Best Practices – Environmental Specifications

Environmental specifications

Keep the following environmental specifications in mind when installing and setting up your FortiGate unit.

  • Operating temperature: 32 to 104°F (0 to 40°C). Temperatures may vary, depending on the FortiGate model.
  • If you install the FortiGate unit in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient temperature.

Therefore, make sure to install the equipment in an environment compatible with the manufacturer’s maximum rated ambient temperature.

  • Storage temperature: -13 to 158°F (-25 to 70°C). Temperatures may vary, depending on the FortiGate model. l Humidity: 5 to 90% non-condensing.
  • Air flow – For rack installation, make sure that the amount of air flow required for safe operation of the equipment is not compromised.
  • For free-standing installation, make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling.

Depending on your device, the FortiGate may generate, use, and even radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If the equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

  • Reorient or relocate the receiving antenna. l Increase the separation between the equipment and receiver.
  • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. l Consult the dealer or an experienced radio/TV technician for help.

Explosion is a serious risk if the battery is replaced by an incorrect type. Dispose of used batteries according to the instructions. To reduce the risk of fire, use only No. 26 AWG or larger UL Listed or CSA Certified Telecommunication Line Cord.

Grounding

  • Ensure the FortiGate unit is connected and properly grounded to a lightning and surge protector. WAN or LAN connections that enter the premises from outside the building should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
  • Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than Unshielded Twisted Pair (UTP).
  • Do not connect or disconnect cables during lightning activity to avoid damage to the FortiGate unit or personal injury.

Rack mounting                                                                                                             Environmental specifications

Rack mounting

  • Elevated Operating Ambient – If installed in a closed or multi-unit rack assembly, the operating ambient temperature of the rack environment may be greater than room ambient.

Therefore, consideration should be given to installing the equipment in an environment compatible with the maximum ambient temperature (Tmax) specified by the manufacturer.

  • Reduced Air Flow – Installation of the equipment in a rack should be such that the amount of air flow required for safe operation of the equipment is not compromised.
  • Mechanical Loading – Mounting of the equipment in the rack should be such that a hazardous condition is not achieved due to uneven mechanical loading.
  • Circuit Overloading – Consideration should be given to the connection of the equipment to the supply circuit and the effect that overloading of the circuits might have on overcurrent protection and supply wiring. Appropriate consideration of equipment nameplate ratings should be used when addressing this concern. l Reliable Earthing – Reliable earthing of rack-mounted equipment should be maintained.

Particular attention should be given to supply connections other than direct connections to the branch circuit (e.g. use of power strips).

 

Firmware change management

Best Practices For Firewall Migration

Migration

Network administrators are often reluctant to change firewall vendors due to the perception that the migration process is difficult. Indeed, there is no point hiding the fact that moving to a new vendor requires careful consideration. But concern over the potential pain of migration should not stand in the way of adopting new security technologies. The purpose of this chapter is to describe the best practices for performing such migrations and ultimately to ease the migration process itself.

Information gathering

It is always best practice to perform a full network audit prior to any migration. This should include:

  • Full back up of all security systems (including switches, routers) in case a back-out needs to be performed. l Physical and logical network diagram with visual audit

Understanding exactly where cables run in the network and verifying they are all correctly labeled is essential to avoid mistakes and unnecessary downtime during the upgrade. Don’t overlook simple things such as:

  • Do I have enough spare interfaces on my switches? l Do I have the right fiber (single/multi mode) and right connectors (LC, FC, MTRJ, SC, ST)?
  • Do I have spare cables? (in the heat of the moment, it is a simple mistake to break an RJ-45 connector or damage a fiber) l Do I have space in the rack for the new equipment? l Do I have enough power sockets?

No matter how securely a FortiGate is configured in the network, it cannot help if it has been bypassed; visually checking where the device sits in the network in relation to other devices will ensure you are maintaining security and verify the network diagram is ‘as built’. Details of all networks including subnet masks should be documented at this point to ensure that the replacement device is configured with the correct information.

Object and policy migration

Whilst we have suggested some level of manual review is included in the policy migration, it can be useful to be able to automatically migrate simply between another vendor’s format and the FortiGate format. The FortiGate policy format is text based and can easily be cut and pasted into from other vendor formats however, responding to the high customer demand to migrate away from other vendors, Fortinet have released an automatic configuration migration tool at http://convert.fortinet.com to simplify this process. Supporting Cisco ACLs, PIX, ASA, Check Point, and Juniper, the Converter can securely upload and convert the policy into the Fortinet format.

