FortiGate Cloud – SandBox

SandBox

FortiSandbox Cloud is a service that uploads and analyzes files that FortiGate AV marks as suspicious.

In a proxy-based AV profile on a FortiGate, the administrator selects Inspect Suspicious Files with FortiGuard Analytics to enable a FortiGate to upload suspicious files to FortiGuard for analysis. Once uploaded, the file is executed and the resulting behavior analyzed for risk. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard AV signature database. The next time the FortiGate updates its AV database it will have the new signature. The turnaround time on Cloud SandBoxing and AV submission ranges from ten minutes (automated SandBox detection) to ten hours (if FortiGuard Labs is involved).

FortiGuard Labs considers a file suspicious if it exhibits some unusual behavior, yet does not contain a known virus (the behaviors that FortiGate Cloud Analytics considers suspicious change depending on the current threat climate and other factors).

The FortiGate Cloud console enables administrators to view the status of any suspicious files uploaded: Pending, Clean, Malware, or Unknown. The console also provides data on time, user, and location of the infected file for forensic analysis. SandBoxing is available in both free and paid FortiGate Cloud subscriptions.

You can view the FortiSandbox Cloud Service Description for details.

The SandBox tab collects information that the FortiSandbox Cloud service compiles. FortiSandbox Cloud submits files to FortiGuard for threat analysis. You can configure your use of the service and view analyzed files’ results.

You must enable Cloud SandBoxing on the FortiGate and submit a suspicious file for the SandBox tab to become visible.

The SandBox homepage provides the following information about devices. You can select a device’s serial number or name to access SandBox tools for that device:

  • Model/serial number
  • Fortinet product type
  • Firmware version
  • Status (whether the device is connected through a management tunnel)
  • Service the device is currently active in
  • Last compiled report and last log uploaded
  • Subscription expiry date

You can use the gear icon to access additional functions:

To undeploy the FortiGate:

  1. Click the Config icon for the desired device.
  2. Click Undeploy.
  3. In the confirmation dialog, click YES.
  4. You can optionally place a placeholder unit where the FortiGate was deployed. The unit retains the historical data and has a serial number that starts with U.

To rename the FortiGate:

  1. Click the Config icon for the desired device, then click Rename.
  2. In the Device Name field, enter the desired name. Click Submit.

To set up FortiSandbox:

  1. Go to Security Fabric > Settings and enable SandBox Inspection. Set SandBox type to FortiSandbox Cloud. The associated FortiGate Cloud account appears.
  2. In Security Profiles > AntiVirus, create a profile that has Send Files To FortiSandbox Cloud For Inspection enabled.
  3. Create a firewall policy with logging enabled that uses the FortiSandbox-enabled AV profile.
  4. Once devices have uploaded some files to FortiSandbox Cloud, log in to the FortiGate Cloud portal to see the results.
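The same three FortiGate-side steps expressed in the FortiGate CLI, added here as an illustration and not taken from the guide. The command syntax is assumed to follow the FortiOS 6.0-era family (check your firmware's CLI reference), and the interface, profile and policy names are placeholders.

```text
# Added example (not from the original guide). Syntax assumed to match
# FortiOS 6.0-era CLI; "internal", "wan1" and the object names are placeholders.

# Step 1: enable SandBox inspection and point it at FortiSandbox Cloud
config system fortisandbox
    set status enable
    set forticloud enable
end

# Step 2: proxy-based AV profile that uploads suspicious files for analysis
config antivirus profile
    edit "av-sandbox-cloud"
        set inspection-mode proxy
        set ftgd-analytics suspicious
        config http
            set options scan
        end
        config smtp
            set options scan
        end
    next
end

# Step 3: firewall policy that applies the profile, with logging enabled
# ("edit 0" creates the policy under the next free ID)
config firewall policy
    edit 0
        set name "lan-to-wan-sandbox"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "av-sandbox-cloud"
        set logtraffic all
    next
end
```

Only files that the profile's proxy-mode scan flags as suspicious are uploaded, so a policy without `utm-status enable` and the AV profile will never feed the SandBox tab.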

To go to the device list:

You can return to the device list from the Analysis, Management, or Sandbox page for an individual device.

  1. In the upper left corner, click Show Device List.

Dashboard

You can see an overview of the FortiSandbox results on the Dashboard.

The Dashboard contains the following widgets:

  • System Status: Quick view of the current state of the AV databases and load.
  • Top 5 Targeted Hosts (Last 24 Hours): Displays which hosts received the most threats during the last 24 hours.
  • Scan Result (Today and Past 7 Days): Shows the last eight days of results and their risk levels. You can toggle the display of clean files in the chart by selecting the checkmark in the lower right of the widget.
  • Top 20 File Types (Last 24 Hours): Displays the most commonly analyzed file types in the last 24 hours of scanning.

Records and On-Demand

Records displays files that your connected device’s AV has flagged as suspicious, which have been uploaded to FortiGate Cloud for FortiGuard analysis. In On-Demand, you can manually upload files for FortiGuard analysis, and view the analysis results. These pages may not appear if you do not have the FortiSandbox Cloud service enabled on the connected device.

You can select an analysis level and click the file names for more information. On-Demand also has an Export option, which allows you to export a CSV or PDF of on-demand results, and Upload File, where you can manually upload a file for analysis.

The maximum file size is 10 MB. The processing time may vary based on the file size.

Setting

In Setting, you can configure FortiSandbox Cloud settings:

  • Enable Alert Setting: to enable alert emails, enter one or more email addresses (one per line) that should receive alerts, and set which severity level triggers an alert email.
  • Log Retention: set the number of days to retain log data.
  • Malware Package Options and URL Package Options: select the risk level of data that will be automatically submitted to FortiGuard to support anti-threat research.

To configure FortiSandbox alert emails:

  1. Go to SandBox > Setting.
  2. Select Enable Alert Setting.
  3. Enter emails into the list to contact in the event of a FortiSandbox alert.
  4. Select the severity levels to trigger an alert.


This entry was posted in Administration Guides, FortiGate, FortiGate Cloud.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
