Fortinet white logo
Fortinet white logo

Administration Guide

Global Network

Global Network

FortiSandbox can generate antivirus database packages (malware packages) and add URL packages from scan results into the blocklist, and distribute them to FortiGate devices and FortiClient endpoints for antispyware/antivirus scan and web filtering extension to block and quarantine malware.

This feature requires that the FortiGate and/or FortiClient EMS have successfully connected.

FortiGate or FortiClient sends a malware package request to FortiSandbox every two minutes that includes its installed version (or 0.0, if none exists). The FortiSandbox receives the request then compares the version with the latest local version number. If the received version is different, FortiSandbox sends the latest package to the FortiGate or FortiClient. If the versions are the same, then FortiSandbox will send an already-up-to-date message.

Multiple FortiSandbox units can work together to build a Global Threat Network to share threat information. One unit works as a Collector to collect threat information from other units while other units work as Contributors to upload locally detected threat information to the Collector, then download a full copy. A new package is generated on a unit when:

  • The FortiSandbox has a new malware detection, either from local detection, or detected on another unit inside the Global Threat Network, whose rating falls into configured rating range.
  • Malware in the current malware package is older than the time set in the malware package configuration.
  • The malware package generation condition is changed in the configuration page.
  • The malware's rating has been overwritten manually.

The Collector can also manage the Scan Profile of all units in the network. However, only a standalone unit or primary node in a cluster can join the network.

To join the global network to share threat information and scan profiles:
  1. Go to Scan Policy and Object > Global Network.
  2. Enable Join global network to share threat information and manage scan profiles.
  3. You have the following two options:

    1. Work as threat information collector and scan profile manager.

      If the unit works as a Collector, configure the following:

      Alias

      Enter the network Alias name.

      Authentication Code

      Enter the authentication code for Contributor to join the network.

      Contributors

      List the units who are in the network.

      Local Malware Package Options

      These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.

      Local URL Package Options

      Enable Local STIX IOC Package

    2. Work as threat information contributor. Scan profile is managed by manager.

      If the unit works as a Contributor, configure the following:

      Collector IP Address

      Enter the Collector's IP address.

      Alias

      Enter the global network Alias name.

      Authentication Code

      Enter the authentication code to join the network.

      Local Malware Package Options

      These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.

      Local URL Package Options

      Enable Local STIX IOC Package

      Scan Profile is Managed by Manager

      By enabling this option, the unit can choose to allow its scan profile to be managed by the Collector. The Collector will combine all VM types from the Contributors. After you configure a scan profile on the Collector, the configurations will be downloaded by each Contributor.

      A unit can join global threat network as Contributor to allow the Collector to control its Scan Profile, or it can work as Collector to manage Scan Profile of all units in the network. Only a standalone unit or primary node in a cluster can join the network.

  4. Click OK to save the settings.
Note

When the Contributor’s scan profile is managed by the Collector, the Collector must have network access to the Contributor’s HTTPS port, which is port 443.

Global Network

Global Network

FortiSandbox can generate antivirus database packages (malware packages) and add URL packages from scan results into the blocklist, and distribute them to FortiGate devices and FortiClient endpoints for antispyware/antivirus scan and web filtering extension to block and quarantine malware.

This feature requires that the FortiGate and/or FortiClient EMS have successfully connected.

FortiGate or FortiClient sends a malware package request to FortiSandbox every two minutes that includes its installed version (or 0.0, if none exists). The FortiSandbox receives the request then compares the version with the latest local version number. If the received version is different, FortiSandbox sends the latest package to the FortiGate or FortiClient. If the versions are the same, then FortiSandbox will send an already-up-to-date message.

Multiple FortiSandbox units can work together to build a Global Threat Network to share threat information. One unit works as a Collector to collect threat information from other units while other units work as Contributors to upload locally detected threat information to the Collector, then download a full copy. A new package is generated on a unit when:

  • The FortiSandbox has a new malware detection, either from local detection, or detected on another unit inside the Global Threat Network, whose rating falls into configured rating range.
  • Malware in the current malware package is older than the time set in the malware package configuration.
  • The malware package generation condition is changed in the configuration page.
  • The malware's rating has been overwritten manually.

The Collector can also manage the Scan Profile of all units in the network. However, only a standalone unit or primary node in a cluster can join the network.

To join the global network to share threat information and scan profiles:
  1. Go to Scan Policy and Object > Global Network.
  2. Enable Join global network to share threat information and manage scan profiles.
  3. You have the following two options:

    1. Work as threat information collector and scan profile manager.

      If the unit works as a Collector, configure the following:

      Alias

      Enter the network Alias name.

      Authentication Code

      Enter the authentication code for Contributor to join the network.

      Contributors

      List the units who are in the network.

      Local Malware Package Options

      These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.

      Local URL Package Options

      Enable Local STIX IOC Package

    2. Work as threat information contributor. Scan profile is managed by manager.

      If the unit works as a Contributor, configure the following:

      Collector IP Address

      Enter the Collector's IP address.

      Alias

      Enter the global network Alias name.

      Authentication Code

      Enter the authentication code to join the network.

      Local Malware Package Options

      These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.

      Local URL Package Options

      Enable Local STIX IOC Package

      Scan Profile is Managed by Manager

      By enabling this option, the unit can choose to allow its scan profile to be managed by the Collector. The Collector will combine all VM types from the Contributors. After you configure a scan profile on the Collector, the configurations will be downloaded by each Contributor.

      A unit can join global threat network as Contributor to allow the Collector to control its Scan Profile, or it can work as Collector to manage Scan Profile of all units in the network. Only a standalone unit or primary node in a cluster can join the network.

  4. Click OK to save the settings.
Note

When the Contributor’s scan profile is managed by the Collector, the Collector must have network access to the Contributor’s HTTPS port, which is port 443.