FortiSandbox in the Security Fabric

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

In this recipe, you will add a FortiSandbox to your Security Fabric and configure each FortiGate in the network to send suspicious files to FortiSandbox for sandbox inspection. The FortiSandbox scans and tests these files in isolation from your network.

This recipe is in the Security Fabric Collection. It can also be used as a standalone recipe.

This example uses the Security Fabric configuration created in the following recipe: Security Fabric installation. The FortiSandbox will connect to the root FortiGate in the Security Fabric, known as External. There will be two connections between the devices:

  • FortiSandbox port 1 (administration port) connects to External port 16
  • FortiSandbox port 3 (VM outgoing port) connects to External port 13

This recipe was created using FortiOS 5.6.1. If you are using 5.6.0, GUI paths related to the Security Fabric and the appearance of some pages will differ from what is shown.

Find this recipe for other FortiOS versions
5.4 | 5.6

1. Running a Security Fabric Audit before installing the FortiSandbox

On External (the root FortiGate in the Security Fabric), go to Security Fabric > Audit. Select Next to run an Audit for the Security Fabric.

Since you have not yet installed a FortiSandbox in your network, the Security Fabric fails the Advanced Threat Protection check.

In the example, the Security Score decreases by 30 points for each of the four FortiGates in the Security Fabric.

2. Connecting the FortiSandbox and External

On the FortiSandbox, go to Network > Interfaces and configure port 1. This port will be used for communication between the FortiSandbox and the rest of the Security Fabric.

Set IP Address/Netmask to an internal IP address. In this example, the FortiSandbox will connect to the same subnet as the previously installed FortiAnalyzer, using the IP address 192.168.55.20.

 

Go to Network > Interfaces and configure port 3. This port will be used for outgoing communication by the virtual machines (VMs) running on the FortiSandbox. It is recommended to connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox.

Set IP Address/Netmask to an internal IP address (in the example, 192.168.179.10/255.255.255.0).

 

Go to Network > System Routing and add a static route for port 1. Set Gateway to the IP address of the FortiGate interface that port 1 connects to (in the example, 192.168.55.2).

 
On External, go to Network > Interfaces and configure port 13. Set IP/Network Mask to an address on the same subnet as port 3 on the FortiSandbox (in the example, 192.168.179.2/255.255.255.0)  
Port 3 on the FortiSandbox must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet.  

If you have not already done so, connect the FortiSandbox to the Security Fabric, as shown in the diagram at the beginning of this recipe.

3. Activating the FortiSandbox VMs

On the FortiSandbox, go to Scan Policy > General.

Select Allow Virtual Machines to access external network through outgoing port3. Set Gateway to the IP address of port 13 on the FortiGate.

 

Wait for the FortiSandbox to confirm that it has access to the Internet. Once this occurs, it will start to activate and initialize Windows VM and Microsoft Office.

Go to the Dashboard and locate the System Information widget. When the VMs are ready, green checkmarks will appear beside them.

 

4. Adding the FortiSandbox to the Security Fabric 

On External, go to Security Fabric > Settings. Enable Sandbox Inspection.

Make sure FortiSandbox Appliance is selected and set Server to the IP address of port 1 on the FortiSandbox.


 
Select Test Connectivity. An error message appears because External has not been authorized on the FortiSandbox.  
On the FortiSandbox, go to Scan Input > Device. External is listed but the Auth column indicates that it is unauthorized.  
Select the Edit button located beside External’s name. Under Permissions & Policies, select Authorized.  
On External, go to Security Fabric > Settings and test the Sandbox Inspection connectivity again. External is now connected to the FortiSandbox.  
Repeat these steps for the other FortiGates in the Security Fabric.

5. Adding sandbox inspection to AntiVirus, Web Filter, and FortiClient Profiles

Sandbox inspection can be applied with three types of security inspection: AntiVirus, Web Filter, and FortiClient Profiles. In this step, sandbox inspection is added to all FortiGates in the Security Fabric individually, using the profiles that each FortiGate applies to network traffic.

In order to pass the Advanced Threat Protection audit check, all FortiGates in the Security Fabric must have sandbox inspection added to an AntiVirus profile.

Go to Security Profiles > AntiVirus and edit the default profile.

Under Inspection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.

 

Enable Use FortiSandbox Database, so that if FortiSandbox discovers a threat, a signature for that file is added to the FortiGate’s antivirus signature database.

Go to Security Profiles > Web Filter and edit the default profile.

Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.

 

If the FortiSandbox discovers a threat, the URL that threat came from will be added to the list of URLs that will be blocked by the FortiGate.

Go to Security Profiles > FortiClient Profiles and edit the default profile. Enable Security Posture Check

Enable Realtime Protection and Scan with FortiSandbox.

 

6. Results

If a FortiGate in the Security Fabric discovers a suspicious file, it is sent to the FortiSandbox.

You can view information about scanned files on either the FortiGate that sent the file or the FortiSandbox.

On one of the FortiGates, go to the Dashboard and locate the Advanced Threat Protection Statistics widget. This widget shows files scanned by both the FortiGate and FortiSandbox, with the FortiSandbox files on the bottom half of the widget.


 

On the FortiSandbox, go to System > Status and view the Scanning Statistics widget.

 

On External (the root FortiGate), go to Security Fabric > Audit and run an audit. When it is finished, select the All Results view.

In the example, all four FortiGates in the Security Fabric have passed the Advanced Threat Protection check and the Security Score has increased by 9.7 points for each FortiGate.

For further reading, check out Sandbox Inspection in the FortiOS 5.6 Handbook.

Victoria Martin

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin
  • Was this helpful?
  • Yes   No