Fortinet black logo

Cookbook

Using FortiSandbox Cloud with antivirus

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:904357
Download PDF

Using FortiSandbox Cloud with antivirus

Feature overview

FortiSandbox Cloud allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It works the same way as the physical FortiSandbox appliance.

FortiSandbox Cloud allows you to control the region where your traffic is sent to for analysis. This allows you to meet your country's compliances regarding data storage locations.

Support and limitations

  • In FortiOS 6.2 and later, users do not require a FortiGate Cloud account to use FortiSandbox Cloud.
  • Without a valid AVDB license, FortiGate devices are limited to 100 FortiGate Cloud submissions per day.
  • Unlimited FortiGate Cloud submissions are allowed if the FortiGate has a valid AVDB license.
    • There is a limit on how many submissions are sent per minute.
    • Per minute submission rate is based on the FortiGate model.
  • FortiSandbox can be used with antivirus in both proxy-based and flow-based policy inspection modes.
  • With FortiSandbox enabled, Full Scan mode antivirus can do the following:
    • Submit only suspicious files to FortiSandbox for inspection.
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.
  • Quick Scan mode antivirus cannot submit suspicious files to FortiSandbox. It can only do the following:
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.

Network topology example

Configuring the feature

To configure antivirus to work with an external block list, the following steps are required:

  1. Through FortiCare/FortinetOne, register the FortiGate device and purchase a FortiGuard antivirus license
  2. Enable FortiSandbox Cloud on the FortiGate
  3. Enable FortiSandbox inspection
  4. Enable the use of the FortiSandbox database
To obtain or renew an AVDB license:
  1. Please see the video How to Purchase or Renew FortiGuard Services for FortiGuard antivirus license purchase instructions.
  2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
    1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.

    2. Users can also view this indicator at Global > System > FortiGuard.

To enable FortiSandbox Cloud on the FortiGate:
  1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On position.

  2. Select FortiSandbox Cloud and choose a region from the dropdown list.

  3. Select Apply to save the settings.

  4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox's current database version is displayed.

To enable FortiSandbox inspection:
  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.

  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.

  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.

  5. Select Apply.
To enable the use of the FortiSandbox database:
  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On position.

  3. Select Apply.

Diagnostics and debugging

  • Checking FortiGate Cloud controller status:
    FGT_FL_FULL (global) # diagnose test application forticldd 2
    Server: log-controller, task=0/10, watchdog is off
    Domain name: logctrl1.fortinet.com
    Address of log-controller: 1
            172.16.95.168:443
            Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago
    http connection: is not in progress
            Current address: 172.16.95.168:443
            Calls: connect=9, rxtx=12
    Current tasks number: 0
    Account: name=empty, status=0, type=basic
    Current volume: 0B
    Current tasks number: 0
    Update timer fires in 74240 secs
  • Checking Cloud APT server status:
    FGT_FL_FULL (global) # diagnose test application forticldd 3
    Debug zone info:
        Domain:
        Home log server: 0.0.0.0:0
        Alt log server: 0.0.0.0:0
        Active Server IP:      0.0.0.0
        Active Server status:  down
        Log quota:      0MB
        Log used:       0MB
        Daily volume:   0MB
        fams archive pause: 0
        APTContract : 1                           <====
        APT server: 172.16.102.51:514             <====
        APT Altserver: 172.16.102.52:514          <====
        Active APTServer IP:      172.16.102.51   <====
        Active APTServer status:  up              <====
  • FortiSandbox Cloud diagnostics:
    FGT_FL_FULL (global) # diagnose test application quarantine 1
    Total remote&local devices: 4, any task full? 0
    System have disk, vdom is enabled, mgmt=3, ha=1
    xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
        addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=1, hmac_alg=0
        License=0, content_archive=0, arch_pause=0.
    
