Connect Secure SD-WAN to a sandbox service

Configure the settings that Secure SD-WAN uses to connect to the cloud sandbox or the local sandbox.

Before you begin

You must have a Sandbox Service element that defines the settings for the connection to the cloud sandbox or the local sandbox.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Configuration.
Right-click an engine, then select Edit <element type>.
Browse to Add-Ons > Sandbox.
From the Sandbox Type drop-down list, select one of the following options:
- Advanced Malware Detection & Protection
- Cloud Sandbox - Forcepoint Advanced Malware Detection
- Local Sandbox - Forcepoint Advanced Malware Detection
  Note:
  - To use a local sandbox, you must have a Forcepoint Advanced Malware Detection appliance.
  - The field options change as per the sandbox type that is selected from the Sandbox Type drop-down list.
  - The License Key and License Token are only used with Cloud Sandbox - Forcepoint Advanced Malware Detection and Local Sandbox - Forcepoint Advanced Malware Detection services.
  - The Advanced Malware Detection & Protection sandbox service does not use a License Key or License Token. Instead, the cloud service automatically identifies the caller engine license and the subscription status for the Advanced Malware Detection & Protection sandbox service.
  - The Advanced Malware Detection & Protection sandbox service is only supported on engine version 7.0.2 and higher.
Click Select next to the Sandbox Service field, then select a Sandbox Service element.
- For the cloud sandbox, select the Sandbox Service element that represents the data center that the engine contacts to request file reputation scans.
- For the local sandbox, select the Sandbox Service element that represents your Forcepoint Advanced Malware Detection appliance.
In the License Key field, enter or paste the license key for the connection to the sandbox service.

Note: This field is only displayed when the Cloud Sandbox - Forcepoint Advanced Malware Detection or Local Sandbox - Forcepoint Advanced Malware Detection option is selected from the Sandbox Type drop-down list.
In the License Token field, enter or paste the license token for the connection to the sandbox service.

Note: This field is only displayed when the Cloud Sandbox - Forcepoint Advanced Malware Detection or Local Sandbox - Forcepoint Advanced Malware Detection option is selected from the Sandbox Type drop-down list.
(Optional) Click Add next to the HTTP Proxies field, then select a http proxy element to add to the list.
Click Save and Refresh to transfer the changed configuration.

Result

You can now use the Forcepoint Advanced Malware Detection scan for malware detection in the File Filtering Policy.

Engine Editor > Add-Ons > Sandbox

Use this branch to select and configure sandbox servers for Secure SD-WAN Engines.

Option	Definition
Sandbox Type	Specifies which type of sandbox the Secure SD-WAN Engine uses for sandbox file reputation scans. None — The Secure SD-WAN Engine does not use a sandbox. Advanced Malware Detection & Protection — The engine uses the Advanced Malware Detection & Protection cloud service for sandbox analysis and file reputation scan. Note: This is a licensed service which requires a subscription to use. Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection. Local Sandbox - Forcepoint Advanced Malware Detection — The engine uses the local sandbox for Forcepoint Advanced Malware Detection. Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.

Option

Definition

Sandbox Type

Specifies which type of sandbox the Secure SD-WAN Engine uses for sandbox file reputation scans.

None — The Secure SD-WAN Engine does not use a sandbox.
Advanced Malware Detection & Protection — The engine uses the Advanced Malware Detection & Protection cloud service for sandbox analysis and file reputation scan.
Note: This is a licensed service which requires a subscription to use.
Cloud Sandbox - Forcepoint Advanced Malware Detection — The engine uses the cloud sandbox for Forcepoint Advanced Malware Detection.
Local Sandbox - Forcepoint Advanced Malware Detection — The engine uses the local sandbox for Forcepoint Advanced Malware Detection.
Note: To use the local sandbox for Forcepoint Advanced Malware Detection, you must have a Forcepoint Advanced Malware Detection appliance.

Option	Definition
When Sandbox Type is Advanced Malware Detection & Protection
Sandbox Service	Specifies the sandbox service that the engine contacts to request a file reputation with the file hash (SHA256), and if not found, sends the file for sandbox analysis. Click Select to select an element.
HTTP Proxies (Optional)	When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list.

Option

Definition

When Sandbox Type is Advanced Malware Detection & Protection

Sandbox Service

Specifies the sandbox service that the engine contacts to request a file reputation with the file hash (SHA256), and if not found, sends the file for sandbox analysis. Click Select to select an element.

HTTP Proxies

(Optional)

When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly.

Add — Allows you to add an HTTP Proxy to the list.

Remove — Removes the selected HTTP Proxy from the list.

Option	Definition
When Sandbox Type is Cloud Sandbox - Forcepoint Advanced Malware Detection
License Key (Optional)	The license key for the connection to the sandbox server. If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here. If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting. Note: The license defines the home data center where files are analyzed. Enter the key and license token for the data center that you want to use as the home data center. CAUTION: The license keys and license tokens allow access to confidential analysis reports. Handle the license key and license token securely.
License Token (Optional)	The license token for the connection to the sandbox server. If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here. If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service	Specifies the sandbox service that the engine contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies (Optional)	When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list.

Option	Definition
When Sandbox Type is Local Sandbox - Forcepoint Advanced Malware Detection
License Key (Optional)	The license key for the connection to the sandbox server. If you have not entered a license key in the properties of the Sandbox Service element, you must enter a license key here. If you have entered a license key in the properties of the Sandbox Service element, you can optionally enter a license key here to override the global setting.
License Token (Optional)	The license token for the connection to the sandbox server. If you have not entered a license token in the properties of the Sandbox Service element, you must enter a license key here. If you have entered a license token in the properties of the Sandbox Service element, you can optionally enter a license token here to override the global setting.
Sandbox Service	Specifies the sandbox service that the engine contacts to request file reputation scans. Click Select to select an element.
HTTP Proxies (Optional)	When specified, requests are sent through an HTTP proxy instead of the engine accessing the external network directly. Add — Allows you to add an HTTP Proxy to the list. Remove — Removes the selected HTTP Proxy from the list.

HTTP Proxy Properties dialog box

Use this dialog box to change the properties of an HTTP proxy.

Option	Definition
General tab
Name	The name of the element or the domain name of the proxy.
Resolve (Optional)	Automatically resolves the domain name in the Name field.
IP Address	Specifies the IPv4 or IPv6 address of the HTTP proxy.
Port	Specifies the TCP port number of the HTTP proxy. The default port is 8080.
User Name (Optional)	Specifies the user name for logging on to the HTTP proxy.
Password (Optional)	Specifies the password for logging on to the HTTP proxy. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Category (Optional)	Includes the element in predefined categories. Click Select to select a category.
Tools Profile	Adds commands to the right-click menu for the element. Click Select to select an element.
Comment (Optional)	A comment for your own reference.

Option	Definition
Monitoring tab
Log Server	The Log Server that monitors the status of the element.
Status Monitoring	When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile	Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception	Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile	Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone	Selects the time zone for the logs.
Encoding	Selects the character set for log files.
SNMP Trap Reception	Enables the reception of SNMP traps from the third-party device.
NetFlow Reception	Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).