Label-based sandbox exemptions for sensitive data control
Support added for sandbox submission exemptions based on AIP/MPIP labels, enabling FortiGate to respect data governance policies and prevent sensitive files from leaving the network. This provides more granular control than exemptions based solely on file types.
config antivirus profile
    edit <name>
        set analytics-ignore-mpip <string>
    next
end
Sandbox submission exemptions can be configured based on Microsoft Purview Information Protection (MPIP/AIP) labels. These labels can come from remote connectors (Microsoft 365/Azure) or be defined as local GUID-based labels. The antivirus profile’s analytics-ignore-mpip option is used to enforce these exemptions during post-transfer scanning.
Use case 1
When an Azure SDN connector syncs Microsoft 365 sensitivity labels, selecting the corresponding remote MPIP label for analytics-ignore-mpip lets FortiGate skip sandbox submissions for files tagged with that label while still analyzing all others.
- Configure an MPIP external connector and a DLP label that uses the external connector's labels. See Sensitivity labels for a sample configuration.
- Configure an antivirus profile that uses the DLP label:
config antivirus profile
    edit "FSA_IGNORE_MPIP_REMOTE"
        set feature-set proxy
        set analytics-ignore-mpip "remote_label_azure"
        config http
            set av-scan monitor
            set fortisandbox monitor
        end
    next
end
- Download a file from an HTTP server that matches the MPIP label.
No logs are created, as the file is not submitted to FortiSandbox.
# execute log display
0 logs found.
0 logs returned.
- Download a file from an HTTP server that does not match the MPIP label.
Antivirus FortiSandbox submission logs are created:
# execute log display
2 logs found.
2 logs returned.
1: date=2025-10-06 time=15:39:55 eventtime=1759790394976263532 tz="-0700" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="vdom1" policyid=2 poluuid="2802b718-8c5a-51f0-0eaa-af53d454e7fc" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="HTTP" sessionid=144855 srcip=10.1.100.252 dstip=172.16.200.204 srcport=63711 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="lan" dstintf="port3" dstintfrole="lan" srcuuid="eb7a7402-4489-51ef-4afd-ca286e50ca04" dstuuid="eb7a7402-4489-51ef-4afd-ca286e50ca04" proto=6 direction="incoming" filename="Sample_spreadsheet_personal.xlsx" filetype="msofficex" url="http://172.16.200.204/sandbox/aip_labels/Sample_spreadsheet_personal.xlsx" profile="FSA_IGNORE_MPIP_REMOTE" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0" httpmethod="GET" referralurl="http://172.16.200.204/sandbox/aip_labels/" analyticscksum="7cdcd7bb2a50c16418c15258327ee33f46c9919ee82082ed0886b19236049eed" analyticssubmit="true"
2: date=2025-10-06 time=15:39:55 eventtime=1759790394976252778 tz="-0700" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="information" vd="vdom1" srcip=10.1.100.252 dstip=172.16.200.204 srcport=63711 dstport=80 action="monitored" service="HTTP" filename="Sample_spreadsheet_personal.xlsx" fsaverdict="clean" analyticscksum="7cdcd7bb2a50c16418c15258327ee33f46c9919ee82082ed0886b19236049eed" dtype="fortisandbox"
Use case 2
When a local MPIP label with a Globally Unique Identifier (GUID) is assigned for analytics-ignore-mpip, FortiGate bypasses sandbox submission for files carrying that label, keeping sensitive internal data within the network.
- Configure a local MPIP label. See Sensitivity labels for a sample configuration.
- Configure an antivirus profile that uses the local label:
config antivirus profile
    edit "FSA_IGNORE_MPIP_REMOTE"
        set feature-set proxy
        set analytics-ignore-mpip "local_label"
        config http
            set av-scan monitor
            set fortisandbox monitor
        end
    next
end
- Download a file from an HTTP server that matches a GUID defined in the local label.
No logs are created, as the file is not submitted to FortiSandbox.
# execute log display
0 logs found.
0 logs returned.
- Download a file from an HTTP server that does not match any of the GUIDs defined in the local label.
Antivirus FortiSandbox submission logs are created:
# execute log display
2 logs found.
2 logs returned.
1: date=2025-10-06 time=16:19:46 eventtime=1759792785952026788 tz="-0700" logid="0201009238" type="utm" subtype="virus" eventtype="analytics" level="information" vd="vdom1" srcip=10.1.100.252 dstip=172.16.200.204 srcport=63811 dstport=80 action="monitored" service="HTTP" filename="Fortigate_fsa_integration_general_anyone_unrestricted.docx" fsaverdict="clean" analyticscksum="e0fb1e820302e59cc1b501fc7b2841706705c0c6dcee943f746679044eadb37e" dtype="fortisandbox"
2: date=2025-10-06 time=16:19:46 eventtime=1759792785952002181 tz="-0700" logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" vd="vdom1" policyid=2 poluuid="2802b718-8c5a-51f0-0eaa-af53d454e7fc" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="HTTP" sessionid=146076 srcip=10.1.100.252 dstip=172.16.200.204 srcport=63811 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="lan" dstintf="port3" dstintfrole="lan" srcuuid="eb7a7402-4489-51ef-4afd-ca286e50ca04" dstuuid="eb7a7402-4489-51ef-4afd-ca286e50ca04" proto=6 direction="incoming" filename="Fortigate_fsa_integration_general_anyone_unrestricted.docx" filetype="msofficex" url="http://172.16.200.204/sandbox/aip_labels/Fortigate_fsa_integration_general_anyone_unrestricted.docx" profile="FSA_IGNORE_MPIP_REMOTE" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0" httpmethod="GET" referralurl="http://172.16.200.204/sandbox/aip_labels/" analyticscksum="e0fb1e820302e59cc1b501fc7b2841706705c0c6dcee943f746679044eadb37e" analyticssubmit="true"
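Both use cases verify the exemption by the absence of a "File submitted to Sandbox." log. The following added example (not Fortinet code) automates that check over exported logs by flagging any submission whose filename appears in an inventory of labelled files. The inventory, the matching by filename, the file "Payroll_confidential.xlsx" and the profile "AV_NO_EXEMPTION" are assumptions made for illustration; the log lines are constructed and abbreviated from the format shown above.

```python
import re

# logid value as it appears in the sample logs on this page.
LOGID_SUBMITTED = "0201009233"  # msg="File submitted to Sandbox."

# key=value pairs; values are either "quoted" (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines, abbreviated from the log format shown above.
# "Payroll_confidential.xlsx" and profile "AV_NO_EXEMPTION" are hypothetical.
SAMPLE_LOGS = [
    '1: date=2025-10-06 time=15:39:55 logid="0201009233" type="utm" '
    'subtype="virus" eventtype="analytics" msg="File submitted to Sandbox." '
    'srcip=10.1.100.252 filename="Sample_spreadsheet_personal.xlsx" '
    'profile="FSA_IGNORE_MPIP_REMOTE" analyticssubmit="true"',
    '2: date=2025-10-06 time=15:39:55 logid="0201009238" type="utm" '
    'action="monitored" filename="Sample_spreadsheet_personal.xlsx" '
    'fsaverdict="clean" dtype="fortisandbox"',
    '3: date=2025-10-06 time=15:41:02 logid="0201009233" type="utm" '
    'subtype="virus" eventtype="analytics" msg="File submitted to Sandbox." '
    'srcip=10.1.100.252 filename="Payroll_confidential.xlsx" '
    'profile="AV_NO_EXEMPTION" analyticssubmit="true"',
]

def parse_line(line):
    """Turn one FortiGate log line into a dict, stripping value quotes."""
    return {k: v[1:-1] if v.startswith('"') else v
            for k, v in KV_RE.findall(line)}

def sandbox_submissions(lines, profile=None):
    """Parsed 'File submitted to Sandbox.' events, optionally for one profile."""
    return [rec for rec in map(parse_line, lines)
            if rec.get("logid") == LOGID_SUBMITTED
            and rec.get("analyticssubmit") == "true"
            and (profile is None or rec.get("profile") == profile)]

def exemption_violations(lines, labelled_files, profile=None):
    """List submissions whose filename is in the labelled-file inventory."""
    labelled = {name.lower() for name in labelled_files}
    return [(r.get("date"), r.get("time"), r.get("srcip"),
             r.get("filename"), r.get("profile"))
            for r in sandbox_submissions(lines, profile)
            if r.get("filename", "").lower() in labelled]

if __name__ == "__main__":
    for hit in exemption_violations(SAMPLE_LOGS, ["Payroll_confidential.xlsx"]):
        print("labelled file reached the sandbox:", hit)
```

In the constructed data the labelled file is submitted under a profile that does not set analytics-ignore-mpip, which is the gap this check is meant to surface: the exemption only applies to traffic handled by a profile that carries it.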