    global-fas is disabled.
    forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
        addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=1, hmac_alg=0
    fortisandbox-fsb1 is disabled.
    fortisandbox-fsb2 is disabled.
    fortisandbox-fsb3 is disabled.
    fortisandbox-fsb4 is disabled.
    fortisandbox-fsb5 is disabled.
    fortisandbox-fsb6 is disabled.
    global-faz is disabled.
    global-faz2 is disabled.
    global-faz3 is disabled.
  • Checking FortiSandbox Cloud submission statistics:
    FGT_FL_FULL (global) # diagnose test application quarantined 2
    Quarantine daemon state:
    QUAR mem: mem_used=0, mem_limit=97269, threshold=72951
    dropped(0 by quard, 0 by callers)
    pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1
    alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0
    tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0
    xfer-fas:
        ips: total=0, handled=0, accepted=0
        quar: total=0, handled=0, accepted=0
        archive: total=0, handled=0, accepted=0
        analytics: total=0, handled=0, accepted=0, local_dups=0
        analytics stats: total=0, handled=0, accepted=0
        last_rx=0, last_tx=0, error_rx=0, error_tx=0
        max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
    forticloud-fsb:
        ips: total=0, handled=0, accepted=0
        quar: total=0, handled=0, accepted=0
        archive: total=0, handled=0, accepted=0
        analytics: total=0, handled=0, accepted=0, local_dups=0
    num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm='Sun Feb 17 00:00:00 2019
    '
        analytics stats: total=24, handled=24, accepted=24
        last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0
        max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
  • Checking FortiSandbox analysis statistics:
    FGT_FL_FULL (global) # diagnose test application quarantine 7
    Total: 0
    
    Statistics:
            vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
            vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
            vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
    
    FGT_FL_FULL (global) #
  • Update Daemon debug:
    FGT_FL_FULL (global) # diagnose debug application quarantined -1
    FGT_FL_FULL (global) # diagnose debug enable
    
    quar_req_fsa_file()-890: fsa ext list new_version (1547781904)
    quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
    __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
    [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
    [551] ssl_ctx_create_new_ex: SSL CTX is created
    [578] ssl_new: SSL object is created
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
    __quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=99
    quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0
    __quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
    __quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
    quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
    quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
    quar_put_job_req()-332: Job 337 deleted
    quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
    __quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
    __quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=98
    ...
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
    __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
    [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
    [551] ssl_ctx_create_new_ex: SSL CTX is created
    [578] ssl_new: SSL object is created
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
    __quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
    quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
    quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
    quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
    quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
    quar_put_job_req()-332: Job 2 deleted
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
    [193] __ssl_data_ctx_free: Done
    [805] ssl_free: Done
    [185] __ssl_cert_ctx_free: Done
    [815] ssl_ctx_free: Done
    [796] ssl_disconnect: Shutdown
  • Appliance FortiSandbox diagnostics:
    FGT_PROXY # config global
    FGT_PROXY (global) # diagnose test application quarantined 1
    Total remote&local devices: 8, any task full? 0
    System have disk, vdom is enabled, mgmt=1, ha=2
    xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
        addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=0, hmac_alg=0
        License=0, content_archive=0, arch_pause=0.
    
    global-fas is disabled.
    forticloud-fsb is disabled.
    fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    global-faz is disabled.
    global-faz2 is disabled.
    global-faz3 is disabled.

Using FortiSandbox Cloud with antivirus

Feature overview

FortiSandbox Cloud allows users to take advantage of FortiSandbox features without having to purchase, operate, and maintain a physical appliance. It works the same way as the physical FortiSandbox appliance.

FortiSandbox Cloud allows you to control the region where your traffic is sent to for analysis. This allows you to meet your country's compliances regarding data storage locations.

