Fortinet white logo
Fortinet white logo

Administration Guide

Using FortiSandbox post-transfer scanning with antivirus

Using FortiSandbox post-transfer scanning with antivirus

Antivirus profiles can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiProxy can supplement its own antivirus database with FortiSandbox's threat intelligence to detect files determined as malicious or suspicious. This augments the FortiProxy antivirus with zero-day detection.

The FortiProxy first examines the file for any known viruses. When a match is found, the file is tagged as known malware. If no match is found, the files are forwarded to FortiSandbox using the following options:

  • All Supported Files: all files matching the file types defined in the scan profile of the FortiSandbox are forwarded.

  • Suspicious Files Only: files classified by the antivirus as having any possibility of active content are forwarded to FortiSandbox. When using FortiGate Cloud Sandbox, we recommend selecting this option due to its submission limits.

To enable FortiSandbox inspection in an antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Create, edit, or clone an antivirus profile.
  3. In the Inspection Options section, set Send files to FortiSandbox for inspection to analytics-suspicious or analytics-everything.
  4. Enable Use FortiSandbox Database.
  5. Click OK.

FortiProxy diagnostics

To view the detection count:
# diagnose test application quarantined 7
Total: 0

Statistics:
        vfid: 0, detected: 2, clean: 1252, risk_low: 6, risk_med: 2, risk_high: 1, limit_reached:0
To verify the address is configured correctly:
# diagnose test application quarantined 1
…
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no 
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
…
To run the diagnostics for real-time debugging:
# diagnose debug application quarantined -1
# diagnose debug enable
To check the FortiGate Cloud server status:
# diagnose test application forticloud 3  
…
    Active APTServer status:  up 
To view FortiGate Cloud Sandbox submission statistics for advanced debugging:
# diagnose test application quarantined 2

FortiSandbox diagnostics

To run the OFTP debug for advanced debugging:
# diagnose-debug device <client serial number>

Using FortiSandbox post-transfer scanning with antivirus

Using FortiSandbox post-transfer scanning with antivirus

Antivirus profiles can submit potential zero-day viruses to FortiSandbox for inspection. Based on FortiSandbox's analysis, the FortiProxy can supplement its own antivirus database with FortiSandbox's threat intelligence to detect files determined as malicious or suspicious. This augments the FortiProxy antivirus with zero-day detection.

The FortiProxy first examines the file for any known viruses. When a match is found, the file is tagged as known malware. If no match is found, the files are forwarded to FortiSandbox using the following options:

  • All Supported Files: all files matching the file types defined in the scan profile of the FortiSandbox are forwarded.

  • Suspicious Files Only: files classified by the antivirus as having any possibility of active content are forwarded to FortiSandbox. When using FortiGate Cloud Sandbox, we recommend selecting this option due to its submission limits.

To enable FortiSandbox inspection in an antivirus profile:
  1. Go to Security Profiles > AntiVirus.
  2. Create, edit, or clone an antivirus profile.
  3. In the Inspection Options section, set Send files to FortiSandbox for inspection to analytics-suspicious or analytics-everything.
  4. Enable Use FortiSandbox Database.
  5. Click OK.

FortiProxy diagnostics

To view the detection count:
# diagnose test application quarantined 7
Total: 0

Statistics:
        vfid: 0, detected: 2, clean: 1252, risk_low: 6, risk_med: 2, risk_high: 1, limit_reached:0
To verify the address is configured correctly:
# diagnose test application quarantined 1
…
fortisandbox-fsb1 is enabled: analytics, realtime=yes, taskfull=no 
addr=172.18.52.154/514, source-ip=0.0.0.0, keep-alive=no. ssl_opt=3, hmac_alg=0
…
To run the diagnostics for real-time debugging:
# diagnose debug application quarantined -1
# diagnose debug enable
To check the FortiGate Cloud server status:
# diagnose test application forticloud 3  
…
    Active APTServer status:  up 
To view FortiGate Cloud Sandbox submission statistics for advanced debugging:
# diagnose test application quarantined 2

FortiSandbox diagnostics

To run the OFTP debug for advanced debugging:
# diagnose-debug device <client serial number>