to create the Cloud NAT gateway.

    Note

    If the local custom VM (Non-Nested mode) requires Internet connectivity when performing scan jobs, set up a Cloud NAT gateway and Cloud Router for the VPC and subnet where port2 is located.

Generate a GCP service account key for FortiSandbox

Generate a service account key (the GCP access key that FortiSandbox asks for) from your GCP project to allow the FortiSandbox instance to access GCP resources.

To generate the key:
  1. Go to IAM & Admin > Service accounts and click the Compute Engine default service account.

  2. On the service account's details page, click the KEYS tab.

  3. Click ADD KEY > Create new key.

  4. For Key type, select JSON and click CREATE.

The private key file is downloaded to your computer automatically and cannot be downloaded again from GCP. Store it in a secure place, because it will be needed when installing FortiSandbox. Treat it as a sensitive, long-lived credential: the Compute Engine default service account is granted the broad Editor role on the project by default, so anyone holding this file can act with those permissions. Limit who can read the file, and delete the key from the service account's KEYS tab once it is no longer needed.
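The following shell script is an added example, not part of the FortiSandbox guide or Fortinet's tooling, that performs the procedures above with the gcloud CLI: it creates the three VPCs and subnets from the example, the ingress rules for the listed ports, the Cloud Router and Cloud NAT gateway for whichever interface carries guest traffic in the chosen running mode, and the JSON key for the Compute Engine default service account. The project ID and number, region, CIDRs, the fortisandbox network tag (which must also be applied to the instance when it is created), and the administrator and Fabric source ranges are assumptions to be replaced. It defaults to a dry run that prints each gcloud command instead of executing it.

```shell
#!/usr/bin/env sh
# Added example (not from the FortiSandbox guide): builds the GCP environment
# described above with the gcloud CLI. Project, region, CIDRs, network tag and
# source ranges are assumptions; adjust them for your deployment.
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.

DRY_RUN="${DRY_RUN:-1}"
PROJECT="${PROJECT:-my-fsa-project}"               # assumed project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # assumed project number
REGION="${REGION:-us-central1}"                    # assumed region
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"         # assumed admin network
FABRIC_CIDR="${FABRIC_CIDR:-198.51.100.0/24}"      # assumed FortiGate/FortiMail network
TAG="fortisandbox"   # assumed network tag applied to the FortiSandbox instance

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One VPC in custom subnet mode with MTU 1500 (step 6) and a single subnet.
create_vpc() {  # $1 = VPC name, $2 = subnet CIDR
  run gcloud compute networks create "$1" --project="$PROJECT" \
    --subnet-mode=custom --mtu=1500
  run gcloud compute networks subnets create "$1-subnet" --project="$PROJECT" \
    --network="$1" --region="$REGION" --range="$2"
}

# Ingress rules for the management VPC (port1). The guide lists the ports;
# the source ranges are locked to trusted networks instead of 0.0.0.0/0.
create_mgmt_firewall() {  # $1 = VPC name
  run gcloud compute firewall-rules create "$1-allow-admin" --project="$PROJECT" \
    --network="$1" --direction=INGRESS --action=ALLOW --rules=tcp:443,tcp:22 \
    --source-ranges="$ADMIN_CIDR" --target-tags="$TAG"
  run gcloud compute firewall-rules create "$1-allow-fabric" --project="$PROJECT" \
    --network="$1" --direction=INGRESS --action=ALLOW --rules=tcp:514,tcp:9833 \
    --source-ranges="$FABRIC_CIDR" --target-tags="$TAG"
}

# tcp/21 for custom VM clones (Non-Nested mode): only from the port2 subnet.
create_customvm_firewall() {  # $1 = VPC name, $2 = subnet CIDR
  run gcloud compute firewall-rules create "$1-allow-ftp" --project="$PROJECT" \
    --network="$1" --direction=INGRESS --action=ALLOW --rules=tcp:21 \
    --source-ranges="$2" --target-tags="$TAG"
}

# Cloud Router plus Cloud NAT so instances without external IPs can reach
# the Internet for outbound connections only.
create_nat() {  # $1 = VPC name
  run gcloud compute routers create "$1-router" --project="$PROJECT" \
    --network="$1" --region="$REGION"
  run gcloud compute routers nats create "$1-gw" --project="$PROJECT" \
    --router="$1-router" --region="$REGION" \
    --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips
}

# The interface that carries guest/custom VM traffic, and therefore needs
# NAT, depends on the running mode (see the note in the VPC section).
nat_vpc_for_mode() {  # $1 = nested | non-nested
  case "$1" in
    nested)     echo vpc-port3 ;;
    non-nested) echo vpc-port2 ;;
    *) echo "unknown running mode: $1" >&2; return 1 ;;
  esac
}

prepare_environment() {  # $1 = nested | non-nested
  nat_vpc="$(nat_vpc_for_mode "$1")" || return 1
  create_vpc vpc-port1 10.0.1.0/24
  create_vpc vpc-port2 10.0.2.0/24
  create_vpc vpc-port3 10.0.3.0/24   # optional in non-nested mode without HA
  create_mgmt_firewall vpc-port1
  if [ "$1" = "non-nested" ]; then
    create_customvm_firewall vpc-port2 10.0.2.0/24
  fi
  create_nat "$nat_vpc"
}

# JSON key for the Compute Engine default service account. It is a long-lived
# credential: keep it readable by the owner only and delete it when retired.
create_sa_key() {  # $1 = output path
  run gcloud iam service-accounts keys create "$1" --project="$PROJECT" \
    --iam-account="$PROJECT_NUMBER-compute@developer.gserviceaccount.com"
  [ "$DRY_RUN" = "1" ] || chmod 600 "$1"
}

# Usage: DRY_RUN=1 sh prepare-gcp.sh nested      # print the plan
#        DRY_RUN=0 sh prepare-gcp.sh non-nested  # apply it
if [ -n "${1:-}" ]; then
  prepare_environment "$1" && create_sa_key ./fortisandbox-sa-key.json
fi
```

Run it once in dry-run mode and review the printed commands, especially the source ranges, before running with DRY_RUN=0; the ports are the guide's, but the sources are the deployment's own policy decision. If an instance is created without the fortisandbox network tag, none of these rules will apply to it.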