Support and limitations

  • In FortiOS 6.2 and later, users do not require a FortiGate Cloud account to use FortiSandbox Cloud.
  • Without a valid AVDB license, FortiGate devices are limited to 100 FortiGate Cloud submissions per day.
  • Unlimited FortiGate Cloud submissions are allowed if the FortiGate has a valid AVDB license.
    • There is a limit on how many submissions are sent per minute.
    • Per minute submission rate is based on the FortiGate model.
  • FortiSandbox can be used with antivirus in both proxy-based and flow-based policy inspection modes.
  • With FortiSandbox enabled, Full Scan mode antivirus can do the following:
    • Submit only suspicious files to FortiSandbox for inspection.
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.
  • Quick Scan mode antivirus cannot submit suspicious files to FortiSandbox. It can only do the following:
    • Submit every file to FortiSandbox for inspection.
    • Do not submit anything.

Network topology example

Configuring the feature

To configure antivirus to work with an external block list, the following steps are required:

  1. Through FortiCare/FortinetOne, register the FortiGate device and purchase a FortiGuard antivirus license
  2. Enable FortiSandbox Cloud on the FortiGate
  3. Enable FortiSandbox inspection
  4. Enable the use of the FortiSandbox database
To obtain or renew an AVDB license:
  1. Please see the video How to Purchase or Renew FortiGuard Services for FortiGuard antivirus license purchase instructions.
  2. Once a FortiGuard license has been purchased or activated, users will be provided with a paid FortiSandbox Cloud license.
    1. Go to Global > Main Dashboard to view the FortiSandbox Cloud license indicator.

    2. Users can also view this indicator at Global > System > FortiGuard.

To enable FortiSandbox Cloud on the FortiGate:
  1. Go to Global > Security Fabric > Settings and set the Sandbox Inspection toggle to the On position.

  2. Select FortiSandbox Cloud and choose a region from the dropdown list.

  3. Select Apply to save the settings.

  4. When the FortiGate is connected to the FortiSandbox Cloud, FortiSandbox's current database version is displayed.

To enable FortiSandbox inspection:
  1. Go to Security Profiles > AntiVirus.
  2. Enable FortiSandbox inspection by selecting either Suspicious Files Only or All Supported Files.

  3. Files can be excluded from being sent to FortiSandbox based on their file types by choosing from a list of supported file types.

  4. Files can also be excluded from being sent to FortiSandbox by using wild card patterns.

  5. Select Apply.
To enable the use of the FortiSandbox database:
  1. Go to Security Profiles > AntiVirus.
  2. Enable use of the FortiSandbox database by setting the Use FortiSandbox Database toggle to the On position.

  3. Select Apply.

Diagnostics and debugging

  • Checking FortiGate Cloud controller status:
    FGT_FL_FULL (global) # diagnose test application forticldd 2
    Server: log-controller, task=0/10, watchdog is off
    Domain name: logctrl1.fortinet.com
    Address of log-controller: 1
            172.16.95.168:443
            Statistics: total=3, discarded=1, sent=2, last_updated=12163 secs ago
    http connection: is not in progress
            Current address: 172.16.95.168:443
            Calls: connect=9, rxtx=12
    Current tasks number: 0
    Account: name=empty, status=0, type=basic
    Current volume: 0B
    Current tasks number: 0
    Update timer fires in 74240 secs
  • Checking Cloud APT server status:
    FGT_FL_FULL (global) # diagnose test application forticldd 3
    Debug zone info:
        Domain:
        Home log server: 0.0.0.0:0
        Alt log server: 0.0.0.0:0
        Active Server IP:      0.0.0.0
        Active Server status:  down
        Log quota:      0MB
        Log used:       0MB
        Daily volume:   0MB
        fams archive pause: 0
        APTContract : 1                           <====
        APT server: 172.16.102.51:514             <====
        APT Altserver: 172.16.102.52:514          <====
        Active APTServer IP:      172.16.102.51   <====
        Active APTServer status:  up              <====
  • FortiSandbox Cloud diagnostics:
    FGT_FL_FULL (global) # diagnose test application quarantine 1
    Total remote&local devices: 4, any task full? 0
    System have disk, vdom is enabled, mgmt=3, ha=1
    xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
        addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=1, hmac_alg=0
        License=0, content_archive=0, arch_pause=0.
    
