
Administration Guide


Sniffer

Sniffer mode takes its input from a mirrored (SPAN) switch port or a network tap, so FortiSandbox inspects a copy of the traffic rather than sitting inline. That makes it the most suitable deployment for adding sandbox analysis alongside existing threat protection products from other vendors without changing the traffic path.

Sniffer mode configures FortiSandbox to capture all traffic on the specified interfaces. Files carved out of that traffic are executed and scanned in the VM modules. Sniffer mode supports these protocols: HTTP, FTP, POP3, IMAP, SMTP, SMB, DNS and raw TCP. To enable and configure sniffer settings, go to Scan Input > Sniffer.

You can sniff multiple interfaces. For example, when FortiSandbox is fed by a network tap that delivers each direction of traffic separately, you can sniff the incoming and outgoing streams on two separate FortiSandbox interfaces.

FortiSandbox reserves port1 for device management and port3 for the scan VMs' access to the Internet. The following cannot be selected as a sniffed interface: port1, the admin port, and the port used for cluster internal communication.

Configure the following settings:

Enable file based detection

Select the checkbox to extract files from the sniffed traffic and submit them for scanning.

Enable network alert detection

Select the checkbox to enable network alert detection. This feature inspects the sniffed live traffic for connections to botnet servers, intrusion attempts, and visits to suspicious web sites, using Fortinet IPS and Web Filtering technologies.

Alerts can be viewed in the Network Alerts page.

For URL visits, certain categories can be treated as benign in Scan Policy > URL Category.

Keep incomplete files

Keep files whose TCP session did not complete, so the captured copy is truncated. Select the checkbox to keep incomplete files. A truncated file can still match a known virus signature, which is why it is sometimes worth keeping.

Enable Conserve mode

When this option is enabled, the sniffer enters conserve mode if it becomes overloaded: when there are too many jobs in the pending queue (250K), when sniffed traffic exceeds the optimal throughput for the model, or when HDD or RAM disk usage is too high.

In conserve mode, the sniffer only extracts executable (.exe) and MS Office files. Every other file type that would normally be extracted (PDFs, archives, scripts, and any custom extensions you added) passes without being scanned until the sniffer leaves conserve mode, so keep the sniffed traffic within the throughput figures below if full coverage matters.

Optimal traffic throughput:

  • FSA-1000D: 1 Gbps
  • FSA-2000E: 4 Gbps
  • FSA-3000D: 4.6 Gbps
  • FSA-3000E: 8 Gbps
  • FSA-3500D: 2 Gbps
  • FSA-VM00: 1 Gbps
  • FSA-VM-BASE: 4.6 Gbps

Max file size

The maximum size of a file the sniffer will capture. Enter a value in the text box. The default value is 2048 KB and the maximum value is 200000 KB.

Files larger than this limit are not extracted from the traffic and are therefore never scanned. At the default of 2048 KB, larger downloads such as installers and disk images are skipped silently, so raise the limit if those must be covered, bearing in mind the extra load on the sniffer.

Sniffed Interfaces

Select the interfaces to monitor.

Service Types

Select the traffic protocols the sniffer extracts files from. Options include: FTP, HTTP, IMAP, POP3, SMB, OTHER and SMTP.

The OTHER service type covers raw TCP traffic that does not belong to one of the named protocols.

File Types

Select the file types to extract from traffic. When All is checked, all files in the traffic are extracted. You can also add extra file extensions by typing the extension in the File Types field and clicking Add > OK. To remove an extension later, click the Trash can icon beside it and click OK.

When the URLs in Email type is selected, URLs embedded in email bodies are extracted and scanned as the WEBLink type. You can set the number of URLs to extract from each email, from 1 to 5.

When an interface is used in sniffer mode, it loses its IP address, and its interface settings cannot be changed while it is sniffing. Choose an interface that is not needed for management, cluster communication, or the scan VMs' Internet access.
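The settings above combine into a single decision per carved file: is its service type sniffed, does conserve mode restrict it, is its file type selected, is it under the size limit, and is it a complete capture. The following Python model walks through that decision in the order the filters bite, together with the three conserve-mode triggers and the per-model throughput table. It is an added illustration written for this page, not FortiSandbox code: the HTTP responses are constructed samples, the Content-Disposition parsing is a simplification of how a sniffer carves a file, and the set of "MS Office" extensions and the 90% disk threshold are assumptions, since the page only says "MS Office files" and "too high".

```python
"""Model of the sniffer's file-extraction policy as described on this page.

Added illustration, not FortiSandbox code. Inputs below are constructed
samples; values marked ASSUMPTION are not stated on the page.
"""
from dataclasses import dataclass

DEFAULT_MAX_FILE_KB = 2048        # page default for Max file size
PENDING_QUEUE_LIMIT = 250_000     # conserve-mode trigger on the page
OPTIMAL_GBPS = {                  # optimal traffic throughput table on the page
    "FSA-1000D": 1.0, "FSA-2000E": 4.0, "FSA-3000D": 4.6, "FSA-3000E": 8.0,
    "FSA-3500D": 2.0, "FSA-VM00": 1.0, "FSA-VM-BASE": 4.6,
}
# ASSUMPTION: which extensions count as "executable and MS Office" in conserve mode
CONSERVE_TYPES = {"exe", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
DISK_HIGH_PCT = 90.0              # ASSUMPTION: the page only says "too high"


@dataclass
class SnifferConfig:
    service_types: set            # subset of FTP, HTTP, IMAP, POP3, SMB, OTHER, SMTP
    file_types: set               # {"all"} or a set of lowercase extensions
    max_file_kb: int = DEFAULT_MAX_FILE_KB
    keep_incomplete: bool = False
    conserve_mode_enabled: bool = False


@dataclass
class Load:
    model: str
    pending_jobs: int
    throughput_gbps: float
    disk_usage_pct: float


@dataclass
class Candidate:
    name: str
    service: str
    size_bytes: int
    complete: bool                # TCP session delivered the whole payload


def in_conserve_mode(cfg: SnifferConfig, load: Load) -> bool:
    """Any one of the three overload conditions on the page triggers conserve mode."""
    if not cfg.conserve_mode_enabled:
        return False
    return (load.pending_jobs > PENDING_QUEUE_LIMIT
            or load.throughput_gbps > OPTIMAL_GBPS[load.model]
            or load.disk_usage_pct > DISK_HIGH_PCT)


def decide(cfg: SnifferConfig, cand: Candidate, conserve: bool) -> tuple:
    """Return (extract?, reason) for one carved file."""
    ext = cand.name.rsplit(".", 1)[-1].lower() if "." in cand.name else ""
    if cand.service not in cfg.service_types:
        return False, "service type not sniffed"
    if conserve and ext not in CONSERVE_TYPES:
        return False, "conserve mode: only .exe and MS Office extracted"
    if "all" not in cfg.file_types and ext not in cfg.file_types:
        return False, "file type not selected"
    if cand.size_bytes > cfg.max_file_kb * 1024:
        return False, f"exceeds max file size ({cfg.max_file_kb} KB)"
    if not cand.complete and not cfg.keep_incomplete:
        return False, "incomplete TCP session and keep-incomplete is off"
    return True, "extracted"


def http_candidate(raw: bytes, service: str = "HTTP") -> Candidate:
    """Carve one file from a captured HTTP response. The file is 'complete' only
    if the body reached Content-Length before the capture ended."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:
        key, _, val = line.partition(b":")
        hdrs[key.strip().lower()] = val.strip()
    length = int(hdrs.get(b"content-length", len(body)))
    name = "unnamed"
    disp = hdrs.get(b"content-disposition", b"")
    if b'filename="' in disp:
        name = disp.split(b'filename="', 1)[1].split(b'"', 1)[0].decode()
    return Candidate(name, service, len(body), len(body) >= length)


# Constructed sample responses (not real captures).
COMPLETE_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b'Content-Disposition: attachment; filename="setup.exe"\r\n'
                b"Content-Length: 6\r\n\r\nMZ\x90\x00\x03\x00")
TRUNCATED_PDF = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
                 b'Content-Disposition: attachment; filename="invoice.pdf"\r\n'
                 b"Content-Length: 1000\r\n\r\n%PDF-1.7 trunc")


def demo() -> dict:
    """Same four files under a quiet FSA-1000D and under one pushed past 1 Gbps."""
    normal = SnifferConfig(service_types={"HTTP", "SMTP", "SMB"}, file_types={"all"})
    conserve = SnifferConfig(service_types={"HTTP", "SMTP", "SMB"}, file_types={"all"},
                             conserve_mode_enabled=True)
    quiet = Load("FSA-1000D", pending_jobs=10, throughput_gbps=0.4, disk_usage_pct=40.0)
    busy = Load("FSA-1000D", pending_jobs=10, throughput_gbps=1.5, disk_usage_pct=40.0)
    cands = [http_candidate(COMPLETE_EXE), http_candidate(TRUNCATED_PDF),
             Candidate("big.iso", "HTTP", 3 * 1024 * 1024, True),   # over 2048 KB
             Candidate("report.xlsx", "FTP", 50_000, True)]         # FTP not sniffed
    return {
        "normal": {c.name: decide(normal, c, in_conserve_mode(normal, quiet)) for c in cands},
        "conserve": {c.name: decide(conserve, c, in_conserve_mode(conserve, busy)) for c in cands},
    }


if __name__ == "__main__":
    for mode, results in demo().items():
        for name, (extracted, reason) in results.items():
            print(f"{mode:8} {name:12} {'EXTRACT' if extracted else 'skip':7} {reason}")
```

Running the demo shows the two failure modes worth watching in production: under the default settings a truncated invoice.pdf is dropped because keep-incomplete is off, and big.iso is dropped because it exceeds 2048 KB; once the FSA-1000D is pushed past its 1 Gbps optimum with conserve mode on, only setup.exe survives and the PDF is skipped for a different reason. Turning off conserve mode does not make the overload go away, it only changes which files are lost, so the throughput table is the number to plan around.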
