
Configuring Cloud Sandbox Inspection

After cloud sandbox inspection is configured, the FW sends each restored file to the cloud sandbox it is connected to for inspection. The FW periodically obtains the file inspection results from the cloud sandbox and updates its cached malicious file and malicious URL lists accordingly. If subsequent traffic matches the malicious file or malicious URL list, the block or alert action is performed to prevent APT attacks.

Prerequisites

To use the cloud sandbox detection function, ensure that:

  • You have activated a valid license.

    Before purchasing a cloud sandbox license, you can choose System > License Management, select Cloud Sandbox License Trial as the license activation mode, and click Activate to use the cloud sandbox on a trial basis.

    After the trial license of the cloud sandbox is activated, the six-month trial period starts. The trial can be used only once on each device. If a license is purchased and activated during the trial period, the trial becomes invalid, and function items are activated according to the content of the purchased license. The validity period of the purchased license runs from the time it is activated to the end of the service period.

  • You have configured the address of a DNS server that can correctly resolve the domain name sec.huawei.com.
  • The FW has loaded the cloud sandbox component.
  • The FW can reach sec.huawei.com and is properly connected to the cloud sandbox.
  • Currently, the cloud sandbox listens on TCP port 12443. To allow the FW to communicate with the cloud sandbox, a security policy must be configured on the FW to permit traffic to this port.
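The two network prerequisites above (the DNS server must resolve sec.huawei.com, and the FW must be able to reach the cloud sandbox on TCP port 12443) are the ones most often behind a "connection failed" status. The script below is an added example, not Huawei's code and not a feature of the FW: it runs both checks from any host on the same path as the FW and tells the operator which prerequisite is likely unmet. The resolver and connector are injectable so the decision logic can be exercised without network access; the host name and port are the values given on this page.

```python
# Added example (not Huawei's code): check the two cloud-sandbox network
# prerequisites from the page, DNS resolution of sec.huawei.com and TCP
# reachability of port 12443. Resolver/connector are injectable for testing.
import socket
from typing import Callable, Dict, List

SANDBOX_HOST = "sec.huawei.com"   # name the FW must resolve (from the page)
SANDBOX_PORT = 12443              # cloud sandbox TCP port (from the page)


def default_resolver(host: str) -> List[str]:
    """Resolve a host name to its addresses through the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def default_connector(address: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if a TCP handshake to address:port completes."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sandbox_prerequisites(
    resolver: Callable[[str], List[str]] = default_resolver,
    connector: Callable[[str, int], bool] = default_connector,
    host: str = SANDBOX_HOST,
    port: int = SANDBOX_PORT,
) -> Dict[str, object]:
    """Run the DNS and TCP checks and return a structured result.

    dns_ok is False if the name does not resolve; tcp_ok is True only if at
    least one resolved address accepts a TCP connection on the sandbox port.
    hint names the prerequisite from the page that is probably unmet.
    """
    result: Dict[str, object] = {"host": host, "port": port, "addresses": [],
                                 "dns_ok": False, "tcp_ok": False, "hint": ""}
    try:
        result["addresses"] = resolver(host)
    except OSError:
        result["addresses"] = []
    result["dns_ok"] = bool(result["addresses"])
    if not result["dns_ok"]:
        result["hint"] = (f"DNS server cannot resolve {host}; "
                          f"check the DNS server address configured on the FW")
        return result
    result["tcp_ok"] = any(connector(addr, port) for addr in result["addresses"])
    if not result["tcp_ok"]:
        result["hint"] = (f"no TCP connection to {host}:{port}; check routing and "
                          f"the security policy permitting TCP port {port}")
    return result


if __name__ == "__main__":
    # Live run against the real resolver and network (needs connectivity).
    print(check_sandbox_prerequisites())
```

Run it from a host in the same security zone as the FW's uplink so that the same routing and policy apply; if `dns_ok` is true but `tcp_ok` is false, the DNS prerequisite is met and the security policy or route for TCP 12443 is the thing to look at.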

Context

The FW has a default APT defense profile named default. You cannot modify or delete the default profile. The following functions are enabled in the default profile:
  • Malicious URL detection.

  • File reputation detection. The protocol type, direction, and default action are listed in the following table.

    Table 1 Protocol type, direction, and default action of inspected files

    Protocol   File Detection (Upload)   File Detection (Download)   Default Action
    HTTP       Enable                    Enable                      Block
    HTTPS      Enable                    Enable                      Block
    FTP        Enable                    Enable                      Block
    SMTP       Enable                    -                           Alert
    POP3       -                         Enable                      Alert
    IMAP       Enable                    Enable                      Alert
    NFS        Enable                    Enable                      Alert
    SMB        Enable                    Enable                      Block

  • Sandbox detection. The following table lists the sandbox detection parameters.

    Table 2 Sandbox detection parameters

    Protocol   Sandbox Inspection (Upload)   Sandbox Inspection (Download)
    HTTP       Enable                        Enable
    HTTPS      Enable                        Enable
    FTP        Enable                        Enable
    SMTP       Enable                        -
    POP3       -                             Enable
    IMAP       Enable                        Enable
    NFS        Enable                        Enable
    SMB        Enable                        Enable

    File Type: BAT, CLASS, PE32, MSI, HLP, JAR, DOC, RTF, XLS, PPT, PDF, SWF, VBS, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, ELF, MSP, VSD, APK, MST.

    Sandbox Type: Cloud sandbox.

The FW supports user-defined APT defense profiles. You can configure the preceding functions and parameters as required.
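To make the interaction of these defaults concrete, the following simulation is an added example, not Huawei's code and not the FW's implementation. It encodes Table 1 (which protocol and direction pairs are inspected and the default block or alert action), Table 2 (the same pairs for sandbox submission), the default File Type list, and the file types that the NOTE under Upper Limits on Files to Be Detected says the cloud sandbox does not support. It then walks constructed files through the workflow described at the top of the page: first sight and submission, the periodic result poll that updates the cached malicious file and URL lists, and enforcement on subsequent traffic. The `RestoredFile` fields, the sha256 cache key, and the verdict format are assumptions of the example; no cloud sandbox is contacted.

```python
# Added example, not Huawei's code: simulates the default APT defense profile
# described above (Table 1, Table 2, the default File Type list and the
# unsupported types from the NOTE under "Upper Limits on Files to Be
# Detected"). Sandbox verdicts below are constructed; nothing is contacted.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Table 1: protocol -> (upload inspected, download inspected, default action).
# Table 2 enables sandbox inspection for exactly the same protocol/direction
# pairs, so one table drives both decisions.
PROFILE: Dict[str, Tuple[bool, bool, str]] = {
    "HTTP": (True, True, "block"),  "HTTPS": (True, True, "block"),
    "FTP": (True, True, "block"),   "SMTP": (True, False, "alert"),
    "POP3": (False, True, "alert"), "IMAP": (True, True, "alert"),
    "NFS": (True, True, "alert"),   "SMB": (True, True, "block"),
}
# Default File Type list of the default profile (from the page).
DEFAULT_FILE_TYPES: Set[str] = set(
    "BAT CLASS PE32 MSI HLP JAR DOC RTF XLS PPT PDF SWF VBS DOCX PPTX XLSX "
    "WPS DPS ET RAR ZIP GZ 7Z CAB BZIP2 TAR EML ELF MSP VSD APK MST".split())
# Types the NOTE says the cloud sandbox does not support; never submitted.
UNSUPPORTED_FILE_TYPES: Set[str] = set(
    "CMD VBE RB PY POWERSHELL JSE WSF LNK TXT PSD".split())


@dataclass
class RestoredFile:
    protocol: str   # e.g. "HTTP"
    direction: str  # "upload" or "download"
    file_type: str  # type identified by the FW, e.g. "PE32" (assumed field)
    sha256: str     # digest used as cache key (assumed; values are constructed)


@dataclass
class SandboxCollaboration:
    """FW side of the workflow: submit, poll results, cache, enforce."""
    pending: Dict[str, RestoredFile] = field(default_factory=dict)
    malicious_files: Set[str] = field(default_factory=set)
    malicious_urls: Set[str] = field(default_factory=set)

    def handle_file(self, f: RestoredFile) -> str:
        """Return the action the FW takes for one restored file."""
        proto = f.protocol.upper()
        if proto not in PROFILE:
            return "pass: protocol not inspected"
        upload, download, action = PROFILE[proto]
        if not (upload if f.direction == "upload" else download):
            return f"pass: {proto} {f.direction} not inspected"
        if f.sha256 in self.malicious_files:   # cached verdict wins
            return action                       # block or alert per Table 1
        ftype = f.file_type.upper()
        if ftype in UNSUPPORTED_FILE_TYPES or ftype not in DEFAULT_FILE_TYPES:
            return "pass: file type not sent to cloud sandbox"
        if f.sha256 not in self.pending:
            self.pending[f.sha256] = f
            return "pass: submitted to cloud sandbox"
        return "pass: verdict pending"

    def handle_url(self, url: str) -> str:
        """Malicious URL detection against the cached list."""
        return "block" if url in self.malicious_urls else "pass"

    def poll_results(self, verdicts: Dict[str, Tuple[str, List[str]]]) -> int:
        """Periodic poll: merge sha256 -> (verdict, urls) into the caches.
        Returns the number of newly cached malicious files."""
        added = 0
        for sha, (verdict, urls) in verdicts.items():
            if sha not in self.pending:
                continue    # result for a file this FW never submitted
            del self.pending[sha]
            if verdict == "malicious":
                self.malicious_files.add(sha)
                self.malicious_urls.update(urls)
                added += 1
        return added


def demo() -> Dict[str, str]:
    """Walk constructed traffic through the workflow; returns each decision."""
    fw = SandboxCollaboration()
    dropper = RestoredFile("HTTP", "download", "PE32", "sha256:constructed-dropper")
    mail = RestoredFile("SMTP", "download", "DOCX", "sha256:constructed-doc")
    script = RestoredFile("FTP", "upload", "PY", "sha256:constructed-script")
    out = {
        "first_sight": fw.handle_file(dropper),
        "repeat_pending": fw.handle_file(dropper),
        "smtp_download": fw.handle_file(mail),
        "unsupported_type": fw.handle_file(script),
    }
    # Constructed verdict, as if returned by the cloud sandbox on the next poll.
    fw.poll_results({dropper.sha256: ("malicious", ["http://sample.invalid/constructed"])})
    out["after_poll_http"] = fw.handle_file(dropper)
    out["after_poll_imap"] = fw.handle_file(
        RestoredFile("IMAP", "upload", "PE32", dropper.sha256))
    out["url"] = fw.handle_url("http://sample.invalid/constructed")
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:17} -> {decision}")
```

Two points the run makes visible that the tables alone do not: the first copy of a file passes because the verdict arrives only on a later poll, so the cached lists protect against repeat transfers rather than the first one; and the same malicious hash is blocked over HTTP but only alerted on over IMAP, because the action is a per-protocol default of the profile, not a property of the verdict.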

Procedure

  1. Set parameter values for the interworking between the FW and cloud sandbox.

    1. Choose Object > Security Profiles > Global Configuration, and set Country to the country where the device resides.

      If you set the country where the FW resides before enabling the cloud sandbox function, the system schedules cloud sandbox services based on the configured country when the cloud sandbox function is enabled.

    2. Choose Object > Security Profiles > APT Defense > Sandbox Collaboration Settings > Cloud Sandbox.
    3. Click Enable of Cloud Sandbox Association.
    4. Set parameter values for the interworking between the FW and cloud sandbox.

      Parameter: Sandbox Deployment Region
      Description: Region in which the cloud sandbox is deployed.
        If you choose Object > Security Profiles > Global Configuration and select the country where the device resides, the FW automatically obtains the sandbox deployment area, and you do not need to enter it manually. You can also schedule the sandbox of a specified area through Sandbox Deployment Region.

      Parameter: Specify Deployment Region
      Description: This configuration item is displayed only after you click Specify Deployment Region next to Sandbox Deployment Region.
        sec.huawei.com identifies the areas where schedulable cloud sandboxes reside and reports them to the FW. These areas become the selectable sandbox deployment areas. If you do not configure this item or set it to NONE, the FW automatically obtains the sandbox deployment areas based on the country specified in the global configuration. If no country is specified in the global configuration, cloud sandbox scheduling fails.

      Parameter: Cloud Account
      Description: Account registered on isecurity.huawei.com for login to the cloud.
        After you configure the cloud account on the FW, you can use this account to log in to isecurity.huawei.com and view the detection results of files previously submitted by the FW to the cloud sandbox.
        Whether this account is configured on the FW does not affect the FW's connection to and use of the cloud sandbox.

      Parameter: Connection Status
      Description: Connection status of the cloud sandbox.
        After interworking with the cloud sandbox is enabled, this parameter shows connection success (the IP address and region of the cloud sandbox are also displayed) or connection failure.

      Parameter: Upper Limits on Files to Be Detected
      Description: File type and size for traffic restoration and file inspection. For the specific files in each file type, see the File Type option in the APT defense profile.
        NOTE: The cloud sandbox does not support image files, web page files, media files, or other files (including CMD, VBE, RB, PY, POWERSHELL, JSE, WSF, LNK, TXT, and PSD files).

  2. Add the APT defense profile.

    1. Choose Object > Security Profiles > APT Defense.
    2. Click Add in the APT Defense Profile List page.
    3. Configure the name and description of the APT defense profile.

      Parameter: Name
      Description: Name of the APT defense profile.

      Parameter: Description
      Description: Description of the APT defense profile. A description helps identify the function of a specific profile.

  3. Configure sandbox inspection.

    Select Enable to enable sandbox inspection. Sandbox inspection is enabled by default. If it is disabled, network traffic is not sent to the sandbox for inspection.

    Parameter: Protocol
    Description: File protocols for inspection:
    • File transfer protocols
      • HTTP
      • HTTPS
      • FTP
    • Email protocols
      • SMTP
      • POP3
      • IMAP
    • File sharing protocols
      • NFS
      • SMB

    Parameter: Upload
    Description: Upload traffic is inspected.

    Parameter: Download
    Description: Download traffic is inspected.

    Parameter: File Type
    Description: Select the types of files sent to the cloud sandbox for inspection.

    Parameter: Sandbox Type
    Description: Cloud sandbox.

    Parameter: Sandbox Connectivity
    Description: Sandbox connectivity status:
    • Connection succeeded.
    • Connection failed.
    • Cloud sandbox component package not loaded.

    If the connection failed, you can click Configuration to set the parameters for the FW to interwork with the cloud sandbox.

  4. Click OK.
  5. Reference the APT defense profile in security policies.

    1. Choose Policy > Security Policy > Security Policy.
    2. Select an APT defense profile for the target policy. For details on how to configure security policies, see Configuring a Security Policy Using the Web UI.
    3. Click OK.

Follow-up Procedure

You can use the cloud account to log in to isecurity.huawei.com and view the detection list and report of files submitted by the FW to the cloud sandbox. You can also manually submit files to the cloud sandbox for detection.

Copyright © Huawei Technologies Co., Ltd.