FortiSandbox Student Guide-Online

DO NOT REPRINT
FORTINET
FortiSandbox
Student Guide
for FortiSandbox 2.0.3
DO NOT REPRINT
FORTINET
FortiSandbox Student Guide
for FortiSandbox 2.0.3
Last Updated: 18 October 2015
We would like to acknowledge the following major contributors: Michael Liu
Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2015 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
DO NOT REPRINT
FORTINET
Table of Contents
VIRTUAL LAB BASICS ...................................................................................5
Topology .............................................................................................................................. 6
Logging In ............................................................................................................................ 6
Disconnections/Timeouts .............................................................................................................................9
Transferring Files to the VM ................................................................................................. 9
Using HTML5 Instead of Java .............................................................................................. 10
Screen Resolution ................................................................................................................ 10
International Keyboards ....................................................................................................... 11
Troubleshooting Tips ............................................................................................................ 12
INLINE DEPLOYMENT ....................................................................................14
Objectives ............................................................................................................................ 14
Time to Complete ................................................................................................................. 14
Exercise 1: Communication with a FortiGate ....................................................................... 15

Initialize the configuration .............................................................................................................................15
Configure file inspection and submission .....................................................................................................19
Submitting files from FortiGate to FortiSandbox ...........................................................................................21
Exercise 2: Communication with a FortiMail ......................................................................... 27

Initialize the configuration .............................................................................................................................27
Configure attachment inspection and submission ........................................................................................29
Submitting files from FortiMail to FortiSandbox ............................................................................................30
SNIFFER DEPLOYMENT .................................................................................32
Objectives ............................................................................................................................ 32
Time to Complete ................................................................................................................. 32
Exercise 1: Sniffer-based detection ...................................................................................... 33

DO NOT REPRINT
FORTINET
OTHER FILE SUBMISSION METHODS..............................................................34
Objectives ............................................................................................................................ 34
Time to Complete ................................................................................................................. 34
Exercise 1: Manual File Submission..................................................................................... 35
Exercise 2: Scanning File Shares......................................................................................... 37

Access the file share ....................................................................................................................................37
Configure a network share ...........................................................................................................................38
Configure a quarantine location....................................................................................................................39
Exercise 3: Inspecting Suspicious URLs .............................................................................. 40
REPORTS .....................................................................................................43
Objectives ............................................................................................................................ 43
Time to Complete ................................................................................................................. 43
Exercise 1: Generating Reports ........................................................................................... 44
DIAGNOSTICS ...............................................................................................45
Objectives ............................................................................................................................ 45
Time to Complete ................................................................................................................. 45
Exercise 1: FortiGate Diagnostics ........................................................................................ 46
Exercise 2: FortiMail Diagnostics ......................................................................................... 48
Exercise 3: FortiSandbox Diagnostics .................................................................................. 50
APPENDIX A: ADDITIONAL RESOURCES........................................................51
APPENDIX B: PRESENTATION SLIDES ...........................................................52
1 Sandboxing Concepts ...................................................................................................... 53
2 Basic Setup ...................................................................................................................... 100

DO NOT REPRINT
FORTINET
3 Inline Deployment............................................................................................................. 145
4 Sniffer Deployment ........................................................................................................... 163
5 Other File Submission Methods and URL Scanning ........................................................ 176
6 Logs and Reports ............................................................................................................. 193
7 Troubleshooting................................................................................................................ 227
DO NOT REPRINT Virtual Lab Basics
FORTINET
Virtual Lab Basics
In this class, you will use a virtual lab for hands-on exercises. This section explains how to connect to
the lab and its virtual machines. It also shows the topology of the virtual machines in the lab.
Note: If your trainer asks you to use a different lab, such as devices physically located in
your classroom, please ignore this section. This applies only to the virtual lab accessed
through the Internet. If you do not know which lab to use, please ask your trainer.
FortiSandbox Student Guide 6

FORTINET
Topology
port1
10.200.2.100
FORTIMAIL
FORTIGATE
10.200.2.254/24
port2
LINUX
WIN-LOCAL 10.0.1.254/24 10.200.1.1/24 10.200.1.254
10.0.1.10 port3 port1 eth1
port4 port5 eth0

10.200.4.254/24 10.200.5.254/24
10.200.4.213 10.200.5.213
port1 port5
port2 port3
FORTISANDBOX 10.200.1.213
Logging In
1. Run the System Checker. This will fully verify both:
compatibility with the virtual lab environment's software, and
that your computer can connect
It can also diagnose problems with your Java Virtual Machine, firewall, or web proxy.
Use the URL for your location.
North America/South America:
https://remotelabs.training.fortinet.com/training/syscheck/?location=NAM-West
Europe/Middle East/Africa:
https://remotelabs.training.fortinet.com/training/syscheck/?location=Europe
Asia/Pacific:
https://remotelabs.training.fortinet.com/training/syscheck/?location=APAC

FORTINET
If a security confirmation dialog appears, click Run.
If your computer successfully connects to the virtual lab, the result messages for the browser and
network checks will each display a check mark icon. Continue to the next step.
If a browser test fails, this will affect your ability to access the virtual lab environment. If a network
test fails, this will affect the usability of the virtual lab environment. For solutions, either click the
Support Knowledge Base link or ask your trainer.
2. With the user name and password from your trainer, log into the URL for the virtual lab.
https://remotelabs.training.fortinet.com/

FORTINET
3. If prompted, select the time zone for your location, then click Update.
This ensures that your class schedule is accurate.
4. Click Enter Lab.
A list of virtual machines that exist in your virtual lab should appear.
From this page, you can access the console of any of your virtual devices by either:
clicking on the devices square, or
selecting System > Open.

FORTINET
5. Click Windows to open a connection to that server.
A new window should open within a few seconds. (Depending on your accounts preferences, the
window may be a Java applet. If this fails, you may need change browser settings to allow Java to
run on this web site. You also may need to review and accept an SSL certificate.)
Depending on the virtual machine, the applet provides access to either the GUI or a text-based
CLI. Connections to Windows machines will use a Remote Desktop-like GUI. The applet should
automatically log in, then display the Windows desktop. For most lab exercises, you will connect to
this VM.
Disconnections/Timeouts
If your computers connection with the virtual machine times out or if you are accidentally
disconnected, to regain access, return to the initial window/tab that contains your sessions list of VMs
and open the VM again.
If your session frequently times out or does not connect, ask your instructor.
Transferring Files to the VM

When using the Java applet to connect to a VM, you can drag-and-drop files from your computer to
the VM. For example, if you have a FortiGate configuration file that you want to upload to your lab VM,
you could create it on your computer, then drag it into the Java application window that is connected to
the Windows VM. Usually the destination folder is C:\Uploads.
Alternatively, if you store files in a cloud service such as Dropbox or SugarSync, you can use the web
browser to download them to your VM instead.

FORTINET
Using HTML5 Instead of Java
When you open a VM, your browser may download and use a Java application to connect to the
virtual labs VM. This means that Java must be installed, updated, and enabled in your browser.
Alternatively, you can use HTML5 instead. Click the Settings button, then select Use Java Client. Click
Save & Disconnect, then log in again. (To use this preference, your browser must allow cookies.)
When connecting to a VM, your browser should then open a display in a new window or tab.
Screen Resolution
Some Fortinet devices' user interfaces require a minimum screen size.
In the Java client, to configure the screen resolution, click the arrow at the top of the window.

FORTINET
In the HTML 5 client, to configure screen resolution, open the System menu.
International Keyboards
If characters in your language dont display correctly, keyboard mappings may not be correct.
To solve this in the HTML 5 client, open the Keyboard menu at the top of the window. Choose to either
display an on-screen keyboard, or send text from your computer to the VM's clipboard.
To solve this in the Java client, copy and paste between your computer and the Java applet. This
sends special characters or combinations using the keyboard icon at the top of the applet window.

FORTINET
Troubleshooting Tips
If the HTML 5 client does not work, try the Java client instead. Remembering this preference
requires that your browser allow cookies.
Do not connect to the virtual lab environment through a low-bandwidth or high-latency connection,
including VPN tunnels or wireless such as 3G or Wi-Fi. For best performance, use a stable
broadband connection such as a LAN.
Do not disable or block Java applets. On Mac OS X since early 2014, to improve security, Java
has been disabled by default. In your browser, you must allow Java for this web site. On Windows,
if the Java applet is allowed and successfully downloads, but does not appear to launch, you can
open the Java console while troubleshooting. To do this, open the Control Panel, click Java, and
change the Java console setting to be Show console.
Network firewalls can also block Java executables.
Note: JavaScript is not the same as Java...
Prepare your computer's settings:

FORTINET
o Disable screen savers
o Change the power saving scheme so that your computer is always on, and does not go to
sleep or hibernate
If disconnected unexpectedly from any of the virtual machines (or from the virtual lab portal),
please attempt to reconnect. If unable to reconnect, please notify the instructor.

DO NOT REPRINT Inline Deployment
FORTINET
Inline Deployment
In this lab, you will configure a FortiSandbox appliance to communicate with a FortiGate firewall and a
FortiMail appliance for inline inspection.
Objectives
Configure a FortiGate device to submit files to a FortiSandbox appliance for inspection
Configure a FortiMail device to submit suspicious email attachments to a FortiSandbox appliance
for inspection
Use the FortiSandbox GUI to monitor the inspection results and statistics of the processed files
Time to Complete
Estimated: 55 minutes

FORTINET
Exercise 1: Communication with a FortiGate
Configure a FortiGate firewall and a FortiSandbox appliance to communicate with each other, then
confirm the connection by having the FortiGate firewall submit files for inspection.
Initialize the configuration

1. From the Lab Overview dashboard of the virtual lab, go to the FortiGate VM and select System >
Open to connect to the FortiGate firewall's local console command line interface (CLI):
2. At the login prompt, enter the username admin (all lower case). Leave the password blank.
3. To be able to access the FortiWeb's GUI, you must first configure the port3 network interface.
Assign its IP address, and specifically allow HTTP connections to the GUI.
config system interface
edit port3
set ip 10.0.1.254/24
set allowaccess ping http https ssh telnet
next
end

FORTINET
4. Type the CLI command to format the log disk:
execute formatlogdisk
Type 'y' to confirm. After formatting the log disk, the FortiGate firewall will reboot. Wait until it has
restarted.
5. Return to the Lab Overview dashboard. Connect to the Windows server.
6. On the Windows servers desktop, open a Firefox browser window and connect to the FortiGate
firewalls graphical user interface (GUI) via HTTP:
http://10.0.1.254
Use the admin username again with no password.
The GUI will display a warning indicating that the FortiGate VM is currently using an evaluation
(trial) license. Ignore the warning and click Remind Later to continue.
Note: You might notice that you cannot connect to the FortiGate GUI using HTTPS. This is
expected since the device is using a trial license. FortiGate trial licenses do not support
any of the high encryption algorithms that the browser, by default, uses.
7. Restore the initial configuration file required by these labs. Go to System > Status and click the
Restore link inside the System Information widget:

FORTINET
Click Browse. Select the backup file FortiGate.conf inside the folder Resources/FortiSandbox
located in the Windows desktop. Click Restore.
The FortiGate will restore the configuration and restart. Wait a few seconds until it has restarted.
8. Test the connectivity between the FortiGate firewall and the FortiSandbox appliance. From the
FortiGate CLI, enter this CLI command:
execute ping 10.200.4.213
Note: Now that there is network connectivity between the Windows VM and the FortiGate
VM, you can alternatively use the PuTTY application in the Windows VM to access the
FortiGate CLI.
9. Open PuTTY and use SSH to connect to 10.0.1.254.

10. Adjust the FortiGate firewalls time zone by entering these CLI commands:
config system global
set timezone ?
After pressing the question mark key at the end of the last command, the CLI will display a list of
time zones with their ID numbers. Press the space bar to page through the list. Locate your time
zone and take note of its ID number.
After locating the ID for your time zone, type these commands:
set timezone <your_timezone_ID>
end
11. In the FortiGate GUI go to System > Config > FortiSandbox, select Enable Sandbox inspection.
Select FortiSandbox Appliance and enter the following settings:
IP Address: 10.200.5.213
Notifier Email: student@training.lab
Click Apply to save the changes.

12. Click Test Connectivity. It should fail. This is because your FortiGate has not been authorized by
FortiSandbox.
13. Open a new web browser tab (or window) and connect to the FortiSandbox GUI:
https://fsa.training.lab
Log in using the default credentials (username admin with no password).

FORTINET
Go to System > Dashboard > Status and check the licenses status in the System Information
widget. Both the VM License and the Windows VM License rows should show a green up arrow
icon.
14. Go to File-based Detection > File Input > Devices, and select the FortiGate firewall. Click Edit,
enable Authorized and click OK.
15. In the FortiSandbox GUI, go to System > Dashboard > Status and click the Change link besides
the System Time.
Adjust the Time Zone to match your geographical location. Enable Synchronize with NTP Server
and type pool.ntp.org as the NTP server.

FORTINET
Click Apply.
16. Enable the logging of file submissions. Go to System > Config > General and mark the check box
for Log event of file submission from device. Click OK.
17. Return to your FortiGate GUI (http://fgt.training.lab).
Go to System > Config > FortiSandbox and click Test Connectivity again.
It should now display that the connection is successful.
Configure file inspection and submission

1. Open a browser window and connect to the FortiGate GUI. Go to Security Profiles > Antivirus,
then click the "+" icon at upper-right corner to create a new profile:
Configure these settings:
Name: Test_Heuristics
Inspection Mode: Proxy
Send Files to FortiSandbox Appliance for Inspection Enabled
HTTP Virus Scan and Block Enabled
SMTP Virus Scan and Block Enabled
POP3 Virus Scan and Block Enabled
Leave the other settings with their default values and click OK to save the changes.
2. Go to Policy & Objects > Policy > Proxy Options. Verify the default profile and make sure that the
options for HTTP and SMTP have been enabled and set to the correct default ports:

FORTINET
3. Go to Policy & Objects > Policy > IPv4. The traffic from the Windows server to the Internet
matches the first policy on the top from port3 to port1. Click this policy and click Edit:
In the Security Profile section, enable Antivirus, and select the Test_Heuristic profile from the
drop-down menu.
Click OK to save and apply the change.

