Fortinet white logo
Fortinet white logo

Administration Guide

FortiSandbox inline scanning

FortiSandbox inline scanning

When inline scanning is enabled, the client's file is held while it is sent to FortiSandbox for inspection. During this time, the FortiProxy may apply client comforting. For example, leaking a certain amount of bytes at a certain time interval to the client. Once a verdict is returned, the appropriate action (allow or block) is performed on the held file. If there is an error connecting to the FortiSandbox or a timeout on the FortiSandbox scanning the file within the default 50 seconds, the file can be passed, logged, or blocked based on FortiProxy's configuration.

Inline scanning requires a FortiSandbox appliance running version 4.4.5 or later, and the FortiSandbox must be reachable by port 4443. This feature is not supported on FortiSandbox Cloud. See Understanding Inline Block feature in the FortiSandbox Best Practices for more information.

FortiSandbox inline scanning is disabled by default. FortiSandbox inline scanning is best used in conjunction with AV engine scanning since there is a higher rate of detection by using both at the same time.

To enable FortiSandbox inline scanning globally:
config system fortisandbox
    set status enable
    set inline-scan {enable | disable}
    set server <fortisandbox_server_ip>
end
To configure the FortiSandbox scanning options in an antivirus profile:
config antivirus profile
    edit <name>
        set fortisandbox-mode {inline | analytics-suspicious | analytics-everything}
        set fortisandbox-error-action {ignore | log-only | block}  
        set fortisandbox-timeout-action {ignore | log-only | block}
        set fortisandbox-max-upload <integer>
        config {http | ftp | imap | pop3 | smtp | mapi | cifs | ssh}
            set av-scan {disable | block | monitor}
            set fortisandbox {disable | block | monitor}
        end	
    next
end

fortisandbox-mode {inline | analytics-suspicious | analytics-everything}

Set the FortiSandbox scan mode:

  • inline: FortiSandbox inline scanning
  • analytics-suspicious: FortiSandbox post-transfer scanning; submit supported files if heuristics or other methods determine they are suspicious
  • analytics-everything: FortiSandbox post-transfer scanning; submit supported files and known infected files (default)

fortisandbox-error-action {ignore | log-only | block}

Set the action to take if FortiSandbox inline scanning encounters an error reaching the FortiSandbox:

  • ignore: take no action
  • log-only: log the FortiSandbox inline scan error, but allow the file (default)
  • block: block the file upon FortiSandbox inline scan error

fortisandbox-timeout-action {ignore | log-only | block}

Set the action to take if FortiSandbox inline scanning encounters a scan timeout:

  • ignore: take no action
  • log-only: log the FortiSandbox inline scan timeout, but allow the file (default)
  • block: block the file upon FortiSandbox inline scan timeout

fortisandbox-max-upload <integer>

Set the maximum size of files that can be uploaded to FortiSandbox (1 - 396, default = 10).

av-scan {disable | block | monitor}

Enable the antivirus scan service. Set to block or monitor to work with FortiSandbox (default = disable).

fortisandbox {disable | block | monitor}

Set the protocol level parameter for FortiSandbox file scanning:

  • disable (default), block, and monitor are available for inline scanning
  • disable (default) and monitor are available for post-transfer scanning

Basic configuration

This example assumes that Inline Block Policy is already enabled in FortiSandbox for the FortiProxy with selected risk levels. The inline block policy in this example blocks all risk levels: malicious, high risk, medium risk, and low risk.

To configure FortiSandbox inline scanning in the GUI:
  1. Enable FortiSandbox inline scanning globally:
    1. Go to Security Fabric > Fabric Connectors and double-click the Sandbox card.
    2. In the Settings tab, set the Status to Enabled.
    3. Set the Type to FortiSandbox.
    4. Enter the server address.
    5. Optionally enter a notifier email address.
    6. Enable Inline scan.
    7. Click OK to save the changes.
  2. Configure the antivirus profile:
    1. Go to Security Profiles > AntiVirus and click Create New.
    2. Configure the options under AntiVirus Scan Service.
    3. Under Inspection Options, select inline for Send files to FortiSandbox for inspection.
    4. Click OK.
To configure FortiSandbox inline scanning in the CLI:
  1. Enable FortiSandbox inline scanning globally:
    config system fortisandbox
        set status enable
        set inline-scan enable
        set server "172.18.70.76"
    end
  2. Configure the antivirus profile:
    config antivirus profile
        edit "Inline_scan_demo"
            config http
                set av-scan block
                set fortisandbox block
            end
            config ftp
                set av-scan block
                set fortisandbox block
            end
            config imap
                set av-scan block
                set fortisandbox block
            end
            config pop3
                set av-scan block
                set fortisandbox block
            end
            config smtp
                set av-scan block
                set fortisandbox block
            end
            config mapi
                set av-scan block
                set fortisandbox block
            end
            config cifs
                set av-scan block
                set fortisandbox block
            end
            config ssh
                set av-scan block
                set fortisandbox block
            end
        next 
    end
To verify that infected files are blocked inline:
  1. On a client, open a web browser and download an infected file.
  2. The file is held while being scanned by FortiSandbox. Once FortiSandbox determines that file's risk level is not tolerated by the inline block policy, the FortiProxy drops the connection and displays a replacement message that the file cannot be downloaded.
  3. In FortiProxy, view the antivirus log.
    • In the GUI, go to Log & Report > Security Events and click the AntiVirus card.
    • In the CLI:
      # execute log filter category 2
      # execute log display
      1 logs found.
      1 logs returned.
      
