Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 3.1.2 Administration Guide
    3.1.2
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Device

    Device

    In Device mode, you can configure your FortiGate, FortiWeb, FortiClient, or FortiMail devices to send files to your FortiSandbox. For FortiGate, you can select to send all files for inspection. For FortiMail, you can select to send email attachments or URLs in the email body to FortiSandbox for inspections or just the Suspicious ones. When files or URLs are received by FortiSandbox, they are executed and scanned within the VM modules. FortiSandbox also sends statistics back to the FortiGate, FortiWeb and FortiMail. When integrated with FortiGate, the following protocols are supported: HTTP, FTP, POP3, IMAP, SMTP, MAPI, IM, and their equivalent SSL encrypted versions. To view, edit, and authorize devices, go to Scan Input > Device.

    For FortiOS 5.2.3 and later, the FortiGate can query a file's verdict, and retrieve detailed information from FortiSandbox.

    For FortiOS 5.4.0 and later, the FortiGate can download Malware packages and URL packages from FortiSandbox as complimentary AV signatures and web filtering black lists, respectively. These packages contain detected malware signatures and their downloading URLs.

    The default file size scanned and forwarded by FortiGate is 10MB and the maximum depends on the memory size of the FortiGate. You can change the file size on the FortiGate side using the following CLI command:

    config firewall profile-protocol-options

    edit <name_str>

    config http

    set oversize-limit <size_int>

    end

    end

    Note: The profile-protocol-options setting decides the maximum file size that will be AV scanned on the FortiGate. After a virus scan verdict has been made (Clean or Suspicious), if the file's size is less than analytics-max-upload size, it will be set over to FortiSandbox according to Send All/Suspicious Only settings on the FortiGate.

    For more information on configure the oversize limit for profile-protocol-options and analytics-max-upload, see the FortiOS CLI Reference in the Fortinet Document Library.

    The following options are available:

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Device Filter

    Users can filter devices by entering part of device name or serial number.

    Clear all removable filters

    Click the Trash can icon to clear all removable filters.

    This page displays the following:

    Device Name

    The name of the device and the VDOM or protected email domain that send files to FortiSandbox. For device, it has the format of: Device Name. For VDOM, it has the format of: Device Name: VDOM Name. For a FortiMail protected domain, it has the format: Device Name : Domain Name.

    Serial

    The FortiGate, FortiWeb, FortiClient, FortiClient EMS, or FortiMail serial number.

    Malicious

    The number of malicious files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of malicious files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    High

    The number of high risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of high risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Medium

    The number of medium risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of medium risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Low

    The number of low risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of low risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Clean

    The number of clean files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of clean files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Others

    The number of other files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of other rating files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Malware Pkg

    The malware package version currently on the device.

    URL Pkg

    The URL package versions currently on the device.

    Authorized

    If the device or VDOM/Protected Domain is authorized to submit files. Only authorized device or VDOM/Protected Domain is allowed to submit files to FortiSandbox.

    Limit

    If a submission limit is set for this device.

    Status

    The status of the device. This field displays an Up icon when the device is connected and a Down icon for devices which are disconnected. If a device, its VDOM, or protected domain does not contact FortiSandbox for more than 15 minutes, the status will change to Disconnected.

    Delete

    Click to delete the device or VDOM/Protect Domain. If a device is deleted, all its VDOMs/Protected Domains will also be deleted. If the device is FortiClient EMS, its managed FortiClient endpoints are still kept. If the device connects to FortiSandbox later, it will show up again as a new device.

    FortiSandbox uses a Fortinet proprietary traffic protocol (OFTP) to communicate with connected devices. This communication occurs on TCP port 514. The traffic is encrypted.
    Previous
    Next

    Device

    Device

    In Device mode, you can configure your FortiGate, FortiWeb, FortiClient, or FortiMail devices to send files to your FortiSandbox. For FortiGate, you can select to send all files for inspection. For FortiMail, you can select to send email attachments or URLs in the email body to FortiSandbox for inspections or just the Suspicious ones. When files or URLs are received by FortiSandbox, they are executed and scanned within the VM modules. FortiSandbox also sends statistics back to the FortiGate, FortiWeb and FortiMail. When integrated with FortiGate, the following protocols are supported: HTTP, FTP, POP3, IMAP, SMTP, MAPI, IM, and their equivalent SSL encrypted versions. To view, edit, and authorize devices, go to Scan Input > Device.

    For FortiOS 5.2.3 and later, the FortiGate can query a file's verdict, and retrieve detailed information from FortiSandbox.

    For FortiOS 5.4.0 and later, the FortiGate can download Malware packages and URL packages from FortiSandbox as complimentary AV signatures and web filtering black lists, respectively. These packages contain detected malware signatures and their downloading URLs.

    The default file size scanned and forwarded by FortiGate is 10MB and the maximum depends on the memory size of the FortiGate. You can change the file size on the FortiGate side using the following CLI command:

    config firewall profile-protocol-options

    edit <name_str>

    config http

    set oversize-limit <size_int>

    end

    end

    Note: The profile-protocol-options setting decides the maximum file size that will be AV scanned on the FortiGate. After a virus scan verdict has been made (Clean or Suspicious), if the file's size is less than analytics-max-upload size, it will be set over to FortiSandbox according to Send All/Suspicious Only settings on the FortiGate.

    For more information on configure the oversize limit for profile-protocol-options and analytics-max-upload, see the FortiOS CLI Reference in the Fortinet Document Library.

    The following options are available:

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Device Filter

    Users can filter devices by entering part of device name or serial number.

    Clear all removable filters

    Click the Trash can icon to clear all removable filters.

    This page displays the following:

    Device Name

    The name of the device and the VDOM or protected email domain that send files to FortiSandbox. For device, it has the format of: Device Name. For VDOM, it has the format of: Device Name: VDOM Name. For a FortiMail protected domain, it has the format: Device Name : Domain Name.

    Serial

    The FortiGate, FortiWeb, FortiClient, FortiClient EMS, or FortiMail serial number.

    Malicious

    The number of malicious files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of malicious files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    High

    The number of high risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of high risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Medium

    The number of medium risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of medium risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Low

    The number of low risk files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of low risk files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Clean

    The number of clean files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of clean files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Others

    The number of other files submitted by the device to FortiSandbox in the last seven days. FortiClient EMS displays the number of other rating files submitted to FortiSandbox by FortiClient endpoints that are managed by EMS.

    Malware Pkg

    The malware package version currently on the device.

    URL Pkg

    The URL package versions currently on the device.

    Authorized

    If the device or VDOM/Protected Domain is authorized to submit files. Only authorized device or VDOM/Protected Domain is allowed to submit files to FortiSandbox.

    Limit

    If a submission limit is set for this device.

    Status

    The status of the device. This field displays an Up icon when the device is connected and a Down icon for devices which are disconnected. If a device, its VDOM, or protected domain does not contact FortiSandbox for more than 15 minutes, the status will change to Disconnected.

    Delete

    Click to delete the device or VDOM/Protect Domain. If a device is deleted, all its VDOMs/Protected Domains will also be deleted. If the device is FortiClient EMS, its managed FortiClient endpoints are still kept. If the device connects to FortiSandbox later, it will show up again as a new device.

    FortiSandbox uses a Fortinet proprietary traffic protocol (OFTP) to communicate with connected devices. This communication occurs on TCP port 514. The traffic is encrypted.
    Previous
    Next