FORTINET
4. Connect to the FortiGate CLI. To examine the antivirus profile selected, type:
show antivirus profile Test_Heuristics

By default, when FortiSandbox is enabled from the GUI, the FortiGate firewall sends all the files
that were not detected as a virus by the FortiGates antivirus scan to the FortiSandbox appliance.
In those cases and after using the previous show command, you will see:
set ftgd-analytics everything

5. Change the profile to send only files that trigger heuristic detection.
config antivirus profile
edit Test_Heuristics
set ftgd-analytics suspicious
end
Submitting files from FortiGate to FortiSandbox

1. In the Windows VM, open Firefox and connect to:
http://www.training.lab/fortisandbox
Download these 3 executable files from the website:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
Note: Because the FortiGate firewall in this lab is using a trial license, HTTPS inspection is
not supported. Make sure that you are connecting HTTP, and not HTTPS, to the internal
web site. If you download any of those files using HTTPS, the FortiGate firewall will not be
able to inspect the traffic and send the files to FortiSandbox.
2. Log out from the FortiGate GUI, then then log in again. A new menu section (Log & Report >
Security Log > AntiVirus) should appear. Go there and notice that only the file fsa_sample_1.exe
was sent to the FortiSandbox. The other two files were not. Do you know why?

FORTINET
3. In the FortiSandbox GUI, go to System > Status and check the Scanning Statistics widget. If the
FortiSandbox has not finished processing the file, you will see one file in the Processing state.
In that case, wait and refresh the widget until it eventually shows that 1 file is Processed and 1 file
is Clean.

FORTINET
4. Go to File-based detection > Scan Results > Suspicious files.
You will notice that there are no suspicious files listed. Go to File-based detection >
Scan Results > Clean/Unknown Files. It lists the file fsa_sample_1.exe.
Stop and Think

Your FortiGate firewalls current configuration only sends files that trigger heuristic
detection. Only the file fsa_sample_1.exe triggered heuristics. The other files did not.
Skilled malware developers will try to make their software appear innocent to antivirus
scans. Thats why the default is to submit all non-virus files.
5. In the FortiGate GUI, go to Security Profiles > Antivirus. Click the "+" icon at upper-right corner to
create a new profile. Configure these settings:
Name: all_executables
Inspection Mode: Proxy
Send Files to FortiSandbox Appliance for Inspection Enabled
HTTP Virus Scan and Block Enabled
SMTP Virus Scan and Block Enabled
POP3 Virus Scan and Block Enabled
Leave all other settings with their default values. Click OK to save the changes.
6. Create a file pattern list that will match all the files with the .exe extension. This file pattern will be
later used in the antivirus profile configuration.
First from the FortiGate CLI, enter this command to enter into the DLP file pattern configuration
mode:
config dlp filepattern

The FortiGate trial license running in this lab allows only up to two file pattern entries. Because the
default configuration already contains two entries, delete the first entry:
delete 1
Now, create a new entry:
edit 1
set name all_exe
config entries
edit *.exe
end
end

FORTINET
7. Apply the file pattern list to the profile as a black list.
config antivirus profile
edit all_executables
set analytics-bl-filetype 1
end
Stop and Think

This profile will submit to FortiSandbox all the files that have the .exe extension.
8. In your FortiGate GUI, go to Policy & Objects > Policy > IPv4 and edit the port3 to port1 firewall
policy.
In the Security Profile section, change the antivirus profile to use all_executables instead of
Test_Heuristic. Click OK.
9. In a new browser tab or window, connect to the internal site:
Download the 3 executable files:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe

FORTINET
10. In the FortiGate GUI, go to Log & Report > Security Log > AntiVirus. Confirm that the FortiGate
this time sent the three files to the FortiSandbox.
11. In the FortiSandbox GUI, go to System > Dashboard > Status. Wait until Scanning Statistics
shows that all files have been Processed.
Stop and Think

You might have observed that the FortiSandbox appliance is processing two files not the
three files sent by the FortiGate Firewall. Do you know why?
Discussion
FortiSandbox does not need to process the file fsa_sample_1.exe again. It remembers
from its checksum that the file has been already processed, and is clean.

FORTINET
12. Go to File-based Detection > Scan Results > Suspicious files. Locate the entries for
fsa_dropper.exe and fsa_downloader.exe.
In the row for the fsa_droppper.exe entry, click on View Details.
Review all of the details listed for that malware, such as:
Source and destination IP addresses
Files created by the malware
Sequence of suspicious steps (behaviors) executed by the malware
Stop and Think

Do you remember when the executable files were originally downloaded? Heuristic
antivirus scanning considered two of them to be safe, but sandboxing detects that they are
suspicious. This illustrates the inherent weakness in relying solely on antivirus engines
heuristic detection.

FORTINET
Exercise 2: Communication with a FortiMail
Configure FortiMail and FortiSandbox to communicate with each other. Confirm that this
communication is successful by having the FortiMail submit files for inspection.
Initialize the configuration

1. From the Lab Overview dashboard of your virtual lab, go to the FortiMail VM and select System >
Open to connect to the FortiMails local console command line interface (CLI):
2. Type these CLI commands to set port1's IP address and disable the HTTP to HTTPS redirection
of the GUI:
config system interface
edit port1
set ip 10.200.2.100/24
set allowaccess ping http https ssh telnet
next
end
config antispam quarantine-report
set web-release-https disable
end

FORTINET
3. Type these CLI commands to add a default route:
config system route
edit 0
set gateway 10.200.2.254
set interface port1
next
end
Note: Now you can alternatively use the PuTTY application in the Windows VM to access
the FortiMail CLI.
4. Open PuTTY and connect via SSH to 10.200.2.100.

5. In the Windows VM, open a browser window and connect to the FortiMail GUI:
http://fml.training.lab/admin
Log in using the default credentials (user name admin with no password).
Note: You might notice that you cannot connect to the FortiMail GUI using HTTPS. This is
expected as the device is using a trial license. FortiMail trial licenses do not support any of
the high encryption algorithms that the browser, by default, uses.
6. Restore the configuration file required for this lab.

Go to Maintenance> System > Configuration. In the Restore Configuration area, click Browse.

FORTINET
Select the backup file FortiMail.tgz inside the folder Resources/FortiSandbox located in the
Windows VM desktop. FortiMail will reboot. Wait until it has restarted, then log in again.
7. Adjust the system time zone.
Go to System > Configuration > Time and change the Time zone to match your geographical
location. Click Apply.
8. Go to System > Configuration > FortiSandbox. Enable the use of a FortiSandbox.
Use the same information that was used on the FortiGate:
IP Address: 10.200.5.213
Admin Email: student@training.lab
Click Apply to save your settings.

9. Click Test Connectivity. It should fail. This is because you havent authorized FortiSandbox to
accept submissions from FortiMail yet.
10. In the FortiSandbox GUI, go to File-based Detection > File Input > Devices. Edit the entry for the
FortiMail, enable Authorized, then click OK.
Return to your FortiMail GUI and click Test Connectivity again. The test should succeed now.
Configure attachment inspection and submission

Configure the FortiMail to start submitting attachments to the FortiSandbox for further inspection. The
FortiMail will be also configured to discard emails when it receives indication from FortiSandbox that
the email contains suspicious attachments.
1. In the FortiMail GUI, go to Profile > Antivirus. Create a new profile with these settings:
Domain: -System-
Profile name: Sandbox_AV
Default action: predefined_av_discard
Virus Scanning: Enabled
Upload suspicious attachment to FortiSandbox: Enabled
Use default values for other settings. Click Create to save the profile.

FORTINET
2. Go to Policy > Policies. Click New to create a new incoming Recipient Policy.
Select Sandbox_AV as the AntiVirus profile and leave all other settings with their default values.
Click Create.
Submitting files from FortiMail to FortiSandbox

Now that the FortiMail is configured for attachment inspection and submission, test sending files from
FortiMail to FortiSandbox.
1. Open a browser window and go to the FortiMail Web Mail URL:
http://fml.training.lab/mail
Log in as student with the password fortinet.
2. Click Compose Mail.

FORTINET
Send an email to student2@training.lab with the subject Test file 1. Attach the file
fsa_downloader.exe downloaded in a previous step. Click Send.
3. Send two more emails to the same user (student2@training.lab). Attach fsa_dropper.exe to one,
and fsa_sample_1.exe to the other one.
4. Wait a few seconds, then log out from web mail. Log in again, but this time using the name
student2 with the password fortinet. You should observe that only the email with the
fsa_sample_1.exe attachment was received.
5. Return to the FortiMail administrative GUI:
http://fml.training.lab/admin
Go to Monitor > Log > History. You should observe a new log entry.
Select the log file and click View. It should show logs for the three email that you sent. Two were
discarded. The antivirus scan did not detect a virus in the third email.
The emails with fsa_dropper.exe and fsa_sample_1.exe attached were both discarded because
FortiSandbox identified those files as suspicious.

DO NOT REPRINT Sniffer Deployment
FORTINET
Sniffer Deployment
During this lab, you will configure the FortiSandbox device for sniffer-mode inspection.
Objectives
Configure a FortiSandbox device to capture traffic and inspect it for potentially dangerous files
Time to Complete

FORTINET
Exercise 1: Sniffer-based detection
1. Configure the FortiGate to stop submitting files to the FortiSandbox. The simplest way to do this is
by disabling antivirus scanning.
Connect the FortiGate GUI, and go to Policy & Object > Policy > IPv4. Edit the firewall policy from
port3 to port1. Disable antivirus inspection and click OK.
2. In the FortiSandbox GUI, go to File-based Detection > File Input > Sniffer and click Enable Sniffer.
Keep port2 as the interface where you want it to capture traffic.
Click OK.
3. Wait about 2 minutes to allow the sniffer process to start. Then go to:
Download these three files one more time:
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
4. In the FortiSandbox GUI, go to System > Dashboard > Status. Check the Scanning Statistics
widget and wait until all the files are Processed. You should observe 2 suspicious and 1 clean files
under the Sniffer column.
Go to File-based Detection > Scan Results > Suspicious Files. More entries were added for the
suspicious files that the sniffer detected.
Go to Log & Report > Log > Local Log. Examine the related log entries.
5. Go to File-based Detection > File Input > Sniffer and uncheck Enable Sniffer. Click OK.

DO NOT REPRINT Other File Submission Methods
FORTINET
Other File Submission Methods
During this lab, you will use additional FortiSandbox features, such as manual file submission, file
share scanning, and URL scanning.
Objectives
Manually submit files for inspection
Scan network file shares for suspicious files
Manually submit URLs for inspection of potentially malicious web sites
Time to Complete

FORTINET
Exercise 1: Manual File Submission
1. In the FortiSandbox GUI, go to System > FortiView > On Demand. Select Submit File. Click
Browse and select the file fsa_dropper.exe.
Check the Sandboxing and Cloud Query boxes to bypass those types of inspection.
Click Submit and then Close.

2. Wait a few seconds, then click the refresh button.
The file will be reported as clean.
Go to Log & Report > Log > Local Log and examine the entry for the submitted file.
Stop and Think

The antivirus scan does not detect that fsa_dropper.exe is dangerous because it does not
match any antivirus signature, and you bypassed the sandboxing inspection. However, a
dropper is a dangerous file to execute. If you submit it for sandboxing inspection,
FortiSandbox will detect that it is suspicious.
This is an expected behavior. These steps are meant to demonstrate the differences
between the various types of inspections in FortiSandbox appliances.
3. Return to System > FortiView > On-Demand and submit the fsa_dopper.exe file again. This time,
do not bypass any inspection type.
Click on the refresh button. Wait a few minutes while FortiSandbox processes the file.

FORTINET
FortiSandbox should now indicate that the file is suspicious.
Stop and Think

In order to obtain malware samples and submit them to FortiGuard, you may need to
temporarily bypass specific types of inspections. This is why the option exists.

FORTINET
Exercise 2: Scanning File Shares
In this exercise, you will configure the FortiSandbox appliance to scan a network file share on the
Linux server.
Access the file share

Two file shares have already been created on the www.instructor.lab server. You will put some files
there and configure the FortiSandbox appliance to inspect them.
1. On the Windows VM, open a File Explorer window and type this directory path inside the top
navigation bar:
\\10.200.1.254\share
2. Copy and paste all three files you downloaded from the internal website to this shared folder.
fsa_downloader.exe
fsa_dropper.exe
fsa_sample_1.exe
3. Open a new File Explorer window and go to this shared folder:
\\10.200.1.254\quarantine
The quarantine folder will be used later to quarantine suspicious files detected by the
FortiSandbox appliance.
Leave these two folder windows open.

FORTINET
Configure a network share
You must now configure the FortiSandbox appliance with the file share information. This includes the
server IP address and folder name. The preconfigured file shares allow anonymous connections, so
no user login credentials are required.
1. In the FortiSandbox GUI, go to File-based Detection > File Input > Network Share and click Create
New. Configure these settings:
Name: Share
Mount Type CIFS
Server IP 10.200.1.254
Sharepath /share
Filename pattern *.*
Leave all the other settings at the default values and click OK to save the file share.
2. Edit the file share created and click Test connectivity at the bottom.
Ensure the FortiSandbox appliance reports that that share is accessible. Click OK to close it and
check that the status appears.
3. Edit the file share more time and click Scan Now. The unit will start scanning the files in the
shared folder.
4. Go to System > Dashboard > Status and check the Network column in the Scanning Statistics
widget. Wait until the unit has processed all the files.
Once the scan is complete, go to File-based Detection > Scan Results > Suspicious Files. You will
find details about the suspicious files being reported by the file share inspection.
5. Refresh the two file share folders open on your desktop. You will notice that the content has not
changed. The share folder still contains the 3 files and the quarantine folder is still empty.
Note: Simply enabling a file share does not configure a FortiSandbox appliance to
quarantine any suspicious file.

FORTINET
Configure a quarantine location
If you want to quarantine suspicious files, you first must create a quarantine folder.
1. In the FortiSandbox GUI go to File-based Detection > File Input > Quarantine and click Create
New. Make a share with these settings:
Name: Quarantine
Mount Type CIFS
Server IP 10.200.1.254
Sharepath /quarantine
Keep original file at current location Disable
Leave all the other settings with the default values and click OK.
2. Edit the quarantine folder you just created and click Test connectivity.
Confirm that the folder is accessible.
3. Configure the FortiSandbox appliance to use the quarantine folder. Go to File-based Detection >
File Input > Network Share and edit the Share entry.
Select Enable Quarantine and choose the Quarantine entry. Click OK to save the change.
4. Edit your Share entry again and click Scan now. Wait until all the files have been processed.
Once the inspection finishes, refresh the two shared folders on your desktop (share and
quarantine). Notice the content of both has changed.The share folder still has fsa_sample_1.exe,
which is clean, but FortiSandbox replaced the other two files with .quarantined files.
The quarantine folder contains now a subfolder with two files per suspicious file detected. One file
contains the metadata of the suspicious file, and the other file the file data.

