OCI environment setup
Before deploying a FortiSandbox instance, some basic setup steps are required in the OCI platform.
Create a virtual cloud network (VCN)
To create a VCN:
- In OCI, go to Networking > Virtual Cloud Networks, and click Create VCN.
- In the Name field, enter the VCN name. In the IPv4 CIDR Blocks field, enter the IPv4 subnet.
- Click Create VCN at the bottom of the screen.
Create a security list
The security list works as the Firewall for the virtual cloud network (VCN).
To create a security list:
- Go to the VCN you just created and click Security Lists, then click Default Security List for xxx (VCN name). By default, port 22 is allowed.
- Click Add Ingress Rules > Add Rule. Manually add rules to allow the required TCP/UDP ports. FortiSandbox requires the following Ingress rules:

IP Protocol | Destination Port Range
---|---
TCP | 22 (SSH access)
TCP | 443 (HTTPS)
TCP | 80 (HTTP)
TCP | 2015, 2018 (Cluster)
TCP | 514 (OFTPD; Fortinet Fabric devices such as FortiGate and FortiMail need it to submit jobs)
For a complete list of ports that you must allow for the FortiSandbox-VM instance, see Port and access control information.
More rules can be added. For example, you can add a rule to allow access to the FortiSandbox MTA adapter. For more port information, see the Port and access control information section of the FortiSandbox Administration Guide.
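The ingress table above lists what FortiSandbox needs, but the console step leaves it to you to decide the source of each rule, and the default list already exposes port 22 to the world. The following is an added example (not Fortinet's or Oracle's code) that builds the minimal rule set with per-port source restrictions and audits an exported security list for rules that reach the Internet or ports outside the table. It assumes the JSON field names of OCI IngressSecurityRule objects as returned by `oci network security-list get` (protocol, source, sourceType, isStateless, tcpOptions.destinationPortRange); the CIDRs and the sample exported rules are constructed.

```python
"""Build and audit the OCI security-list ingress rules for a FortiSandbox VCN.

Added example; not Fortinet's or Oracle's code. It assumes the JSON shape of
OCI IngressSecurityRule objects (protocol, source, sourceType, isStateless,
tcpOptions.destinationPortRange.min/max) as returned by
`oci network security-list get`; the CIDRs and the sample rules are constructed.
"""
import json

# OCI security rules identify protocols by IANA number: "6" is TCP.
TCP = "6"

# TCP ports from the FortiSandbox ingress table on this page.
FORTISANDBOX_TCP_PORTS = {
    22: "SSH access",
    443: "HTTPS",
    80: "HTTP",
    2015: "Cluster",
    2018: "Cluster",
    514: "OFTPD: Fabric devices such as FortiGate and FortiMail submit jobs",
}


def tcp_ingress_rule(port, source_cidr, description=""):
    """One stateful ingress rule allowing TCP `port` from `source_cidr` only."""
    return {
        "protocol": TCP,
        "source": source_cidr,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "description": description,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }


def fortisandbox_ingress_rules(mgmt_cidr, fabric_cidr):
    """Minimal rule set: management ports reachable only from the admin network,
    OFTPD (514) only from the network where the FortiGate/FortiMail devices sit."""
    return [
        tcp_ingress_rule(port, fabric_cidr if port == 514 else mgmt_cidr, why)
        for port, why in FORTISANDBOX_TCP_PORTS.items()
    ]


def ingress_rules_json(rules):
    """Serialize rules as the JSON list the OCI CLI accepts for a security list."""
    return json.dumps(rules, indent=2)


def _port_range(rule):
    """Destination port range of a rule; no range means every port."""
    rng = (rule.get("tcpOptions") or rule.get("udpOptions") or {}).get("destinationPortRange")
    return (1, 65535) if rng is None else (rng["min"], rng["max"])


def audit_ingress_rules(rules, allowed_tcp_ports=FORTISANDBOX_TCP_PORTS):
    """Flag rules open to the whole Internet and TCP rules that expose ports
    FortiSandbox does not need. Returns a list of human-readable findings."""
    findings = []
    for i, rule in enumerate(rules):
        lo, hi = _port_range(rule)
        if rule.get("source") == "0.0.0.0/0":
            findings.append(f"rule {i}: source 0.0.0.0/0 reaches ports {lo}-{hi}")
        if rule.get("protocol") != TCP:
            # UDP/ICMP/all are outside this page's table; review against the full port list.
            findings.append(f"rule {i}: protocol {rule.get('protocol')} not in the TCP table; check the full port list")
            continue
        extra = [p for p in range(lo, hi + 1) if p not in allowed_tcp_ports]
        if extra:
            shown = ", ".join(str(p) for p in extra[:5])
            more = f" (+{len(extra) - 5} more)" if len(extra) > 5 else ""
            findings.append(f"rule {i}: TCP ports not required by FortiSandbox: {shown}{more}")
    return findings


# Constructed sample resembling an exported security list: OCI's default list
# ships SSH open to the world (the page notes port 22 is allowed by default),
# and the last rule is a common mistake, every TCP port open to the Internet.
SAMPLE_EXPORTED_RULES = [
    tcp_ingress_rule(22, "0.0.0.0/0", "default SSH"),
    tcp_ingress_rule(443, "10.0.0.0/24", "admin GUI"),
    {"protocol": TCP, "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK", "isStateless": False},
]

if __name__ == "__main__":
    print(ingress_rules_json(fortisandbox_ingress_rules("10.0.0.0/24", "10.0.1.0/24")))
    for finding in audit_ingress_rules(SAMPLE_EXPORTED_RULES):
        print(finding)
```

Run it against the JSON of your own security list to see which rules a reviewer would question; the 514 rule is scoped to the Fabric-device subnet because only FortiGate/FortiMail need to submit jobs, while the management ports stay limited to the admin network.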
Create a Gateway and Route table
Some FortiSandbox features need access to the Internet, so you will need to set up a Gateway and Route table that allows subnets in the Virtual Cloud Network (VCN) to access the Internet. There are two types of gateways to set up:

Interface | Type
---|---
Port1 | Internet Gateway
Port3 | NAT Gateway (a NAT gateway lets instances that do not have public IP addresses access the Internet)
To create a Gateway and Route table:
- Go to the VCN you created previously, and click Internet Gateways, then click Create Internet Gateway.
- Go to the VCN you created previously, and click NAT Gateways, then click Create NAT Gateway.
- Go to the VCN you created previously, and click Route Tables, then click Create Route Table. Configure the following fields and click Create.

Port1 Route settings:
  - Name: Enter a name for the Port 1 route policy, then click Another Route Rule.
  - Target Type: Select Internet Gateway.
  - Destination CIDR Block: Enter 0.0.0.0/0.
  - Target Internet Gateway: Select the gateway you created previously.

- Go to the VCN you created previously and click Route Tables, then click Create Route Table. Configure the following settings and click Create.

Port3 Route settings:
  - Name: Enter a name for the Port 3 route policy, then click Another Route Rule.
  - Target Type: Select NAT Gateway.
  - Destination CIDR Block: Enter 0.0.0.0/0.
  - Target NAT Gateway: Select the gateway you created previously.
Create Subnets
OCI FortiSandbox needs at least one subnet to use the Windows Cloud VM. If you need to configure a Cluster and Customized VM, you will need at least three subnets. The three subnets required for the Customized VM feature are:

Interface | Services
---|---
port1 (administration port) | Port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, or Telnet access rights on port1. HTTPS is enabled by default. You can use port1 for Device mode, although a different, dedicated port is recommended.
Port2 | You can use port2 for Sniffer mode, Device mode, or inter-node communication within a cluster.
port3 (VM outgoing interface) | Port3 is reserved for outgoing communication triggered by the execution of the files under analysis. FortiSandbox uses port3 to allow scanned files to access the Internet. A file's Internet access behavior is an important factor in determining whether it is malicious. As malicious files are infectious, ensure that the connection for port3 is isolated but can still access the Internet. Do not allow this connection to belong to, or be able to access, any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall. FortiSandbox VM accesses external networks through port3. Configure the next hop gateway and DNS settings in Scan Policy and Object > General Settings > Allow Virtual Machines to access external network through outgoing port3. This allows files running inside VMs to access the external network. One special type of outgoing communication from a guest VM is the connection to the Microsoft activation server to activate the Windows Sandbox VM product keys. Office licenses are verified through the VM machines, so Internet access via port3 is required to contact Microsoft for license activation. If the VM cannot access the outside network, a simulated network (SIMNET) starts by default. SIMNET provides responses to popular network services such as HTTP that some malware is expected to contact. If VM Internet access is down, the SIMNET status is displayed beside the down icon. Click that icon to go to the VM network configuration page.
To create the subnets:
- Go to the VCN you created previously, click Subnets, then click Create Subnet.
- Create the subnet for port1 with the following configuration and click Create Subnet. You can use the default settings for the DHCP Options and Security List.
  - Name: Enter a name for the subnet.
  - IPv4 CIDR Block: Enter the subnet for port1.
  - Route table compartment in xxxx: Select the policy you created for port1.
  - Subnet access: For the Port1 subnet, select Public subnet. For the Port2 and Port3 subnets, select Private subnet.
- Repeat Steps 1-2 to create the other subnets and select the corresponding route table.
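Once the gateways, route tables and subnets exist, the properties that matter for safety are easy to get wrong silently: port3 left public, its default route pointed at the Internet Gateway instead of the NAT Gateway, or its CIDR carved out of a protected internal range. The following is an added example (not Fortinet's or Oracle's code) that checks those properties for the three-subnet layout described above. The dictionaries are constructed to mirror the fields of `oci network subnet get` and `oci network route-table get` output (cidrBlock, prohibitPublicIpOnVnic, routeTableId, routeRules[].destination, routeRules[].networkEntityId); every OCID and CIDR is a placeholder. It does not cover reachability between subnets inside the VCN, which depends on the security lists attached to each subnet.

```python
"""Sanity-check the three-subnet FortiSandbox layout described on this page.

Added example; not Fortinet's or Oracle's code. The dictionaries below are
constructed to mirror fields of `oci network subnet get` and
`oci network route-table get` output (cidrBlock, prohibitPublicIpOnVnic,
routeTableId, routeRules[].destination, routeRules[].networkEntityId);
every OCID and CIDR is a placeholder.
"""
import ipaddress

# Expected role of each FortiSandbox interface, from the tables on this page:
# port1 public behind the Internet Gateway, port3 private behind the NAT Gateway,
# port2 private (the page assigns it no dedicated default route).
EXPECTED = {
    "port1": {"public": True, "default_route_via": "INTERNET_GATEWAY"},
    "port2": {"public": False, "default_route_via": None},
    "port3": {"public": False, "default_route_via": "NAT_GATEWAY"},
}


def default_route_target(route_table, gateways):
    """Gateway type that the 0.0.0.0/0 rule points at, or None if there is none."""
    for rule in route_table.get("routeRules", []):
        if rule.get("destination") == "0.0.0.0/0":
            return gateways.get(rule.get("networkEntityId"))
    return None


def check_layout(subnets, route_tables, gateways, protected_cidrs):
    """Return a list of problems; an empty list means the layout matches the guide."""
    problems = []
    for port, want in EXPECTED.items():
        sn = subnets.get(port)
        if sn is None:
            problems.append(f"{port}: subnet missing")
            continue
        is_public = not sn.get("prohibitPublicIpOnVnic", False)
        if is_public != want["public"]:
            kind = "public" if want["public"] else "private"
            problems.append(f"{port}: should be a {kind} subnet")
        via = default_route_target(route_tables.get(sn.get("routeTableId"), {}), gateways)
        if want["default_route_via"] and via != want["default_route_via"]:
            problems.append(f"{port}: default route should go via {want['default_route_via']}, found {via}")
    # port3 carries traffic generated by the samples under analysis, so its
    # address range must not overlap any internal range that needs protection.
    if "port3" in subnets:
        net3 = ipaddress.ip_network(subnets["port3"]["cidrBlock"])
        for cidr in protected_cidrs:
            if net3.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"port3: CIDR {net3} overlaps protected range {cidr}")
    return problems


# Constructed inventory (placeholder OCIDs).
GATEWAYS = {
    "ocid1.internetgateway.EXAMPLE": "INTERNET_GATEWAY",
    "ocid1.natgateway.EXAMPLE": "NAT_GATEWAY",
}
ROUTE_TABLES = {
    "ocid1.routetable.PORT1": {"routeRules": [
        {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
         "networkEntityId": "ocid1.internetgateway.EXAMPLE"}]},
    "ocid1.routetable.PORT3": {"routeRules": [
        {"destination": "0.0.0.0/0", "destinationType": "CIDR_BLOCK",
         "networkEntityId": "ocid1.natgateway.EXAMPLE"}]},
}
GOOD_SUBNETS = {
    "port1": {"cidrBlock": "10.0.1.0/24", "prohibitPublicIpOnVnic": False, "routeTableId": "ocid1.routetable.PORT1"},
    "port2": {"cidrBlock": "10.0.2.0/24", "prohibitPublicIpOnVnic": True, "routeTableId": "ocid1.routetable.DEFAULT"},
    "port3": {"cidrBlock": "10.0.3.0/24", "prohibitPublicIpOnVnic": True, "routeTableId": "ocid1.routetable.PORT3"},
}
# A misconfigured port3: public, routed through the Internet Gateway, and
# carved out of a protected corporate range.
BAD_SUBNETS = {**GOOD_SUBNETS, "port3": {
    "cidrBlock": "10.10.0.0/24", "prohibitPublicIpOnVnic": False, "routeTableId": "ocid1.routetable.PORT1"}}
PROTECTED = ["10.10.0.0/16"]

if __name__ == "__main__":
    print(check_layout(GOOD_SUBNETS, ROUTE_TABLES, GATEWAYS, PROTECTED))  # []
    for problem in check_layout(BAD_SUBNETS, ROUTE_TABLES, GATEWAYS, PROTECTED):
        print(problem)
```

Feed it the subnet and route-table objects of your own VCN and the internal ranges you consider protected; an empty result means the public/private choice, the default-route target for port1 and port3, and the port3 address range all match the layout this page describes.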