AntiVirus with FortiSandbox


In this recipe, you will apply antivirus scanning to your network traffic. Any suspicious files entering your network will be sent to a FortiSandbox for further examination.

This recipe was written using FortiSandbox 2.1.0.

1. Connecting the FortiSandbox

Connect the FortiSandbox to your FortiGate as shown in the diagram, so that port 1 and port 3 on the FortiSandbox are on different subnets.

Port 3 on the FortiSandbox carries the outgoing traffic generated when files under analysis are executed inside the sandbox VMs, which can include malware downloads and command-and-control callbacks. Connect this port to an isolated interface on your FortiGate (in the example, port 15) that has no policy into the rest of your network, so that a sample being detonated cannot reach production hosts.

 
The FortiSandbox requires Internet access on port 3. On the FortiGate, go to Policy & Objects > Policy > IPv4 and create a policy allowing connections from the FortiSandbox to the Internet (using the isolated interface on the FortiGate mentioned above).

On the FortiSandbox, go to System > Network > Static Routing and add static routes for both port 1 and port 3. 

The static route for port 3 must be the default route (Destination/IP Mask 0.0.0.0/0.0.0.0), so that all traffic generated by detonated samples leaves through the isolated interface. The route for port 1 should cover only the local network (the subnet containing the FortiGate and your management hosts), so that management and file-submission traffic stays on the protected side and never uses port 3.

 

Once the FortiSandbox has access to the Internet through port 3, it will begin to activate the VM licenses.

Before continuing with this recipe, wait until a green arrow shows up beside Windows VM in the FortiSandbox’s System Information widget, found at System > Status. This indicates that the VM activation process is complete.

 

2. Enabling Sandbox Inspection

On the FortiGate, go to System > Config > FortiSandbox. Select Enable Sandbox Inspection and select FortiSandbox Appliance.

Set the IP Address (in the example, 172.20.121.128) and enter a Notifier Email, where notifications and reports will be sent.

 

After you select Apply, select Test Connectivity. The Status shows as unreachable, because the FortiGate has not been authorized to connect to the FortiSandbox.

 

On the FortiSandbox, go to File-based Detection > File Input > Device. Edit the entry for the FortiGate.

Under Permissions, enable Authorized.

 

On the FortiGate, go to System > Config > FortiSandbox and select Test Connectivity. The Status now shows that Service is online.

 

3. Enabling FortiSandbox in the default AntiVirus profile

On the FortiGate, go to Security Profiles > AntiVirus and enable Send Files to FortiSandbox for Inspection.

 

4. Applying AntiVirus scanning to network traffic

On the FortiGate, go to Policy & Objects > Policy > IPv4 and view the policy list.

If the AV column is not visible, right-click on the title row, select AV, and select Apply.

If any security policy does not have AntiVirus applied, highlight that policy to make the None option visible in the AV column. Select None, then use the Select Profile option to set the policy to use the default profile.

In order to ensure that AntiVirus is applied to encrypted traffic, you must also make sure that the deep-inspection profile is used for SSL Inspection.
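The same configuration can be applied from the FortiGate CLI, which is useful when you manage several units or want to verify what the GUI actually set. The following is an added example and is not part of the original recipe. It assumes the recipe's FortiSandbox address (172.20.121.128), a hypothetical notifier mailbox soc@example.com, a LAN interface named "internal", a WAN interface named "wan1", the FortiSandbox's port 3 at the hypothetical address 10.10.10.2 on the isolated interface port15, and that the policy to protect has ID 1. The antivirus-profile option names vary between FortiOS releases; the ones shown are my assumption for this version and should be confirmed with `?` inside the CLI before use.

```fortios
# Step 1 (CLI): isolated egress for the sandbox's port 3 only.
# Restrict the source to the sandbox address so nothing else on port15 can
# use this path, and deliberately apply no AV profile: this traffic is
# expected to be malicious. With no policy from port15 to "internal",
# the implicit deny keeps detonated samples away from the LAN.
config firewall address
    edit "FortiSandbox-port3"
        set subnet 10.10.10.2 255.255.255.255   # assumed port 3 address
    next
end
config firewall policy
    edit 0
        set srcintf "port15"
        set dstintf "wan1"
        set srcaddr "FortiSandbox-port3"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "FortiSandbox port3: isolated egress for detonated samples"
    next
end

# Step 2 (CLI): point the FortiGate at the FortiSandbox appliance.
# The sandbox still has to authorize this FortiGate under
# File-based Detection > File Input > Device before Test Connectivity succeeds.
config system fortisandbox
    set status enable
    set server "172.20.121.128"
    set email "soc@example.com"            # assumed notifier mailbox
end

# Step 3 (CLI): default AntiVirus profile.
# analytics-db supplements local signatures with the sandbox's verdict
# database; analytics-max-upload caps the size (MB) of files submitted.
# The GUI toggle "Send Files to FortiSandbox for Inspection" also sets
# per-protocol options whose CLI name differs between releases: run
# "set options ?" under "config http" in your build to find it (assumption).
config antivirus profile
    edit "default"
        set analytics-db enable
        set analytics-max-upload 10
    next
end

# Step 4 (CLI): apply AV, the deep-inspection SSL profile and protocol
# options to the LAN-to-Internet policy. Without deep inspection, files
# inside HTTPS downloads are never seen and never reach the sandbox.
config firewall policy
    edit 1                                 # assumed ID of the LAN-to-WAN policy
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "deep-inspection"
        set profile-protocol-options "default"
        set nat enable
    next
end

# Quick check that the profiles are really bound to the policy.
show firewall policy 1 | grep profile
```

Keep the port15 policy separate from any policy that touches the LAN; the value of the whole design is that the only thing reachable from port 3 is the Internet.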

 

5. Results

When the FortiGate's antivirus scan flags a file as suspicious, the file is now sent to the FortiSandbox. To view the files that have been sent, go to Status > FortiView > FortiSandbox on the FortiGate, which lists file names and the current status of each submission.

You can also view results on the FortiSandbox by going to System > Status and viewing the Scanning Statistics widget.
Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet

Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

Notes

Step 2: If you have a FortiCloud account, you can also select FortiSandbox Cloud instead of FortiSandbox Appliance.

Step 4: Using the deep-inspection profile may cause certificate errors on client devices. For information about avoiding this, see Preventing certificate warnings.

Step 5: There may be a delay before results appear on the FortiSandbox.
  • Cascadia89

    Would like to see FortiSandbox Cloud specific info. For example notes regarding what type of files to submit/scan for. Seems like not filtering out certain file types (JPEG and GIF for example) can overload the submission.