
Configuring Cloud Sandbox Inspection

After cloud sandbox inspection is configured, the FW sends each restored file to the cloud sandbox it is connected to for inspection. The FW periodically obtains file inspection results from the cloud sandbox and updates its cached malicious file and malicious URL lists accordingly. If subsequent traffic matches an entry in the malicious file or malicious URL list, the configured block or alert action is performed to prevent APT attacks.

Prerequisites

To use the cloud sandbox detection function, ensure that:

  • You have activated a valid license.
  • You have configured the address of a DNS server that can correctly resolve the domain name sec.huawei.com.
  • The FW has loaded the cloud sandbox component.
  • The FW can reach sec.huawei.com and is properly connected to the cloud sandbox.
  • Currently, the cloud sandbox listens on TCP port 12443. To allow the FW to communicate with the cloud sandbox, a security policy that permits traffic to this port must be configured on the FW.

Context

The FW has a default APT defense profile named default. You cannot modify or delete the default profile. The following functions are enabled in the default profile:
  • Malicious URL detection.

  • File reputation detection. The protocol type, direction, and default action are listed in the following table.
    Table 1 Protocol type, direction, and default action of inspected files

    Protocol | File Detection in the Upload Direction | File Detection in the Download Direction | Default Action
    HTTP     | Enable                                 | Enable                                   | Block
    HTTPS    | Enable                                 | Enable                                   | Block
    FTP      | Enable                                 | Enable                                   | Block
    SMTP     | Enable                                 | -                                        | Alert
    POP3     | -                                      | Enable                                   | Alert
    IMAP     | Enable                                 | Enable                                   | Alert
    NFS      | Enable                                 | Enable                                   | Alert
    SMB      | Enable                                 | Enable                                   | Block

  • Sandbox detection. The following table lists sandbox detection parameters.

    Table 2 Sandbox detection parameters

    Protocol | Sandbox Inspection in the Upload Direction | Sandbox Inspection in the Download Direction
    HTTP     | Enable                                     | Enable
    HTTPS    | Enable                                     | Enable
    FTP      | Enable                                     | Enable
    SMTP     | Enable                                     | -
    POP3     | -                                          | Enable
    IMAP     | Enable                                     | Enable
    NFS      | Enable                                     | Enable
    SMB      | Enable                                     | Enable

    File Type: BAT, CLASS, PE32, MSI, HLP, JAR, DOC, RTF, XLS, PPT, PDF, SWF, VBS, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, ELF, MSP, VSD, APK, MST.

    Sandbox Type: Cloud sandbox.

You can run the display profile type aapt name default command on the CLI to view the configuration information about the default profile.

The FW supports user-defined APT defense profiles. You can configure the preceding functions and parameters as required.

Procedure

  1. Set parameter values for the interworking between the FW and cloud sandbox.

    1. Access the system view.

      system-view

    2. Set the country where the FW device resides.

      country country-code

      If you set the country where the FW resides before enabling the cloud sandbox function, the system schedules cloud sandbox services based on the configured country when the cloud sandbox function is enabled.

    3. Configure the account name for the FW to log in to the cloud in the system view.

      cloud account-name account-name

      Apply for this account on isecurity.huawei.com. Whether the account is configured does not affect the FW's connection to or use of the cloud sandbox. The difference is as follows:
      • If the cloud account is not configured on the FW, you cannot view the detection results of files submitted by the FW to the cloud sandbox on isecurity.huawei.com.
      • If the cloud account is configured on the FW, you can use the account to log in to isecurity.huawei.com and view the detection results of files submitted by the FW to the sandbox.

    4. Access the cloud sandbox view from the system view.

      sandbox cloud

    5. Set cloud sandbox parameters in the cloud sandbox view.

      • Enable the cloud sandbox interworking function.

        linkage enable

        After the cloud sandbox component and license are successfully loaded, the cloud sandbox interworking function is enabled by default. If you disable it, you can still perform other configurations in the cloud sandbox view, but they take effect only after you run this command to enable the cloud sandbox interworking function again.

      • Specify the deployment region for the cloud sandbox.

        server deployment-region region-name

        When the cloud sandbox function is enabled, the system schedules cloud sandbox services based on the country configured using the country command (system view) and the deployment region configured using the server deployment-region command. If only the country is configured, the system schedules cloud sandbox services based on the country. If only the deployment region is configured, the system schedules cloud sandbox services based on the deployment region. If neither the country nor the deployment region is configured, the system cannot schedule cloud sandbox services.

      • Specify the CA certificate used by the device to interwork with the cloud sandbox through HTTPS.

        ca-certificate certificate-file-name

        By default, the device uses the preset CA certificate (default_ca.cer) to interwork with the cloud sandbox through HTTPS.

      • Specify the local certificate used by the device to interwork with the cloud sandbox through HTTPS.

        local-certificate certificate-file-name

        By default, the device uses the preset local certificate to interwork with the cloud sandbox through HTTPS.

      • Configure sizes of files sent to the cloud sandbox.

        file-set { exe | office | gzip | pdf } max-size max-file-size

        The FW filters files of each type by size. Oversized files are not sent to the cloud sandbox for detection, which reduces the load on the sandbox.

  2. Add the APT defense profile.

    1. Access the APT defense profile view from the system view.

      profile type aapt name name

    2. Configure the description of the APT defense profile in the APT defense profile view.

      description description

      A description helps identify the function of a specific profile.

  3. Configure sandbox inspection.

    • Configure the file protocol and file transfer direction subject to sandbox inspection.

      sandbox-detect protocol-type direction { both | download | upload }

    • Configure types of files that need to be sent to the sandbox for detection.

      file-type { name &<1-8> | all }

      By default, no file type is configured.

      The cloud sandbox does not support image files, web page files, media files, or other files (including CMD, VBE, RB, PY, POWERSHELL, JSE, WSF, LNK, TXT, and PSD files).

    • Set the sandbox type to the cloud sandbox.

      sandbox-type cloud

  4. Optional: Run an interworking test towards the cloud sandbox to check the state of the connection to it.

    linkage try

  5. Reference the APT defense profile in security policies.

    profile aapt name
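
    The whole procedure collected into one CLI session, as an added example that is not part of the Huawei documentation. The country code, account name, region name, file size limits, profile name, lowercase protocol keywords and the security-policy rule syntax (including the rule that satisfies the TCP 12443 prerequisite) are assumptions to be checked against the device's command reference; lines beginning with # are commentary, not commands.

```text
# Step 1: interworking parameters (system view). Country code and
# account name are assumed; the account is registered on isecurity.huawei.com.
system-view
 country CN
 cloud account-name example_account
 sandbox cloud
  linkage enable
# Region name is assumed; the country alone is also enough for scheduling.
  server deployment-region region-example
# Size limits are assumed values; check the unit in the command reference.
  file-set exe max-size 10240
  file-set office max-size 10240
  file-set pdf max-size 10240
  file-set gzip max-size 10240
  quit
# Steps 2 and 3: user-defined APT defense profile (profile name assumed).
 profile type aapt name apt_cloud
  description cloud-sandbox-web-mail
  sandbox-detect http direction both
  sandbox-detect https direction both
  sandbox-detect ftp direction both
  sandbox-detect smtp direction upload
  sandbox-detect pop3 direction download
  sandbox-detect imap direction both
  file-type PE32 DOC DOCX XLS XLSX PDF ZIP RAR
  sandbox-type cloud
  quit
# Step 4: test the connection to the cloud sandbox.
 sandbox cloud
  linkage try
  quit
# Step 5: security policy (rule syntax assumed). The first rule is the
# prerequisite that lets the FW itself reach the cloud sandbox on TCP 12443;
# the second applies the profile to user traffic.
 security-policy
  rule name permit_sandbox_link
   source-zone local
   destination-zone untrust
   service protocol tcp destination-port 12443
   action permit
  rule name inspect_user_traffic
   source-zone trust
   destination-zone untrust
   profile aapt apt_cloud
   action permit
```

    After the session, display profile type aapt name apt_cloud shows the user-defined profile in the same form as the default profile described under Context.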

Follow-up Procedure

You can use the cloud account to log in to isecurity.huawei.com and view the detection list and report of files submitted by the firewall to the cloud sandbox. You can also manually submit files to the cloud sandbox for detection.

Copyright © Huawei Technologies Co., Ltd.