FORTINET
Exercise 3: Inspecting Suspicious URLs
During this exercise you will upload a list of URLs that the FortiSandbox appliance will inspect.
1. Connect to the classroom website:
Right-click on the url.txt file and select Save Link As to save it to the Windows desktop.
Double-click the file to open it with a text editor. It contains a list of three websites.
2. In the FortiSandbox GUI, go to URL Detection > Scan Results > On-Demand and click Submit file.
Set Depth to 1 and click Browse. Select the url.txt file from the desktop, then click Submit.
Caution: The Depth value determines how far the FortiSandbox appliance will follow any
link on the page. For example, a value of 5 would cause the device to follow all links on the
initial page, then every link on all of the sub-pages, repeating this a total of 5 times.
Some websites might find this kind of activity to be suspicious, and therefore might
temporarily (or permanently) block your public IP address. Only use this feature to
investigate a website suspected of being hijacked or delivering malware.
Stop and Think

The FortiSandbox appliance is acting like a web spider when it evaluates the content of a
website. Some websites will block traffic if there are too many requests coming from the
same source IP address, because its a typical of content scrapers and DoS botnets.
In a large website like Amazon or eBay, each page has many links; there are many pages.
Consider how many connections FortiSandbox would make if you set the depth value too
high. So dont scan production web sites if possible (use a staging or QA copy if possible),
dont set your depth value too high, and avoid scanning the same website repeatedly.
3. Go to URL Detection > Scan Results > On-Demand. Wait a few minutes until the Status of the
submission changes from In-Progress to Done. Meanwhile, click View Jobs to examine which
URLs FortiSandbox has already inspected.
Stop and Think

What is the FortiSandbox appliance doing now?
Discussion

FORTINET
URL inspection does much more than just web filtering rating. The FortiSandbox appliance
is using the VMs browsers to open the URLs and record the resulting traffic. It is also
logging all changes in the VM while the browsers download and display the URLs content.
4. After FortiSandbox has inspected the three URLs, click View Jobs again. You should observe that
FortiSandbox detected that one of the three URLs is suspicious. Click View Details for that URL.
Observe details such as Suspicious Behaviors, Files Created, and Network Behaviors. Then go to
the WIN7X64VM tab and click Captured Packets. Download a packet capture (PCAP) file.

FORTINET
5. Double-click the packet capture file to open it. Wireshark will decode and display the packets.

DO NOT REPRINT Reports
FORTINET
Reports
During this lab, you will generate FortiSandbox reports about the latest threat activities.
Objectives
Generate reports about the sandboxed threats that FortiSandbox finds on the network
Time to Complete

DO NOT REPRINT Reports
FORTINET
Exercise 1: Generating Reports
1. In the FortiSandbox GUI, go to Log & Report > Report > Generate. Use these settings:
Report Type Threat Activity Report
Time Period Last Day
Click OK.
2. Go to Log & Report > Report > Access. Select the report, then click Download Report.
Save the PDF file and open it to view its content.

3. Return to Log & Report > Report > Generate. This time, use these settings:
Report Type Executive Summary Report
Time Period Last Day
Click OK.
4. Go to Log & Report > Report > Access, select the new report, then click Download Report.
Save the new PDF file. Open it and compare its content with the content of the first report.

DO NOT REPRINT Diagnostics
FORTINET
Diagnostics
During this lab, you will learn to use some FortiGate, FortiMail and FortiSandbox debug commands.
You can use them to troubleshoot the most common issues when deploying a FortiSandbox.
Objectives
Diagnose sandboxing connection issues between FortiSandbox and an integrated FortiGate
Determine whether or not FortiMail is sending a suspicious file to FortiSandbox
Determine the current FortiGuard package versions and last known connectivity status
Time to Complete

FORTINET
Exercise 1: FortiGate Diagnostics
In this exercise, configure the FortiGate firewall to submit files to the FortiSandbox appliance again
while running and analyzing the output of some FortiGate debug commands.
1. In the FortiGate GUI, go to Policy & Objects > Policy > IPv4. Edit the firewall policy from port3 to
port1 and enable the Test_Heuristics antivirus security profile.
2. Use PuTTY to connect to the FortiGate CLI and enter these commands to enable the real-time
debug output for the quarantine process:
diagnose debug application quarantine -1
diagnose debug enable

3. Connect to the internal website and download the file fsa_sample_1.exe one more time. Wait a
few minutes for the FortiSandbox appliance to process the file. You should observe lines similar to
these ones in the debug output:
__quar_job_validation()-164: analytics: Vfid=0, Status=1, Status-

descr=fsa_sample_1.exe, Service=4, Checksum=d187c977, Size=4096,
URL_length=46
The FortiGate firewall has created the quarantine request.
__quar_start_connection()-778: start server global_fsb-10.200.4.213

in vdom-0
Connection is started to the FortiSandbox appliance (IP=10.200.4.213).
__quar_build_pkt()-330: build req(id=320, type=4) for vdom-root,

len=79, oftp_name=
quar_remote_send()-441: req(id=320, type=4) read response,

dev=global_fsb, xfer_status=1, buflen=12
The file is being transferred to the FortiSandbox appliance.
quar_remote_recv()-632: file-[320] is accepted by server(global_fsb).
quar_put_job_req()-314: Job 320 deleted

FortiSandbox is accepting the file.
4. Disable the debug output.
diagnose debug application quarantine 0
diagnose debug disable
Caution: Always disable all debug output after finishing troubleshooting. Otherwise
debug output will continue to run in the background, even after an administrator logs out,
resulting in wasted CPU resources. If debug logs are written to disk, this can also result in
premature disk failure to the high volume of entries.

FORTINET
5. Enable the debug output for the antivirus scan process.
diagnose debug application scanunit -1

6. Download the same file again. Analyze the new debug output.
7. To finish this lab exercise, disable the antivirus scan debug output.
diagnose debug application scanunit 0
diagnose debug disable

FORTINET
Exercise 2: FortiMail Diagnostics
In this exercise, the FortiMail appliance will send a file to the FortiSandbox appliance again, while
running and analyzing the output of a FortiMail debug command.
1. Use PuTTY to connect to the FortiMail CLI. Enable these debug outputs.
diagnose debug application sandboxclid 65
diagnose debug application sandboxclid enabled
diagnose debug application sandboxclid display

2. Connect to the FortiMail web mail portal using the student account with the password
fortinet.
http://10.200.2.100
Send an email to student2@training.lab with the fsa_dropper.exe file attached.
Examine the CLI diagnostic output. Did FortiMail receive the email? Did it scan the file? If so, what
was the verdict? What did it do with the email as a result?
....:AgentImpl.cpp:272:EnsureConnection: connected to sandbox server
....:AttachmentExtractorQF.cpp:53:ParseHeaders: attachments [2C] will

be uploaded
....:AttachmentExtractorQF.cpp:90:visitRfc822Msg: attachment 1 is
skipped
....:FileVerdictCommand.cpp:70:Prepare: checking xxxx
....:RemoteCommand.cpp:217:Execute: server ack code: 0
....:FileVerdictCommand.cpp:102:ParseData: size of OFTP_OPT_DATA: 67,

raw: 1258291200
....:FileVerdictCommand.cpp:139:ParseData: verdict data returned:

0190877C
....:FileVerdictCommand.cpp:141:ParseData: number of verdict

returned: 1
....:FileVerdictCommand.cpp:166:ParseData: verdict_v2_t is used
....:FileVerdictCommand.cpp:172:ParseData: hash xxxx, score 2, flags

0
....:FileVerdictCommand.cpp:175:ParseData: hash xxxx, malware Dropper

FORTINET
....:AgentImpl.cpp:533:ScanEmail: File fsa_dropper.exe (checksum:
xxxx) was previously scanned by FortiSandbox. Scan result:
rating=SUSPICIOUS_HIGH, name=Dropper
....:SandboxEngine.cpp:364:state: scanjob report: 0 s to pickup, 0 s

to upload, 0 s to check results
....:SandboxEngine.cpp:380:state: Email qft8LHHoZq002003-

t8LHHoZr002003 has been processed by FortiSandbox, 1 suspicious is
found, 0s used to process the email
....:SandboxEngine.cpp:234:PutScanJob: scan job is done

3. Disable the debug output.
diagnose debug application sandboxclid disable

FORTINET
Exercise 3: FortiSandbox Diagnostics
1. From the Lab Overview dashboard of the virtual lab, go to the FortiSandbox VM and select
System > Open to connect to the FortiSandbox local console CLI.
2. Enter the CLI command:
sandbox-engines
It displays the version information for different components of the FortiSandbox firmware.
test-network
It runs a series of connectivity tests, including DNS and Internet access tests.
show
It displays all the interfaces IP addresses.
5. Enter these CLI commands:
status
vm-status
They provide information about the firmware, licenses and VM status.

DO NOT REPRINT Appendix A: Additional Resources
FORTINET
Appendix A: Additional Resources
Training Services http://training.fortinet.com
Technical Documentation http://help.fortinet.com
Knowledge Base http://kb.fortinet.com
Forums https://forum.fortinet.com/
Customer Service & Support https://support.fortinet.com
FortiGuard Threat Research & Response http://www.fortiguard.com
Build a malware analysis lab http://resources.infosecinstitute.com/portable-

malware-lab-for-beginners/
https://zeltser.com/build-malware-analysis-toolkit/
Programming forum about malware http://www.kernelmode.info

DO NOT REPRINT Appendix B: Presentation Slides
FORTINET
Appendix B: Presentation Slides

DO NOT REPRINT Sandboxing Concepts
FORTINET
In this lesson, we will explore many of the basic concepts you need to understand
FortiSandbox. This includes an overview of FortiSandboxs deployment methods.

FORTINET
After completing this lesson, you should have these practical skills that will allow you
to employ a FortiSandbox device in your network:
Understand how antivirus signatures work, what heuristics are, and how
sandboxing is different
Describe malware mechanisms and terminology
Understand FortiSandbox models, sizing, licenses, and support contracts
Locate documentation

FORTINET
FortiSandbox specializes in detecting new malware. So lets begin by defining

malware: what it is, how it operates, and the techniques it uses to evade detection.

FORTINET
Are viruses new? No, but the idea is even older than you may think.
In 1949, long before PCs existed, John Von Neumann gave lectures at the
University of Illinois about what he called self-replicating automata. On ARPANET,
the precursor to the Internet, the first virus, named Creeper, was detected in 1971.
Since then, malicious software has evolved into many types. Technically, although
we often refer to all malware as viruses, not every piece of unwanted software
behaves like a virus malware is not always self-replicating, and sometimes users
willingly install it. To include viruses, worms, Trojans, spyware and all others, we
now use the term malware.
Malware can be divided into 2 major types:

viruses, which infect the computer and spread on their own (generally via an
exploit), such as Flash ad banners whose binaries contain buffer overflow code
grayware which requires some kind of user interaction but convinces them that
the benefit outweighs the cost, such as browser toolbars that also track the users
activity and insert its own ads into web pages

FORTINET
Within the category of viruses, there are 2 important subtypes:

Trojans such as Zeus, like the literary Trojan horse, trick users into letting down
their defenses and installing them, and then often use the network to spread via
email or instant message.
Worms, such as Conficker and Code Red, spread by connecting to open ports on
the network and exploiting misconfigurations or other vulnerabilities in those
daemons. Note: No user interaction is required. One popular misconception
is that people will be safe if they just dont click the wrong thing: dont
open spam, dont double-click EXE files. But this is false. Worms dont
require you to click anything. And for many years, people thought that images
couldnt contain viruses because they werent executables, but now image
viruses exist: they exploited bugs in Windows image rendering algorithms: no
click and no executable required.
A Trojan can infect the same host multiple times, but that happens when another
copy arrives from an external source. The local copy of the software does not try to
re-infect the computer.

FORTINET
Just as viruses have evolved many vectors for spreading, they also have evolved
many techniques for evading antivirus engines and manual analysis.
Viruses can encrypt their payloads, or change the exact code. As a result, when
comparing a signature to the binary sample, the two therefore arent an exact, bit-
by-bit match. So in order to detect the virus, the engine must be able to either:
match flexibly, or
ignore the changeable parts of the code, and match only based on the
polymorphic or metamorphic engine.

FORTINET
How else can malware go undetected? If a vulnerability is unknown.
Ideally, security researchers find a vulnerability before attackers make the software
to exploit it. This gives the vendor time to create a patch and security companies
time to create signature or engine updates. But in the case of a zero-day attack,
there is no advance notice. There is a dangerous gap: systems are being exploited
but no fix or defense is available.
Exploits for unknown vulnerabilities called zero-day attacks are sold for large
amounts of money on the black market. Since these exploits arent known to their
vendors, nor to security experts, theres no available patch or signature for
detection. Thats what makes them so dangerous.
Some companies and organizations like Facebook and Google have offered
bounties for the responsible disclosure of these exploits, but theres a very profitable
market for black hat hackers to sell these discoveries to everyone from covert
government surveillance to organized crime syndicates.
Zero-day attacks are the keys to unauthorized access of your entire network.

FORTINET
If you notice an attack, your initial self-defense instinct may be to immediately take
the server offline, then format it to remove all traces of malware. But by doing this,
youll alert the attacker, and destroy forensic evidence. For motivated attackers, this
will only educate them their next attack will be harder to detect, and more
sophisticated. Make sure your team understands the most appropriate way to
respond to each different type of intrusion.
If youre vigilant, and if you have the resources, you can also write your own custom
IPS signatures. Better yet, add a FortiSandbox.
FortiSandbox is designed specifically to combat zero-day attacks. It discovers

them as soon as possible, and where possible, automatically makes a
signature to begin protecting your network instantly.

FORTINET
Malware can behave in many different ways. Sometimes, they combine different
behaviors. Malware developers are highly skilled and actively work to avoid
detection. Malware developers often test their results against antivirus engines,
including Fortinets.
When FortiSandbox makes reports about detected malware, it will use specific
words to indicate the malwares behavior. Lets define those words.

FORTINET
Regardless of how the virus spreads, once installed, a virus is somehow malicious.
What makes it malicious? Its behavior. (This is one of the reasons, by the way, that
security analysts use sandboxing such as FortiSandbox to discover new viruses.
Looking at which C functions a virus contains, for example, cannot find all viruses.
Forensics lab must see which functions actually execute, and what the effects are.)
Most people are familiar with spyware, adware, and rootkits. Malware could also be:
Ransomware such as the CryptoLocker worm is fairly new. The software holds
the computer hostage, often encrypting critical user data with a password or
secret key, until the victim pays the extortionist.
Key loggers record key strokes and return them to a remote location including
sending administrator logins and personal email addresses for executives.
Mass mailers transform computers into open relay mail servers for the botnet,
often managed via a remote command and control, sending spam for hire. These
are often operated by organized crime syndicates.

FORTINET
An infector is a type of malware that inserts code into your files. Every time a user
starts that program, or opens that file, the code runs. This is a classic computer
virus.

FORTINET
When infected, hosts may connect to a server controlled by the attacker. The
attacker then uses the compromised hosts effectively as if the botnet is their
personal cloud: to send spam, attack other servers, and even re-compromise hosts
where the administrator has removed the original virus.
One such botnet is known as Chimera.

