Antivirus profiles can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiGate can supplement its own antivirus database with FortiSandbox's threat intelligence to detect files determined as malicious or suspicious. This augments the FortiGate antivirus with zero-day detection.
FortiSandbox can be used with antivirus in both proxy-based and flow-based inspection modes. The FortiGate first examines the file for any known viruses. When a match is found, the file is tagged as known malware. If no match is found, the files are forwarded to FortiSandbox using the following options:
- All Supported Files: all files matching the file types defined in the scan profile of the FortiSandbox are forwarded.
- Suspicious Files Only: only files that the antivirus engine classifies as possibly containing active content are forwarded to FortiSandbox. When using FortiGate Cloud Sandbox, we recommend selecting this option because of its submission limits.
- None: files are not forwarded to FortiSandbox.
For more information, see Sandboxing.
- Go to Security Profiles > AntiVirus.
- Create, edit, or clone an antivirus profile.
- In the APT Protection Options section, set Send Files to FortiSandbox for Inspection to either Suspicious Files Only or All Supported Files.
- Optionally, for Do not submit files matching types, click the + to exclude certain file types from being sent to FortiSandbox.
- Optionally, for Do not submit files matching file name patterns, click the + to enter a wildcard pattern to exclude files from being sent to FortiSandbox.
- Enable Use FortiSandbox Database.
- Click OK.
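The same profile configured from the FortiOS CLI, as an added example that is not part of the original page. It assumes FortiOS 7.0 syntax and a FortiSandbox that is already registered under `config system fortisandbox`; the profile name `av-fsa`, the DLP file pattern table ID `10` with its name `fsa-exclude`, and the excluded name pattern `*.log` and file type `gif` are illustrative. The GUI options "Do not submit files matching types" and "Do not submit files matching file name patterns" both populate a single DLP file pattern table, which the antivirus profile references with `analytics-ignore-filetype`.

```fortios
config dlp filepattern
    edit 10
        set name "fsa-exclude"
        config entries
            edit "*.log"
                set filter-type pattern
            next
            edit "gif"
                set filter-type type
                set file-type gif
            next
        end
    next
end

config antivirus profile
    edit "av-fsa"
        set comment "AV with FortiSandbox submission of suspicious files"
        set analytics-max-upload 10
        set analytics-ignore-filetype 10
        set analytics-db enable
        config http
            set av-scan block
            set fortisandbox-mode analytics-suspicious
        end
        config smtp
            set av-scan block
            set fortisandbox-mode analytics-suspicious
        end
    next
end
```

`fortisandbox-mode analytics-suspicious` is the CLI form of Suspicious Files Only and `analytics-everything` the form of All Supported Files; `analytics-db enable` corresponds to Use FortiSandbox Database, and `analytics-max-upload` caps the size in MB of any single file submitted. Each protocol (here HTTP and SMTP) carries its own mode, so a protocol that is left without it submits nothing. Reference the profile from a firewall policy with `set utm-status enable` and `set av-profile "av-fsa"`, then confirm with `diagnose test application quarantined 1` that the sandbox is reported as enabled for analytics.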
To check submission statistics and the FortiSandbox connection status from the FortiGate CLI:

```text
# diagnose test application quarantined 7
Total: 0
Statistics: vfid: 0, detected: 2, clean: 1252, risk_low: 6, risk_med: 2, risk_high: 1, limit_reached:0
```

```text
# diagnose test application quarantined 1
…
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no.
ssl_opt=3, hmac_alg=0
…
```

To enable debug output for the quarantine daemon that handles FortiSandbox submissions:

```text
# diagnose debug application quarantined -1
# diagnose debug enable
```

To check the FortiGate Cloud Sandbox (APT server) status:

```text
# diagnose test application forticldd 3
…
Active APTServer status: up
```

```text
# diagnose test application quarantined 2
```

On the FortiSandbox CLI, to enable debug logging for one connected FortiGate:

```text
# diagnose-debug device <client serial number>
```