    global-fas is disabled.
    forticloud-fsb is enabled: analytics, realtime=yes, taskfull=no
        addr=172.16.102.51/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=1, hmac_alg=0
    fortisandbox-fsb1 is disabled.
    fortisandbox-fsb2 is disabled.
    fortisandbox-fsb3 is disabled.
    fortisandbox-fsb4 is disabled.
    fortisandbox-fsb5 is disabled.
    fortisandbox-fsb6 is disabled.
    global-faz is disabled.
    global-faz2 is disabled.
    global-faz3 is disabled.
  • Checking FortiSandbox Cloud submission statistics:
    FGT_FL_FULL (global) # diagnose test application quarantined 2
    Quarantine daemon state:
    QUAR mem: mem_used=0, mem_limit=97269, threshold=72951
    dropped(0 by quard, 0 by callers)
    pending-jobs=0, tot-mem=0, last_ipc_run=12353, check_new_req=1
    alloc_job_failed=0, job_wrong_type=0, job_wrong_req_len=0, job_invalid_qfd=0
    tgz_create_failed=0, tgz_attach_failed=0, qfd_mmap_failed=0, buf_attached=0
    xfer-fas:
        ips: total=0, handled=0, accepted=0
        quar: total=0, handled=0, accepted=0
        archive: total=0, handled=0, accepted=0
        analytics: total=0, handled=0, accepted=0, local_dups=0
        analytics stats: total=0, handled=0, accepted=0
        last_rx=0, last_tx=0, error_rx=0, error_tx=0
        max_num_tasks=10000, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
    forticloud-fsb:
        ips: total=0, handled=0, accepted=0
        quar: total=0, handled=0, accepted=0
        archive: total=0, handled=0, accepted=0
        analytics: total=0, handled=0, accepted=0, local_dups=0
    num_buffer=0(per-minute:10) last_min_count=0 last_vol_count=0 next_vol_reset_tm='Sun Feb 17 00:00:00 2019
    '
        analytics stats: total=24, handled=24, accepted=24
        last_rx=1224329, last_tx=1224329, error_rx=2, error_tx=0
        max_num_tasks=200, num_tasks=0, mem_used=0, ttl_drops=0, xfer_status=0
  • Checking FortiSandbox analysis statistics:
    FGT_FL_FULL (global) # diagnose test application quarantine 7
    Total: 0
    
    Statistics:
            vfid: 0, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
            vfid: 3, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
            vfid: 4, detected: 0, clean: 0, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:0
    
    FGT_FL_FULL (global) #
  • Update Daemon debug:
    FGT_FL_FULL (global) # diagnose debug application quarantined -1
    FGT_FL_FULL (global) # diagnose debug enable
    