FORTINET
A hijack is a type of malware that takes over control of communications channels

and redirects them without user consent or knowledge. Generally this is done to
intercept, monitor, and/or prevent communication.
Cross-site scripting (XSS) using malicious JavaScript, for example, can redirect web
traffic through a compromised server.

FORTINET
A stealer is a type of malware designed to harvest information from the infected

host. Generally stealers go after user credentials and passwords, but they can also
look to transmit files as well.
An example of this would be a keylogger tool that records all of the keystrokes a
user types and then sends them back to a remote server.

FORTINET
A backdoor is a type of malware that provides a remote user access to, or control of,
the system while bypassing any sort of normal authentication measures.
There are numerous ways in which backdoors can be installed.

FORTINET
An injector is a type of malware that modifies a legitimate program in order to

execute malicious code.
This malware often propagates through infected web browsers or browser add-ons.

FORTINET
A rootkit is a type of malware that gains administrative privileges (like a root user on
a UNIX system). Because only the Administrator or root account has sufficient
permissions to see the malwares files, normal user accounts cant see them, and
they can remain hidden for a long time unless you are monitoring for unexpected
traffic or root files.
ZeroAccess and Skynet are examples of rootkits.

FORTINET
A dropper is a type of malware designed solely to bypass detection and install other
kinds of malware. Droppers can be difficult to detect by virus scanning because they
usually look like a normal installer or other system file.
Droppers often act like Trojans.

FORTINET
A downloader is a type of malware similar to a dropper except that it doesnt

include the malware, so its even harder for an antivirus software to detect. Most
behavior is identical to legitimate software installers.
What makes it different from a normal installer?
When executed, a downloader connects to a server thats controlled by an attacker.

The server decides what malware to install. To try to avoid detection, it may send an
encrypted package.

FORTINET
Now that we know how viruses behave, how can we detect them?
Lets discuss antivirus signatures and heuristic antivirus scanning, including their
limitations, and how sandboxing fits in.

FORTINET
During a traditional antivirus scan, in order to be detected as a virus, it must match a

defined pattern called a signature.
Different vendors have different names for the same virus. Some vendors use
patterns that detect one virus per pattern, while others use patterns that are more
flexible, and can catch multiple viruses with a single pattern. It varies by the
vendors engine.
What is standard is the attack vector designation. Its at the beginning of the name.
For example, if the vector is W32, it represents 32-bit Windows. W64 represents
64-bit Windows. JS represents JavaScript (which is cross-platform).
Because signatures require an exact match, however, they dont provide

much protection against new viruses no signature exists yet. So what other
techniques can antivirus engines use?

FORTINET
Antivirus signature databases have two related challenges: performance and

flexibility.
Performance decreases when databases get larger. This is because they

must, on average, make more comparisons to find a match or determine that
there is no known match. Engines that use file hashes for signatures usually
have the worst performance: hashes are fast to compute, but viruses mutate so
frequently that there may be hundreds of hashes for each virus.
Flexibility is crucial, too, because of how often viruses mutate. Ideally, one
pattern can match multiple variants. If a signature cannot catch many forms of the
same virus, then the virus may have mutated several times after the previous
signature update, making each signature less effective.
To design for these challenges, Fortinet uses CPRL (Compact Pattern Recognition
Language) to write its signatures. That way, FortiGate can detect a wide variety of
malware using a relatively small database.

FORTINET
What is another way that FortiGate can use to detect viruses? It can look for
attributes that viruses usually have and make educated guesses in other words, it
can apply heuristics.
Heuristics are based on probability, so they increase the possibility of false

positives, but they also can detect zero-day viruses viruses that are new and
unknown, and therefore no signature exists yet. That is the tradeoff. If your network
is a frequent target for virus-writers, enabling heuristics may be worth the
performance cost because it can help you to detect a virus before the outbreak
begins.
By default, when the antivirus scans heuristic engine detects a virus-like

characteristic, it will log the file as Suspicious but will not block it. Suspicious files
can be treated differently from a positive match with a virus or grayware signature:
you can choose whether to block or allow suspicious files.

FORTINET
Both antivirus signatures and heuristic rules have limitations. They can only
detect what they are configured to know according to the antivirus engine and its
signatures. Plus, with heuristics, the antivirus engine could sometimes mistakenly
quarantine innocent files.
What can detect new viruses with more certainty?

FORTINET
Emulating the code, or running a full simulation, is a much more certain method.
But is this safe? Is it fast?
Some network virus scanners can do some runtime code execution. Full execution
is generally not done by a network virus scanner, however: smart malware will
disable or destroy antivirus scanners, and could infect the host. Full code execution
requires a separate, protected environment. This requires system resources and
time thats not normally available on a network device. In other words, it requires a
sandbox

FORTINET
Obviously you shouldnt try a potential malware file unless its in a very controlled
environment. So malware analysts have usually created their own isolated hosts
and networks to do this. These are called sandboxes: expendable hosts that
arent connected to the rest of your network.
Just like a childs sandbox environment in which play structures are created, once
complete, a sandbox host is torn down and reset back to the original state. There is
no risk to the integrity of your overall network.
Like honey pots, manual sandboxing requires resources and expertise. Theyre not
trivial to set up. If not done correctly, malware could escape and cripple thousands
of hosts on your network. Developing safe removal procedures for unknown
malware can require expert knowledge of the operating system.
FortiSandbox simplifies much of the complexity of creating your own sandbox, and
thereby makes it safer. In addition, sophisticated and detailed tracing software
record the behavior and provide a report on the activities. This is a crucial step to
defending against new malware.

FORTINET
Whether you use FortiSandbox to discover new viruses, or one is discovered by

your own security team, the next step is to develop a signature to detect it so that
your FortiGates can begin to block it.
New viruses can be submitted to FortiGuards security research team manually or

automatically, via FortiSandbox or FortiCloud Sandbox.
If you want to submit a new virus manually, go to the FortiGuard web site. Upload
the file for scanning. If the virus does not currently exist in any of the FortiGuard
Antivirus databases, the web site will report it as being clean. You will then have
the option to submit the sample to FortiGuard analysts. They will develop a
signature for it, as well as engine modifications (if necessary), and this will be in the
next update that your FortiGate and FortiMail devices download from FortiGuard.
In addition to protecting your own network, this obviously also helps to ensure that
others networks wont be infected either. By being part of a united security
community, you can help to stop botnets from growing into large threats that
can DDoS and spam your servers. This has benefits for you, and not just your
neighbors.

FORTINET
What does a sandbox look like? What is its software architecture?

FORTINET
Apart from the virtual machines inside FortiSandbox the images of target hosts
such as Windows 7 and other platforms that malware could attack FortiSandbox
also has FortiGuard engines and packages, including the extreme database for
FortiGuard Antivirus.

FORTINET
The master VM is the original system in which the Windows license key is activated.
A snapshot is created so the master VM contains the main image plus a snapshot.
The snapshot is taken in a running state in order to achieve a faster startup (no
waiting for the system initialization).
Once started, the master VM is cloned and each new VM is set in such a way that
after terminating the execution of a sample, it reverts to the snapshots. This way,
there is no risk of infection of the system because each sample is run in a clean
environment that has been started from the snapshot.

FORTINET
When a Fortinet device submits a file to a FortiSandbox, FortiSandbox first performs

a FortiGuard Antivirus scan. If the file is not a known virus, then it queries the
FortiGuard Cloud. This is to see if another FortiSandbox device has already
analyzed the same file, saving time. If the file is not known to the cloud, then
FortiSandbox creates a VM clone and begins local sandboxing.
Once the process is finished, a rating engine evaluates the behavior and decides if
the file is malicious or not. FortiSandbox replies to the device that submitted the file,
and if the file was malicious, may help it to create a signature and alert. By default, it
also notifies FortiGuard Cloud of the result. FortiGuard security researchers utilize
the results to develop detection signatures, which your FortiGate and other Fortinet
devices can then use to protect your network.

FORTINET
In this section, we will examine the different FortiSandbox appliances available as

well as the available models, sizing, licenses, and support contracts.

FORTINET
The number of files scanned per hour listed in the FortiSandbox specifications is
based on a calculation of 3 minutes per file--which is a worst case scenario
calculation (a safe estimate). In actuality, since file sizes and scan times are
variable, the real number of files that get scanned will generally be higher then the
value advertised. FortiSandbox uses adaptive logic to decide how long a file should
be sandboxed.
For example: A 1000D is listed as being able to scan 160 files per hour.
This is determined by assuming all 8 VMs are inspecting files and spending the full
3 minutes to sandbox each one. In production, not all files will be sandboxed for the
full 3 minutes (or even sandboxed at all) so the actual number of files that will be
scanned per hour is going to be higher.

FORTINET
The FortiSandbox is available as both a hardware appliance and a virtual machine.
As a hardware appliance, FortiSandbox has two models: 1000D and 3000D. The
differences between the two are noted in the table.
The number of files a FortiSandbox virtual machine is capable of scanning per hour
depends on the processing power and speed of the server on which it has been
installed. Providing more resources for the image will increase the amount of traffic
it can process.

FORTINET
The number of nested VM images that a FortiSandbox VM is capable of running is

based on the licenses purchased. The licenses also increase the minimum
recommended resources. The overall minimum for a FortiSandbox VM can be found
by adding the values of all the licenses applied.
Note that having a FortiSandbox VM of any significant size requires a large amount
of memory and processing power. You must also consider drive space.
The minimum recommended amount of memory for a FortiSandbox VM with these

licensesand keep in mind that these numbers are minimumsis 100GB.
The FortiSandbox puts files into a queue for scanning if it cannot keep up with
traffic.

FORTINET
Different FortiSandbox models have different capabilities. The snapshots that is,
instances of a host such as Windows 7 configured in a specific way, running specific
services at a specific time are configured slightly differently as well.
WIN7X86 is a 32-bit version of Windows 7. It has Internet Explorer 9, Adobe

Reader 10, and MS Office 2013. WIN7X64 is a 64-bit version of Windows 7 with
Internet Explorer 10 and Adobe Reader 11.
Sandboxing jobs are queued by the files requirements. Software required to

run a file varies, and may not exist on all VMs. FortiSandbox will choose the next
available VM that meets the requirements, which in some cases could be any of the
4 snapshots.
For example, Microsoft Office 2007 does not understand Office 365 files, but Office
2013 does. This means that only the 32-bit Windows 7 VM can be used to sandbox
Office 365 files. So if all snapshots of WIN7X86 are in use, the Office 365 file will
be queued as a job and wait for the next available instance of WIN7X86. If another
file is submitted with different snapshot requirements and other VM images are
available (while the Office document is waiting), it will be scanned first.

FORTINET
There are a couple of reasons that Windows XP VMs are run on FortiSandbox:
1. Windows XP still accounts for a large portion of the desktop market today.
2. Windows XP is less secure than newer Windows operating systems. This makes
it an easier vector for infection and therefore a target for malware developers.
3. Windows XP-based malware running on Windows 7 will be forced to contend
with the Windows 7 architecture (even with the built in XP emulation), which
could result in a failed execution because of some aspect of Windows 7.

FORTINET
One of the reasons FortiSandbox does not have more VMs with newer operating
systems is due to the nature of the malware landscape itself. Currently, the majority
of the threats observed by FortiGuard are Windows XP and 32 bits.
Why is this? It has to do with malware code. 32-bit code can run in both a 32- and
64-bit environment. All 64-bit operating systems include a 32-bit emulator for code
execution. Because of this, malware developers prefer to write code in 32-bits; 64-
bit code reduces the number of possible infections (because 64-bit code cant run
on 32-bit machines). Since Windows XP uses different technology than newer
Windows operating systems, use of the 32-bit emulator is more reliable than on
Windows 7 and 8.
The design of the FortiSandbox, however, allows for additional OSes to be added
over time as the threat landscape evolves.

FORTINET
A FortiSandbox support contract (on both the hardware appliance or VM) entitles
you to:
1.Next business day hardware exchange. If the hardware breaks and it is under
contract, a replacement is shipped and should arrive on the next business day.
2. Technical support.
3. Updates from the FortiGuard Distribution Network. This includes updates to the
virus definitions and engine, the sandbox engine, the network alerts, cloud queries,
and URL ratings.
If the contract expires, FortiSandbox continues to perform antivirus scanning and

sandboxing, but over time, as new malware is released, they wont be effective
against new malware. The ability to query the cloud to see if a sample has been
scanned as well as the ability to rate URLs will stop, which will also impair the scan
accuracy.

FORTINET
When FortiSandbox boots, it validates the licenses of the VM images it uses for
scanning. This requires an Internet connection. Once the images are activated, the
VMs inside FortiSandbox are cloned each time that it needs to create a sandbox,
then destroyed at the end of the sandbox job.

FORTINET
As far as the FortiSandbox VM licenses are concerned, they operate in a similar

fashion to the FortiGate with VDOM licenses. The base VM requires a contract,
which provides the same benefits as the hardware appliance. You can then
purchase and apply additional licenses to expand the number and type of VMs the
virtual device will run. As previously mentioned in this lesson, each additional
license increases system requirements.
License files are applied through the FortiSandbox Web-based manager or CLI (the
process is similar to FortiGate).

FORTINET
Another feature of FortiSandbox is the ability to inspect Microsoft Office documents.

While versions of Microsoft Office 2007 and 2013 are pre-installed on the Windows
VMs, they are not activated automatically.
You can download the license file for Microsoft Office from the Customer Service &
Support website, after which you must manually apply the license to FortiSandbox.
Once the license file is applied, the software on the VM is automatically unlocked
and FortiSandbox begins scanning Office documents. All versions of Office
documents can be scanned, including Office 365 files.

FORTINET
FortiSandbox feature support varies by which device is submitting files, and what
firmware version they have.

FORTINET
Here, we show the features that support communications with FortiSandbox:
FortiSandbox interoperates with other Fortinets devices for traffic inspection,

such as: FortiOS 5.0.4 (FortiGate or FortiWiFi), FortiMail 5.2, FortiClient 5.4 and
FortiWeb 5.4. FortiClient and FortiWeb only support communication with
FortiSandbox 2.1.
FortiGate can send to FortiSandbox, through previous configuration, either all
files or only suspicious ones for further inspection. FortiMail and FortiClient send
all files.
FortiSandbox will also send back: statistic information to the FortiGate; statistic
and rating information to the FortiMail; and rating information and real-time file
signatures to the FortiClient.
Dynamic, local intelligence updates (signatures and IPs), generated by
FortiSandbox is supported to act on FortiOS 5.4.
Dynamic IPs are also supported, and FortiGate will not have to be reconfigured
on the FortiSandbox each time.
FortiSandbox can be deployed in both architectures, NAT and Transparent mode.

