Fortinet black logo

Cookbook

Troubleshooting

Copy Link
Copy Doc ID a4a06ec3-12a7-11e9-b86b-00505692583a:754915
Download PDF

Troubleshooting

The feature is not visible in the GUI

Confirm that the Inspection Mode is set to Proxy under System > Settings.

Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console:

config antivirus profile

edit default

set inspection-mode proxy

next

end

Error messages and/or conflicts

If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported protocols:

>config firewall profile-protocol-options

>edit default

>config smtp

>unset options splice

>next

>config http

>unset options clientcomfort

>next

>end

>end

You should also confirm the AntiVirus profile’s protocol settings under config antivirus profile:

  • ensure that set options scan is enabled on CDR-supported protocols
  • if set options av-monitor is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur)

The FortiSandbox service is unreachable

If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to authorize the FortiGate on the FortiSandbox.

On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.

Under Permissions & Policy, enable Authorized.

Troubleshooting

The feature is not visible in the GUI

Confirm that the Inspection Mode is set to Proxy under System > Settings.

Also check that the AntiVirus profile inspection mode is set to proxy using the CLI Console:

config antivirus profile

edit default

set inspection-mode proxy

next

end

Error messages and/or conflicts

If you receive an error message when attempting to enable Content Disarm and Reconstruction on the AntiVirus profile, check the Proxy Options settings in the CLI Console and disable splice and clientcomfort on CDR-supported protocols:

>config firewall profile-protocol-options

>edit default

>config smtp

>unset options splice

>next

>config http

>unset options clientcomfort

>next

>end

>end

You should also confirm the AntiVirus profile’s protocol settings under config antivirus profile:

  • ensure that set options scan is enabled on CDR-supported protocols
  • if set options av-monitor is configured on a CDR-supported protocol, it overrides the config content-disarm detect-only setting (and CDR will not occur)

The FortiSandbox service is unreachable

If testing the FortiSandbox connectivity returns a “Service is unreachable” error message, then you may need to authorize the FortiGate on the FortiSandbox.

On the FortiSandbox, go to Scan Input > Device and edit the entry for the FortiGate.

Under Permissions & Policy, enable Authorized.