Testing and validation

This is an important process and should be tested offline first wherever possible i.e. configure the policy in the lab or on a test network and verify that the required access permissions are being implemented. To really test the Going live and obtaining feedback       Migration

solution out, the FortiGate can be implemented on the live network with a different gateway IP and the selected user pointed to the new gateway. This allows a staged approach to migrating the new platform into the network ensuring that the process does not interrupt day to day operations.

Going live and obtaining feedback

If testing and validation is successful at this point, you can migrate to the new firewall either by switching IP’s and removing the old devices or by changing the default gateway in DHCP. Once the firewall is in place, acceptance testing will of course need to be carried out and an iterative process of tuning undertaken to finalize the configuration.

Adding new services

The Fortinet solution will have a plethora of additional features compared to your previous vendor and it is very tempting to start switching them on but it is a good idea to wait and validate the new firewall as was previously configured before adding new functions as this simplifies testing and problem diagnosis. Finally complete the migration (don’t forget about the Plan Do Check Act Cycle) by adding any new services that were requested and learn about the multiple features you have available with the FortiGate appliance.

Environmental specifications                                                                                                                   Grounding

Best Practices – Shutting Down

Shutting down

Always shut down the FortiGate operating system properly before turning off the power switch to avoid potentially catastrophic hardware problems.

To power off the FortiGate unit – web-based manager:

  1. Go to Dashboard.
  2. In the System Resources widget, select Shutdown.

To power off the FortiGate unit – CLI:

execute shutdown

Once this has been done, you can safely turn off the power switch or disconnect the power cables from the power supply.

Best Practices – Performance

Performance

  • Disable any management features you do not need. If you don’t need SSH or SNMP, disable them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate unit.
  • Put the most used firewall rules to the top of the interface list.
  • Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows down performance. l Enable only the required application inspections.
  • Keep alert systems to a minimum. If you send logs to a syslog server, you may not need SNMP or email alerts, making for redundant processing.
  • Establish scheduled FortiGuard updates at a reasonable rate. Daily updates occurring every 4-5 hours are sufficient for most situations. In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.
  • Keep security profiles to a minimum. If you do not need a profile on a firewall rule, do not include it. l Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible. l Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows down traffic.

Best Practices – General Considerations

General Considerations

  1. For security purposes, NAT mode is preferred because all of the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.
  2. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs will partition networks and create added security by limiting the scope of threats.
  3. Use Transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.

Recipes for Sandbox inspection

Recipes for Sandbox inspection

AntiVirus

The following recipes provide information about Sandbox inspection with AntiVirus:

Use FortiSandbox Appliance with AntiVirus

Feature overview

AntiVirus can use FortiSandbox to supplement its detection capabilities. In real-world situations, networks are always under the threat of zero-day attacks.

AntiVirus can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox’s analysis, the FortiGate can supplement its own antivirus database with FortiSandbox’s database to detect files determined as malicious/risky by FortiSandbox. This helps FortiGate’s AntiVirus to detect zero-day virus and malware whose signatures are not found in the FortiGate’s antivirus Database.

Support and limitations

  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  • Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
  • Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  • Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

  1. Enable FortiSandbox on the FortiGate.
  2. Authorize FortiGate on the FortiSandbox.
  3. Enable FortiSandbox inspection.
  4. Enable use of the FortiSandbox database.

To enable FortiSandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings.
  2. Set the Sandbox Inspection toggle to the On
  3. Enter the IP address of the FortiSandbox.
  4. Add an optional NotifierEmail if desired.
  5. At this point, selecting Test connectivity will return an unreachable status.

This is expected behavior because the FortiGate is not yet authorized by the FortiSandbox.

  1. Select Apply to save the settings.

To authorize FortiGate on the FortiSandbox:

  1. In the FortiSandbox Appliance GUI, go to Scan Input > Device.
  2. Use the FortiGate serial number to quickly locate the desired FortiGate and select the link icon to authorize the FortiGate.
  3. Enable the desired VDOM in the same manner.
  4. The link icon changes from an open to closed link. This indicates that the FortiSandbox has authorized this FortiGate.
  5. In the FortiGate GUI, go to Global > Security Fabric > Settings.
  6. Select Test connectivity. FortiGate is now authorized and the status now displays as Connected.
  7. FortiSandbox options are now displayed in the AV Profile

To enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

To enable use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
  3. Select Apply.

