Fortinet Document Library

Administration Guide

Device

In Device mode, you configure your FortiGate, FortiWeb, FortiClient EMS, FortiClient, or FortiMail devices to send files to your FortiSandbox. For FortiGate, you can choose to send all files, or only suspicious ones, for inspection. For FortiMail, you can choose to send all email attachments and URLs found in the email body to FortiSandbox for inspection, or just the suspicious ones. When FortiSandbox receives files or URLs, it executes and scans them inside its VM modules. FortiSandbox also sends statistics back to the FortiGate, FortiWeb, and FortiMail. When integrated with FortiGate, the following protocols are supported: HTTP, FTP, POP3, IMAP, SMTP, MAPI, IM, and their SSL-encrypted equivalents. To view, edit, and authorize devices, go to Scan Input > Device.

For FortiOS 5.2.3 and later, the FortiGate can query a file's verdict and retrieve detailed information from FortiSandbox.

For FortiOS 5.4.0 and later, the FortiGate can download Malware packages and URL packages from FortiSandbox as complementary AV signatures and web filtering blocklists, respectively. These packages contain the signatures of detected malware and the URLs the malware was downloaded from.

The default maximum file size scanned and forwarded by FortiGate is 10 MB; the upper bound you can set depends on the memory size of the FortiGate model. You can change the limit on the FortiGate side with the following CLI command:

    config firewall profile-protocol-options
        edit <name_str>
            config http
                set oversize-limit <size_int>
            end
        end

Note: The profile-protocol-options oversize-limit decides the maximum file size that will be AV scanned on the FortiGate; larger files never receive a verdict and so are never considered for FortiSandbox submission. After a virus scan verdict has been made (Clean or Suspicious), the file is sent to FortiSandbox only if its size is less than the antivirus profile's analytics-max-upload value, and only if the profile's Send All / Suspicious Only setting allows that verdict. Both limits must therefore be sized together: an analytics-max-upload value larger than oversize-limit has no effect on the files above oversize-limit, because they are never scanned.

For more information on configuring the oversize-limit for profile-protocol-options and analytics-max-upload, see the FortiOS CLI Reference in the Fortinet Document Library.
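The interaction between the two limits and the send mode is easy to get wrong, so here is a small model of the decision described above. It is an added illustration written for this page, not FortiOS code: it encodes only the behaviour stated in the note (no AV verdict above oversize-limit; forwarding only for Clean or Suspicious verdicts, only below analytics-max-upload, and only when the Send All / Suspicious Only mode permits). The names Limits, Mode, av_scanned, forwarded_to_sandbox and config_warnings are invented for the example, sizes are in MB as on the page, the treatment of a file exactly equal to oversize-limit as still scanned is an assumption, and the sample inputs are constructed.

```python
"""Model of the two FortiGate size limits that gate FortiSandbox submission.

Added example, not FortiOS code. Behaviour encoded:
  * a file is AV-scanned on the FortiGate only if it is not larger than the
    profile-protocol-options oversize-limit (boundary case is an assumption);
  * once a verdict exists (Clean or Suspicious), the file is forwarded to
    FortiSandbox only if it is smaller than analytics-max-upload and the
    profile mode (Send All / Suspicious Only) allows that verdict.
Sizes are in MB. All sample values below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SEND_ALL = "send-all"
    SUSPICIOUS_ONLY = "suspicious-only"


@dataclass(frozen=True)
class Limits:
    oversize_limit_mb: int        # profile-protocol-options > config http > oversize-limit
    analytics_max_upload_mb: int  # antivirus profile analytics-max-upload
    mode: Mode                    # Send All / Suspicious Only


def av_scanned(size_mb: float, limits: Limits) -> bool:
    """Files larger than oversize-limit bypass AV scanning on the FortiGate."""
    return size_mb <= limits.oversize_limit_mb


def forwarded_to_sandbox(size_mb: float, verdict: str, limits: Limits) -> bool:
    """Return True if the FortiGate would submit the file to FortiSandbox.

    verdict is the FortiGate AV result: "clean", "suspicious" or "infected".
    Only Clean and Suspicious verdicts are forwarded (the page names only
    these two); a known-infected file is handled by AV and needs no sandbox.
    """
    if not av_scanned(size_mb, limits):
        return False                      # never scanned, so no verdict to act on
    if verdict not in ("clean", "suspicious"):
        return False
    if size_mb >= limits.analytics_max_upload_mb:
        return False                      # page: "less than analytics-max-upload"
    if limits.mode is Mode.SUSPICIOUS_ONLY and verdict != "suspicious":
        return False
    return True


def config_warnings(limits: Limits) -> list[str]:
    """Flag limit combinations that silently shrink sandbox coverage."""
    warnings = []
    if limits.analytics_max_upload_mb > limits.oversize_limit_mb:
        warnings.append(
            "analytics-max-upload exceeds oversize-limit: files between "
            f"{limits.oversize_limit_mb} MB and {limits.analytics_max_upload_mb} MB "
            "are never AV-scanned, so they are never forwarded either"
        )
    return warnings


if __name__ == "__main__":
    lim = Limits(oversize_limit_mb=10, analytics_max_upload_mb=10,
                 mode=Mode.SUSPICIOUS_ONLY)
    # Constructed cases: each row is (size in MB, FortiGate AV verdict).
    for size, verdict in [(2, "clean"), (2, "suspicious"),
                          (10, "suspicious"), (12, "suspicious")]:
        print(f"{size:>3} MB {verdict:<10} scanned={av_scanned(size, lim)!s:<5} "
              f"forwarded={forwarded_to_sandbox(size, verdict, lim)}")
    for w in config_warnings(Limits(10, 20, Mode.SEND_ALL)):
        print("warning:", w)
```

The point to take from the table is the dead band: with both limits at 10 MB, a 10 MB suspicious file is scanned but not forwarded (the page says "less than"), and a 12 MB file is neither scanned nor forwarded, whatever the send mode. Raising analytics-max-upload alone does not change that; oversize-limit has to move with it.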

The following options are available:

Refresh

Click the Refresh icon to refresh the entries displayed after applying search filters.

Device Filter

Filter the list by entering part of a device name or serial number.

Clear all removable filters

Click the Trash can icon to clear all removable filters.

This page displays the following:

Device Name

The name of the device, VDOM, or protected email domain that sends files to FortiSandbox. A device appears as Device Name; a VDOM appears as Device Name: VDOM Name; a FortiMail protected domain appears as Device Name: Domain Name.

Serial

The FortiGate, FortiWeb, FortiClient, FortiClient EMS, or FortiMail serial number.

Malicious

The number of malicious files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of malicious files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

High

The number of high risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of high risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Medium

The number of medium risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of medium risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Low

The number of low risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of low risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Clean

The number of clean files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of clean files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Others

The number of files with any other rating submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of such files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

Malware Pkg

The malware package version currently on the device.

URL Pkg

The URL package version currently on the device.

Authorized

Whether the device, VDOM, or protected domain is authorized to submit files. Only authorized devices, VDOMs, and protected domains are allowed to submit files to FortiSandbox; a device that connects but has not been authorized appears in this list with its submissions refused until you authorize it here.

Limit

If a submission limit is set for this device.

Status

The status of the device. An Up icon means the device is connected; a Down icon means it is disconnected. If a device, VDOM, or protected domain has not contacted FortiSandbox for more than 15 minutes, its status changes to Disconnected.

Delete

Click to delete the device, VDOM, or protected domain. If a device is deleted, all of its VDOMs or protected domains are deleted with it. If the device is a FortiClient EMS, its managed FortiClient endpoints are kept. If a deleted device connects to FortiSandbox again later, it appears as a new device and must be authorized again.

FortiSandbox uses a Fortinet proprietary protocol (OFTP) to communicate with connected devices. This communication occurs on TCP port 514 and the traffic is encrypted. Any firewall between a submitting device and the FortiSandbox must allow TCP 514 from the device to the FortiSandbox; note that this is a different service from syslog, which conventionally uses UDP 514.