      1: date=2022-03-23 time=16:19:37 eventtime=1648077577156255080 tz="-0700" logid="0210008232" type="utm" subtype="virus" eventtype="fortisandbox" level="warning" vd="vdom1" policyid=1 poluuid="9170ca3e-aade-51ec-772b-1d31f135fe26" policytype="policy" msg="Blocked by FortiSandbox." action="blocked" service="HTTP" sessionid=10545 srcip=10.1.100.181 dstip=172.16.200.184 srcport=37046 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" srcuuid="5b426c60-aade-51ec-f020-b3d334ba18d3" dstuuid="5b426c60-aade-51ec-f020-b3d334ba18d3" proto=6 direction="incoming" filename="skip_vm.vXE" quarskip="File-was-not-quarantined" virus="Trojan" viruscat="Unknown" dtype="fortisandbox" ref="http://www.fortinet.com/ve?vn=Trojan" virusid=0 url="http://172.16.200.184/sandbox/inline/skip_vm.vXE" profile="Inline_scan_demo" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fsaaction="deny" fsaseverity="high-risk" fsaverdict="block" fsafileid=0 fsafiletype="exe" crscore=50 craction=2 crlevel="critical

Configuration with FortiSandbox scanning error and timeout actions

In this example, the HTTP protocol settings for av-scan and fortisandbox in the AV profile are both set to block. All files traversing HTTP in this configuration are scanned by the AV engine first, and then by FortiSandbox inline scanning for further file analysis. Based on the FortiSandbox results, FortiProxy will take the appropriate action.

Files can be blocked if they contain a scan error or timeout. The scan timeout is configured in FortiSandbox and set to 50 seconds. If the file scan takes longer than 50 seconds, FortiSandbox returns a timeout to the FortiProxy, and file is dropped with the current configuration. If a user tries to download the same file again, the cached result is provided by FortiSandbox to the FortiProxy based on the previous file scan.

This example assumes FortiSandbox inline scanning has been configured globally. The FortiProxy will block the file if there is an inline scanning error or timeout.

To configure the antivirus profile to block files if there is an inline scanning error or timeout:
config antivirus profile
    edit "av"
        set fortisandbox-mode inline
        config http
            set av-scan block
            set fortisandbox block
        end
        set fortisandbox-error-action block
        set fortisandbox-timeout-action block
    next
end

If the administrator decides to take more risk and scan all files traversing HTTP, but log or ignore an inline scanning error or timeout, the profile is modified as follows:

config antivirus profile
    edit "av"
        set fortisandbox-error-action {log-only | ignore}
        set fortisandbox-timeout-action {log-only | ignore}
    next
end

The AV engine is still used first, followed by FortiSandbox inline scanning. The FortiProxy will log or ignore the file if there is an inline scanning error or timeout, and the file is allowed to pass through.

FortiSandbox inline scanning

FortiSandbox inline scanning

When inline scanning is enabled, the client's file is held while it is sent to FortiSandbox for inspection. During this time, the FortiProxy may apply client comforting. For example, leaking a certain amount of bytes at a certain time interval to the client. Once a verdict is returned, the appropriate action (allow or block) is performed on the held file. If there is an error connecting to the FortiSandbox or a timeout on the FortiSandbox scanning the file within the default 50 seconds, the file can be passed, logged, or blocked based on FortiProxy's configuration.

Inline scanning requires a FortiSandbox appliance running version 4.4.5 or later, and the FortiSandbox must be reachable by port 4443. This feature is not supported on FortiSandbox Cloud. See Understanding Inline Block feature in the FortiSandbox Best Practices for more information.

FortiSandbox inline scanning is disabled by default. FortiSandbox inline scanning is best used in conjunction with AV engine scanning since there is a higher rate of detection by using both at the same time.

