Administration Guide

Interfaces

To view and manage interfaces, go to Network > Interfaces.

This page displays the following information and options:

Interface

The interface name and description, where applicable.

The failover IP is listed under this field with the following descriptor: (cluster external port).

port1 (administration port)

port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, and Telnet access rights on port1. HTTPS is enabled by default. port1 can be used for Device mode, although a different, dedicated port is recommended.

port2

port2 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

port3 (VM outgoing interface)

port3 is reserved for outgoing communication triggered by the execution of the files under analysis. It is recommended to put this interface on an isolated network behind a firewall.

One special type of outgoing communication from a guest VM is used to connect to the Microsoft Windows activation server to activate the Windows Sandbox VM product keys. You must enable Allow Virtual Machines to access external network through outgoing port and set up the next-hop gateway and DNS server to allow files running inside VMs to access the external network. Office licenses are verified through the VMs, so internet access via port3 is required to contact Microsoft for license activation.

If the VM cannot access the outside network, a simulated network (SIMNET) starts by default. SIMNET provides responses for popular network services, such as HTTP, that certain malware expects. If VM internet access is down, the SIMNET status is displayed beside the down icon. Clicking it opens the VM network configuration page. Note: SIMNET is not a real internet connection. This can affect the catch rate. Do not assign port3 an IP address from the production IP pool, because there is a chance it will get blacklisted.

The FortiSandbox VM accesses the external network through port3. The next-hop gateway and DNS settings can be configured in Scan Policy > General > Allow Virtual Machines to access external network through outgoing port3.

Note: It is not recommended to have an IP from the production IP pool for the IP assignment on port3, since there is a chance it will get blacklisted.

port4

port4 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

port5/port6

port5 and port6 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster. On FortiSandbox 2000E, 3000E and 3500D devices, port5 and port6 are 10G fiber ports. It is recommended that they be used on a master node/primary slave as communications ports with the cluster slaves.

port7/port8

port7 and port8 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

On FortiSandbox 3000D devices, port7 and port8 are 10G fiber ports. It is therefore recommended that they be used on a master node/primary slave as communications ports with the cluster slaves.

IPv4

The IPv4 IP address and subnet mask of the interface.

IPv6

The IPv6 IP address and subnet mask of the interface.

Interface Status

The state of the interface; one of the following states:
  • Interface is up
  • Interface is down
  • Interface is being used by sniffer

Link Status

The link status.
  • Link up
  • Link down

Access Rights

The access rights associated with the interface. HTTPS is enabled by default on port1 or any other administrative port set through the CLI command set admin-port. You can select to enable HTTP, SSH, and Telnet access on the administrative port.

PCAP

Click the PCAP icon to sniff the traffic of an interface for up to 60 seconds, then download the PCAP file in ZIP format (maximum file size 100 MB).

Users can define the tcpdump filter to use, such as host 172.10.1.1 and tcp port 443.

Only one capture is allowed to run at a time for each port. Sniffing ports are combined and treated as a single port.

Edit

Select the interface and click Edit from the toolbar to edit the interface.

The FortiSandbox uses port3 to allow scanned files to access the Internet. A file's Internet access behavior is an important factor in determining whether it is malicious.

As malicious files are infectious, you should ensure that the connection for port3 can access the Internet while remaining isolated. The connection should not belong to or be able to access any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

For more information on FSA-1000D, FSA-3000D, FSA-2000E, FSA-3500D, FSA-3000E ports, see Default Port Information.

You can set up more administration ports with the CLI command set admin-port.

Note

The following subnets are reserved for use by FortiSandbox. Do not configure interface IP addresses that fall within these ranges.

  • 192.168.56.0/24
  • 192.168.57.0/24
  • 192.168.250.0/24
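
A pre-deployment check for the addressing rules on this page, as an added example (not Fortinet code): it flags planned interface addresses that overlap the reserved subnets above, and a port3 address that belongs to a protected or production range. The function name, the plan format, and the sample addresses are assumptions made for illustration; the overlap test is slightly stricter than the page's wording because it also catches an interface subnet that contains a reserved range.

```python
import ipaddress

# Reserved subnets listed on this page.
RESERVED = [ipaddress.ip_network(n) for n in
            ("192.168.56.0/24", "192.168.57.0/24", "192.168.250.0/24")]


def _overlaps(a, b):
    # ip_network.overlaps() raises TypeError across IPv4/IPv6, so compare versions first.
    return a.version == b.version and a.overlaps(b)


def audit_interface_plan(plan, protected_subnets):
    """Return a sorted list of (port, issue) for a planned address layout.

    plan: {"port3": "203.0.113.10/28", ...} interface address with prefix length.
    protected_subnets: internal/production ranges supplied by the operator
    (assumption: the page does not define them).
    """
    protected = [ipaddress.ip_network(n) for n in protected_subnets]
    findings = []
    for port, cidr in plan.items():
        iface = ipaddress.ip_interface(cidr)
        # Rule 1: no interface may use the FortiSandbox reserved ranges.
        for reserved in RESERVED:
            if _overlaps(iface.network, reserved):
                findings.append((port, f"overlaps reserved subnet {reserved}"))
        # Rule 2: port3 carries traffic from files under analysis, so it must
        # not belong to a protected internal subnet or the production pool.
        if port == "port3":
            for subnet in protected:
                if _overlaps(iface.network, subnet):
                    findings.append(
                        (port, f"port3 sits in protected/production range {subnet}"))
    return sorted(findings)


# Constructed sample data, not taken from any real deployment.
SAMPLE_PROTECTED = ["10.10.0.0/16"]
SAMPLE_PLAN = {
    "port1": "10.10.1.5/24",      # admin port on the internal network: allowed
    "port2": "192.168.57.20/24",  # collides with a reserved subnet
    "port3": "10.10.8.4/24",      # VM outgoing port inside a protected range
    "port5": "2001:db8::5/64",    # IPv6 address: no IPv4 rule applies
}

if __name__ == "__main__":
    for port, issue in audit_interface_plan(SAMPLE_PLAN, SAMPLE_PROTECTED):
        print(f"{port}: {issue}")
```

Addressing alone cannot show whether port3 can reach an internal subnet; that still has to be verified in the firewall policy in front of the isolated network.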
