The following example configuration sets up FortiSandbox integration using AntiVirus, Web Filtering, and a FortiClient profile. This configuration assumes that a connection has already been established between the FortiSandbox Appliance and the FortiGate.
- Go to Security Profiles > AntiVirus and edit the default profile. Under Inspection Options, enable both Send Files to FortiSandbox Appliance for Inspection and Use FortiSandbox Database. Select Apply.
- Go to Security Profiles > Web Filter and edit the default profile. Under Static URL Filter, enable Block malicious URLs discovered by FortiSandbox. Select Apply.
- Go to Security Profiles > FortiClient Profiles and edit the default profile. Under AntiVirus, enable Realtime Protection, then enable Scan Downloads, followed by Scan with FortiSandbox. Enter the IP of the FortiSandbox, then enable Use FortiSandbox signatures. Select Apply.
- Go to Policy & Objects > IPv4 Policy and view the policy list. If a policy has AntiVirus and Web Filtering scanning applied, the profiles will be listed in the Security Profiles column. If scanning needs to be added to any security policy (excluding the Implicit Deny policy), select the + button in the Security Profiles column for that policy, then select the default AntiVirus Profile, the default Web Filter Profile, the appropriate Proxy Options, and the deep-inspection profile for SSL Inspection Options (to ensure that encrypted traffic is inspected).
- Select OK.
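As a complement to checking the Security Profiles column by hand, the following added example (not part of the original guide and not Fortinet tooling) audits the `config firewall policy` section of a configuration backup and reports accept policies that lack the default AntiVirus profile, the default Web Filter profile, or the deep-inspection profile. The sample configuration is constructed, and the script assumes the backup uses the `av-profile`, `webfilter-profile` and `ssl-ssh-profile` keywords.

```python
import re

# Constructed sample of a FortiGate configuration backup (not taken from the guide).
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set action accept
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
    edit 2
        set action accept
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 3
        set action deny
    next
end
'''

# Profiles the steps above attach to each policy (keyword names are an assumption).
REQUIRED = {"av-profile": "default", "webfilter-profile": "default",
            "ssl-ssh-profile": "deep-inspection"}

def parse_policies(text):
    """Return {policy_id: {setting: value}} for the 'config firewall policy' section."""
    section = re.search(r"^config firewall policy\n(.*?)^end$", text, re.M | re.S)
    policies, current = {}, None
    for line in (section.group(1).splitlines() if section else []):
        line = line.strip()
        if line.startswith("edit "):
            current = policies.setdefault(line.split()[1], {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            current[m.group(1)] = m.group(2)
    return policies

def audit(text):
    """Return {policy_id: [gaps]} for accept policies missing a required profile."""
    findings = {}
    for pid, cfg in parse_policies(text).items():
        gaps = [f"{k}={cfg.get(k, '<unset>')}" for k, v in REQUIRED.items() if cfg.get(k) != v]
        if cfg.get("action") == "accept" and gaps:
            findings[pid] = gaps
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Deny policies are skipped, mirroring the exclusion of the Implicit Deny policy in the step above.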
If your FortiGate discovers a suspicious file, it will now be sent to the FortiSandbox. To view information on the FortiGate about the files that have been sent, go to FortiView > FortiSandbox to see a list of file names and current status.
To view results on the FortiSandbox, go to the Dashboard and view the Scanning Statistics widget. There may be a delay before results appear on the FortiSandbox.
Open FortiClient using a Windows PC on the internal network. Make sure it is registered to your FortiGate. Go to AntiVirus > Realtime Protection Enabled and edit the settings. You will see that the Realtime Protection settings match the FortiClient Profile configured on the FortiGate. These settings cannot be changed using FortiClient.
If a PC running FortiClient downloads a suspicious file that the FortiSandbox determined was malicious, a quarantine would be applied automatically. While the quarantine is in effect, FortiClient cannot be shut down on the PC, and it cannot be uninstalled or unregistered from the FortiGate. The quarantine can only be released from the FortiClient Monitor on the FortiGate.