Fortinet Document Library

Sandboxing

Administration Guide


Using FortiSandbox with antivirus

Antivirus profiles can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiGate can supplement its own antivirus database with FortiSandbox's threat intelligence to detect files determined as malicious or suspicious. This augments the FortiGate antivirus with zero-day detection.

FortiSandbox can be used with antivirus in both proxy-based and flow-based inspection modes. When FortiSandbox is enabled, full scan mode antivirus can submit the following for inspection: only suspicious files, all supported files, or no files. Quick scan mode antivirus cannot submit suspicious files to FortiSandbox, so either all files or no files are submitted for inspection.

For more information, see Sandboxing.

To enable FortiSandbox inspection in an antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Create, edit, or clone an antivirus profile.
  3. In the APT Protection Options section, set Send Files to FortiSandbox for Inspection to either Suspicious Files Only or All Supported Files.

    Suspicious Files Only submits the files that the antivirus engine has detected as having any possibility of active content. Because FortiGate Cloud Sandbox has a limited submission rate, we suggest selecting this option. All Supported Files is based on the file types defined in the FortiSandbox scan profile.

  4. Optionally, for Do not submit files matching types, click the + to exclude certain file types from being sent to FortiSandbox.
  5. Optionally, for Do not submit files matching file name patterns, click the + to enter a wildcard pattern to exclude files from being sent to FortiSandbox.

  6. Enable Use FortiSandbox Database.
  7. Click OK.

FortiGate diagnostics

To view the detection count:
# diagnose test application quarantined 7
Total: 0

Statistics:
        vfid: 0, detected: 2, clean: 1252, risk_low: 6, risk_med: 2, risk_high: 1, limit_reached:0

To verify the address is configured correctly:
# diagnose test application quarantined 1
…
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
…

To run the diagnostics for real-time debugging:
# diagnose debug application quarantined -1
# diagnose debug enable

To check the FortiGate Cloud server status:
# diagnose test application forticldd 3
…
    Active APTServer status:  up

To view FortiGate Cloud Sandbox submission statistics for advanced debugging:
# diagnose test application quarantined 2
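The diagnostic outputs above are easy to read by eye but awkward to monitor continuously. The following Python script is an added example, not code from Fortinet or from this guide: it parses the statistics, sandbox-configuration and cloud-status lines in the formats shown above and raises findings a SOC would want to alert on (real-time submission off, APT server down, submission limit hit, high-risk verdicts returned). The sample outputs embedded in the script are constructed to match the layout on this page, not captured from a device, and the reading of limit_reached as a count of submissions refused by the rate limit is an assumption.

```python
import re

# Constructed sample outputs modelled on the diagnostics shown in this guide
# (not captured from a real FortiGate).
STATS_OUTPUT = """Total: 0

Statistics:
        vfid: 0, detected: 2, clean: 1252, risk_low: 6, risk_med: 2, risk_high: 1, limit_reached:0
        vfid: 1, detected: 0, clean: 40, risk_low: 0, risk_med: 0, risk_high: 0, limit_reached:3
"""

CONFIG_OUTPUT = """fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
"""

APT_OUTPUT = """    Active APTServer status:  up
"""

# One statistics row per VDOM: "vfid: N, <counters>"
STAT_LINE = re.compile(r"vfid:\s*(\d+),\s*(.*)")
# Generic "key: value" / "key=value" pairs; values run until whitespace or comma
KV = re.compile(r"([A-Za-z_\-]+)\s*[:=]\s*([^\s,]+)")
APT_STATUS = re.compile(r"Active APTServer status:\s*(\S+)")


def parse_stats(text):
    """Return {vfid: {counter_name: int}} from 'diagnose test application quarantined 7'."""
    per_vdom = {}
    for line in text.splitlines():
        m = STAT_LINE.search(line)
        if not m:
            continue
        counters = {k: int(v) for k, v in KV.findall(m.group(2))}
        per_vdom[int(m.group(1))] = counters
    return per_vdom


def parse_config(text):
    """Return the key/value settings printed by 'diagnose test application quarantined 1'.

    Trailing periods are stripped because the device prints 'keep-alive=no.'.
    """
    settings = {}
    for line in text.splitlines():
        for k, v in KV.findall(line):
            settings[k] = v.rstrip(".")
    return settings


def parse_apt_status(text):
    """Return the APTServer status word from 'diagnose test application forticldd 3'."""
    m = APT_STATUS.search(text)
    return m.group(1) if m else "unknown"


def health_findings(stats, settings, apt_status):
    """Produce human-readable findings worth alerting on; empty list means healthy."""
    findings = []
    if settings.get("realtime") != "yes":
        findings.append("real-time FortiSandbox submission is not enabled")
    if apt_status != "up":
        findings.append(f"APTServer status is {apt_status!r}, expected 'up'")
    for vfid, c in sorted(stats.items()):
        # Assumption: limit_reached counts submissions refused by the rate limit.
        if c.get("limit_reached", 0) > 0:
            findings.append(f"vdom {vfid}: submission limit reached {c['limit_reached']} time(s)")
        if c.get("risk_high", 0) > 0:
            findings.append(f"vdom {vfid}: {c['risk_high']} high-risk sandbox verdict(s) returned")
    return findings


if __name__ == "__main__":
    stats = parse_stats(STATS_OUTPUT)
    settings = parse_config(CONFIG_OUTPUT)
    status = parse_apt_status(APT_OUTPUT)
    for finding in health_findings(stats, settings, status) or ["no findings"]:
        print(finding)
```

In practice the three text blocks would be replaced by the output of the corresponding commands, collected over SSH or from a FortiManager script; the parsers are deliberately tolerant of the indentation and elided lines (…) that the device prints around the interesting rows.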

FortiSandbox diagnostics

To run the OFTP debug for advanced debugging:
# diagnose-debug device <client serial number>
