Using FortiSandbox antivirus inspection
The FortiSandbox appliance and FortiSandbox cloud service are used for automated sample tracking, or sandboxing. You can send suspicious email attachments to FortiSandbox for inspection when you configure antivirus profiles (see Managing antivirus profiles). If the file exhibits risky behavior, or is found to contain a virus, the result will be sent back to FortiMail and a new virus signature is created and added to the FortiGuard antivirus signature database as well.
If email attachments are sent to FortiSandbox, and the "reject" action is configured in the action profile, the actual action will fallback to "system quarantine" if spam or viruses are detected afterward. |
To add a FortiSandbox unit
- Go to System > FortiSandbox > FortiSandbox.
- Enable the FortiSandbox Inspection and configure the following settings:
GUI item |
Description |
FortiSandbox type |
If you use an appliance, specify the appliance’s host name or IP address; If you use the regular or enhanced cloud service, see FortiCloud service. |
Server name/IP |
Enter the FortiSandbox host name or IP address. The port to use is 514. If you have a firewall in between FortiMail and FortiSandbox, make this port is allowed. |
Notification email |
This is the email address that FortiSandbox will use to send out notifications and reports. If you want to receive such email, enter your email address. For details, see the FortiSandbox documentation. |
Statistics interval |
Specify how long FortiMail should wait to retrieve some high level statistics from FortiSandbox. The default interval is 5 minutes. The statistics include how many malwares are detected and how many files are clean among all the files submitted. |
Scan timeout |
Specify how long FortiMail will wait to get the scan results. If you receive timeouts and want to wait longer for the results, you can increase the timeout. |
Scan result expires in |
Specify how long FortiMail will cache the results. 0 means no local cache. |
File Scan Setting |
|
File types |
Select what types of attachment files will be uploaded to FortiSandbox for scanning. |
File patterns |
Create your own file pattern that will be uploaded to FortiSandbox, for example, *.txt. |
File size |
Specify the maximum file size to upload to FortiSandbox. You may want to limit the file size to improve performance. |
URL Scan Setting |
|
Email selection |
Specify to scan URLs in all email or the suspicious email only. To determine if an email message is suspicious, the same algorithms are used in URL email selection and FortiGuard Spam Outbreak check. For details, see "About FortiGuard spam outbreak protection" in Configuring FortiGuard services |
URL selection |
Specify a URL category profile or click New to create one. You can also click Edit to modify the selected profile. |
Upload URL on rating error |
Sometimes, FortiMail may not be able to get results from the FortiGuard queries (for example, ratings errors due to network connection failures). In this case, you can choose whether to upload those URLs to FortiSandbox for scanning. Choosing not to upload those URLs may help improving the FortiSandbox performance. |
Bypass one-time URL |
When enabled, any URLs that are in the personal or business category and are a pre-defined filter pattern, or if the URL is locally defined, bypass URL submission to FortiSandbox. |
Number of URLs per email |
Specify how many URLs will be scanned in one email message. |
The spam URLs already detected by FortiGuard will not be submitted to FortiSandbox. |
FortiCloud service
If you have a valid FortiMail Cloud Sandbox entitlement, select Regular or Enhanced Cloud when configuring the service for use with the FortiMail appliance.
Depending on your FortiCare contract, FortiMail Cloud Sandbox provides two operational modes:
- Regular cloud service: You will share the Cloud Sandbox service with other users.
- Enhanced cloud service: You will have dedicated Cloud Sandbox service and enjoy better performance.
If you have a hosted FortiSandbox Cloud deployment in FortiCloud, or are using a hardware or virtual FortiSandbox appliance, FortiMail should be configured in appliance mode. Check to ensure FortiMail can communicate with FortiSandbox over TCP port 514. |
To use the FortiCloud service
- Go to Dashboard > Status.
- Under License Information, click Activate besides FortiCloud.
- In the popup dialog box, enter the email address and password for the FortiCloud account.
- Click OK to log on to FortiCloud.
- Go to System > FortiSandbox > FortiSandbox and select Cloud or Enhanced Cloud for FortiSanbox type depending on your FortiCare contract. Also configure other scan settings (see Using FortiSandbox antivirus inspection).
- After you activate FortiCloud and configure the FortiSandbox scan settings, you can access the FortiCloud web portal by going to Dashboard > Status and clicking Launch Portal besides FortiCloud under License Information.
- If you upgrade from older releases, a reminder will appear on the dashboard, telling you to activate FortiCloud (that is, to create an FortiCloud account) before you can access the FortiCloud portal.
Now the License Information should display as Paid Contract (if you use a demo unit, it displays as Trial License).
The portal allows you view the FortiMail file submission status and FortiSandbox cloud scan results.
If you are running FortiMail HA, you must activate FortiCloud service on the primary and secondary units. For active-passive HA, this is to ensure that the secondary unit can continue to use the FortiCloud service in case of HA failover. For config-only HA, this is because all the units need to access the service. |
See also
Viewing the mailbox backup/restoration status