Sandbox Integration

Sandbox Integration

Sandbox integration adds another level to sandbox inspection, allowing you allows you to set up automatic actions to protect your network from files FortiSandbox determines are malicious. These actions include:

receiving AntiVirus signature updates from FortiSandbox, adding the originating URL of any malicious file to a blocked URL list, and extending sandbox scanning to FortiClient devices.

Overview

FortiSandbox integration involves three different FortiGate security profiles: AntiVirus, Web Filtering, and FortiClient Profiles.

A FortiGate can retrieve scan results and details from FortiSandbox, and also receive antivirus and web filtering signatures to supplement the current signature database. When FortiGate learns from FortiSandbox that an endpoint is infected, the administrator can push instruction for self-quarantine on a registered FortiClient host.

When integrated with a FortiGate unit, the following protocols are supported by FortiSandbox: HTTP, HTTPS, FTP, FTPS, POP3, POP3S, IMAP, IMAPS, SMTPS, MAPI, MAPIS, SMB, and supported IM protocols.

AntiVirus

When FortiSandbox discovers a malicious file, it can create an AntiVirus signature for that file and add that signature to both the local FortiGate malware database and the FortiGuard AntiVirus signature database. Through FortiSandbox integration, this signature can be sent to a FortiGate to block the file from re-entering the network and to prevent the future retransmission of that file to FortiSandbox.

Use of the FortiSandbox AntiVirus database is enabled in an AntiVirus profile, found at Security Profiles > AntiVirus. It can also be configured using the following CLI commands:

config antivirus profile edit <profile> set analytics-db enable

end

Web Filtering

FortiSandbox integration can also be used to allow FortiSandbox to add a URL filter blocking the source of a discovered malicious file to the FortiGate’s blocked URL list.

Blocking malicious URLs discovered by FortiSandbox is enabled in a Web Filter profile, found at Security Profiles > Web Filter. It can also be configured using the following CLI commands:

config webfilter profile edit <profile> config web

set blacklist enable

end

FortiClient Profiles

When extended FortiSandbox scanning is enabled for FortiClient, files downloaded by FortiClient can be sent to the FortiSandbox for inspection. Also, if a suspicious file is discovered, FortiClient can be configured to wait until sandbox inspection is complete before allowing that file to be accessed.

AntiVirus signatures can also be pushed by the FortiGate to FortiClient.

If a FortiClient device attempts to download a file that FortiSandbox discovers is malicious, the FortiSandbox notifies the FortiGate. The administrator can take action to quarantine the device. When a quarantine is in effect, FortiClient cuts off other network traffic from the device directly, preventing it from infecting or scanning the local network. When a device is under quarantine, FortiClient cannot be shutdown or uninstalled. A user is also unable to unregister from the FortiGate that quarantined them, or register to another FortiGate unit. A quarantine can only be lifted by the administrator of the FortiGate where the FortiClient device is registered.

Extending FortiSandbox scanning can by configured in the Security settings of a FortiClient Profile, found at Security Profiles > FortiClient Compliance Profiles. It can also be configured using the following CLI commands:

config endpoint-control profile edit <profile> config forticlient-winmac-settings set forticlient-av enable set av-realtime-protection enable set sandbox-analysis enable set sandbox-address <address>

end

Extending FortiSandbox scanning can also be configured directly in the FortiClient AntiVirus settings. If you are using FortiClient version 5.6+, the Sandbox Detection feature can be used to send files to FortiSandbox for analysis without having to install the AntiVirus feature. See the FortiClient 5.6 Administration Guide for details.

The number of files sent from a single device to FortiSandbox can be limited by configuring the submission limit on the FortiSandbox. This allows users to prioritize which devices get the greater share of FortiSandbox resources.

Example Configuration

The following example configuration sets up FortiSandbox integration using AntiVirus, Web Filtering, and a FortiClient profile. This configuration assumes that a connection has already been established between the FortiSandbox Appliance and the FortiGate.

  1. Go to Security Fabric > Settings and confirm that Sandbox Inspection is enabled and the FortiSandbox Appliance is connected.
  2. Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, select All Supported Files to be sent for inspection and enable Use FortiSandbox Database. You have the option of withholding files by name or pattern. Select Apply.
  3. Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLS discovered by FortiSandbox. Select Apply.
  4. Go to Security Profiles > FortiClient Compliance Profiles and edit the default profile. Under Security Posture Check, enable Realtime Protection. Next, enable Scan with FortiSandbox. Select Apply.
  5. Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy has AntiVirus and Web Filtering profiles scanning applied, the profiles will be listed in the Security Profiles If scanning needs to be added to any security policy (excluding the Implicit Deny policy) select the + button in the Security Profiles column for that policy, then select the default AntiVirus Profile, the default Web Filter Profile, the appropriate Proxy Options, and select the deep-inspection profile for SSL/SSH Inspection (to ensure that encrypted traffic is inspected).
  6. Select OK.

Results

If your FortiGate discovers a suspicious file, it will be sent to the FortiSandbox. To view information about the files that have been sent on the FortiGate, go to FortiView > FortiSandbox to see a list of file names and current status.

To view results on the FortiSandbox, go to the Dashboardand view the Scanning Statistics widget. There may be a delay before results appear on the FortiSandbox.

Open FortiClient using a Windows PC on the internal network. Make sure it is registered to your FortiGate. Go to the AntiVirus tab and open Settings. You will see that the Realtime Protection settings match the FortiClient profile configured on the FortiGate. These settings cannot be changed using FortiClient.

If a PC running FortiClient downloads a suspicious file that the FortiSandbox determined was malicious, a quarantine would be applied automatically. While the quarantine is in effect, FortiClient cannot be shutdown on the PC. It can not be uninstalled or unregistered from the FortiGate. The quarantine can only be released from the FortiClient Monitor on the FortiGate.

This entry was posted in Administration Guides, FortiSandbox on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.