Using FortiSandbox with a FortiGate
Connecting a FortiGate to FortiSandbox
The procedures for connecting a FortiGate to FortiSandbox differ depending on whether you are using FortiSandbox Appliance or FortiSandbox Cloud.
If you are using FortiSandbox in a Security Fabric, consult the Fortinet Cookbook site for the Security Fabric collection of recipes.
Once the FortiGate is connected to FortiSandbox, an AntiVirus profile can be configured to send suspicious files for inspection. Sandbox integration can also be configured; for more information, see “Sandbox Integration” on page 11.
Connecting to FortiSandbox Appliance
- Connect the FortiSandbox Appliance to your FortiGate so that port 1 and port 3 on the FortiSandbox are on different subnets.
FortiSandbox port 3 is used for outgoing communication triggered by the execution of the files under analysis. While the FortiSandbox can accept files through any port, it is recommended to connect port 3 to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox. Note too that port 1 can be used to accept files but is generally reserved for managing the FortiSandbox.
- FortiSandbox port 3 must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet (using the isolated interface on the FortiGate mentioned above). On FortiSandbox, network settings for port3 can be configured by going to Scan Policy > General.
- On the FortiSandbox, go to Network > System Routing and add static routes for port 1.
- On the FortiSandbox, go to Dashboard and locate the System Information widget. Now that the FortiSandbox has Internet access, it can activate its VM licenses. Wait until a green arrow shows up beside Windows VM before continuing to the next step.
- On the FortiGate, go to Security Fabric > Settings. Select Enable Sandbox Inspection and select FortiSandbox Appliance. Set the IP Address and enter a Notifier Email. If you select Test Connectivity, the Status shows as Service is not configured because the FortiGate has not been authorized to connect to the FortiSandbox.
- On the FortiSandbox, go to Scan Input > Device. Edit the entry for the FortiGate. Under Permissions & Policy > Authorized, select the checkbox and click OK to authorize the FortiGate.
- On the FortiGate, go to Security Fabric > Settings and select Test Connectivity for the FortiSandbox. The Status now shows that Service is online.
Connecting to FortiSandbox Cloud
Before you can connect a FortiGate to FortiSandbox Cloud, you need an active FortiCloud account. For more information, see the FortiCloud documentation.
Once you have created a FortiCloud account, sandbox inspection should be enabled by default. To verify this, go to Security Fabric > Settings, enable Sandbox Inspection, and set it to FortiSandbox Cloud.
To see the results from FortiSandbox Cloud in the FortiGate logs, go to Log & Report > Log Settings, enable Send Logs to FortiCloud, and set GUI Preferences to display logs from FortiCloud.
FortiSandbox Console
The FortiSandbox console is available at FortiView > FortiSandbox. The console displays all samples submitted for inspection. Information on the console can be filtered by checksum, file name, result, source, status, and user name.
If you right-click on an entry, you can choose to Drill Down to Details, Quarantine Source Address, or Quarantine FortiClient Device.
Information about the FortiSandbox database and sandboxing statistics is available at Security Fabric > Settings once sandbox inspection is enabled. The Advanced Threat Protection dashboard widget shows you the number of files that your FortiGate unit has uploaded or submitted to FortiSandbox.
Refer to FortiSandbox documentation for details on what you can access through the FortiSandbox GUI.