FORTINET
FortiManager and FortiAnalyzer can also interoperate with FortiSandbox.
FortiAnalyzer 5.0.8 or newer can store logs from your FortiSandbox. In

FortiAnalyzer 5.2.2 or newer, event management is also supported.
You can use FortiManager 5.0.6 or newer to manage your FortiSandbox, and to
provide a centralized local source for FortiGuard updates, instead of all your
devices communicating directly with Fortinets global FDN service for FortiGuard
Antivirus updates.

FORTINET
You can find FortiSandbox documentation at:

http://docs.fortinet.com/
Each model has its own QuickStart Guide that you can use to quickly get
FortiSandbox up and running. Release Notes provide useful information about
upgrades and bug fixes in each release. Finally, the Administration Guide contains
detailed information on each feature.
For general information on how to analyze malware, you can begin with some of the
books and web sites listed here.

FORTINET
To review, these are the topics we discussed:
Behaviors of each malware type

How sandboxing is different from traditional heuristic and/or signature-based virus
detection
FortiSandbox models, sizing, licenses, and support contracts
Available resources and documentation

DO NOT REPRINT Basic Setup
FORTINET
In this lesson, well show how to complete basic settings that are independent of
your FortiSandbox deployment topology.

FORTINET
After completing this lesson, you should have these practical skills that you can use
to complete basic FortiSandbox setup, up to the point where traffic is flowing and
you can begin to apply security settings.
Lab exercises can help you to test and reinforce your skills.

FORTINET
In this section, we will explore FortiSandbox placement into your network.

FORTINET
When deploying FortiSandbox, you first need to know where to position the device
within your network.
Issues you need to consider are connectivity and administrative access. For
example, will the VM images running on the sandbox be allowed to access the
Internet? Which network segments should be able to access the web-based
manager (GUI)?
Finally, should there be any access restrictions on the Internet for the FortiSandbox
itself? If you want to have access restrictions, then you many want to consider
running FortiGuard through FortiManager.

FORTINET
When FortiSandbox is deployed within a network, you should ensure each port on
the device serves a specific purpose.
Port 1 is locked to provide access to the GUI and CLI. Likewise port 3 is locked so it
provides outside access to the VMs.
However, port 1 (through the use of various static routes, as needed) could also be
used for other types of system management traffic, such as alert emails or SNMP
traffic. Port 3 can also be used, not only for Windows VMs' Internet access, but also
for FortiSandbox Internet traffic, such as FortiGuard and DNS traffic.
This leaves six other ports available for files submissions from devices and sniffer
deployment.

FORTINET
So, the behavior for ports 1 and 3 is hard-coded and cannot be changed:
Port 1 is set up for administrative access

Port 3 is set up for Internet access
It is important to note that the VMs will use Port 3 to access the internet. This
means malware uses it to access the Internet, and as such, for the accuracy of
malware detection this port should be unrestricted. You must ensure, however, that
this interface has no possible way of accessing the internal network, since it could
result in the spread of malware through the network.
You can prevent the VMs from sending traffic out Port 3 to access the internet, but
this will lead to less accurate detection.

FORTINET
Not all of the ports on FortiSandbox are setup up to allow for administrative access.
Only Port 1 is hard-coded to allow for admin access on HTTPS and ping. These
cannot be disabled.

FORTINET
Port 3 traffic is generated by malware running within the sandbox environments as

well as through Internet queries from the device itself.

FORTINET
Whether to allow the VMs to operate in an open or closed environment is not a

trivial consideration. Allowing the VMs to access the Internet needs to be considered
carefully.
Due to the nature of software that FortiSandbox is intended to find, the resulting
traffic can lead to a bad reputation for that IP. If you have legitimate services running
on that connection, it could result in a service disruption (due to a bad reputation).
The reality is that your IPs reputation is always at risk from infected computers
within your network. Sandbox execution is very short, so while it is unlikely to result
in a poor reputation, it is still a possibility to consider.
If you plan to allow access to the Internet, your best option is to use a dedicated
Internet connection for the outgoing FortiSandbox traffic.

FORTINET
If you decide not to allow Internet access to the VMs on FortiSandbox, inspection
occurs as illustrated in this downloader example.
When the malware does a DNS query, the FortiSandbox responds with an internal
IP address. When the software then attempts to download some software, the
FortiSandbox provides a fake download package. This allows the downloader to
successfully execute even without access to the internet.

FORTINET
If you decide to allow Internet access to the VMs on FortiSandbox, the same
downloader could result in a very different report.
Starting with the IP address to which the malware connects, the IP reputation
information for that could be very different. The payload the malware downloads
could also be very different and possibly result in a specific malware detection. If
that payload results in Callback connections (C2) to a botnet, there is no way this
could be detected in an environment without internet access because the payload is
faked.
If Internet access is allowed, traffic generated by the VMs should have full,
unrestricted access. If traffic gets filtered then it could be blocked on the way to the
Internet, which would result in less accurate reports because some responses are
not received.

FORTINET
Without Internet access some of the checks will not result in accurate detection.
This means that certain types of malware detection will not work as well as they
could.
Allowing Internet access to the VMs is not just about increasing the risk to the
reputation of your IPsit also directly improves the ability of the device to
accurately detect malware.
The best results occur when Internet access is allowed, so this is the preferred
deployment.

FORTINET
You can enable or disable the Internet access for the VM under the general system
configuration setting.

FORTINET
In this section, we will explore some of the required setup settings that must be
configured, regardless of the method of input used to receive files.

FORTINET
All new FortiSandbox devices come with the same default IP addresses: Port 1 is
192.168.0.99, Port 2 ends in 1.99, Port 3 ends in 2.99, and so on.

FORTINET
The FortiSandbox web-based manager is designed to have the same overall look
and feel of other Fortinet products, like the FortiGate or FortiMail. As such,
configuring the interface from the web-based manager is similar.
To configure the IP address assigned to each interface on FortiSandbox, log in to

the web-based manager and go to System > Network > Interfaces.
To complete the same task from the CLI, type set followed by the port designation,
the IP, and subnet. Examples include:
set port1-ip 10.10.10.1/24

set port2-ip 172.16.11.5/255.255.255.0
set port2-ip 2001:db8:1::254/64
Each interface supports the use of a static IPv4 and/or IPv6 IP addresses.

FORTINET
Each interface that sends or receives traffic on FortiSandbox needs to have a static
IPv4 and/or IPv6 address assigned to it in order to be usable. In order to get to
external IPs like the Internet (for VMs and possibly FortiGuard) or other subnets,
you need to manually add additional static routes.

FORTINET
It is important to accurately set the time on your FortiSandbox.
Any investigation into new malware is going to come back to when it was first
submitted to FortiSandbox and from where. In order to make sure this information is
determined with precision, the clock must be accurate, otherwise it will be difficult
(and possibly impossible) to determine where this malware went and how far it has
spread.
In order to make forensic analysis easier (or possible) it is import to make sure that
all the network devices have their clock set accurately.
To setup an NTP server on the FortiSandbox, select [Change] by the System time
on the System Information Widget of the status page and configure an NTP server
to synchronize with.

FORTINET
When you initially log into FortiSandbox, you use the factory default login settings
(i.e. user name admin and a blank password). The default login remains active until
you manually change it.
You can change the default admin password from the GUI under System > Admin >
Administrators, editing the admin user and saving a new password.

FORTINET
Only two types of administrative accounts can be created:
Read-Only accounts are intended to be used by virus analysts. These accounts

provide access to all of the features when it comes to submitting files, getting the
results, and looking at historical data. They do not allow the user to make any kind
of configuration changes to the device.
Read-Write accounts are intended to be used by network administrators. These

accounts are given full access to the device. Primarily these accounts are used for
altering the devices configuration and doing the initial setup and troubleshooting. It
may also be necessary for these accounts to submit files for testing purposes, in
order to confirm they are properly scanned and detected by FortiSandbox.

FORTINET
Not all user information needs to be stored locally. To ensure administrative users
follow the company's password policy (or to ensure that users have the same
password everywhere) FortiSandbox can use LDAP servers to verify the password
for admin users.
You can configure an LDAP server through System > Admin > LDAP Servers.
Note that when this is configured, there is no option to set user privileges. All users
that verify their password using an LDAP server are considered to have Read-Write
privileges.

FORTINET
After an LDAP server has been saved an administrative user can be configured to
use this server in order to verify their password.
This is done by editing the user (or creating a new one) under System > Admin >
Administrator and setting the Type to LDAP.
Once this has been changed the option to alter the users privileges will disappear.

FORTINET
It is important to configure administrative access rights, since the device can only be
accessed through port 1. Responding to HTTPS and ping is hard-coded port 1
behavior. You can also enable additional protocols like HTTP, SSH, and Telnet. Note
that the administrative GUI cannot be enabled on any other interface.
An interfaces settings can be changed by going to System > Network > Interfaces
and then editing each interface individually.
You can also configure the default idle timeout for administrative users. This can be
set from 1 minute, up to 480 minutes. The idle timeout can be adjusted under
System > Admin > Settings.

FORTINET
Rather than closing access to the outside altogether, another option is for
FortiSandbox to use an external proxy to communicate with the outside.
Under System > Network > Proxy, you can set up a proxy the FortiSandbox will use
for the VM communication. VM traffic is still locked to port 3, meaning the proxy
must be reachable out of the port 3 interface.

FORTINET
The admin password reset procedure is similar to the procedure on other Fortinet
devices.
First, connect to the console port and physically power cycle the devicea reboot
from the GUI or CLI is not sufficient.
Once the device is rebooted, log in with the user maintainer (all lower case) and
the password bcpb (lower case), followed by the serial number of the device (all
letters in uppercase). Access through this user is only available through the console
port and only for about 30 seconds after a hard power cycle. Once you log in, you
can change the admin password using the CLI command: admin-pwd-reset.

FORTINET
Allowing FortiSandbox to connect to FortiGuard ensures updates are applied to

various internal components:
New AV signatures allow for detections of additional malware without the need to
resort to sandboxing.
An up-to-date database of IPs allows for more accurate botnet callback detection.
Abnormal behavior and connections to botnets can be identified through network
alerts.
Updates to the Sandbox engine help improve the results of reports by improving
components like the malware tracer or rating engine.

FORTINET
FortiGuard Cloud queries ask if other members of the FortiSandbox community

have already inspected the file. If required, you can disable it.

FORTINET
You must use FortiManager 5.0.6 or newer firmware in order for FortiManager to be
able to recognize FortiSandbox. Check the FortiManager Release Notes to find out
the supported FortiSandbox models and firmware.
Overrides for package updates and FortiGuard web filtering queries can be set to
enabled and configured to use the IP or FQDN of a FortiManager. If there are
updates to the virtual machines themselves, they can be manually stored on an FTP
server and configured for use in the FortiSandbox. This allows the device to update
automatically while still operating within the confines of a closed environment.

FORTINET
The FortiGuard cloud query has 2 aspects to it.

First there is a query which allows the FortiSandbox to check the FortiGuard
network to see if other Sandbox users have run into a piece of malware before. If
so, then report for that behavior is downloaded and used. This allows the
FortiSandbox to save time in processing since it no longer needs to spend the time
to sandbox the sample.
Second is the upload of malicious samples. If cloud query is enabled and the
FortiSandbox detects a suspicious file then this is uploaded to the FortiGuard
network. Its important to make note that the only information that gets sent here is
the report on the behavior and the malware sample itself. No internal information or
details the malware may have harvested or tried to harvest are ever sent.

FORTINET
The first step in the upgrade process is to read the Release Notes of the firmware to
which you are upgrading. This ensures that the upgrade is supported (you may be
required to perform an intermediate upgrade rather than a direct upgrade, so its
good to check). The Release Notes will also make you aware of any changes to the
device behavior.
The next step is to download the firmware image. The firmware does not include the
VM images. Some upgrades may require that the VMs are updated after the
firmware update. If so, this will be in the Release Notes.
The next step is to perform the actual update by applying the image through the
Web-based manager or CLI.
Finally, once the update is finished, check the status in order to make sure
everything is working properly. This includes verifying that the files continue to be
submitted and that any other post-update tasks are performed (like updating the VM
images).

FORTINET
In this section, we will briefly explain the four different input sources available to
FortiSandbox.

FORTINET
A FortiSandbox is capable of scanning files for malware from four different sources:
in-line, sniffer, on-demand, and network share. None of these are a mode of
operation for the device (unlike NAT vs Transparent). They are simply methods of
input that can be used concurrently or in any combination.
In-line is used when other Fortinet products (the FortiGate and FortiMail) submit
files directly to the FortiSandbox.
With 3rd party devices, files must be extracted by having the FortiSandbox look at
the traffic from a mirrored port. This is when you would make use of sniffer based
inspection.
You can manually submit files on-demand at any time using either the FortiSandbox
web-based manager or the JSON API.
You can also configure the FortiSandbox to monitor network file shares in order to
look for files to scan.

FORTINET
For the in-line input source, which allows you to automatically submit files, the only
devices that currently integrate with FortiSandbox 2.0.3 are FortiGate and FortiMail.
File submission is also supported for any file types the FortiGate and FortiMail can
intercept and understand. After the file is scanned, FortiSandbox sends details
about the scan back to the device that submitted the file.
Files can be submitted from any protocol for which the FortiGate is configured to
inspect content (including encrypted content).
Since malware tends to go in waves, with lots of duplicate submissions occurring in

the beginning, files are kept in the hash table in order to minimize the collection of
duplicate files. Submitted files are not kept indefinitely, as storage and memory are
not infinite.

FORTINET
For the sniffer input source, FortiSandbox can monitor network traffic through two
possible connection methods: RJ-45 copper cabling, Fiber Optic cables.
For copper communications a switch must be configured to do port mirroring

(monitoring/span, depending on vendor) in order to send a copy of the traffic out
another physical port to the FortiSandbox.
In order to mirror traffic with fiber optic communications a TAP device is inserted in
the line.
TAP devices effectively do port spanning for fiber connections. Light is split 50/50,
60/40, 70/30 (depends on the TAP device) so that the same light now flows in 2
directions, making a copy.

FORTINET
The on-demand input source involves manual file submissions to the device, rather
than automatic ones.
When a file is submitted for inspection it is possible to bypass various scan

methods. For example, it is possible a file can be submitted and go straight to being
sandboxed without a virus scan.

FORTINET
Rather then manually submitting files to FortiSandbox, you can use Network shares.
You can save files directly to a network file share and configure the FortiSandbox to
access that file share in order to find files to scan and sandbox.

FORTINET
In this section, we will take a deeper look into how FortiSandbox behaves when files
are sandboxed.

FORTINET
FortiSandbox allows you to configure a file scan profile under File-based Detection
> Config > Scan Profile. The scan profile helps streamline the sandboxing of files.
In order to do a complete scan for certain types of files, FortiSandbox requires more
than one run through in a sandbox environment to finish the job. The scan profile is
available to reduce unnecessary file sandboxing and improve performance.