Diagnostics and Debugging

Debug on the FortiGate side l Update daemon:

FGT_PROXY (global) # diagnose debug application quarantined -1 FGT_PROXY (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904) quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0

__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=99

quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0

__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0

__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1 quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1 quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2). quar_put_job_req()-332: Job 337 deleted

quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0

__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name= __quar_send()-470: dev buffer — pos=0, len=98 …

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1

quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1 quar_store_analytics_report()-590: Analytics-report return

file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735

quar_store_analytics_report()-597: The request

’83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18′ score is 1 quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1). quar_put_job_req()-332: Job 2 deleted quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)

[193] __ssl_data_ctx_free: Done

[805] ssl_free: Done

[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown l Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0 System have disk, vdom is enabled, mgmt=1, ha=2

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is disabled. fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled. l Checking FortiSandbox analysis statistics:

FGT_PROXY (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_PROXY (global) #

Debug on the FortiSandbox side l Appliance FortiSandbox OFTP debug:

> diagnose-debug device FG101E4Q17002429

[2019/01/31 00:48:21] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=2 detected=2 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 0

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 1795

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->VERSION: 3 . 595

[2019/01/31 00:48:21] FG101E4Q17002429 VDOM: root

[2019/01/31 00:48:21] FG101E4Q17002429 ENTERING->HANDLE_SEND_FILE.

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats START_TIME: 1548290749

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->FGT->VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 suspicious stats END_TIME: 1548895549

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->IMG_VERSION: 6.2.0.0818

[2019/01/31 00:48:21] INCOMING->FGT: FG101E4Q17002429, VDOM: vdom1

[2019/01/31 00:48:21] FG101E4Q17002429 INCOMING->TYPE: 4

[2019/01/31 00:48:21] FG101E4Q17002429 opd_data_len=37 clean=0 detected=0 risk_low=0 risk_ med=0 risk_high=0 sus_limit=0

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: av, ENTRY_VERSION: 1795,

PACKAGE_PATH: /Storage/malpkg/pkg/avsig/avsigrel_1795.pkg

[2019/01/31 00:48:22] FG101E4Q17002429 RETRIEVE->PKG: TYPE: url, ENTRY_VERSION: 595,

PACKAGE_PATH: /Storage/malpkg/pkg/url/urlrel_595.pkg.gz

[2019/01/31 00:48:29] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:32] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:48:59] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

[2019/01/31 00:49:03] LOGIN->SUCCEED: Serial(FG101E4Q17002429), HOSTNAME(FGT_PROXY)

Use FortiSandbox Cloud with AntiVirus

Feature overview

FortiCloud Sandbox allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance.

FortiCloud Sandbox works the same way as the physical FortiSandbox appliance.

Starting from FortiOS 6.2, the FortiCloud Sandbox allows users to control the region where their traffic is sent to for analysis. This allows users to meet their country’s compliances regarding data’s storage location.

Support and limitations

  • Starting from FortiOS 6.2, users no longer require a FortiCloud account to use FortiCloud Sandbox. l Without a valid AVDB license, FortiGate devices are limited to 100 FortiCloud submissions per day.
  • Unlimited FortiCloud submissions are allowed if the FortiGate has a valid AVDB license.
  • There is a limit on how many submissions are sent per minute.
  • Per minute submission rate is based on the FortiGate model.
  • FortiSandbox can be used with AntiVirus in both proxy-based and flow-based policy inspection modes.
  • With FortiSandbox enabled, Full Scan mode AntiVirus can do the following:
  • Submit only suspicious files to FortiSandbox for inspection. l Submit every file to FortiSandbox for inspection.
  • Do not submit anything. l Quick Scan mode AntiVirus cannot submit suspicious files to FortiSandbox. It can only do the following:
  • Submit every file to FortiSandbox for inspection. l Do not submit anything.

Network topology example

Configuring the feature

To configure AntiVirus to work with an external block list, the following steps are required:

  1. Through FortiCare/FortinetOne, registerthe FortiGate device and purchase a FortiGuard AntiVirus license.
  2. Enable FortiCloud Sandbox on the FortiGate.
  3. Enable FortiSandbox inspection.
  4. Enable the use of the FortiSandbox database.

