Fortinet Document Library


Administration Guide

Supported Devices

You can configure your Fortinet devices, such as FortiGate, to send files to FortiSandbox for inspection and analysis. These devices query scan results and retrieve scan details. Devices can also download malware packages as a complementary AV signature database to block future appearances of the same malware, and download URL packages as a complementary web filtering blacklist.

FortiSandbox supports the following devices:

FortiGate

FortiSandbox is able to perform additional analysis on files that have been AV scanned by your FortiGate. You can configure your FortiGate to send all files or only suspicious files passing through the AV scan.

FortiGate can retrieve scan results and details from FortiSandbox, and also receive antivirus and web filtering signatures to supplement the current signature database.

When FortiGate learns from FortiSandbox that a terminal is infected, the administrator can push a self-quarantine instruction to a registered FortiClient host.

FortiMail

You can configure your FortiMail to send suspicious, high-risk files and suspicious attachments to FortiSandbox. FortiSandbox is able to perform additional analysis on files that have been scanned by your FortiMail email gateway.

Suspicious email attachments include:

  • Suspicious files detected by heuristic scan of the AV engine.
  • Executable files and executable files embedded in archive files.
  • Type 6 hashes (binary hashes) of spam email detected by FortiGuard AntiSpam service.

Recent FortiMail builds can send suspicious URLs in the email body to FortiSandbox for URL scanning and block suspicious emails based on the scan result.

FortiWeb

You can now use a file upload restriction policy to submit uploaded files to FortiSandbox for evaluation. FortiSandbox evaluates whether the file poses a threat and returns the result to FortiWeb. If FortiSandbox determines that the file is malicious, FortiWeb performs the following tasks:

  • Generates an attack log message that contains the result (for example, messages with the Alert action in the illustration).
  • For 10 minutes after it receives the FortiSandbox results, takes the action specified by the file upload restriction policy. During this time, it does not re-submit the file to FortiSandbox (for example, messages with the Alert_Deny action in the illustration).
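
The hold window described above, modelled as an added example (not FortiWeb code or anything from the guide). It assumes files are matched by SHA-256 of their content, that the sandbox result arrives at upload time, and that the window ends exactly at 600 seconds; the "Pass" label, the class and function names, and the sample bytes are constructed for illustration.

```python
import hashlib

HOLD_SECONDS = 10 * 60  # the 10-minute window stated in the guide


class UploadVerdictHold:
    """Toy model of the post-verdict hold window (hypothetical, not FortiWeb code)."""

    def __init__(self, submit_to_sandbox, policy_action="Alert_Deny"):
        self.submit = submit_to_sandbox     # callable(bytes) -> True if malicious
        self.policy_action = policy_action  # action set in the file upload restriction policy
        self.held = {}                      # content digest -> time the hold expires
        self.submissions = 0                # how many times the sandbox was asked

    def handle_upload(self, data, now):
        # Assumption: a repeated upload is recognised by its content hash.
        key = hashlib.sha256(data).hexdigest()
        expires = self.held.get(key)
        if expires is not None and now < expires:
            # Inside the window: apply the policy action, do not re-submit.
            return self.policy_action
        self.held.pop(key, None)            # window over (or never started)
        self.submissions += 1
        if self.submit(data):
            # The window is measured from receipt of the result, not from upload.
            self.held[key] = now + HOLD_SECONDS
            return "Alert"                  # attack log message carrying the result
        return "Pass"                       # constructed label for a clean verdict


def run_demo():
    """Replay one constructed malicious sample at several times (in seconds)."""
    def fake_sandbox(data):                 # stand-in for the FortiSandbox verdict
        return data.startswith(b"EVIL")

    hold = UploadVerdictHold(fake_sandbox)
    sample = b"EVIL constructed sample"
    actions = [hold.handle_upload(sample, t) for t in (0, 30, 599, 600, 601)]
    return actions, hold.submissions


if __name__ == "__main__":
    print(run_demo())
```

The replay shows that the same file reaches the sandbox again once the window lapses, so the policy action during the window depends on the most recent verdict only.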

FortiClient EMS

FortiClient EMS administrators can configure a FortiSandbox IP address in an endpoint profile. After the configuration is saved, FortiClient EMS attempts to submit an authorization request to the configured FortiSandbox. FortiSandbox administrators can authorize it and set limits on submission speed. Subsequently, all FortiClient endpoints managed by FortiClient EMS are considered authorized by the same FortiSandbox and follow the submission speed limit.

FortiClient

FortiSandbox can accept files from FortiClient to perform additional analysis, while FortiClient holds the files until the scan results are received. FortiClient will also receive additional antivirus signatures from FortiSandbox, generated from scan results, to supplement current signatures.
