Global Network
FortiSandbox can generate antivirus database packages (malware packages) and add URL packages from scan results into the blocklist, then distribute them to FortiGate devices and FortiClient endpoints, where the antispyware/antivirus scan and the web filtering extension use them to block and quarantine malware.
This feature requires that the FortiGate and/or FortiClient EMS have successfully connected.
FortiGate or FortiClient sends a malware package request to FortiSandbox every two minutes that includes its installed version (or 0.0, if none exists). The FortiSandbox receives the request then compares the version with the latest local version number. If the received version is different, FortiSandbox sends the latest package to the FortiGate or FortiClient. If the versions are the same, then FortiSandbox will send an already-up-to-date message.
Multiple FortiSandbox units can work together to build a Global Threat Network to share threat information. One unit works as a Collector to collect threat information from other units, while the other units work as Contributors that upload locally detected threat information to the Collector and then download a full copy.
A new package is generated on a unit when:
- The FortiSandbox has a new malware detection, either from local detection or detected on another unit inside the Global Threat Network, whose rating falls into the configured rating range.
- Malware in the current malware package is older than the time set in the malware package configuration.
- The malware package generation condition is changed in the configuration page.
- The malware's rating has been overwritten manually.
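The polling exchange and the four regeneration conditions above can be modelled in a few lines. This is an added illustration, not Fortinet code: the class and method names, the numeric rating scale, the major.minor version bump and the sample identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PackageServer:
    """Toy model of a unit that builds and serves the malware package."""
    rating_range: tuple = (2, 4)   # constructed numeric rating scale
    max_age: int = 3600            # seconds an entry may stay in the package
    version: tuple = (1, 0)        # assumed major.minor numbering
    detections: dict = field(default_factory=dict)  # id -> [rating, seen_at]
    package: list = field(default_factory=list)

    def _rebuild(self, now):
        lo, hi = self.rating_range
        self.package = sorted(
            d for d, (rating, seen) in self.detections.items()
            if lo <= rating <= hi and now - seen <= self.max_age)
        self.version = (self.version[0], self.version[1] + 1)

    def add_detection(self, sample, rating, now):
        # Condition 1: local or network-shared detection inside the rating range.
        self.detections[sample] = [rating, now]
        if self.rating_range[0] <= rating <= self.rating_range[1]:
            self._rebuild(now)

    def expire(self, now):
        # Condition 2: something in the current package has aged out.
        if any(now - self.detections[d][1] > self.max_age for d in self.package):
            self._rebuild(now)

    def set_rating_range(self, rating_range, now):
        # Condition 3: the generation condition was changed.
        self.rating_range = rating_range
        self._rebuild(now)

    def override_rating(self, sample, rating, now):
        # Condition 4: a rating was overwritten manually.
        self.detections[sample][0] = rating
        self._rebuild(now)

    def handle_request(self, installed):
        # The poll compares for inequality, not "older than": any client whose
        # version differs (including the initial 0.0) receives the full package.
        if installed != self.version:
            return {"status": "package", "version": self.version,
                    "entries": list(self.package)}
        return {"status": "already-up-to-date", "version": self.version}
```

Because the comparison is "different" and not "older", a client reporting a version the server has never issued is also sent the server's current package.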
The Collector can also manage the Scan Profile of all units in the network. However, only a standalone unit or primary node in a cluster can join the network.
To join the global network to share threat information and scan profiles:
- Go to Scan Policy and Object > Global Network.
- Enable Join global network to share threat information and manage scan profiles.
- You have the following two options:
  - Work as threat information collector and scan profile manager.
    If the unit works as a Collector, configure the following:
    - Alias: Enter the network Alias name.
    - Authentication Code: Enter the authentication code for Contributors to join the network.
    - Contributors: Lists the units that are in the network.
    - Local Malware Package Options: These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.
    - Local URL Package Options
    - Enable Local STIX IOC Package
  - Work as threat information contributor. Scan profile is managed by manager.
    Only a standalone unit or cluster primary node can join the global threat network as a Contributor.
    If the unit works as a Contributor, configure the following:
    - Collector IP Address: Enter the Collector's IP address.
    - Alias: Enter the global network Alias name.
    - Authentication Code: Enter the authentication code to join the network.
    - Local Malware Package Options: These options define how each unit generates local packages after it has threat information. For more information, see Threat Intelligence.
    - Local URL Package Options
    - Enable Local STIX IOC Package
    - Scan Profile is Managed by Manager: When a unit joins the global threat network as a Contributor and enables this option, the scan profile will no longer be managed locally; instead, it will be managed on the global threat network Collector. Changes made on the Collector will be downloaded to the corresponding Contributor.
      Note: When the scan profile is managed by the Collector, scan profile related CLI commands will also be disabled locally.
- Click OK to save the settings.
When the Contributor’s scan profile is managed by the Collector, the Collector must have network access to the Contributor’s HTTPS port, which is port 443.