Technical Tip: Identifying traffic from FortiSandbox Cloud IP addresses
| Description | This article describes specific Fortinet-owned IP addresses used by the FortiSandbox Cloud SaaS service. It explains why these addresses might appear in web server logs or WAF alerts as sources of unauthorized traffic. |
| Scope | FortiSandbox Cloud. |
Solution

WAF alerts. External security logs or web application firewalls (WAFs) sometimes detect traffic originating from Fortinet-owned IP addresses used for cloud security services. These specific IP addresses belong to the FortiSandbox Cloud SaaS infrastructure. Below is an example of the logs:

Why traffic is generated. The FortiSandbox Cloud service receives file submissions from customers worldwide and scans them for malicious activity. During analysis, files are executed in an isolated sandbox environment. If a submitted file contains instructions to communicate with an external URL or web server, the sandbox permits this outbound internet access so that the file's behavior can be recorded. Consequently, if a file under analysis references a specific domain, the FortiSandbox environment attempts to reach that server.

Observed traffic characteristics. Based on reported cases, the traffic exhibits the following traits:

Analysis of findings. The presence of this traffic does not indicate a breach or a direct attack from Fortinet. Instead, it signifies that a file being analyzed by the FortiSandbox service is attempting to interact with the target web server. This often happens when:
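As an added example (not part of the original article or Fortinet's own tooling), the script below shows how a web-server administrator could triage access-log entries against a list of FortiSandbox Cloud source ranges. The CIDRs are placeholders, since the article's actual address list is not reproduced here; the log lines are constructed samples in the Apache/Nginx "combined" format.

```python
import ipaddress
import re
from collections import Counter

# PLACEHOLDER ranges standing in for the Fortinet-owned FortiSandbox Cloud
# addresses the article refers to; substitute the published ranges in practice.
SANDBOX_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_sandbox_ip(ip_str):
    """True if the address falls inside one of the sandbox ranges (malformed input -> False)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in SANDBOX_RANGES)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Separate sandbox-sourced hits from the rest and tally what the sandbox requested.

    Each sandbox hit is keyed by (ip, method, path), so an analyst can see which
    paths a detonated sample tried to reach without treating the hits as an attack.
    """
    report = {"sandbox": Counter(), "other": 0, "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
        elif is_sandbox_ip(rec["ip"]):
            report["sandbox"][(rec["ip"], rec["method"], rec["path"])] += 1
        else:
            report["other"] += 1
    return report

# Constructed sample log lines: two from a placeholder sandbox range, one ordinary
# client, and one malformed line to exercise the unparsed path.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:15:32 +0000] "GET /download/setup.exe HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2024:10:15:33 +0000] "POST /api/check HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"',
    'not a log line',
]

if __name__ == "__main__":
    for key, count in triage(SAMPLE_LOG)["sandbox"].items():
        print("sandbox", key, count)
```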