FORTINET
Flash and PDF files have no version information within the files themselves, so
there is no way to determine what version of Adobe a piece of potential malware
may be intended to attack ahead of time. In order to get a complete picture, these
files need to be sandboxed multiple times using different VM images.
Take the example of a PDF file. After the initial malware scan is finished, the file
gets sandboxed if nothing is detected. Default settings will cause the file to be
sandboxed up to 4 times (each taking up to 3 minutes) in order to see if there is
malware that could affect Adobe 8, 9, 10, or 11.
If FortiSandbox is inspecting a lot of PDF documents, a delay in scanning can

result. If Acrobat 8, 9, and 10 and not present within the network, then no additional
security is gained by scanning for malware that attacks that software. Properly
considering the environment and adjusting the scan profile can dramatically improve
performance.

FORTINET
When FortiSandbox is busy scanning files and runs into one that needs multiple
scans, those scans are done in whatever order the VM images become available to
use.
To continue with the example of a PDF document, a full scan with the default
configuration will require four separate VM images to finish. If the first available
image is WIN7x64, that scan occurs first. If it is a WINXP image with Adobe 9, that
scan occurs first. This continues until all necessary scans are finished, or a scan
comes back with a suspicious rating.

FORTINET
In this section, we will examine how to configure various alert options. Alerts notify
administrators about important events on FortiSandbox.

FORTINET
When dangerous malware is detected, it is important that administrators receive

proper and timely notification. One method for doing this is through alert emails.
To configure, you must set up a mail server and provide the email of one or more
administrators to receive the notification alert. To customize what alerts are sent,
you can specify the rating of the job, for example, malicious, high risk, medium risk,
and low risk. You can configure alert emails under System > Config > Mail Server.
Only one alert email server can be configured. Weekly reports and reports for
malware detection can also be set up.

FORTINET
You can configure FortiSandbox to work with an SNMP server, with traps for high
CPU, low memory, low disk space, IP changing on an interface, and detection of
malware.
You can configure SNMP through System > Config > SNMP. Once the service is
enabled, communities can be created for versions 1, 2c, and 3 of the SNMP
protocol.

FORTINET
Depending on the traffic being generated by FortiSandbox (or coming in), different
ports are used.
In order to make sure those communications can connect, those ports need to be
available and not blocked by devices in between.

FORTINET
To review, these are the topics that we just talked about:
FortiSandbox interfaces roles

Deployment considerations
Initial configuration
Getting FortiGuard updates from a FortiManager
Firmware upgrade
File sources
Alert emails

FORTINET
In this lesson, well explore how to deploy a FortiSandbox inline with a FortiGate and
FortiMail.

FORTINET
After completing this lesson, you will have the practical skills to be able to configure
and deploy FortiSandbox in combination with FortiGate and FortiMail.

FORTINET
Fortinet devices capable of doing malware inspection can be connected to a

FortiSandbox in order to expand their detection capabilities. Supported products for
FortiSandbox 2.0.3 are FortiGate and FortiMail.

FORTINET
FortiSandbox has multiple ports on the device.
When you consider incoming traffic, the only port that can never be used for
incoming connections is port 3.
Port 1 is for management access, but can be used for external devices to deliver
files. However, if there are a lot of incoming file submissions it can interfere with the
management traffic. This can include access to the CLI and GUI, as well as alert
emails, SNMP, and more. Best practice is to connect external devices somewhere
other then port 1.
Accordingly, aside from port 3, an external device can use any other port to
communicate with FortiSandbox (connect and deliver files). You can use multiple
ports as a way of balancing traffic and preventing an interface from being saturated.

FORTINET
You can configure FortiMail to send a copy of any potentially dangerous email
attachment to FortiSandbox.

FORTINET
The FortiMail configuration to communicate with FortiSandbox is a two-step

process:
1. Configure a FortiSandbox that FortiMail will use.

2. Define when FortiMail will submit files to FortiSandbox. This is done by enabling
the Upload suspicious attachment to FortiSandbox option inside the AV profile,
and then making rules for which emails will use that AV profile for scanning.

FORTINET
Unlike FortiMail, FortiGate has a large collection of available protocols on which to

have virus scanning performed. Any protocol the FortiGate is performing virus
scanning on, included encrypted protocols, can be inspected to capture potentially
dangerous files and send them to FortiSandbox.

FORTINET
The process involved in configuring FortiGate to communicate with FortiSandbox is

similar to that of FortiMail. It is a two-part process:
1. Configure a FortiSandbox the device will send files to.

2. Define when FortiGate will submit files to FortiSandbox. This is done by enabling
file submission in the AV profile and applying that profile to firewall policies. Note
that the option to send files for sandboxing in the AV profile will change
depending on if a FortiSandbox is configured for use or not. If no FortiSandbox is
configured, then the option to send files will read Send file to FortiSandbox
cloud.

FORTINET
In the FortiGate CLI there are some settings that will impact whether or not the
FortiGate sends a file to the FortiSandbox based on its file size.
The first size limit applied is the oversize limit (uncompressed oversize limit in the
case of archives). Any files larger than this limit are not virus scanned. Since files
are only sent to FortiSandbox after they are virus scanned, anything over this limit is
not sent to FortiSandbox.
Within the AV profile itself there is a second setting to limit the maximum size of the
upload. Any file that has been virus scanned and is larger than the maximum upload
size will not be sent to FortiSandbox.
Both settings are 10 MB by default, but you can adjust each independently.

FORTINET
Black lists and white lists are another FortiGate configuration option that adjusts
what is submitted to FortiSandbox.
A white list ensures that a particular AV profile submits only file types that do not
appear on the list. A black list does the opposite, submitting only the types that
appear on the list. An AV profile can only have a white or black list enabled, not
both.

FORTINET
Once you configure an external device (FortiGate or FortiMail) to use FortiSandbox,

you must then configure the external device to authorize/allow files to be submitted
to that FortiSandbox. This concept of authorization is similar to how devices are
authorized to be managed by FortiManager or devices are authorized to submit logs
to FortiAnalyzer.
Device authorization is configured through File-based Detection > File Input >
Devices. Find the device in the list on that page and editing the settings. Under
Permissions, enable the Authorized checkbox.

FORTINET
A FortiGate configured with VDOMs and a FortiSandbox creates an interesting

situation. You can configure the AV profiles within each VDOM to individually send
or not sendfiles to FortiSandbox. The VDOMs themselves can not access the
FortiSandbox configuration aspects since this is a global option.
The communication protocol between FortiGate and FortiSandbox does not include
a method for FortiGate to transmit the list of VDOMs that it has enabled. When a file
is submitted from FortiGate, it is tagged with the name of the VDOM from which it
belongs. As such, a VDOM only appears on FortiSandbox once a file is submitted
from a AV profile configured on it.
You can configure FortiSandbox to automatically authorized new VDOMs, or to

unauthorized new VDOMs until they are manually and individually authorized.

FORTINET
You can also configure FortiSandbox to send notifications when a file is considered
dangerous and/or weekly reports outlining device activity. The email address is
configured on FortiGate when the connection to FortiSandbox is established.
The device IP address that appears on this page is the IP the FortiSandbox sees on
the packets when the device tries to connect. FortiSandbox does not communicate
with the FortiGate/FortiMail to obtain configuration details, so any kind of NAT
device will change the details that get shown here.

FORTINET
When integrating with other Fortinet products, communications are handled through
a Fortinet proprietary protocol. Data is encrypted using SSL and transmitted over
TCP port 514.
In order to avoid sandboxing a file multiple times and wasting resources,

FortiSandbox stores hashes of the files it has scanned inside its database.

FORTINET
When a FortiGate/FortiMail decides to send a file for sandboxing, the device first
sends a hash to FortiSandbox. FortiSandbox does a lookup in its database in order
to find out if the file has already been scanned. If it has already been scanned, it
relays that information back to the device so the device will not spend resources
sending the file. If the lookup fails, FortiSandbox responds by indicating the file is
unknown. In this case, the device will send the file over to be stored and sandboxed.
An update to the virus package resets the hash table, as it changes the malware
FortiSandbox is capable of detecting. This change could result in the detection of a
previously unknown (new) malware signature, which the historical scans may not
have. So files submitted to the sandbox will only be scanned once, per update of the
AV database. If there is a period of time that the virus database is not updated (like
when FortiGuard access is not allowed), the database will be cleared out every 2
days.

FORTINET
A FortiMail can be configured to send all potentially malicious files.
A FortiGate can be configured to send all potentially malicious files or only those
flagged as suspicious by the heuristic scanning.

FORTINET
While FortiGate and FortiMail have slightly different file detection capabilities, what
they both send back to FortiSandbox is very similar. Both devices will only transmit
Windows executable files. Executables for other OSes are not sent, because
FortiSandbox only has Windows VMs.
Certain types of archives are sent as well. FortiGate and FortiMail have different
detection capabilities, so slightly different executable and archive types can be
detected and sent from each device. Java Runtime (JAR) files, PFDs, and Microsoft
Office documents are also transmitted, as are Flash (SWF) files.

FORTINET
After this lesson, you should be able to:
Describe what Fortinet devices can communicate FortiSandbox

Configure device access to FortiSandbox
Configure external devices to submit files to FortiSandbox
Understand protocol used for communication with FortiSandbox, and
Understand what files are sent to FortiSandbox

FORTINET
In this lesson, well examine deploying FortiSandbox with sniffer mode.

FORTINET
After completing this lesson, you will understand sniffer mode and how to configure
FortiSandbox to inspect traffic from non-Fortinet products.

FORTINET
Sniffer mode allows you to configure interfaces on FortiSandbox to inspect the traffic
from 3rd party devices. In order to do this, a copy of the traffic needs to be sent to
interfaces on FortiSandbox.
For fiber optic cables, you need to use a TAP device in order to split the light beams.
For traditional network cables, a switch capable of doing port mirroring/monitoring or
SPAN is needed to send a copy of the traffic through a separate interface and out to
FortiSandbox.

FORTINET
Traffic occurring outside the boundaries of your network is not your responsibility.
External firewalls are designed to route and switch traffic, but they also block traffic.
It is the traffic that comes in from outside of any controlled environment that is the
most dangerous.
The traffic that should be sent to FortiSandbox is traffic that has already made it into
your network.
For these reasons, generally the best place to look at traffic is inside your network
and as close to your perimeter firewall as possible. The closer the traffic is to the
border of your network, the better.

FORTINET
To get a better performance, two ports on FortiSandbox are usually recommended

for fully monitoring the traffic. One with the copy of traffic in one direction, the other
one with the copy of the traffic in the other direction.

FORTINET
FortiSandbox can look at traffic flowing in a single direction and parse it in order to
find and scan files. However from a forensic analysis perspective, having
communication in only a single direction makes forensic research more difficult.

FORTINET
FortiSandbox is not able to process VLAN tags when operating in sniffer mode.
Packets that reach the interface and are VLAN tagged will have the contents
inspected in exactly the same way as packets that are not VLAN tagged. The tag
itself is discarded and not logged in any way.

FORTINET
You can enable sniffer from the web-based manager through File-based detection
> File Input > Sniffer. Enable Enable Sniffer and select which interface(s) on
FortiSandbox to use sniffer-based file detection. Port 1 and port 3 have hard-coded
purposes already, so those cannot be selected. All other ports are available.
Ports set to sniffer mode have no IP address and cannot be used for any purpose
other than sniffer-based detection.

FORTINET
There are a few other options you can enable for sniffer, including:
Network alert detection. This examines the traffic for suspicious URLs, botnet
callbacks, as well at attack traffic.
Keeping Incomplete files. This is potentially useful, as incomplete files can still be
scanned for malware (though since part of the file is missing it will result in a less
accurate malware scan, but could still result in positive detection). However,
because the whole file is not there, it will not be sandboxed.
Maximum file size. This setting can be adjusted from 10Kb up to 200,000 Kb.
Keep in mind that larger files mean more storage space is needed.
Services. This option allows you to adjust the protocols FortiSandbox is looking at
in order to focus on specific vectors of infection or avoid overloading the job
queue.

FORTINET
When traffic is being inspected on an interface set to sniffer, you can enable
callback detection. This is used to detect traffic that is communicating to a botnet.
This is only available when the interface is operating in sniffer. With in-line
inspection, FortiSandbox does not see the actual traffic, so it is only capable of
sandboxing files. Also, FortiGate is capable of blocking botnet connection, where as
FortiSandbox can only report it because the traffic is mirrored.

FORTINET
In sniffer mode, FortiSandbox is directly inspecting traffic being sent to its interfaces.
This means that any kind of encrypted traffic cannot be inspected (HTTPS, FTPS,
StartTLS encrypted SMTP, etc.), because SSL is designed to be secure point-to-
point communicationsFortiSandbox is not part of those SSL negotiations.
The protocols FortiSandbox is capable of inspecting are HTTP, FTP, POP3, IMAP
and SMB. They can be detected over any port, not just the default ports for those
protocols

FORTINET
Just like in-line detection through Fortinet devices, the scan profile decides how
FortiSandbox scans and sandboxes different types of files.

FORTINET
Understand how to position the device for sniffer mode

Configure FortiSandbox for sniffer mode and understand botnet callback
detection
Understand protocols that are supported for sniffer inspection and the types of
files that are inspected

FORTINET
In this lesson, we will examine the other methods that are available in order to send
files to a FortiSandbox for inspection. We will also show URL scanning.

FORTINET
After completing this lesson, you should have the skills to be able to:
Manually submit a file to a FortiSandbox, as well as understand the job details

and report results.
Configure network shares to scan network file shares as well as set up a
quarantine to place those infected files.
Configure FortiSandbox to inspect the contents of websites, as well as
understand scan profiles and inspection depths.

FORTINET
In this section, we will explore how to manually submit files to FortiSandbox and
how to understand the job details and report results.
This can be useful in order to force specific scans to occur or test modified versions
of malware samples. It can also be used to retest files that may not have been
detected previously.

FORTINET
You can manually submit files to FortiSandbox from System > FortiView > On-
Demand.
The On-Demand page automatically displays a list of previous on-demand

submission jobs and their status. Since archive files can have more than one file
contained within them, there is also a File Count column that displays how many
files were scanned as part of the job. Archive submissions are also signified by an
i icon in the far left column.
Note that a password protected archive cannot have the contents scanned, so it will
not show up as an archive.

FORTINET
You can manually submit files to FortiSandbox for inspection one at a time. The type
of files you can submit are listed at the top of the Submit New File dialog box.
If you have an idea what FortiSandbox might discover about the file during
inspection, you may want to skip some of the normal scan steps in in order to get
better results. This allows a great deal of control in the behavior of the scan.
Files can be manually submitted to FortiSandbox either through the web-based

manager or the JSON API.