To obtain or renew an AVDB license:

  1. Please see the video How to Purchase orRenew FortiGuard Services for FortiGuard AntiVirus license purchase instructions.
  2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
    1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.
    2. Users can also view this indicator at Global > System > FortiGuard.

Enable FortiCloud Sandbox on the FortiGate:

  1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On
  2. Select FortiSandbox Cloud and choose a region from the dropdown list.
  3. Select Apply to save the settings.
  4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox’s current database version is displayed.

Enable FortiSandbox inspection:

  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.
  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.
  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.
  5. Select Apply.

Enable the use of the FortiSandbox database:

  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On
  3. Select Apply.

Diagnostics and debugging

Debug on FortiGate side

l Checking FortiCloud controller status:

FGT_FL_FULL (global) # diagnose test application forticldd 2

Server: log-controller, task=0/10, watchdog is off

Domain name: logctrl1.fortinet.com

Address of log-controller: 1

172.16.95.168:443

Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago http connection: is not in progress

Current address: 172.16.95.168:443

Calls: connect=9, rxtx=12

Current tasks number: 0

Account: name=empty, status=0, type=basic

Current volume: 0B

Current tasks number: 0

Update timer fires in 74240 secs l Checking Cloud APT server status:

FGT_FL_FULL (global) # diagnose test application forticldd 3 Debug zone info:

Domain:

Home log server: 0.0.0.0:0

Alt log server: 0.0.0.0:0

Active Server IP:      0.0.0.0

Active Server status: down

Log quota:      0MB

Log used:       0MB

Daily volume: 0MB

fams archive pause: 0

APTContract : 1                           <====

APT server: 172.16.102.51:514            <====

APT Altserver: 172.16.102.52:514          <====

Active APTServer IP:       172.16.102.51 <====

Active APTServer status: up  <==== l Cloud FortiSandbox diagnostics:

FGT_FL_FULL (global) # diagnose test application quarantine 1

Total remote&local devices: 4, any task full? 0 System have disk, vdom is enabled, mgmt=3, ha=1

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=1, hmac_alg=0 fortisandbox-fsb1 is disabled. fortisandbox-fsb2 is disabled. fortisandbox-fsb3 is disabled. fortisandbox-fsb4 is disabled.

fortisandbox-fsb5 is disabled. fortisandbox-fsb6 is disabled. global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled.

l Checking FortiSandbox Cloud submission statistics:

FGT_FL_FULL (global) # diagnose test application quarantined 2 Quarantine daemon state:

QUAR mem: mem_used=0, mem_limit=97269, threshold=72951

dropped(0 by quard, 0 by callers)

pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1 alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0 tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0 xfer-fas:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0 analytics: total=0, handled=0, accepted=0, local_dups=0 analytics stats: total=0, handled=0, accepted=0 last_rx=0, last_tx=0, error_rx=0, error_tx=0

max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

forticloud-fsb:

ips: total=0, handled=0, accepted=0 quar: total=0, handled=0, accepted=0 archive: total=0, handled=0, accepted=0

analytics: total=0, handled=0, accepted=0, local_dups=0

num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm=’Sun Feb 17 00:00:00 2019

‘ analytics stats: total=24, handled=24, accepted=24 last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0 max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0

l Checking FortiSandbox analysis statistics:

FGT_FL_FULL (global) # diagnose test application quarantine 7 Total: 0

Statistics: vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0 vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_

reached:0

FGT_FL_FULL (global) # l Update Daemon debug:

FGT_FL_FULL (global) # diagnose debug application quarantined -1 FGT_FL_FULL (global) # diagnose debug enable

quar_req_fsa_file()-890: fsa ext list new_version (1547781904) quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1 [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000 upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0

__quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=99

quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0

__quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0

__quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1 quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1 quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2). quar_put_job_req()-332: Job 337 deleted

quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0

__quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name= __quar_send()-470: dev buffer — pos=0, len=98 …

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[]. __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1

[103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca

Fortinet_CA, idx 0 (default)

[551] ssl_ctx_create_new_ex: SSL CTX is created [578] ssl_new: SSL object is created

upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530 upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043 upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230 upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043 upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-

