FortiSandbox in the Fortinet Security Fabric


In this recipe, you will add a FortiSandbox to the Fortinet Security Fabric and configure each FortiGate in the network to send suspicious files to FortiSandbox for sandbox inspection. The FortiSandbox scans and tests these files in isolation from your network.

This recipe is in the Fortinet Security Fabric Collection. You can also use it as a standalone recipe.

This example uses the Security Fabric configuration created in the Fortinet Security Fabric collection recipe. The FortiSandbox connects to the root FortiGate in the Security Fabric, known as Edge. There are two connections between the devices:

  • FortiSandbox port 1 (administration port) connects to Edge port 16
  • FortiSandbox port 3 (VM outgoing port) connects to Edge port 13

If possible, you can also use a separate Internet connection for FortiSandbox port 3, rather than connecting through the Edge FortiGate to use your main Internet connection. This configuration avoids having IP addresses from your main network blacklisted if malware that’s tested on the FortiSandbox generates an attack. If you use this configuration, you can skip the steps listed for FortiSandbox port 3.


1. Checking the Security Rating results before installing the FortiSandbox

On Edge (the root FortiGate in the Security Fabric), go to Security Fabric > Security Rating.

Since you haven’t yet installed a FortiSandbox in your network, the Security Fabric fails the Advanced Threat Protection check.

In the example, the Security Rating Score decreases by 30 points for each of the four FortiGates in the Security Fabric.


2. Connecting the FortiSandbox and Edge

Connect to the FortiSandbox.

To edit port1, which is used for communication between the FortiSandbox and the rest of the Security Fabric, go to Network > Interfaces.

Set IP Address/Netmask to an internal IP address. In this example, the FortiSandbox connects to the same subnet as the FortiAnalyzer that you installed previously, using the IP address 192.168.65.20.


Edit port3. This port is used for outgoing communication by the virtual machines (VMs) running on the FortiSandbox. It’s recommended that you connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats that the FortiSandbox is currently investigating.

Set IP Address/Netmask to an internal IP address (in the example, 192.168.179.10/255.255.255.0).


To add a static route, go to Network > System Routing. Set Gateway to the IP address of the FortiGate interface that port 1 connects to (in the example, 192.168.65.2).


Connect to Edge.

To configure the port that connects to port3 on the FortiSandbox (in the example, port13), go to Network > Interfaces. Set IP/Network Mask to an address on the same subnet as port 3 on the FortiSandbox (in the example, 192.168.179.2/255.255.255.0).


Connect the FortiSandbox to the Security Fabric.

3. Allowing VM Internet access

Connect to Edge.

To create a policy that allows connections from the FortiSandbox to the Internet, go to Policy & Objects > IPv4 Policy.

Connect to FortiSandbox.

Go to Scan Policy > General and select Allow Virtual Machines to access external network through outgoing port3. Set Gateway to the IP address of port 13 on the FortiGate.

Go to the Dashboard and locate the System Information widget. Verify that VM Internet Access has a green checkmark beside it.
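The addressing in steps 2 and 3 is easy to get subtly wrong (a gateway off its subnet, or the VM egress port landing on the management subnet, which defeats the isolation the recipe is after). The following is an added example, not part of the Fortinet recipe, that checks an addressing plan for those mistakes; it assumes /24 masks for port1 and its gateway, which the recipe gives only as bare addresses, and takes the rest of the values from the recipe.

```python
import ipaddress

def check_sandbox_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    p1 = ipaddress.ip_interface(plan["fsa_port1"])            # FortiSandbox admin port
    p3 = ipaddress.ip_interface(plan["fsa_port3"])            # FortiSandbox VM egress port
    p1_gw = ipaddress.ip_address(plan["fsa_port1_gateway"])   # Network > System Routing gateway
    fg_vm = ipaddress.ip_interface(plan["fgt_vm_port"])       # FortiGate port cabled to port3
    vm_gw = ipaddress.ip_address(plan["vm_gateway"])          # Scan Policy > General gateway
    server = ipaddress.ip_address(plan["fgt_sandbox_server"]) # Security Fabric > Settings server

    # 1. The static route on port1 must point at a router on port1's own subnet.
    if p1_gw not in p1.network:
        findings.append(f"port1 gateway {p1_gw} is not on port1 subnet {p1.network}")
    # 2. port3 and the FortiGate interface it is cabled to must share a subnet.
    if p3.network != fg_vm.network:
        findings.append(f"port3 subnet {p3.network} differs from FortiGate VM port subnet {fg_vm.network}")
    # 3. VM egress traffic must stay off the management subnet, otherwise samples
    #    detonating in the VMs can reach the admin side (FortiSandbox, FortiAnalyzer) directly.
    if p3.network.overlaps(p1.network):
        findings.append(f"VM egress subnet {p3.network} overlaps management subnet {p1.network}")
    # 4. The VM gateway set on FortiSandbox must be the FortiGate's VM-facing interface.
    if vm_gw != fg_vm.ip:
        findings.append(f"VM gateway {vm_gw} is not the FortiGate VM port address {fg_vm.ip}")
    # 5. FortiGates must submit files to the admin port, never to the VM egress port.
    if server != p1.ip:
        findings.append(f"sandbox server {server} is not the FortiSandbox port1 address {p1.ip}")
    return findings

# Values from the recipe; the /24 on port1 is an assumption (the recipe gives no mask there).
RECIPE_PLAN = {
    "fsa_port1": "192.168.65.20/24",
    "fsa_port1_gateway": "192.168.65.2",
    "fsa_port3": "192.168.179.10/255.255.255.0",
    "fgt_vm_port": "192.168.179.2/255.255.255.0",
    "vm_gateway": "192.168.179.2",
    "fgt_sandbox_server": "192.168.65.20",
}

if __name__ == "__main__":
    for finding in check_sandbox_plan(RECIPE_PLAN) or ["plan is consistent"]:
        print(finding)
```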

4. Adding the FortiSandbox to the Security Fabric

Connect to Edge.

To add FortiSandbox to the Security Fabric, go to Security Fabric > Settings. Enable Sandbox Inspection.

Make sure FortiSandbox Appliance is selected and set Server to the IP address of port 1 on the FortiSandbox.

Select Test Connectivity. An error message appears because Edge hasn’t been authorized on the FortiSandbox.

Edge, as the root FortiGate, pushes FortiSandbox settings to the other FortiGates in the Security Fabric. To verify this, connect to Accounting and go to Security Fabric > Settings.

On the FortiSandbox, go to Scan Input > Device. The FortiGates in the Security Fabric (Edge, Accounting, Marketing, and Sales) are listed but the Auth column indicates that the devices are unauthorized.

Select and edit Edge. Under Permissions & Policies, select Authorized.

Repeat this for the other FortiGates.

On Edge, go to Security Fabric > Settings and test the Sandbox Inspection connectivity again. Edge is now connected to the FortiSandbox.

5. Adding sandbox inspection to Antivirus, Web Filter, and FortiClient profiles

You can apply sandbox inspection with three types of security inspection: antivirus, web filter, and FortiClient compliance profiles. In this step, you add sandbox inspection to each FortiGate in the Security Fabric individually, using the profiles that each FortiGate applies to network traffic.

In order to pass the Advanced Threat Protection check, you must add sandbox inspection to antivirus profiles for all FortiGate devices in the Security Fabric.

Go to Security Profiles > AntiVirus and edit the default profile.

Under Inspection Options, set Send Files to FortiSandbox Appliance for Inspection to All Supported Files.


Enable Use FortiSandbox Database, so that if the FortiSandbox discovers a threat, it adds a signature for that file to the antivirus signature database on the FortiGate.

Go to Security Profiles > Web Filter and edit the default profile.

Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox.

If the FortiSandbox discovers a threat, the URL that threat came from is added to the list of URLs that are blocked by the FortiGate.

Go to Security Profiles > FortiClient Compliance Profiles and edit the default profile. Enable Security Posture Check.

Enable Realtime Protection and Scan with FortiSandbox.


6. Results

If a FortiGate in the Security Fabric discovers a suspicious file, it sends the file to the FortiSandbox.

You can view information about scanned files on either the FortiGate that sent the file or the FortiSandbox.

On one of the FortiGate devices, go to the Dashboard and locate the Advanced Threat Protection Statistics widget. This widget shows files that both the FortiGate and FortiSandbox scan.

On the FortiSandbox, go to System > Status and view the Scanning Statistics widget for a summary of scanned files.

You can also view a timeline of scanning in the File Scanning Activity widget.

On Edge, go to Security Fabric > Security Rating and run a rating. When it is finished, select the All Results view.

In the example, all four FortiGate devices in the Security Fabric pass the Advanced Threat Protection check and the Security Rating Score increases by 9.7 points for each FortiGate.

For further reading, check out Overview of sandbox inspection in the FortiOS 6.0 Online Help.

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