FORTINET
By going to the job details, an administrative user can view the specifics for what
happened in a particular job. This displays as a single file unless the file scanned
was an archive, in which case all the files contained within it are listed along with a
detailed report on the behavior.

FORTINET
At the top of the report a FortiSandbox classifies the file, for example High Risk
Dropper. If you do not agree with the results of the scan, you can mark it as a false
positive. FortiSandbox also displays from where the result came. In this example,
the results came from a cloud query, which means the file was scanned for
malware, but not actually sandboxed on the device.
You can print or download the report as a PDF document by clicking the print or
download icons from the upper right corner of the report.

FORTINET
In this section, we will look at setting up network shares and quarantines.
The FortiSandbox can be setup to scan network file shares automatically.

FORTINET
On FortiSandbox, a network share and quarantine are the same things: NFS
(Network File Shares). The difference is how FortiSandbox treats them.
With network share, FortiSandbox connects to a NFS in order to look for infected
files.
With quarantine, FortiSandbox connects to a NFS to store suspicious files that it

finds while scanning a network share.

FORTINET
You can create a new quarantine folder though File-based Detection > File Input >
Quarantine.
During the configuration, it is important to select the proper mount type.

FortiSandbox supports connecting to file shares using CIFS, NFSv2, NFSv3 and
NFSv4.
You must also configure the server location, share path, as well as the username
and password of the user with permissions to connect to the NFS. The user also
needs to have write permissions within that folder in order to successfully copy the
files that are considered suspicious. Since those files are considered suspicious,
you should ensure the NFS is not accessible to everyone. General users should be
not be allowed to access the quarantine folder in order to prevent further damage.

FORTINET
You can configure network shares through File-based Detection > File Input >
Network Shares. The options available are almost identical to configuring a
quarantine, because they are both NFSs.
A network share provides an alternative to manually submitting files individually to

the web-based manager. It can also scan a corporate file server. FortiSandbox goes
through all of the files and folders to which it has access.

FORTINET
In additional to the connection information, there are some other settings that can
be enabled in network shares and quarantine.
With network shares, you have to option to:

Keep (or not to keep) a copy of the original file on FortiSandbox. The infected file
is on a NFS (at least initially), so storing it on FortiSandbox could take up a lot of
space over time. However, having files stored on FortiSandbox can make it more
convenient to locate the infected file as well.
Enable quarantine. This stores a copy of an infected file on a separate quarantine
NFS. Depending on the settings in the quarantine configuration, the original file
can also be deleted at the same time. In order to delete a file, the user specified
in the network share configuration would require full read/write permissions on the
files.
Enable a scheduled scan. This enables an automatic, scheduled scan of the
network share. If this is not configured, a scan will only occur if manually initiated.
On the configuration of a quarantine share you can enable the option to delete a file
that is considered to be infected from the network share folder, or not.

FORTINET
In this section, we will examine how FortiSandbox inspects the contents and
behavior of websites.

FORTINET
URL scanning is performed by initiating VM images and using Internet Explorer (IE)
to connect to the URLs to examine their behavior. FortiSandbox uses a scan profile
(separate from the scan profile for sandboxing) to determine how to handle these.
The websites can be scanned with IE version 7, 8, 9 and/or 10. Just remember that
each version of IE requires an additional VM image to be instantiated.
URLs inspected this way must be manually submitted to FortiSandbox in the body
of a text file. Depending on the operating systems and browsers available within the
protected networks, it may be appropriate to limit the versions of IE used for the
scan.
Assuming your FortiSandbox has a connection to FortiGuard, the URLs are also
checked to find their rating. Dangerous categories are automatically flagged. The list
of categories shows all the ones that are automatically flagged, unless overridden.

FORTINET
When URLs are submitted, there is the option to set the inspection depth.
A depth of 0 means FortiSandbox only looks at the contents of the page directly
specified by the URLit does not follow any links to content located on the page.
A depth of 1 means that all links are followed one level. So if a page has a link to
second page and that page contains a link to download, the second page is
followed, but the download link on that second page is not.
A depth of 2 means that all links are followed two levels.
The behavior of all URLs and files are contained in the report, so setting the depth
too high can result in an inaccurate report, as infected resources can be found off
the URL. Setting the depth too low can also cause inaccurate reports because
infected resources wont be detected. Set the value based on the amount of
investigation you wish to do on the website.

FORTINET
A useful application of the FortiSandbox to inspect URLs would be to look at a

suspicious website you believe to be infecting your users. Making use of the feature
does not require extensive knowledge of web technologies that might otherwise be
necessary in order to do this type of investigation.
Another situation where it could be used would be to look at a company website that
was hijacked, in order to make sure that it is not being used for injecting malicious
code. The nice aspect of this is that you can do it immediately upon discovering a
hijack has occurred. You do not need to identify exactly what was done or how it
happened.

FORTINET
After this lesson, you should understand how to manually submit a file, configure
network shares and quarantines, and configure FortiSandbox to inspect Website
content.

DO NOT REPRINT Logs and Reports
FORTINET
In this lesson, we will explore the logs and reports generated on FortiSandbox.

FORTINET
After completing this lesson, you should have these practical skills in order to
monitor the day-to-day activity of FortiSandbox and conceptually approach and
prepare for a situation where FortiSandbox detects a piece of unknown malware.

FORTINET
In this section, we will examine how to view the log events that happen on
FortiSandbox.

FORTINET
The Status page provides a lot of information about the status of FortiSandbox,
including information about files submitted and detected, contract details, and
update information. You can also add/remove widgets and all widgets can be
customized to some degree. Depending on the nature of the widget, the
customization could involve adjusting the refresh rate, or adjusting the number of
entries returned based history length. Most widgets also include the option to drill
down on returned data in order to quickly obtain more specific details about the
data.

FORTINET
The FortiView tab is useful to view detected threat activity at a glance and makes it
easier to identify problem users, files, or devices.
The Threats by Users page organizes detected malware and suspicious files by
the user. If detection occurs from sniffer-based detection, or there is no
authentication enabled on FortiGate, then the IP address is used instead. Since you
can connect multiple FortiGate devices to a single FortiSandbox, the format for the
Device/Username column that indicates where the file submission came from is:
<device> (the name of the device when connected): <VDOM>: <IP or User name>
(user name if authenticated)
The Threats by Files page displays the same kind of information about the
detected threats. However it organizes the threats by file rather than device. This
allows you to more easily see if a particular threat is being detected more often than
others. This is useful in detecting if there is an outbreak of a particular malware.
The Threats by Devices page organizes the detection differently again, this time
according to the device that submitted the file to FortiSandbox. This can help you
more easily tell if a particular location is having a possible outbreak.

FORTINET
Under the File-Based Detection menu there are additional charts and widgets. The
purpose is to summarize the activity for file-based detection, which includes both in-
line and sniffer-based detection.
The Summary Report page pulls together all the information to provide an overall
look at what has been scanned and the results of the scans.
The Malicious Files page provides more detail about the virus detected through
scanning.
The Suspicious Files page provides more detail about files that were not detected
as viruses, but did exhibit suspicious activity.
The Clean/Unknown Files page contains all the results, whether either nothing was
detected or the scan did not finish because it was interrupted.

FORTINET
From Log & Report > Log > Local Log, you can view the event logs, which are
logs FortiSandbox stores for events on the device itself.
The local logs summarizes device activity, such as administrative logins, virtual
machine initializations, scan jobs starting, and other activities of that nature. For
detailed information, you need to locate the scan job itself and view the results.

FORTINET
You can also generate summary reports on demand. There are two types of reports:
executive summary and threat activity.
The executive summary report provides a break down of all the activity.
The threat activity report provides a break down of the files that were detected as
malicious or suspicious.
In both cases, you can set the time period to either the last 24 hours, the last week,
the last month, or specify a custom time period.

FORTINET
You can configure FortiSandbox to send event logs to an external appliance. This
allows FortiSandbox to link to a pre-existing notification system.
An external logging device allows for a central logging location. Central logging
makes forensic investigation easier, as all the log events and notifications are
located and correlated in a single place, without needing to swap back and forth
between devices.
FortiSandbox can log to two external appliances: Syslog and FortiAnalyzer (running
firmware 5.0.8 or newer, or a FortiManager).

FORTINET
In this section, we will explore the importance of havingand maintainingan

incident response plan and how best to establish one.

FORTINET
Reports are not intended to remain in a vacuumthe results should not be taken at
face value. Experts should monitor both negative and positive reports for malware
detection in order to ensure the findings are accurate. If a report shows positive for
malware, it most likely indicates there is an active infection that you need to address
inside your network. Remember, reports come from files that have already entered
the network.
Any organization with a sandbox needs to have an incident response plan in the
event that dangerous new malware is detected and needs to be removed from the
network.

FORTINET
The first phase of an incident response plan involves receiving the alert itself. An
alert from FortiSandbox indicates positive malware detection that you need to
investigate. Your investigation should determine if:
The report is accurate or a false positive
Further action is required in order to mitigate infection and damage
When it comes to generating alerts, the diagram shows there are multiple avenues
available in order to fit into whatever monitoring system is already in place. This
helps ensure that somebody can receive the notification promptly and allow them to
act as quickly as possible.

FORTINET
The second phase of an incident response plan involves evaluating the alert, of
which there are two kinds: malicious and suspicious.
Malicious event occurs when the file is positively identified as an existing virus
through some method of scanning on FortiSandbox. Even though these files are
identified by FortiSandbox, they may have already passed into your network and
may be loose and spreading. You should investigate these alerts to determine if
there is an infection or not.
A suspicious event occurs when the file is considered clean by AV normal scanning,
but dangerous after sandboxing. Suspicious events are potential zero-day exploits
and deserve close attention in order to prevent potential loss of business critical
information.

FORTINET
The third phase of an incident response plan involves the investigation itself: the
details about the malware behavior, infection vector, and methods of safe removal.
In this phase, a malware analyst reviews the report information and examines the
malware in order to find out how it behaves. Depending on what the malware does,
rules may be added to the firewall to prevent/mitigate further infection. Infected
host(s) may need to be quarantined and cleaned, based on the results of the
investigation so far.
Sometimes if especially dangerous malware is identified, it requires immediate

action to quarantine the infected hosts and prevent further infection before the
phase 3 has completely finished. Phase 3 investigation needs to be handled by a
qualified individual/team that has the authority to make those judgment calls.

FORTINET
The fourth phase of an incident response plan involves the response to the phase 3
investigation findings. You should always have a plan for the worst case scenario. In
the event that this ever occurs, having a plan will result in significantly fewer losses.
For clean up purposes, the researchers need to have a variety of software and
utilities at their disposal.
Depending on the results of the investigation so far, the malware analyst should
have a good understanding of how the malware behaves, and hopefully, how to
remove it. If the malware is particularly dangerous and difficult to remove it my
require measures as drastic as formatting the device and reimaging it from scratch.
Being able to restore data from a backup will reduce downtime and lost data.

FORTINET
The fifth and final phase of an incident response plan involves documenting and
sharing your results. Once an incident has been handled it should be properly
documented in case of future reinfection.
Anti-malware is an industry with a history of very open communication with regards

to new and emerging technologies (malware). Openly sharing data with your anti-
malware vendors helps to provide you with protection against this malware in the
form of detection signatures for your software and devices. Sharing information
through other methods, like security blogs, is another way of getting the word out
there.

FORTINET
In this section, we will examine some of the considerations involved in safely

handling samples of unknown malware.

FORTINET
While the purpose of FortiSandbox is to detect unknown malware, it is your

organizations responsibility to ensure unknown malware is handled properly by
individuals who are qualified. This is because unknown malware can be extremely
hazardous, especially since there are no detection signature yet, so improper
handling can lead to large scale infection.

FORTINET
A policy on handling malware samples acts as a security blanket to help protect

your company and employees.
Improper handling of malware can result in large scale disruption of network

resources and/or costly data leakage. Any exceptions to the rules in the policy need
to be carefully documented. In the event of improper handling, the root cause needs
to be determined.
If malware is handled by unqualified individuals which results in damages, it can

lead to legal action against the company.

FORTINET
Samples of malware being investigated should only be handled by individuals

whose job it is to work directly with those samples. Some examples of people who
legitimately need to work with samples would be malware analysts, virus
researchers, or software engineers.
Individuals whose job does not involve handling malware samples should never be
handling samples of unknown malware without good, documented reasons.

FORTINET
An example rule of a malware handling policy can be to always change the file
extension of malware samples when the sample is not being executed in order to
prevent files from being executed by whatever software the designers of the
malware intended to try and exploit. Some malware can infect during preprocessing
of the file, by certain utilities.
In this example, the first letter of the file extension is changed to Z. Any standard is
fine in this instance, since the ultimate purpose is simply to break any file
associations.

FORTINET
Another rule of a malware handing policy can be to always store the malware inside
an archive to allow for an additional layer of security and the ability to change
names and associations. Some software will attempt to execute (or preprocess) the
files inside an archive simply by opening it. Adding a simple password will prevent
that from happening with an accidental click.
The password can be reused on all malware samples. The purpose of this is to
prevent the malware from executing accidentally, so theres no need for the
password to be complex or rotating.

FORTINET
A third rule of a malware handing policy can be to always run the malware sample in
an isolated and unimportant environment. If the test machine can access the
internal company network, this can cause the malware to spread throughout the
company resulting in loss of data and/or disruption.
Important machines and/or machines with important data should never be used to
test malware samples. Some malware have protective measures built in so that if
any tampering is detected, they will damage the host. Virtual machines make
excellent testing environments.
Combining rules together (Example rules 1, 2, and 3) will result in greater security
for your company. A strong internal policy will help instill the proper behavior of
employees and let individuals know your company takes this seriously.

FORTINET
In this section, we will examine a FortiSandbox scan job reports.

FORTINET
When a report about suspicious malware is generated, it is divided into several

sections, each with its own purpose.
The first section is called Scan Job Details. As the name implies, this gives some
overall information about the scan, such as where the file came from, when it was
scanned, what protocol the file was transmitted on, how long the scan tookany
details that would help you track down the source of the file.

FORTINET
The next important section to discuss, very close to the beginning of the report, and
called Behavior Summary.
Some of the terminology used is some of the fields here will directly correspond to
the different types of malware.
Having a quick summary section is important because reports can be very long. The
report being used as an example is over 300 pages.

FORTINET
The next section details the activity that occurred. The Results for <VM Image>
section reflects the VM that detected the file as being dangerous or infected.
It is worth remembering that different VM designations have different software

installed. This can be very important for vulnerabilities involving Internet Explorer,
Acrobat, and Microsoft Office. Also, different operating systems use different
versions of Java. This is something else to keep in mind, depending on the nature of
the vulnerability reported or investigated.

