
Configuring Local Sandbox Inspection

After local sandbox inspection is configured, the restored file is sent to the local sandbox connected to the FW for inspection. The FW periodically obtains file inspection results from the local sandbox and updates its cached malicious file and malicious URL lists accordingly. If subsequent traffic matches the malicious file or malicious URL list, the configured block or alert action is performed to prevent APT attacks.

Prerequisites

To use the local sandbox detection function, ensure that:

The local sandbox is usable and the FW can reach the local sandbox.

Currently, the local sandbox uses TCP ports 5002 and 5102. The FW interworks with the local sandbox through port 5002 and submits files to the local sandbox through port 5102. Therefore, you need to configure a security policy that permits traffic on these two ports.

On the web UI, the FW and local sandbox can transmit data only through HTTPS. The transmitted data is encrypted.

Procedure

  1. Set parameter values for the interworking between the FW and local sandbox.

    1. Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings > Local Sandbox.
    2. Click Enable of Local Sandbox Association.
    3. Set parameter values for the interworking between the FW and local sandbox.

      Parameter / Description

      Sandbox Address
        IP address of the cluster manager in the local sandbox.

      Sandbox Certificate
        Device certificate of the local sandbox.
        When the FW and local sandbox use HTTPS to transmit data, the FW can use the device certificate of the sandbox to verify the validity of the sandbox.
        The value NONE indicates that the FW does not authenticate the identity of the local sandbox.

      API-KEY
        API-KEY used by the local sandbox to authenticate the FW. The API-KEY values of the FW and local sandbox must be the same.

      Connection Status
        Connection status of the local sandbox.
        After the interworking with the local sandbox is enabled, this parameter is displayed as connection success or connection failure.

      File Detection Size Limits
        File type and size for traffic restoration and file inspection. For the specific files in each file type, see the File Type option in the APT defense profile.

    4. Click Apply to apply the configurations.

  2. Add the APT defense profile.

    1. Choose Object > Security Profiles > APT Defense.
    2. Click Add in the APT Defense Profile List page.
    3. Configure the name and description of the APT defense profile.

      Parameter / Description

      Name
        Name of the APT defense profile.

      Description
        Description of the APT defense profile. A description helps identify the function of a specific profile.

  3. Configure sandbox inspection.

    Select Enable to enable sandbox inspection. By default, sandbox inspection is enabled. If sandbox inspection is disabled, network traffic will not be sent to the sandbox for inspection.

    Parameter / Description

    Protocol
      File protocols to inspect:
      • File transfer protocols
        • HTTP
        • HTTPS
        • FTP
      • Email protocols
        • SMTP
        • POP3
        • IMAP
      • File sharing protocols
        • NFS
        • SMB

    Upload
      Upload traffic is inspected.

    Download
      Download traffic is inspected.

    File Type
      Select the types of files sent to the local sandbox for inspection.

    Sandbox Type
      Local sandbox

    Sandbox Connectivity
      Sandbox connectivity status:
      • Connection succeeded.
      • Connection failed.
      If the connection failed, you can click Configuration to set the parameters for the FW to interwork with the local sandbox.

  4. Click OK.
  5. Reference the APT defense profile in security policies.

    1. Choose Policy > Security Policy > Security Policy.
    2. Select an APT defense profile for the target policy. For details on how to configure security policies, see Configuring a Security Policy Using the Web UI.
    3. Click OK.

  6. Log in to the local FireHunter (https://ip:port), choose Configuration > Device, and add an interworking device.
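The prerequisites and the interworking parameters in step 1 above are the settings most worth checking before they are applied: the two TCP ports must be permitted by security policy, the API-KEY must match on both sides, and a Sandbox Certificate of NONE leaves the sandbox identity unverified over HTTPS. The following script is an added example, not Huawei's code and not the FW's configuration API; the field names mirror the web UI parameters, while the rule layout returned by required_policy_rules(), the finding strings and the sample IP addresses and certificate bytes are assumptions of this example.

```python
"""Pre-apply checks for the FW <-> local sandbox interworking settings.

Added example; not Huawei's own code and not the FW's configuration API.
The field names mirror the web UI parameters described above; the rule
layout returned by required_policy_rules() is an assumed neutral format,
not Huawei CLI syntax.
"""
import hashlib
import hmac
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP ports the local sandbox listens on, from the prerequisites above:
# 5002 for interworking with the FW, 5102 for file submission.
SANDBOX_PORTS = {"interworking": 5002, "file-submission": 5102}


@dataclass
class LocalSandboxSettings:
    """The values entered under Sandbox Collaboration Settings > Local Sandbox."""
    sandbox_address: str                  # Sandbox Address (cluster manager IP)
    sandbox_certificate: Optional[bytes]  # DER bytes of the sandbox device cert; None means NONE
    api_key: str                          # API-KEY shared with the local sandbox


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_settings(settings: LocalSandboxSettings, sandbox_api_key: str,
                   presented_cert_der: Optional[bytes] = None) -> List[str]:
    """Return findings (ERROR/WARNING strings) for the settings; an empty list means clean.

    sandbox_api_key is the API-KEY configured on the sandbox side, and
    presented_cert_der is the device certificate the sandbox actually serves
    (exported by the sandbox administrator), when available.
    """
    findings: List[str] = []

    try:
        ipaddress.ip_address(settings.sandbox_address)
    except ValueError:
        findings.append(f"ERROR: Sandbox Address {settings.sandbox_address!r} is not a valid IP address")

    if settings.sandbox_certificate is None:
        # As the parameter table states: NONE means the FW does not authenticate the sandbox.
        findings.append("WARNING: Sandbox Certificate is NONE; the FW will not verify the sandbox identity over HTTPS")
    elif presented_cert_der is not None and not hmac.compare_digest(
            cert_fingerprint(settings.sandbox_certificate), cert_fingerprint(presented_cert_der)):
        findings.append("ERROR: configured Sandbox Certificate does not match the certificate the sandbox presents")

    if not settings.api_key:
        findings.append("ERROR: API-KEY is empty")
    elif not hmac.compare_digest(settings.api_key.encode(), sandbox_api_key.encode()):
        findings.append("ERROR: API-KEY on the FW differs from the API-KEY on the local sandbox")

    return findings


def required_policy_rules(fw_address: str, sandbox_address: str) -> List[Dict[str, object]]:
    """The two permit rules the prerequisites call for, in an assumed neutral rule layout."""
    return [
        {"name": f"fw-to-sandbox-{role}", "source": fw_address, "destination": sandbox_address,
         "protocol": "tcp", "dest_port": port, "action": "permit"}
        for role, port in SANDBOX_PORTS.items()
    ]


def probe_sandbox_ports(sandbox_address: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Live reachability check: attempt a TCP connect to each sandbox port."""
    reachable: Dict[int, bool] = {}
    for port in SANDBOX_PORTS.values():
        try:
            with socket.create_connection((sandbox_address, port), timeout=timeout):
                reachable[port] = True
        except OSError:
            reachable[port] = False
    return reachable


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.x is documentation address space.
    sample = LocalSandboxSettings("192.0.2.10", None, "example-api-key")
    for finding in check_settings(sample, "example-api-key"):
        print(finding)
    for rule in required_policy_rules("192.0.2.1", sample.sandbox_address):
        print(rule)
```

Run check_settings() against the values you intend to enter (with the sandbox administrator's copy of the API-KEY and exported device certificate), resolve every ERROR, and treat the NONE warning as a deliberate decision rather than a default. probe_sandbox_ports() needs network access to the sandbox and is the quick way to tell a security-policy gap from a sandbox-side problem when Connection Status shows connection failure.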

Follow-up Procedure

You can access https://local sandbox IP:port to view the detection list and report of files submitted by the FW to the local sandbox.

Copyright © Huawei Technologies Co., Ltd.