
Configuring Local Sandbox Inspection

After local sandbox inspection is configured, the FW restores files from traffic and sends them to the connected local sandbox for inspection. The FW periodically retrieves the inspection results from the local sandbox and updates its cached malicious file and malicious URL lists accordingly. When subsequent traffic matches an entry in either list, the FW performs the configured block or alert action to stop APT attacks.

Prerequisites

To use the local sandbox function, ensure that the local sandbox is operational and that the FW can reach it over the network.

Currently, the local sandbox uses TCP ports 5002 and 5102. The FW uses port 5002 for interworking with the local sandbox and port 5102 for submitting files to it. Therefore, configure a security policy that permits traffic from the FW to the local sandbox on these two TCP ports.

Procedure

  1. Set parameter values for the interworking between the FW and local sandbox.

    1. Access the local sandbox view from the system view.

      sandbox default

    2. Set local sandbox parameters in the local sandbox view.
      • Enable the local sandbox interworking function.

        linkage enable

        By default, the local sandbox interworking function is disabled. While it is disabled, you can still configure the other parameters in the local sandbox view, but they take effect only after you run this command to enable the interworking function.

      • Set the local sandbox address.

        ip ip-address [ port port-number ]

      • (Optional) Configure the sandbox device certificate.

        server-certificate file-name

        Loading the certificate of the local sandbox lets the FW verify the identity of the sandbox it connects to. Configuring it is recommended so that the API key is presented only to the genuine sandbox and not to an arbitrary host answering at the configured address.

      • Configure the API key required in the local sandbox interworking.

        api-key api-key-value

        When the FW initiates a connection to the local sandbox, the sandbox uses the API key to authenticate the FW. Obtain the key from the local sandbox administrator; the value configured on the FW must match the one configured on the sandbox. Because anyone holding the key can authenticate to the sandbox as the FW, handle it as a credential.

      • Configure sizes of files sent to the local sandbox.

        file-set { exe | office | gzip | pdf | picture | web | media | other } max-size max-file-size

        The FW filters files of each type by size before submission. Files larger than the configured maximum for their type are not sent to the local sandbox, which reduces the load on the sandbox; note that such files therefore receive no sandbox verdict.

  2. Add the APT defense profile.

    1. Access the APT defense profile view from the system view.

      profile type aapt name name

    2. Configure the description of the APT defense profile in the APT defense profile view.

      description description

      A description helps identify the function of a specific profile.

  3. Configure sandbox inspection.

    • Configure the file protocol and file transfer direction subject to sandbox inspection.

      sandbox-detect protocol-type direction { both | download | upload }

    • Configure types of files that need to be sent to the sandbox for detection.

      file-type { name &<1-8> | all }

      By default, no file type is configured.

    • Set the sandbox type to the local sandbox.

      sandbox-type local

  4. (Optional) Run an interworking test toward the local sandbox to check the state of the connection to it.

    linkage try

  5. Reference the APT defense profile in security policies.

    profile aapt name

  6. Log in to the local FireHunter (https://ip:port), choose Configuration > Device, and add an interworking device.
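The following is an added, end-to-end example of steps 1 through 5 on the FW CLI, together with the prerequisite security policy; it is not from the original page or from Huawei. Everything not stated on this page is assumed: the sandbox address 10.1.1.20, the certificate file name firehunter.cer, the API key placeholder, the file-size values and their units, the protocol keywords http and smtp for sandbox-detect, the profile, rule and zone names, and the security-policy, rule name and service commands used to open TCP 5002 and 5102 (verify these against your FW version). Only the commands listed in the procedure above are taken from the page.

```text
# --- Prerequisite: let the FW reach the sandbox on TCP 5002 and 5102 ---
# (assumed rule, zone names and service syntax; the FW itself originates
#  these connections, so the source zone is the device's local zone)
system-view
security-policy
 rule name to_firehunter
  source-zone local
  destination-zone dmz
  destination-address 10.1.1.20 mask 255.255.255.255
  service protocol tcp destination-port 5002 5102
  action permit
 quit
quit

# --- Step 1: local sandbox interworking parameters ---
sandbox default
# assumed sandbox address; 5002 is the interworking port named in the prerequisites
 ip 10.1.1.20 port 5002
# optional; assumed file name of the sandbox certificate loaded beforehand
 server-certificate firehunter.cer
# placeholder; must match the key configured on the sandbox
 api-key <key-from-sandbox-admin>
# assumed size limits; larger files of each type are never submitted
 file-set exe max-size 10
 file-set office max-size 10
 file-set pdf max-size 5
# the parameters above take effect only once interworking is enabled
 linkage enable
 quit

# --- Steps 2 and 3: APT defense profile that uses the local sandbox ---
profile type aapt name fh_local
 description "Submit downloaded files to the local FireHunter"
# assumed protocol keywords; download-direction HTTP and both directions of SMTP
 sandbox-detect http direction download
 sandbox-detect smtp direction both
# all file types; replace with up to 8 named types to narrow submission
 file-type all
 sandbox-type local
 quit

# --- Step 4: confirm the FW can reach and authenticate to the sandbox ---
sandbox default
 linkage try
 quit

# --- Step 5: reference the profile in the policy that carries user traffic ---
# (assumed rule and zone names)
security-policy
 rule name internet_download
  source-zone trust
  destination-zone untrust
  action permit
  profile aapt fh_local
 quit
quit
```

Keep the prerequisite rule narrow: it only needs to allow the FW to the sandbox address on the two ports, not the reverse direction or the rest of the DMZ. Run linkage try after linkage enable and before relying on the profile, so an unreachable sandbox or a mismatched API key shows up in the test rather than as files silently going uninspected.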

Follow-up Procedure

You can access https://local sandbox IP:port to view the list and inspection reports of files that the FW submitted to the local sandbox.

Copyright © Huawei Technologies Co., Ltd.