FORTINET
The Suspicious Behaviors section contains a summary of what the ratings engine
considered to be suspicious or dangerous activity.
In order to find specific details, the appropriate areas of the report need to be looked
at, but at a glance, this provides the highlights of the inappropriate behavior.

FORTINET
The next couple of sections describe the file activity that occurred while the file was
being sandboxed.
In this example, since this report in particular is about a .doc file, WinWord
(Microsoft Word) was used to open and examine the file as you can see in the
Launched Processes section. The file activity that occurred may have been
caused by the piece of malware or may have been caused by normal operations of
the processes involved. Proper understanding of all the data in a report requires a
lot of knowledge about different software.

FORTINET
The Network Behaviors section details what happened with regard to external
connections. Activity within any section is always listed in reverse chronological
order, with the first action to occur being listed at the bottom.
In this example, a DNS request was made for a particular URL and then a file was
downloaded multiple times. At any point in the report if a particular action is
something that the rating engine considers to be dangerous or suspicious, that
activity will appear in red. This makes the activity stand out and therefore hard to
miss.

FORTINET
The last section to appear in any report is Behaviors In Sequence.
The section details every action that occurred within the sandbox environment, for
any reason. This can easily become the largest section of the report, depending on
the activity that occurred.
Dangerous or suspicious activities are displayed in red for increased visibility.

FORTINET
Reports are generated for all scan jobs.
If a generated scan job report indicates clean/unknown results, it means

FortiSandbox did not detect anything (both during the malware scan and the
sandbox process). The other possibility is that the scan job was interrupted by a
reboot, for example.
If a scan job report indicates there is malware, it means a known piece of malware
was detected during the scan job process.
If a report indicates suspicious results it means there was no detection of a known

malware, but the behavior of the file is abnormal in some way.

FORTINET
Scan job reports can be stored locally on FortiSandbox or automatically sent to a

configured external file share. This allows for easy distribution of the report, without
the need to provide access to the device itself. It also provides long term storage of
scan result information, since it is not limited to just the storage space on
FortiSandbox.
FortiSandbox supports connecting to a CIFS or NFSv2, 3, or 4 file share.
The allows for additional information (beyond the report PDF) to be stored on the file
share. FortiSandbox can remotely store malicious, suspicious, clean, and unknown
scan results when the job is finished.

FORTINET
After this lesson, you should be able to understand logs, store logs externally,
archive reports, create an incidence response plan, handle unknown malware,
create a malware handling policy, understand FortiSandbox reports, and work with
FortiGuard.

DO NOT REPRINT Troubleshooting
FORTINET
In this lesson, we will examine various ways to troubleshoot FortiSandbox in certain

situations and when illustrating certain behavior.

FORTINET
After completing this lesson, you will have the practical skills to troubleshoot
connection issues between FortiSandbox and FortiGate or FortiMail, resolve
licensing issues, troubleshoot connectivity-related situations on FortiSandbox, and
activate Windows VMs and Microsoft Office.

FORTINET
In this section, we will examine some of the diagnostics that help to determine
whether FortiGate is properly connected and communicating with FortiSandbox.

FORTINET
On the Status page of the FortiGate, some of the widgets provide information about
FortiSandbox and FortiGate communications. The Advanced Threat Protection
Statistics widget provides a summary of the virus scanning activity that occurred
over the past week. This is a high level view, but it provides a quick glimpse at the
communication that is occurring between the two devices.

FORTINET
The License Information widget on the FortiGate Status page displays the current
state of the communications between FortiGate and FortiSandbox. If the two
devices are communicating successfully the widget displays a green arrow.

FORTINET
In the FortiGate web-based manager, there is a Test Connectivity button when

configuring the FortiGate to use a FortiSandbox. You can execute this function to
confirm the FortiGate is able to communicate with the specified FortiSandbox and
that it is authorized. If the device has not been authorized or is not able to connect,
the test will not be successful.

FORTINET
The quarantine process handles sending files to devices from the FortiGate. This
includes things like sending a DLP archive to a FortiAnalyzer or logs to a
FortiManager/Syslog. It even includes submitting files to FortiSandbox.
To troubleshoot the communication between the FortiGate and the FortiSandbox,

you can use the following command to enable the real time debug of the quarantine
process:
diagnose debug application quarantine -1

This slide shows an example of FortiGate submitting a file to FortiSandbox, sending

the hash, and receiving a duplicate file response. The above response happens if
FortiSandbox has already scanned the file recently.
Use the following command to disable the real time debug:
diagnose debug reset

FORTINET
In this section, we will examine some of the diagnostics that help to determine
whether FortiMail is properly connected to FortiSandbox.

FORTINET
Similar to FortiGate, FortiMail also has a Test Connectivity button where you can
test connectivity to FortiSandbox and determine whether it is authorized. FortiMail
also provides some file statistics on this page.

FORTINET
Real time debug on the FortiMail that looks at communications with FortiSandbox
involve debugging the process called SandboxCLID.
There are more debug levels available than just simply using 65, but its a good
place to start. The bulk of the output is easy to understand and very human
readable. You can view the levels available in the CLI using the question mark. Be
sure to use the appropriate debug level.
Use the following two commands to disable the real time debug:
diagnose debug application sandboxclid disable

FORTINET
In this section, we will examine some of the troubleshooting commands available for
FortiSandbox.

FORTINET
You can use the CLI command sandbox-engines to examine various information
for the engines that are installed. This allows you to view and evaluate the traffic
that gets generated by malware being sandboxed by the device.
Each engine evaluates a different aspect of behavior. For example:

The tracer engine tracks of the behavior of software within the VM in order to
identify process activity in the report.
The rating engine analyzes what happened in a report and identifies various
actions as suspicious or dangerous.
The traffic sniffer extract files from interfaces set to sniffer mode. It has nothing to
do with sandboxing.
The botnet signature DB is a list of known botnet locations that gets compared to
the sniffed traffic. It is also used to examine traffic generated within sandboxes.
The IPS Signature DB is also used to examine the sniffed traffic, as well as traffic
generated during a files sandboxing scan.

FORTINET
You can use the CLI command status to view the overall health of FortiSandbox.
It provides information about the firmware version that is installed, the serial
number, and the system time. There is also the general status on the VM images as
well as a high level look at the status of the RAID for the device.

FORTINET
There are several CLI commands you can use to help troubleshoot issues with
connectivity. For example, ping, tcpdump, iptables, and traceroute.
The syntax for using ping and traceroute are standard. Use an FQDN or IP address
as the destination.
tcpdump and iptables are standard Linux commands, which are more complex in
their syntax. However, there is a lot of information available on how to use them on
the Internet.
One useful command for troubleshooting is the tcpdump. It is used to enable the
built-in sniffer that can capture the traffic arriving and leaving the FortiSandbox.

FORTINET
From the FortiSandbox web-based manager, you can see the list of information
updated through FortiGuard. This includes the virus definition, network alert version
and sandbox engine version details.
Another useful piece of information on this page is the details on the VM images. It
contains a list of names for each VM image the device uses to scan files with, along
with the operating system version information.

FORTINET
In this section, we will examine the process involved in activating Windows VM

images and some of the diagnostics available.

FORTINET
In order to activate Windows VMs, registration of the device on the support site is
not required. The keys are burned into the EPROM hardware for the devices, or
included in the VM license file.
The device includes several keys, but only one is activated in order to be compliant
with our Microsoft agreement. You can see and track the activations of different
keys in the Event logs.
The Windows keys are activated by being verified against the Microsoft servers
through port 3 and require ports 80 and 443 to be open. This is the same way any
normal Windows operating system is activated. In order to accomplish this, the
device must have access to the Internet and working DNS. After the VMs have been
activated, Internet access can be removed and FortiSandbox can be freely
rebooted. Since the VMs are already activated, they will not need to do so again.

FORTINET
Event logs show the sequence of events for activating all the various VM images.
In this example, the actual license keys have been removed for security reasons,
but on a real device you will see the product keys that are used, rather than Xs.
Each of the four VM images need to run through the activation process separately.
There are three log events associated with the full process of activation:
1. The device starts the activation process.
2. The Microsoft servers verify and accept the license key.
3. FortiSandbox finishes installing and setting up the VM image. This sequence
occurs for each of the VM images on the FortiSandbox.

FORTINET
You can use the CLI command vm-license l (lowercase L) to view the license keys
that are available on the device.

FORTINET
You can use the CLI command vm-status to view the status of the virtual machines.
This displays a list of the different master VM images FortiSandbox has loaded as
well as the status of their activation.
An initialized VM is one that has been activated with the Windows key, and the
cloning process has finished successfully.

FORTINET
You can view the VM initialization status through the System Information widget on
the Status page of the Web-based manager. It displays a green arrow if the
Windows VMs have properly initialized. Otherwise, it shows a yellow warning
indicator.

FORTINET
In this section, we will examine the process involved in activating Microsoft Office.

FORTINET
Microsoft Office activation is not performed online. The software verifies the
installation key locally. This is designed by Microsoft and is how MS Office behaves.
There is no online component to the registration of this particular software.
In order to activate MS Office, you must obtain a key file by registering your
FortiSandbox on the support site (support.fortinet.com) along with your device
contract. Once this is completed you can download a license file that activates the
Microsoft Office software installed on the VM images.
Note that the new FortiSandbox hardware does not have this requirement. The
addition of MS Office is fairly recent, so only the newer generation hardware has the
ability to have this information burned to the EPROM. You can tell if a FortiSandbox
is capable of this by looking at the serial number of the device.

FORTINET
For older hardware or VMs, once you download the MS Office license file from the
support site you can apply it through the web-based manager from the System
Information widget. Once the file is loaded, FortiSandbox activates the license and
the device automatically reboots.

FORTINET
After rebooting, the Microsoft Office software will complete the licensing along with
the instantiation of the VM images. This process of initializing the VMs takes a
couple of minutes to complete, so it will still show up as unlicensed immediately
after reboot.

FORTINET
As previously mentioned, the Windows Operating systems on a FortiSandbox must

be activated against the servers at Microsoft over the Internet. This is attempted
during the initial FortiSandbox boot up. It also happens if the VM images are
upgraded. For example, if you upgrade a device from a version 1 firmware to
version 2, the VMs images are upgraded and will need to reactivate afterwards
(assuming they were activated with the version 1 firmware).
The keys used to activate the VMs do not change and Microsoft only allows a
limited number of activations against a single key. This behavior is no different than
reinstalling Windows on your home computer.

FORTINET
If the logs indicate the Microsoft activation server will not allow the VMs to be
activated, you must contact Microsoft. Fortinet is using standard versions of the
Windows operating systems and does not have access to the Microsoft activation
servers.
1. Obtain the installation ID from the logs.

2. Split the installation ID into 9 groups of 6 digits, as per the example. This is simply
to make the number easier to manage.
3. Call the Microsoft Activation service. The contact information can be found by
searching the Microsoft website.
4. Through their phone system, select the option for Business Customer and follow
the automated prompts, providing the information that is required by Microsoft. This
should include the installation ID from steps 1 and 2.

FORTINET
5. Once your request has been accepted, you are provided a 48 digit number. You
will need this number so be certain to record it accurately.
6. From the CLI of the FortiSandbox, use the confirm-id command to enter the
activation key experiencing the issue and the confirmation id provided by Microsoft.
When entering the key and confirmation numbers, do not enter a space between the
flags (-k and c) and the values themselves.
7. Verify the details using the confirm-id l (lowercase L) command. This
displays the activation key(s) with the associated confirmation number.
8. If everything is correct, reboot the FortiSandbox and wait for the VM images to
finish activating against the Microsoft servers.

FORTINET

Register your device for support
Troubleshoot connectivity issues with FortiGate and FortiMail
Troubleshoot issues on FortiSandbox
Activate Windows VMs and Microsoft Office.

FortiSandbox Student Guide-Online

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiSandbox Student Guide-Online

Uploaded by

Copyright:

Available Formats

DO NOT REPRINT

We would like to acknowledge the following major contributors: Michael Liu

VIRTUAL LAB BASICS ...................................................................................5

Transferring Files to the VM ................................................................................................. 9

Using HTML5 Instead of Java .............................................................................................. 10

Screen Resolution ................................................................................................................ 10

International Keyboards ....................................................................................................... 11

Troubleshooting Tips ............................................................................................................ 12

INLINE DEPLOYMENT ....................................................................................14

Time to Complete ................................................................................................................. 14

Exercise 1: Communication with a FortiGate ....................................................................... 15

Exercise 2: Communication with a FortiMail ......................................................................... 27

SNIFFER DEPLOYMENT .................................................................................32

Time to Complete ................................................................................................................. 32

Exercise 1: Sniffer-based detection ...................................................................................... 33

Time to Complete ................................................................................................................. 34

Exercise 1: Manual File Submission..................................................................................... 35

Exercise 2: Scanning File Shares......................................................................................... 37

Exercise 3: Inspecting Suspicious URLs .............................................................................. 40

Time to Complete ................................................................................................................. 43

Exercise 1: Generating Reports ........................................................................................... 44

Time to Complete ................................................................................................................. 45

Exercise 1: FortiGate Diagnostics ........................................................................................ 46

Exercise 2: FortiMail Diagnostics ......................................................................................... 48

Exercise 3: FortiSandbox Diagnostics .................................................................................. 50

APPENDIX A: ADDITIONAL RESOURCES........................................................51

APPENDIX B: PRESENTATION SLIDES ...........................................................52

1 Sandboxing Concepts ...................................................................................................... 53

2 Basic Setup ...................................................................................................................... 100

4 Sniffer Deployment ........................................................................................................... 163

5 Other File Submission Methods and URL Scanning ........................................................ 176

6 Logs and Reports ............................................................................................................. 193

FortiSandbox Student Guide 6

port4 port5 eth0

FortiSandbox Student Guide 7

FortiSandbox Student Guide 8

FortiSandbox Student Guide 9

Transferring Files to the VM

FortiSandbox Student Guide 10

FortiSandbox Student Guide 11

FortiSandbox Student Guide 12

Note: JavaScript is not the same as Java...

Prepare your computer's settings:

FortiSandbox Student Guide 13

FortiSandbox Student Guide 14

FortiSandbox Student Guide 15

Exercise 1: Communication with a FortiGate

Initialize the configuration

config system interface

set allowaccess ping http https ssh telnet

FortiSandbox Student Guide 16

FortiSandbox Student Guide 17

execute ping 10.200.4.213

9. Open PuTTY and use SSH to connect to 10.0.1.254.

config system global

set timezone <your_timezone_ID>

Notifier Email: student@training.lab

Click Apply to save the changes.

FortiSandbox Student Guide 18

FortiSandbox Student Guide 19

Configure file inspection and submission

Configure these settings:

Inspection Mode: Proxy

Send Files to FortiSandbox Appliance for Inspection Enabled