The interface name and description, where applicable.

The failover IP includes the description: (cluster external port).

port1 is hard-coded as the administration interface. You can enable or disable HTTP, SSH, or Telnet access rights on port1. HTTPS is enabled by default. You can use port1 for Device mode, although a different, dedicated port is recommended.

You can use port2 for Sniffer mode, Device mode, or inter-node communication within a cluster.

port3 is reserved for outgoing communication triggered by the execution of the files under analysis.

FortiSandbox uses port3 to allow scanned files to access the Internet. The Internet visiting behavior is an important factor to determine if a file is malicious. As malicious files are infectious, ensure that the connection for port3 is isolated but can also access the Internet. Do not allow this connection to belong to or be able to access any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

FortiSandbox VM accesses external networks through port3. Configure the next hop gateway and DNS settings in Scan Policy and Object > General Settings > Allow Virtual Machines to access external network through outgoing port3. This allows files running inside VMs to access the external network. One special type of outgoing communication from a guest VM is to connect to the Microsoft activation server to activate the Windows Sandbox VM product keys. Office licenses are verified through VM machines so internet access via port3 is required to contact Microsoft for license activation.

If the VM cannot access the outside network, a simulated network (SIMNET) starts by default. SIMNET provides responses to popular network services like http where some malware is expected. If the VM internet access is down, the SIMNET status is displayed beside the down icon. Click that icon to go to the VM network configuration page.

SIMNET is not a real internet. This can affect catch rate. Do not use an IP address from the production IP pool for the IP assignment on port3 because it might get put on the blocklist.

You can use port4 for Sniffer mode, Device mode, or inter-node communication within a cluster.

You can use port5 and port6 for Sniffer mode, Device mode, or inter-node communication within a cluster.

On FortiSandbox 2000E and 3000E devices, port5 and port6 are 10G fiber ports. We recommend using these ports on a primary or secondary node as communications ports with cluster workers.

You can use port7 and port8 for Sniffer mode, Device mode, or inter-node communication within a cluster.

IPv4 IP address and subnet mask of the interface.

IPv6 IP address and subnet mask of the interface.

• Interface is up
• Interface is down
• Interface is being used by sniffer

• Link up
• Link down

Access rights associated with the interface. HTTPS is enabled by default on port1 and any other administrative port set by the CLI command set admin-port. You can select to enable HTTP, SSH, and Telnet access on the administrative port.

Click the PCAP icon to sniff the traffic of an interface for up to 60 seconds. Click Capture & Download to download the PCAP file as a zip file. Maximum file size is 100MB file size.

You can define the tcpdump filter such as host 172.10.1.1 or TCP port 443.

You can only run one capture at a time for each port. Sniffing ports are combined and treated as a single port.

Create an interface.