peterrr
New Member
January 10, 2022
Solved

FortiSandbox outbound internet access

  • January 10, 2022
  • 3 replies
  • 4012 views

Hello all,

I've had a look through the documentation, but can't find any information about what URL access FortiSandbox needs to function properly. We'd like to lock down the internet access the devices have, but need to make sure we don't cause any problems.

Can anyone point me in the right direction?

Best answer by ede_pfau

3 replies

ede_pfau
SuperUser (best answer)
January 16, 2022

Well, the main task in building a sandbox is disguising it to be one. That is, if the malware finds out that the environment is restricted or somewhat 'different' from a regular host, it might decide to lay low and wait for better days, thus avoiding detection. That's the last thing you want.

Therefore, the internet access for FSA VMs must not be restricted or blocked in any way. The sandbox will monitor the malware's behavior and judge accordingly. I trust FTNT that it will stop the host communication once it is sure that this is indeed malware. I'd say that in 99% of all infections the main damage is done to the infected host, not to other hosts on the internet, at least in the beginning, before downloading more malware from a C&C server. So, malware action will not run forever, and in favor of keeping the disguise up you should allow unrestricted access to the internet.

peterrr (author)
New Member
January 17, 2022

Hello Ede,

Thanks for your response. It is very clear and logical, and makes me wonder why I didn't think about the VMs needing unfettered internet access in the first place. I have a support case open, so will perhaps update if support have a different response, but otherwise I think your explanation answers my question.

peterrr (author)
New Member
January 17, 2022

Here is the official documentation; actually, it doesn't include unrestricted web access for VMs:

https://docs.fortinet.com/document/fortigate/6.0.0/fortinet-communication-ports-and-protocols/367832/fortisandbox-open-ports

ede_pfau
SuperUser
January 17, 2022

@peterrr: this only covers outbound ports for FSA generated traffic, not traffic from VMs. The Admin Guide says:


FortiSandbox uses port3 to allow scanned files to access the Internet. The Internet visiting behavior is an important factor to determine if a file is malicious. As malicious files are infectious, ensure that the connection for port3 is isolated but can also access the Internet. Do not allow this connection to belong to or be able to access any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

So, while this does not explicitly request unrestricted outbound access, it's still best practice to do so IMHO. I might have picked this up in a FTNT training or from an SE.