In this recipe, you will add a FortiSandbox to your Security Fabric and configure each FortiGate in the fabric to send suspicious files to FortiSandbox for Sandbox Inspection. These files will be scanned and tested in isolation from your network on the FortiSandbox .
This example uses the Security Fabric configuration created in the recipe Security Fabric installation. The FortiSandbox will connect to the root FortiGate in the fabric, known as External. There will be two connections between the devices:
- FortiSandbox port 1 (administration port) connects to External port 16
- FortiSandbox port 3 (VM outgoing port) connects to External port 13
Find this recipe for other FortiOS versions
5.4 | 5.6
1. Running a Security Fabric Audit without using FortiSandbox |
|
|
On External (the root FortiGate of the Security Fabric), go to Log & Report > Security Fabric Audit. Run an Audit for your Security Fabric. |
 |
|
Since you are not using FortiSandbox, your Security Fabric will fail the Advanced Threat Protection check and you Security Score will decrease by 30 points for each FortiGate in the Fabric. |
|
2. Connecting the FortiSandbox and External |
|
|
On the FortiSandbox, go to Network > Interfaces and configure port 1. This port will be used for communication between the FortiSandbox and your security fabric. Set the IP/Network Mask to an internal IP address. In this example, the FortiSandbox will connect to the same subnet as a previously installed FortiAnalyzer, using the IP address 192.168.55.20. |
 |
|
Go to Network > Interfaces and configure port 3. This port will be used for outgoing communication by the FortiSandbox’s Virtual Machines (VMs). It is recommended to connect this port to a dedicated interface on your FortiGate to protect the rest of the network from threats currently being investigated by the FortiSandbox. Set the IP/Network Mask to an internal IP address (in the example, 192.168.179.10/255.255.255.0). |
 |
|
On the FortiSandbox, go to Network > System Routing and add a static route for port 1. Set Gateway to the IP of the FortiGate interface that port 1 connects to (in the example, 192.168.55.2). |
 |
| On External, go to Network > Interfaces and port 13. Set IP/Network Mask to an address on the same subnet as port 3 (in the example, 192.168.179.2/255.255.255.0) |  |
| FortiSandbox port 3 must be able to connect to the Internet. On the FortiGate, go to Policy & Objects > IPv4 Policy and create a policy allowing connections from the FortiSandbox to the Internet. |  |
|
If you haven’t already done so, connect the FortiSandbox to your security fabric as shown in the diagram. |
|
3. Activating the FortiSandbox VMs |
|
|
On the FortiSandbox, go to Scan Policy > General. Enable Allow Virtual Machines to access external network through outgoing port3 and set Gateway to the IP address of the FortiGate port 13. |
 |
|
Wait for the FortiSandbox to confirm that it has access to the Internet. Once this occurs, it will start to activate and initialize the Microsoft Windows VM and the Microsoft Office VM. Go to the Dashboard and locate the System Information widget. When the VMs are ready to go, green checkmarks will appear beside them. |
 |
4. Adding the FortiSandbox to the Security Fabric |
|
|
On External, go to System > Security Fabric. Enable Sandbox Inspection. Make sure FortiSandbox Appliance is selected and set Server to the IP address of the FortiSandbox’s port 1. |
 |
| Select Test Connectivity. An error message appears because External has not been authorized on the FortiSandbox. |  |
| On the FortiSandbox, go to Scan Input > Device. External is listed but shown as unauthorized. |  |
| Select the Edit button located beside External’s name. Under Permissions and Policies, select Authorized. |  |
| On External, go to System > Security Fabric and test the Sandbox Inspection connectivity again. External is now connected to the FortiSandbox. |  |
| Repeat these steps for the other FortiGates in the Security Fabric. | |
5. Adding Sandbox Inspection to AntiVirus, Web Filter, and FortiClient Profiles |
|
|
Sandbox Inspection can be applied to three security profiles: AntiVirus, Web Filter, and FortiClient Profiles. In this step, Sandbox Inspection should be added on all FortiGates in the fabric individually, using the profiles that each FortiGate applies to traffic. |
|
|
Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, set Send Files to FortiSandbox Application for Inspection to All Supported Files. |
 |
|
Enable Use FortiSandbox Database, so that if FortiSandbox discovers a threat, a signature for that file is added to the FortiGate’s AntiVirus signature database. |
|
|
Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLS discovered by FortiSandbox. |
 |
|
If the FortiSandbox discovers a threat, the URL that threat came from will be added to the list of URLs that will be blocked by the FortiGate. |
|
|
Go to Security Profiles > FortiClient Profiles and edit the default profile. Enable Security Posture Check. Enable Realtime Protection and Scan with FortiSandbox. |
 |
6. Results |
|
|
If your FortiGate discovers a suspicious file, it will now be sent to the FortiSandbox. To view information about the files that have been sent on the FortiGate, go to the Dashboard and locate the Advanced Thread Protection Statistics widget, which shows files scanned by both the FortiGate and FortiSandbox. |
 |
|
You can also view results on the FortiSandbox by going to System > Status and viewing the Scanning Statistics widget. |
 |
|
On External, go to Log & Report > Security Fabric Audit and run an Audit. When it is finished, select the All Results view. |
 |
|
Your Fabric has passed the Advanced Threat Protection check and your Security Score has improved. |
|
The post FortiSandbox in the Security Fabric appeared first on Fortinet Cookbook.