`VERSION 2.3.2
`
`Page 1 of 191
`
`Netskope Exhibit 1005
`
`
`
`FORTINET DOCUMENT LIBRARY
`http://docs.fortinet.com
`
`FORTINET VIDEO GUIDE
`http://video.fortinet.com
`
`FORTINET BLOG
`https://blog.fortinet.com
`
`CUSTOMER SERVICE & SUPPORT
`https://support.fortinet.com
`
`FORTIGATE COOKBOOK
`http://cookbook.fortinet.com
`
`FORTINET TRAINING SERVICES
`http://www.fortinet.com/training
`
`FORTIGUARD CENTER
`http://www.fortiguard.com
`
`END USER LICENSE AGREEMENT
`http://www.fortinet.com/doc/legal/EULA.pdf
`
`FEEDBACK
`Email: techdocs@fortinet.com
`
`November 09, 2016
`
`FortiSandbox 2.3.2 Administration Guide
`
`34-232-380472-20161109
`
`TABLE OF CONTENTS
`
`Change Log
`Introduction
`What's new in FortiSandbox 2.3.2
`About this document
`Connecting to the Command Line Interface
`Using the GUI
`GUI overview
`Connecting to the GUI
`Default port information
`Dashboard
`Customizing the dashboard
`Dashboard Settings
`Change the system host name
`Change the administrator password
`Change the GUI idle timeout
`Configure the system time
`Microsoft Windows VM license activation
`Microsoft Office license upload and activation
`Log out of the unit
`Visit online help
`Update the FortiSandbox firmware
`Update the system utilities version
`Server overrides
`Reboot and shutdown the unit
`Backup or restore the system configuration
`FortiView
`Operation Center
`Threats by Hosts
`Threats by Hosts - level 1
`Threats by Hosts - level 2
`Threats by Hosts - level 3
`Threats by Hosts - level 4
`Threats by Files
`Threats by Files - level 1
`Threats by Files - level 2
`Threats by Files - level 3
`Threats by Files - level 4
`Threats by Devices
`Threats by Devices - level 1
`Threats by Devices - level 2
`Threats by Devices - level 3
`Threats by Devices - level 4
`Search
`Network
`Interfaces
`Failover IP
`DNS Configuration
`Static Routing
`System
`Administrators
`Certificates
`LDAP Servers
`RADIUS Servers
`Mail Server
`SNMP
`Configuring the SNMP agent
`MIB files
`FortiGuard
`Login Disclaimer
`Settings
`Virtual Machine
`VM Status
`VM Images
`Clone Number for VM Image
`VM Screenshot
`Scan Policy
`Scan Profile
`File types
`Scan Profile Part One
`Scan Profile Part 2
`File Scan Priority
`General
`How to improve system scan performance
`White/Black Lists
`YARA Rules
`URL Category
`Supporting URL Pre-Filtering for DLL files
`Job Archive
`Malware Package Options
`Configuration
`URL Package Options
`Configuration
`IOC Package
`Scan Input
`File Input
`File and URL On Demand
`File On-Demand
`Job Queue
`Sniffer
`Device
`Supported Devices
`FortiClient
`Adapter
`Configure Carbon Black/Bit9 Server
`Configure ICAP Client
`Network Share
`Quarantine
`Malware Package
`URL Package
`HA-Cluster
`Centrally manage Slave nodes on the Master node
`Requirements before Configuring a HA Cluster
`Master's Role and Slave's Role
`Configure a cluster level fail-over IP set for Master unit
`Main HA Cluster CLI Commands
`Example configuration
`What happens during a failover
`Upgrading or rebooting a Cluster
`In-line mode
`In-line mode in core environments
`In-line mode in distributed enterprise environments
`Health Check
`Job Summary
`Status
`HA Cluster Information
`File Detection
`Summary Report
`Analysis Details
`Malicious Files
`Suspicious Files
`Clean/Unknown Files
`Network Alerts
`Summary Report
`Network Alerts
`URL Detection
`Summary Report
`Suspicious URLs
`Clean/Unknown URLs
`Search
`View details
`Log & Report
`About Logs
`Log Details
`Logging Levels
`Raw logs
`Log Categories
`Log Servers
`Viewing Logs in FortiAnalyzer
`Customizing the log view
`Columns
`Report Access
`Generate reports
`Appendix A - Reset a Lost Password
`Appendix B - Hot Swapping Hard Disks
Appendix C - Create a Customized Virtual Machine Image using Pre-Configured VMs
Appendix D - Create a Customized Virtual Machine Image using your own ISO
`
`
`Change Log
`
Date: Change Description

2016-11-03: Initial release.

2016-11-09: Updated Appendix C: Create a Customized Virtual Machine > Step 7 Install the Customized VM Image to FortiSandbox and Apply It > CLI command: vm-customized -cf -mproduct.list -t<ftp|scp> -s<server_ip> -u<username> -p<password> -f</meta_file_path> -v<custom_vm_name>
`
`Introduction
`
`Fighting today’s Advanced Persistent Threats (APTs) requires a multi-layer approach. FortiSandbox
`offers the ultimate combination of proactive mitigation, advanced threat visibility, and comprehensive
`reporting. More than just a sandbox, FortiSandbox deploys Fortinet’s award-winning, dynamic antivirus
`and threat scanning technology, dual level sandboxing, and optional integrated FortiGuard cloud
`queries to beat Advanced Evasion Techniques (AETs) and deliver state-of-the-art threat protection.
`
`Fortinet’s dynamic scanning is based on our custom Compact Pattern Recognition Language (CPRL)
`and ASIC hardware acceleration. The result is fast, powerful detection, unique to Fortinet, that uses a
`single signature to identify tens of thousands of variations of viral code. FortiSandbox utilizes advanced
`detection, dynamic antivirus scanning, and threat scanning technology to detect viruses and APTs. It
`leverages the FortiGuard web filtering database to inspect and flag malicious URL requests, and is able
`to identify threats that standalone antivirus solutions may not detect.
`
`FortiSandbox works with your existing devices, like FortiGate, FortiWeb, FortiClient and FortiMail, to
`identify malicious and suspicious files and network traffic. It has a complete extreme antivirus database
`that will catch viruses that may have been missed.
`
`FortiSandbox can be configured to sniff traffic from the network, scan files on a network share with a
`pre-defined schedule, quarantine malicious files, and receive files from FortiGate, FortiWeb, FortiMail,
`and FortiClient. For example, FortiMail 5.2.0 and later allows you to forward email attachments to
`FortiSandbox for advanced inspection and analysis. Files can also be uploaded directly to it for
`sandboxing through the web GUI or JSON API. You can also submit a website URL to scan to help you
`identify web pages hosting malicious content before users attempt to open the pages on their host
`machines.
`
`FortiSandbox executes suspicious files in the VM host module to determine if the file is High, Medium,
`or Low Risk based on the behavior observed in the VM sandbox module. The rating engine scores each
`file from its behavior log (tracer log) that is gathered in the VM module and, if the score falls within a
`certain range, a risk level is determined.
`
`The following table lists infection types and attacks that are identified by FortiSandbox.
`
Infection Type: Description

Infector: Infector malware is used to steal system and user information. The stolen information is then uploaded to command and control servers. Once the infector installs on a computer, it attempts to infect other executable files with malicious code.

Worm: Worm malware replicates itself in order to spread to other computers. This type of malware does not need to attach itself to an existing program. Worms, like viruses, can damage data or software.

Botnet: Botnet malware is used to distribute malicious software. A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform a task. Computers that are infected by botnet malware can be controlled remotely. This type of malware is designed for financial gain or to launch attacks on websites or networks.

Hijack: Hijack malware attempts to hijack the system by modifying important registry keys or system files.

Stealer: Stealer malware is used to harvest login credentials of standalone systems, networks, FTP, email, game servers and other websites. Once the system is infected, the malware can be customized by the attacker.

Backdoor: Backdoor malware installs a network service for remote access to your network. This type of malware can be used to access your network and install additional malware, including stealer and downloader malware.

Injector: Injector malware injects malicious code into system processes to perform tasks on its behalf.

Rootkit: Rootkit malware attempts to hide its components by replacing vital system executables. Rootkits allow malware to bypass antivirus detection as they appear to be necessary system files.

Adware: Adware malware is a software package which attempts to access advertising websites. Adware displays these unwanted advertisements to the user.

Dropper: Dropper malware is designed to install malicious software to the target system. The malware code may be contained within the dropper or downloaded to the target system once activated.

Downloader: Downloader malware attempts to download other malicious programs.

Trojan: Trojan malware is a hacking program which gains privileged access to the operating system to drop a malicious payload, including backdoor malware. Trojans can be used to cause data damage, system damage, data theft or other malicious purposes.

Riskware: Riskware malware has security critical functions which pose a threat to the computer.

Grayware: Grayware malware is a classification for applications that behave in a manner that is annoying or undesirable. Grayware includes spyware, adware, dialers, and remote access tools that are designed to harm the performance of computers on your network.

Unknown: No definitions currently exist for this type of attack.
`
`FortiSandbox scans executable (Windows .exe and .dll script files), JavaScript, Microsoft Office,
`Adobe Flash, PDF, archives, and other file types the user defines. JavaScript and PDF are the two
`common software types that malware uses to execute malicious code. For example, JavaScript is often
`used to create heap sprays and inject malicious code to execute in other software products such as
`Adobe Reader (PDF).
`
When malware is scanned inside a FortiSandbox VM environment, FortiSandbox scans its outgoing
traffic for connections to botnet servers and determines the nature of the traffic and connection hosts.
`
`Key features of FortiSandbox include:
`
- Dynamic Antimalware updates/Cloud query: Receives updates from FortiGuard Labs and sends queries to the FortiSandbox Community Cloud in real time, helping to intelligently and immediately detect existing and emerging threats.
- Code emulation: Performs lightweight sandbox inspection in real time for best performance, including certain malware that uses sandbox evasion techniques and/or only executes with specific software versions.
- Full virtual environment: Provides a contained runtime environment to analyze high risk or suspicious code and explore the full threat life cycle.
- Advanced visibility: Delivers comprehensive views into a wide range of network, system and file activity, categorized by risk, to help speed incident response.
- Network Alert: Inspects network traffic for requests to visit malicious sites, establish communications with C&C servers and other activity indicative of a compromise. It provides a complete picture of the victim host's infection cycle.
- Manual analysis: Allows security administrators to manually upload malware samples via the FortiSandbox web GUI or JSON API to perform virtual sandboxing without the need for a separate appliance.
- Optional submission to FortiSandbox Community Cloud: Tracer reports, malicious files and other information may be submitted to FortiSandbox Community Cloud in order to receive remediation recommendations and updated in-line protections.
- Scheduled scan of network shares: Performs a scheduled scan of network shares in Network File System (NFS) v2 to v4 and Common Internet File System (CIFS) formats to quarantine suspicious files.
- Scan job archive: You can archive scan jobs to a network share for backup and further analysis.
- Website URL scan: Scans websites to a certain depth for a predefined time period.
- Cluster supporting High Availability: Provides a non-interruption, high performance system for malware detection.
`
`What's new in FortiSandbox 2.3.2
`
`To view a detailed list of the new features and enhancements in FortiSandbox 2.3.2, please see the
`FortiSandbox 2.3.2 Release Notes available at the Fortinet Document Library.
`
`About this document
`
`This document describes how to configure and manage your FortiSandbox system and the connected
`FortiGate/FortiMail devices.
`
FortiSandbox system documentation assumes that you have one or more Fortinet products such as
FortiGate/FortiMail units, the Fortinet system documentation, and that you are familiar with configuring
your Fortinet devices before using the FortiSandbox system.
`
`To configure your FortiGate device to submit files to FortiSandbox, your
`FortiGate must be running FortiOS or FortiOS Carrier version 5.0.4 and later or
`5.2.0 and later.
`For more information, see The FortiOS Handbook in the Fortinet Document
`Library.
`
`To configure your FortiMail email gateway to identify suspicious or high risk
`files in email and submit them to FortiSandbox, your FortiMail must be running
`FortiMail version 5.2.0 and later.
`For more information, see the FortiMail 5.2 Administration Guide in the
`Fortinet Document Library.
`
To configure your FortiClient to send files to the FortiSandbox and receive results, your FortiClient must be running FortiClient 5.4.0 and later.
For more information, see the FortiClient 5.4.0 Administration Guide in the
Fortinet Document Library.

To configure your FortiWeb to submit files for FortiSandbox to evaluate, your
FortiWeb must be running 5.4.0 and later.
`For more information, see the FortiWeb 5.4.0 Administration Guide in the
`Fortinet Document Library.
`
`Connecting to the Command Line Interface
`
`The FortiSandbox CLI commands are intended to be used for initial device configuration and
`troubleshooting. The FortiSandbox device is primarily configured using the GUI. You can enable SSH
`and Telnet access on the port1 (administration) interface and access the CLI through SSH or Telnet to
`troubleshoot the device including RAID related hard disk issues. You can also connect to the CLI
`through the console port.
`
`To connect to the CLI through the console port:
`
`1. Connect the FortiSandbox unit console port to the management computer using the provided console
`cable.
`2. Start a terminal emulation program on the management computer.
`3. Use the following settings:
`
   Serial line to connect to: COM1
   Speed (baud): 9600
   Data bits: 8
   Stop bits: 1
   Parity: None
   Flow Control: None
`
`4. Press Open to connect to the FortiSandbox CLI. The login as page is displayed.
`5. Type a valid administrator name and press Enter.
`6. Type the password for this administrator and press Enter.
`For more information on FortiSandbox CLI commands, see Appendix A: CLI Reference.
`
`Using the GUI
`
`This section describes general information about using the GUI to access the FortiSandbox system
`from within a web browser. This section also explains common GUI tasks that an administrator does on
`a regular basis.
`
`GUI overview
`
`The GUI is a user-friendly interface for configuring settings and managing the FortiSandbox unit. The
`GUI can be accessed from a web browser on any management computer.
`
`Connecting to the GUI
`The FortiSandbox unit is configured and managed using the GUI. This section will step you through
`connecting to the unit via the GUI.
`
To quickly locate a menu item, you can enter the term in the Search bar located at the top of the left side panel.
`
`Information messages for certain pages will be displayed in the Message Bar
`located at the top of the right side panel. Messages will disappear after a few
`seconds.
`
`To connect to the FortiSandbox GUI:
`
`1. Connect the port1 (administration) interface of the device to a management computer using the
`provided Ethernet cable.
`2. Configure the management computer to be on the same subnet as the internal interface of the
`FortiSandbox unit:
`a. Browse to Network and Sharing Center > Change adapter settings > Local Area Connection
`Properties > Internet Protocol Version 4 (TCP/IPv4) Properties. These directions may vary
`based on the version of your operating system.
`b. Change the IP address of the management computer to 192.168.0.2 and the network mask
`to 255.255.255.0.
`3. Start a supported web browser and browse to https://192.168.0.99.
`4. Type admin in the Name field, leave the Password field blank, and select Login.
`You can now proceed with configuring your FortiSandbox unit.
`
`If the network interfaces have been configured differently during installation,
`the URL and/or permitted administrative access protocols may no longer be in
`their default state.
`
`Default port information
FortiSandbox treats Port1 as reserved for device management, and Port3 as reserved for the Windows
VM to communicate with the outside network. The other ports are used for file input and
communication among cluster nodes. In Cluster mode, FortiSandbox uses TCP ports 2015 and 2018
for cluster internal communication.
`
`The following tables list the default open ports for each FortiSandbox interface.
`
`FortiSandbox 3500D and 3000E default ports
`
Port1 (Type: RJ-45)
Default open ports: 22 (SSH), 23 (Telnet), 80 and 443 (GUI), 514 (OFTP communication with FortiGate, FortiWeb, FortiClient & FortiMail), SNMP local query port.

FortiGuard Distribution Servers (FDS) use 8890 for download. The FortiSandbox will use a random port picked by the kernel.

FortiGuard Web Filtering servers use UDP port 53 or 8888. The FortiSandbox will use a random port picked up by the kernel.

The Sandbox Community Cloud uses UDP port 53 or 8888 and TCP port 443. The FortiSandbox will use a random port picked up by the kernel.

If you configure an internal mail server, internal DNS server, remote syslog server, LDAP server, SNMP managers, NTP server, or override the web filtering server IP address, communication is recommended to be through this interface. Ensure that the applicable routing is configured.

Port2, Port4 (Type: RJ-45)
Default open ports: No service listens except OFTP.

Port3 (Type: RJ-45)
Default open ports: No service listens. Reserved for guest VM to communicate with the outside network.

Port5, Port6 (Type: SFP+)
Default open ports: No service listens except OFTP.
`
`FortiSandbox 3000D default ports
`
Port1 (Type: RJ-45)
Default open ports: 22 (SSH), 23 (Telnet), 80 and 443 (GUI), 514 (OFTP communication with FortiGate, FortiWeb, FortiClient & FortiMail). SNMP local query port.

FortiGuard Distribution Servers (FDS) use 8890 for download. The FortiSandbox will use a random port picked by the kernel.

FortiGuard Web Filtering servers use UDP port 53 or 8888. The FortiSandbox will use a random port picked up by the kernel.

The Sandbox Community Cloud uses UDP port 53 or 8888 and TCP port 443. The FortiSandbox will use a random port picked up by the kernel.

If you configure an internal mail server, internal DNS server, remote syslog server, LDAP server, SNMP managers, NTP server, or override the web filtering server IP address, communication is recommended to be through this interface. Ensure that the applicable routing is configured.

Port2, Port4 (Type: RJ-45)
Default open ports: All ports are open.

Port3 (Type: RJ-45)
Default open ports: All ports are open. Reserved for guest VM to communicate with the outside network.

Port5, Port6 (Type: SFP)
Default open ports: All ports are open.

Port7, Port8 (Type: SFP+)
Default open ports: All ports are open.
`
`FortiSandbox 1000D default ports
`
Port1 (Type: RJ-45)
Default open ports: 22 (SSH), 23 (Telnet), 80 and 443 (GUI), 514 (OFTP communication with FortiGate, FortiWeb, FortiClient & FortiMail).

FortiGuard Distribution Servers (FDS) use 8890 for download. The FortiSandbox will use a random port picked by the kernel.

FortiGuard Web Filtering servers use UDP port 53 or 8888. The FortiSandbox will use a random port picked up by the kernel.

The Sandbox Community Cloud uses UDP port 53 or 8888 and TCP port 443. The FortiSandbox will use a random port picked up by the kernel.

If you configure an internal mail server, internal DNS server, remote syslog server, LDAP server, SNMP managers, NTP server, or override the web filtering server IP address, communication is recommended to be through this interface. Ensure that the applicable routing is configured.

Port2, Port4, Port5, Port6 (Type: RJ-45)
Default open ports: All ports are open.

Port3 (Type: RJ-45)
Default open ports: All ports are open. Reserved for guest VM to communicate with the outside network.

Port7, Port8 (Type: SFP)
Default open ports: All ports are open.
`
All ports mentioned above are the same for both IPv4 and IPv6 protocols.
`
`You can dynamically change system firewall rules using the iptables CLI
`command. New rules will be lost after a system reboot.
`
`For more information on FortiSandbox 1000D, FortiSandbox 3000D, FortiSandbox 3500D, and
`FortiSandbox 3000E interfaces, see Network on page 45.
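
A baseline check against the default-port tables above, as an added example that is not part of the Fortinet guide: it parses Nmap grepable (-oG) output and reports TCP listeners that differ from the documented FortiSandbox 3500D/3000E defaults, and flags the cleartext management services (Telnet, HTTP) that the guide lists as open by default on Port1. The IP-to-interface mapping and the scan lines are constructed sample data; only TCP is checked, so the SNMP query port (no number is given in the guide) is left out.

```python
import re

# Documented default TCP listeners for FortiSandbox 3500D / 3000E, from the
# table above. SNMP is UDP and the guide gives no port number, so it is omitted.
DOCUMENTED_TCP = {
    "port1": {22, 23, 80, 443, 514},  # SSH, Telnet, GUI (HTTP/HTTPS), OFTP
    "port2": {514},                   # "No service listens except OFTP"
    "port3": set(),                   # reserved for guest VM traffic
    "port4": {514},
    "port5": {514},
    "port6": {514},
}

# Management services that carry credentials in cleartext.
CLEARTEXT = {23: "Telnet", 80: "HTTP"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {ip: set(open TCP ports)} from Nmap -oG output."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        ip, ports_field = m.groups()
        # Tab-separated fields such as "Ignored State: ..." may follow the ports.
        ports_field = ports_field.split("\t")[0]
        open_ports = result.setdefault(ip, set())
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return result


def audit(scan_text, ip_to_interface):
    """Compare observed listeners with the documented defaults per interface."""
    findings = []
    for ip, observed in sorted(parse_grepable(scan_text).items()):
        iface = ip_to_interface.get(ip)
        if iface is None:
            continue  # address is not a known FortiSandbox interface
        expected = DOCUMENTED_TCP[iface]
        for port in sorted(observed - expected):
            findings.append((iface, port, "undocumented listener"))
        for port in sorted(observed & set(CLEARTEXT)):
            findings.append((iface, port, f"cleartext {CLEARTEXT[port]} enabled"))
        for port in sorted(expected - observed - set(CLEARTEXT)):
            findings.append((iface, port, "documented default closed or filtered"))
    return findings


# Constructed sample: -oG output for two interfaces of one hypothetical unit.
# 192.168.0.99 is the guide's default Port1 address; 10.0.3.1 is made up.
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.0.99 ()\tStatus: Up\n"
    "Host: 192.168.0.99 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 514/open/tcp//shell///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (994)\n"
    "Host: 10.0.3.1 ()\tStatus: Up\n"
    "Host: 10.0.3.1 ()\tPorts: 514/open/tcp//shell///, 22/filtered/tcp//ssh///\n"
)
SAMPLE_MAP = {"192.168.0.99": "port1", "10.0.3.1": "port3"}

if __name__ == "__main__":
    for iface, port, issue in audit(SAMPLE_SCAN, SAMPLE_MAP):
        print(f"{iface:6} tcp/{port:<5} {issue}")
```

The 3000D and 1000D tables document "All ports are open" on the non-management interfaces, so a baseline for those models would only be meaningful for Port1.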
`
`Dashboard
`
`The System Status dashboard displays widgets that provide information and enable you to configure
`basic system settings. All of the widgets appear on a single dashboard, which can be customized as
`desired.
`
`If the unit is the master node in a cluster, the displayed data will be a summary
`of all nodes in the cluster, otherwise only the individual unit's data is displayed.
`
`The following widgets are available:
`
System Information: Displays basic information about the FortiSandbox system, such as the serial number, system up time, and license status information.

System Resources: Displays the real-time usage status of the CPU and memory. Hover the cursor over the memory dial to view the total system memory.

Scanning Statistics: Displays a table providing information about the files scanned over a selected time span. This includes Sniffer, Device(s), On Demand, Network, Adapter, and URL.

Scanning Activity: Displays the number of clean, suspicious, and malicious events that have occurred at specific times over a selected time period. Hover the cursor over a colored portion of a bar in the graph to view the exact number of events of the selected type that occurred at that time.

Sniffer Traffic Throughput: Displays sniffed traffic throughput across time.

Top Devices: Displays the total scanning jobs for the top five devices over a selected time interval. Hover the cursor over a bar in the graph to view the exact number of scanning jobs for that device.

Top Critical Logs: Displays recent critical logs, including the time they occurred and a brief description.

Pending Job Statistics: Displays pending scan job numbers for a period of time. This widget allows you to monitor the workload trend on your FortiSandbox.

Disk Monitor: Displays the RAID level and status, disk usage, and disk management information. This widget is only available in hardware based models.
`
`Customizing the dashboard
`
`The FortiSandbox system dashboard can be customized. You can select which widgets to display,
`where they are located on the page, and whether they are minimized or maximized.
`
`To move a widget
`
`Position your mouse cursor on the widget’s title bar, then click and drag the widget to its new location.
`
`To refresh a widget
`
`Select the refresh icon in the widget’s title bar to refresh the data presented in the widget.
`
`To add a widget
`
`In the dashboard toolbar, select Add Widget, then select the names of widgets that you want to add.
`To hide a widget, in its title bar, select the close icon.
`
`The following is a list of widgets you can add to your dashboard.
`
- System Information
- System Resources
- Scanning Statistics
- Scanning Activity
- Top Devices
- Top Critical Logs
- Pending Job Statistics
- Disk Monitor
- Sniffer Traffic Throughput
`
`Multiple widgets of the same type can be added to the dashboard. This can be
`useful for viewing information over different time intervals.
`
`To edit a widget
`
`Select the edit icon in the widget’s title bar to open the edit widget window.
`
`Configure the following information, and then select OK to apply your changes:
`
Custom widget title: Optionally, type a custom title for the widget. Leave this field blank to use the default widget title.

Refresh interval: Enter a refresh interval for the widget, in seconds.
Some widgets have default refresh values:
- Scanning Statistics: 600
- Top Devices: 300
- Scanning Activity: 300
- System Resources: 60
- Top Critical Logs: 3600
- Disk Monitor: 300

Top Count: Select the number of entries to display in the widget. The top count can be between 5 and 20 entries. This option is only available in the following widgets: Top Devices, Top Critical Logs.

Time Period: Select a time period to be displayed from the drop-down list. The options are: Last 24 hours, Last 7 days, Last 2 weeks. This option is only available on the following widgets: Scanning Statistics, Top Devices, Disk Monitor, and Scanning Activity.

Expand the right panel to full screen: Click the Full Screen button located in the upper right corner to toggle and only view the right side content.
`
`System Information
The System Information widget displays various information about the FortiSandbox unit and enables
you to configure basic system settings.
`
`This widget displays the following information and options:
`
Unit Type: The HA cluster status of the device: Standalone, Master, Primary Slave, or Regular Slave. Select [Change] to change the cluster status of the device.

Host Name: The name assigned to this FortiSandbox unit. Select [Change] to edit the FortiSandbox host name.

Serial Number: The serial number of this FortiSandbox unit. The serial number is unique to the FortiSandbox unit and does not change with firmware upgrades. The serial number is used for identification when connecting to the FortiGuard server.

System Time: The current time on the FortiSandbox internal clock or NTP server. Select [Change] to configure the system time.
`
Firmware Version: The version and build number of the firmware installed on the FortiSandbox unit. To update the firmware, you must download the latest version from the Fortinet Customer Service & Support portal. Select [Update] and select the firmware image to load from the local hard disk or network volume.

System Configuration: The date and time of the last system configuration backup. Select Backup/Restore to browse to the System Recovery page.

System Utilities Version: The current sandbox engine version. Select [Update] to go to the FortiGuard Modules page, where you can upload package files. In this page, you can also override the FortiGuard server address.

Current Administrator: The administrator that is currently logged on to the system.

Uptime: The duration of time that the FortiSandbox unit has been running since it booted up.

Windows VM: Microsoft Windows VM license activation and initialization status. Displays an up icon if the Microsoft Windows VM is activated and initialized. Displays a Caution icon if the Microsoft Windows VM is initializing or having issues. Hover the mouse pointer on the status icon to view detailed information.

In addition to the pre-installed default set of Windows VM images, the user can also purchase, download, and install extra Android, Windows 8.1 and Windows 10 image packages. The user should download their license file from the Fortinet Customer Service & Support portal. Then, click the [Upload License] link next to the Windows VM field. Browse to the license file on the management computer and click the Submit button. The system will reboot and activate the newly installed Windows 8.1/10 guest VMs.

Microsoft Office: Microsoft Office product activation status. Select to upload a Microsoft Office license file. Displays an up icon if the Microsoft Office is activated and initialized. Displays a Caution icon if the Microsoft Office is initializing or having issues. Hover the mouse pointer on the status icon to view detailed information. A warning is displayed when the license file is not available or has not been uploaded to FortiSandbox.
`
VM Internet Access: Displays the status of the FortiSandbox VM accessing the outside network. Displays an up icon if the VM can access the outside network. Displays a caution icon if the VM cannot access the outside network. Hover the mouse pointer on the status icon to view detailed information. If the VM cannot access the outside network, a simulated network (SIMNET) will start by default. SIMNET provides responses of popular network services, like http where certain malware is expected. If the VM internet access is down, beside the down icon, SIMNET status is displayed. Clicking it will enter the VM network configuration page. FortiSandbox VM accesses external network through port3. The next-hop gateway and DNS settings can be configured in Scan Policy > General > Allow Virtual Machines to access external network through outgoing port3.

FDN Download Server: Displays the status of the FDN download server. When the FDN download server is inaccessible, no update packages will be downloaded. Displays an up icon if the system can access the FDN download server. Displays a caution icon if the system cannot access the FDN download server. Hover the mouse pointer on the status icon to view detailed information.

Cloud Server: Displays the status of the Sandbox Community Cloud server. Displays an up icon if the system can access the cloud server. Displays a caution icon if the system cannot access the cloud server. Hover the mouse pointer on the status icon to view detailed information.

Web Filtering Server: Displays the status of the Web Filtering query server. Displays an up icon if the system can access the Web Filtering query server. Displays a caution icon if the system cannot access the Web Filtering query server. Hover the mouse pointer on the status icon to view detailed information.

Antivirus DB Contract: The date that the antivirus database contract expires. If the contract expires within 15 days, a warning icon will appear.

Web Filtering Contract: The date that the web filtering contract expires. If the contract expires within 15 days, a warning icon will appear.

Mobile Security: The date that the Android Sandbox engine contract expires. In this release, the contract follows that of the AntiVirus Database.
`
`Select the edit icon to type a custom widget title and enter the refresh interval.
`The default refresh interval is 300 seconds.
`
`System Resources
`This widget displays the following information and options:
`
CPU Usage: Gauges the CPU percentage usage.

Memory: Gauges the Memory percentage usage.

Reboot/Shutdown: Options to shut down or reboot the FortiSandbox device.
`
`Select the edit icon to type a custom widget title and enter the refresh interval.
`The default refresh interval is 30 seconds.
`
`Scanning Statistics
`The Scanning Statistics widget displays information about the files that have been scanned over a
`specific time period.
`
`This widget displays the following information:
`
Rating: The file rating refers to the rating categories.

Sniffer, Device(s), On Demand, Network, Adapter, All: The input type from which the files were received.

Malicious: The number of files scanned for each input type that were found to be malicious in the selected time period. Click the link to view the associated jobs.

Suspicious - High Risk: The number of files scanned for each input type that were found to be suspicious and posed a high risk in the selected time period. Click the link to view the associated jobs.

Suspicious - Medium Risk: The number of files scanned for each input type that were found to be suspicious and posed a medium risk in the selected time period. Click the link to view the associated jobs.

Suspicious - Low Risk: The number of files scanned for each input type that were found

Clean

Other

Processed

Pending
