Inline scanning with FortiGuard AI-Based Sandbox Service 7.2.1
Inline scanning is now supported when the FortiGate is licensed with the FortiGuard AI-Based Sandbox Service (FAIS). It works similarly to inline scanning for the FortiSandbox appliance: the file is held for up to 50 seconds while the verdict is returned. Timed-out scans can be set to block, log, or ignore (see Configuration with FortiSandbox scanning error and timeout actions for use case examples). Inline scanning can be enabled from the GUI on the Cloud Sandbox configuration page.

Note

Inline scanning is supported for FortiSandbox appliance, FortiNDR, and FAIS. On a FortiGate, only a single inline scanning type can be configured at a time.

To configure FAIS inline scanning in the GUI:
  1. Enable the FortiGate Cloud feature visibility:

    1. Go to System > Feature Visibility.

    2. In the Additional Features section, enable FortiGate Cloud Sandbox.

    3. Click Apply.

  2. Configure the Cloud Sandbox Fabric connector:

    1. Go to Security Fabric > Fabric Connectors and double-click the Cloud Sandbox card.

    2. Set the Type to FortiGate Cloud.

    3. Select a Region.

    4. Enable Inline scan.

    5. Click OK.

  3. Configure the antivirus profile:

    1. Go to Security Profiles > AntiVirus and click Create New.

    2. Set the Feature set to Proxy-based.

    3. Enable the protocols to inspect.

    4. Enable Send files to FortiSandbox for inspection.

    5. Set the Scan strategy to Inline, and set the Action to Block.

    6. Click OK.

To configure FAIS inline scanning in the CLI:
  1. Disable FortiSandbox appliance and FortiSandbox Cloud:

    config system fortisandbox
        set status disable
    end
  2. Configure FortiGate Cloud Sandbox:

    # execute forticloud-sandbox region
    0  Global
    1  Europe
    2  Japan
    3  US
    Please select cloud sandbox region[0-3]:0
    Cloud sandbox region is selected: Global
  3. Enable inline scanning for FortiGate Cloud:

    config system fortiguard
        set sandbox-region "Global"
        set sandbox-inline-scan enable
    end
  4. Configure the antivirus profile:

    config antivirus profile
        edit "av"
            set feature-set proxy
            set fortisandbox-mode inline
            config http
                set fortisandbox block
            end
            config ftp
                set fortisandbox block
            end
            config imap
                set fortisandbox block
            end
            config pop3
                set fortisandbox block
            end
            config smtp
                set fortisandbox block
            end
            config mapi
                set fortisandbox block
            end
            config cifs
                set fortisandbox block
            end
            config ssh
                set fortisandbox block
            end
            set scan-mode default
        next
    end
To verify that infected files are blocked inline:
  1. On a client, open a web browser and download an infected file using HTTP.

  2. The file is held while FortiGate Cloud Sandbox scans it. Once FortiGate Cloud Sandbox determines that the file's risk level is not tolerated, the FortiGate drops the connection and displays a replacement message stating that the file cannot be downloaded.

  3. Verify the antivirus log:

    # execute log display
    1 logs found.
    1 logs returned.
    
    1: date=2022-07-12 time=16:31:26 eventtime=1657668686245018328 tz="-0700" logid="0210008232" type="utm" subtype="virus" eventtype="fortisandbox" level="warning" vd="vdom1" policyid=1 poluuid="54c06312-01fd-51ed-0db5-10c9586a0c2e" policytype="policy" msg="Blocked by FortiSandbox." action="blocked" service="HTTP" sessionid=19934 srcip=10.1.100.191 dstip=172.16.200.194 srcport=51688 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" srcuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" dstuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" proto=6 direction="incoming" filename="skip_vm.vXE" quarskip="Quarantine-disabled" virus="Unknown" viruscat="Trojan" dtype="fortisandbox" ref="http://www.fortinet.com/ve?vn=Unknown" virusid=0 url="http://172.16.200.194/sandbox/inline/skip_vm.vXE" profile="av" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fsaaction="deny" fsaverdict="block" fsaseverity="high-risk" fsafileid=0 fsafiletype="exe" crscore=50 craction=2 crlevel="critical"
To verify that infected files are monitored:
  1. Edit the antivirus profile to monitor files over HTTP:

    config antivirus profile
        edit "av"
            set feature-set proxy
            set fortisandbox-mode inline
            config http
                set fortisandbox monitor
            end
        next
    end
  2. On a client, open a web browser and download an infected file using HTTP.

  3. Verify the antivirus log:

    # execute log display
    1 logs found.
    1 logs returned.
    
    1: date=2022-07-12 time=16:34:25 eventtime=1657668865371976563 tz="-0700" logid="0210008233" type="utm" subtype="virus" eventtype="fortisandbox" level="notice" vd="vdom1" policyid=1 poluuid="54c06312-01fd-51ed-0db5-10c9586a0c2e" policytype="policy" msg="Detected by FortiSandbox." action="monitored" service="HTTP" sessionid=20002 srcip=10.1.100.191 dstip=172.16.200.194 srcport=51724 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" srcuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" dstuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" proto=6 direction="incoming" filename="skip_vm.vXE" quarskip="Quarantine-disabled" virus="Unknown" viruscat="Trojan" dtype="fortisandbox" ref="http://www.fortinet.com/ve?vn=Unknown" virusid=0 url="http://172.16.200.194/sandbox/inline/skip_vm.vXE" profile="av" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fsaaction="deny" fsaverdict="block" fsaseverity="high-risk" fsafileid=0 fsafiletype="exe" crscore=50 craction=2 crlevel="critical"
To verify that infected files are blocked inline if a scan timeout occurs:
  1. Edit the antivirus profile to block files over HTTP and when there is a scan timeout:

    config antivirus profile
        edit "av"
            set feature-set proxy
            set fortisandbox-mode inline
            config http
                set fortisandbox block
            end
            set fortisandbox-timeout-action block
        next
    end
  2. On a client, open a web browser and download a large ZIP file (clean file).

  3. When the scan timeout occurs, a replacement message appears: The file "zipfile.zip" is still being scanned and will be released once complete. Please try the transfer again in a few minutes.

  4. Verify the antivirus log:

    # execute log display
    1 logs found.
    1 logs returned.
    
    1: date=2022-07-12 time=16:44:51 eventtime=1657669491697816069 tz="-0700" logid="0210008236" type="utm" subtype="virus" eventtype="fortisandbox" level="warning" vd="vdom1" policyid=1 poluuid="54c06312-01fd-51ed-0db5-10c9586a0c2e" policytype="policy" msg="FortiSandbox scan timeout." action="blocked" service="HTTP" sessionid=20258 srcip=10.1.100.191 dstip=172.16.200.194 srcport=51830 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" srcuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" dstuuid="1cb467b6-01fd-51ed-8abf-72abd959c0d0" proto=6 direction="incoming" filename="zipfile.zip" quarskip="Quarantine-disabled" url="http://172.16.200.194/sandbox/zipfile.zip" profile="av" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fsaaction="timeout" fsafileid=0 crscore=50 craction=2 crlevel="critical"
  5. After a few minutes, download the ZIP file again.

  6. When the scan is complete on the FortiSandbox side, the file is downloaded and no log is generated because the scan deemed the file clean.
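The three verification procedures above each end with an `execute log display` record that differs only in `logid`, `action` and `fsaaction`. The following added example (not Fortinet code) parses FortiOS key=value records and classifies them into the three outcomes the page documents, so a SOC can flag the monitor-mode case, where the sandbox returned a `block` verdict but the file was still delivered. The input is a trimmed copy of the page's own three log lines; the outcome labels are this example's own naming.

```python
import shlex
from typing import Dict, List, Tuple

# Trimmed copies of the three log records shown above (values are the page's own;
# unused fields are dropped to keep the sample short).
SAMPLE_LOGS = [
    '1: date=2022-07-12 time=16:31:26 logid="0210008232" type="utm" subtype="virus" '
    'eventtype="fortisandbox" level="warning" msg="Blocked by FortiSandbox." '
    'action="blocked" service="HTTP" srcip=10.1.100.191 filename="skip_vm.vXE" '
    'ref="http://www.fortinet.com/ve?vn=Unknown" fsaaction="deny" fsaverdict="block"',
    '1: date=2022-07-12 time=16:34:25 logid="0210008233" type="utm" subtype="virus" '
    'eventtype="fortisandbox" level="notice" msg="Detected by FortiSandbox." '
    'action="monitored" service="HTTP" srcip=10.1.100.191 filename="skip_vm.vXE" '
    'fsaaction="deny" fsaverdict="block" fsaseverity="high-risk"',
    '1: date=2022-07-12 time=16:44:51 logid="0210008236" type="utm" subtype="virus" '
    'eventtype="fortisandbox" level="warning" msg="FortiSandbox scan timeout." '
    'action="blocked" service="HTTP" srcip=10.1.100.191 filename="zipfile.zip" '
    'fsaaction="timeout"',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value record into a dict; quoted values may hold spaces and '='."""
    record: Dict[str, str] = {}
    for token in shlex.split(line):          # shlex strips the double quotes for us
        key, sep, value = token.partition("=")  # split on the first '=' only (see ref=...)
        if sep:                              # skip the leading "1:" index and bare tokens
            record[key] = value
    return record


def classify(record: Dict[str, str]) -> str:
    """Map one inline-sandbox record to an outcome label (this example's own naming)."""
    if record.get("eventtype") != "fortisandbox":
        return "not-sandbox"
    if record.get("fsaaction") == "timeout":
        # No verdict within the hold window; action shows which timeout-action applied.
        return "timeout-" + record.get("action", "unknown")
    if record.get("fsaverdict") == "block":
        if record.get("action") == "blocked":
            return "blocked"
        # Malicious verdict but the profile is in monitor mode: the client got the file.
        return "delivered-malicious"
    return "clean"


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (logid, filename, outcome) per record, monitor-mode deliveries first."""
    rows = [(r.get("logid", ""), r.get("filename", ""), classify(r))
            for r in map(parse_fortigate_log, lines)]
    return sorted(rows, key=lambda row: row[2] != "delivered-malicious")
```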