ihaidar
Staff
Article Id 290955
Description: This article describes how to enable Sandboxing in FortiSASE.
Scope: FortiSASE, Sandboxing.
Solution:

FortiSASE includes an integrated Sandbox engine that is hosted in the cloud and orchestrated through the FortiSASE console. Enforcement, however, occurs locally on the endpoint through the FortiClient agent.

Go to Configuration -> Profile -> Default, open the Sandbox tab, and select the 'FortiSASE' option for sandbox mode to enable the built-in sandbox engine.

Configure the options as shown below:

Sandboxing.png

Verification:

  1. Wait for the next telemetry sync between the FortiClient endpoint and FortiSASE, then verify that a new SANDBOX DETECTION tab is present on the FortiClient agent.
  2. Open a browser on the Windows endpoint, enter rb3.ftnt.io/downloader, and press Enter to download the file as shown in the example below. This webpage contains a zero-day malware test file whose signature is unknown to FortiClient. Be aware that certain browsers, such as Chrome, might issue warnings or prevent the download of zero-day files such as this one. If this occurs, consider using an alternative browser (such as Microsoft Edge or Mozilla Firefox) and proceed with the file download despite any warnings.

Each time a new file with an unfamiliar signature is downloaded, FortiClient will initiate a file submission to the FortiSASE Sandbox engine. As depicted below, return to FortiClient and access the 'SANDBOX DETECTION' tab to confirm that the file has been submitted. Its initial verdict will be in a pending state until the cloud engine completes the sandbox process.

In the interim, while the file is under examination and its verdict remains unknown, opening or executing the file should be restricted. To confirm, locate the file in the file explorer and attempt to double-click on it; an error message should appear.

save sandbox.png

After a few minutes, FortiClient should receive the file verdict from the Sandbox engine and apply the configured action, as shown in the example below.

Sandbox last.png