    quar_req_fsa_file()-890: fsa ext list new_version (1547781904)
    quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb5, vfid=1, oftp-name=[].
    __quar_start_connection()-908: start server fortisandbox-fsb5-172.18.52.154 in vdom-1
    [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
    [551] ssl_ctx_create_new_ex: SSL CTX is created
    [578] ssl_new: SSL object is created
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=0
    __quar_build_pkt()-408: build req(id=337, type=4) for vdom-vdom1, len=99, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=99
    quar_remote_send()-520: req(id=337, type=4) read response, dev=fortisandbox-fsb2, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb2, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb3 xfer-status=0
    __quar_build_pkt()-408: build req(id=338, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=338, type=6) read response, dev=fortisandbox-fsb3, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb3, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb5 xfer-status=0
    __quar_build_pkt()-408: build req(id=340, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=340, type=6) read response, dev=fortisandbox-fsb5, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb5, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb2 xfer-status=1
    quar_remote_recv()-662: dev(fortisandbox-fsb2) received a packet: len=69, type=1
    quar_remote_recv()-718: file-[337] is accepted by server(fortisandbox-fsb2).
    quar_put_job_req()-332: Job 337 deleted
    quar_remote_recv_send()-731: dev=fortisandbox-fsb4 xfer-status=0
    __quar_build_pkt()-408: build req(id=339, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=339, type=6) read response, dev=fortisandbox-fsb4, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb4, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
    __quar_build_pkt()-408: build req(id=336, type=4) for vdom-root, len=98, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=98
    ...
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    quar_fsb_handle_quar()-1439: added a req-6 to fortisandbox-fsb1, vfid=1, oftp-name=[].
    __quar_start_connection()-908: start server fortisandbox-fsb1-172.18.52.154 in vdom-1
    [103] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
    [551] ssl_ctx_create_new_ex: SSL CTX is created
    [578] ssl_new: SSL object is created
    upd_cfg_extract_av_db_version[378]-version=06002000AVDB00201-00066.01026-1901301530
    upd_cfg_extract_ids_db_version[437]-version=06002000NIDS02403-00014.00537-1901300043
    upd_cfg_extract_ids_db_version[437]-version=06002000APDB00103-00006.00741-1512010230
    upd_cfg_extract_ids_db_version[437]-version=06002000ISDB00103-00014.00537-1901300043
    upd_cfg_extract_ibdb_botnet_db_version[523]-version=06002000IBDB00101-00004.00401-1901281000
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=0
    __quar_build_pkt()-408: build req(id=2, type=6) for vdom-vdom1, len=93, oftp_name=
    __quar_send()-470: dev buffer -- pos=0, len=93
    quar_remote_send()-520: req(id=2, type=6) read response, dev=fortisandbox-fsb1, xfer_status=1, buflen=12
    quar_remote_recv_send()-770: dev-fortisandbox-fsb1, oevent=4, nevent=1, xfer-status=1
    quar_remote_recv_send()-731: dev=fortisandbox-fsb1 xfer-status=1
    quar_remote_recv()-662: dev(fortisandbox-fsb1) received a packet: len=767, type=1
    quar_store_analytics_report()-590: Analytics-report return file=/tmp/fsb/83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18.json.gz, buf_sz=735
    quar_store_analytics_report()-597: The request '83bb2d9928b03a68b123730399b6b9365b5cc9a5a77f8aa007a6f1a499a13b18' score is 1
    quar_remote_recv()-718: file-[2] is accepted by server(fortisandbox-fsb1).
    quar_put_job_req()-332: Job 2 deleted
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    __get_analytics_stats()-19: Received an ANALYTICS_STATS request, vfid: 0
    __quar_req_handler()-127: Request 0 was handled successfully
    quar_monitor_connection_func()-978: monitoring dev fortisandbox-fsb1
    quar_stop_connection()-1006: close connection to server(fortisandbox-fsb1)
    [193] __ssl_data_ctx_free: Done
    [805] ssl_free: Done
    [185] __ssl_cert_ctx_free: Done
    [815] ssl_ctx_free: Done
    [796] ssl_disconnect: Shutdown
  • Appliance FortiSandbox diagnostics:
    FGT_PROXY # config global
    FGT_PROXY (global) # diagnose test application quarantined 1
    Total remote&local devices: 8, any task full? 0
    System have disk, vdom is enabled, mgmt=1, ha=2
    xfer-fas is enabled: ips-archive dlp-archive, realtime=yes, taskfull=no
        addr=0.0.0.0/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=0, hmac_alg=0
        License=0, content_archive=0, arch_pause=0.
    
    global-fas is disabled.
    forticloud-fsb is disabled.
    fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb2 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb3 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb4 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb5 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    fortisandbox-fsb6 is enabled: analytics, realtime=yes, taskfull=no
        addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
        ssl_opt=3, hmac_alg=0
    global-faz is disabled.
    global-faz2 is disabled.
    global-faz3 is disabled.