1901281000

quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0

__quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=

__quar_send()-470: dev buffer — pos=0, len=93

quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_ status=1, buflen=12

quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1 quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1

quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1 quar_store_analytics_report()-590: Analytics-report return

file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735

quar_store_analytics_report()-597: The request

’83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18’ score is 1 quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1). quar_put_job_req()-332: Job 2 deleted quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully

__get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0

__quar_req_handler()-127: Request 0 was handled successfully quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1 quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)

[193] __ssl_data_ctx_free: Done

[805] ssl_free: Done

[185] __ssl_cert_ctx_free: Done

[815] ssl_ctx_free: Done

[796] ssl_disconnect: Shutdown l Appliance FortiSandbox diagnostics:

FGT_PROXY # config global

FGT_PROXY (global) # diagnose test application quarantined 1

Total remote&local devices: 8, any task full? 0 System have disk, vdom is enabled, mgmt=1, ha=2

xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=0, hmac_alg=0

License=0, content_archive=0, arch_pause=0.

global-fas is disabled. forticloud-fsb is disabled. fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0

global-faz is disabled. global-faz2 is disabled. global-faz3 is disabled.

FortiSandbox Appliance or FortiSandbox Cloud

FortiSandbox Appliance or FortiSandbox Cloud

FortiSandbox is available as a physical or virtual appliance (FortiSandbox Appliance), or as a cloud advanced threat protection service integrated with FortiGate (FortiSandbox Cloud).

To select the settings for Sandbox Inspection, such as the FortiSandbox type, server, and notifier email, go to Security Fabric > Settings.

The table below highlights the supported features of both types of FortiSandbox:

Feature FortiSandbox Appliance

(including VM)

FortiSandbox Cloud
Sandbox inspection for FortiGate Yes (FortiOS 5.0.4+) Yes (FortiOS 5.2.3+)
Sandbox inspection for FortiMail Yes (FortiMail OS 5.1+) Yes (FortiMail OS 5.3+)
Sandbox inspection for FortiWeb Yes (FortiWeb OS 5.4+) Yes (FortiWeb OS 5.5.3+)
Sandbox inspection for FortiClient Yes (FortiClient 5.4+ for Windows only) No
Feature FortiSandbox Appliance

(including VM)

FortiSandbox Cloud
Sandbox inspection for network share Yes No
Sandbox inspection for ICAP client Yes No
Manual File upload for analysis Yes Yes
Sniffer mode Yes Yes
File Status Feedback and Report Yes Yes
Dynamic Threat Database updates for FortiGate Yes (FortiOS 5.4+) Yes (FortiOS 5.4+)
Dynamic Threat Database updates

for FortiClient

Yes (FortiClient 5.4 for Windows only) Yes (FortiClient 5.6+ for Windows only)

Note that a separate Dynamic Threat Database is maintained for FortiMail. For more information, see the FortiSandbox documentation.

FAQ for Sandbox inspection

FAQ for Sandbox inspection

The following are some frequently asked questions about using sandbox inspection with FortiSandbox and FortiGate.

Why is the FortiSandbox Cloud option not available when sandbox inspection is enabled?

This option is only available if you have created a FortiCloud account. For more information, see the FortiCloud documentation.

Why don’t results from FortiSandbox Cloud appear in the FortiGate GUI?

Go to Log & Report > Log Settings and make sure Send Logs to FortiCloud is enabled and GUI Preferences is set to Display Logs from FortiCloud.

Why are the FortiSandbox Appliance VMs inactive?

Make sure that port 3 on the FortiSandbox has an active Internet connection. This is required in order to activate the FortiSandbox VMs.

Why aren’t files are being scanned by FortiSandbox?

Make sure an AntiVirus profile that sends files to FortiSandbox is enabled for all policies that require sandbox inspection.

Is FortiSandbox supported by FortiGate when in NAT or Transparent mode?

Yes, a FortiGate can be in either NAT or Transparent mode and support FortiSandbox.

Are FortiGates behind a NAT device supported? If so how many?

Yes, multiple FortiGates can be supported in-line with FortiSandbox. Note that the FortiSandbox will see all FortiGates only as one device so there is no way to differentiate reports.

If the FortiGate has a dynamic IP, will the FortiSandbox automatically update the FortiGate?

Yes. Dynamic IPs are supported and the FortiGate will not have to be reconfigured on the FortiSandbox each time.