To enable FortiSandbox inline scanning globally:
config system fortisandbox
    set status enable
    set inline-scan {enable | disable}
    set server <fortisandbox_server_ip>
end
To configure the FortiSandbox scanning options in an antivirus profile:
config antivirus profile
    edit <name>
        set fortisandbox-mode {inline | analytics-suspicious | analytics-everything}
        set fortisandbox-error-action {ignore | log-only | block}  
        set fortisandbox-timeout-action {ignore | log-only | block}
        set fortisandbox-max-upload <integer>
        config {http | ftp | imap | pop3 | smtp | mapi | cifs | ssh}
            set av-scan {disable | block | monitor}
            set fortisandbox {disable | block | monitor}
        end	
    next
end

fortisandbox-mode {inline | analytics-suspicious | analytics-everything}

Set the FortiSandbox scan mode:

  • inline: FortiSandbox inline scanning
  • analytics-suspicious: FortiSandbox post-transfer scanning; submit supported files if heuristics or other methods determine they are suspicious
  • analytics-everything: FortiSandbox post-transfer scanning; submit supported files and known infected files (default)

fortisandbox-error-action {ignore | log-only | block}

Set the action to take if FortiSandbox inline scanning encounters an error reaching the FortiSandbox:

  • ignore: take no action
  • log-only: log the FortiSandbox inline scan error, but allow the file (default)
  • block: block the file upon FortiSandbox inline scan error

fortisandbox-timeout-action {ignore | log-only | block}

Set the action to take if FortiSandbox inline scanning encounters a scan timeout:

  • ignore: take no action
  • log-only: log the FortiSandbox inline scan timeout, but allow the file (default)
  • block: block the file upon FortiSandbox inline scan timeout

fortisandbox-max-upload <integer>

Set the maximum size of files that can be uploaded to FortiSandbox (1 - 396, default = 10).

av-scan {disable | block | monitor}

Enable the antivirus scan service. Set to block or monitor to work with FortiSandbox (default = disable).

fortisandbox {disable | block | monitor}

Set the protocol level parameter for FortiSandbox file scanning:

  • disable (default), block, and monitor are available for inline scanning
  • disable (default) and monitor are available for post-transfer scanning

Basic configuration

This example assumes that Inline Block Policy is already enabled in FortiSandbox for the FortiProxy with selected risk levels. The inline block policy in this example blocks all risk levels: malicious, high risk, medium risk, and low risk.

To configure FortiSandbox inline scanning in the GUI:
  1. Enable FortiSandbox inline scanning globally:
    1. Go to Security Fabric > Fabric Connectors and double-click the Sandbox card.
    2. In the Settings tab, set the Status to Enabled.
    3. Set the Type to FortiSandbox.
    4. Enter the server address.
    5. Optionally enter a notifier email address.
    6. Enable Inline scan.
    7. Click OK to save the changes.
  2. Configure the antivirus profile:
    1. Go to Security Profiles > AntiVirus and click Create New.
    2. Configure the options under AntiVirus Scan Service.
    3. Under Inspection Options, select inline for Send files to FortiSandbox for inspection.
    4. Click OK.
To configure FortiSandbox inline scanning in the CLI:
  1. Enable FortiSandbox inline scanning globally:
    config system fortisandbox
        set status enable
        set inline-scan enable
        set server "172.18.70.76"
    end
  2. Configure the antivirus profile:
    config antivirus profile
        edit "Inline_scan_demo"
            config http
                set av-scan block
                set fortisandbox block
            end
            config ftp
                set av-scan block
                set fortisandbox block
            end
            config imap
                set av-scan block
                set fortisandbox block
            end
            config pop3
                set av-scan block
                set fortisandbox block
            end
            config smtp
                set av-scan block
                set fortisandbox block
            end
            config mapi
                set av-scan block
                set fortisandbox block
            end
            config cifs
                set av-scan block
                set fortisandbox block
            end
            config ssh
                set av-scan block
                set fortisandbox block
            end
        next 
    end
To verify that infected files are blocked inline:
  1. On a client, open a web browser and download an infected file.
  2. The file is held while being scanned by FortiSandbox. Once FortiSandbox determines that file's risk level is not tolerated by the inline block policy, the FortiProxy drops the connection and displays a replacement message that the file cannot be downloaded.
  3. In FortiProxy, view the antivirus log.
    • In the GUI, go to Log & Report > Security Events and click the AntiVirus card.
    • In the CLI:
      # execute log filter category 2
      # execute log display
      1 logs found.
      1 logs returned.
      
      1: date=2022-03-23 time=16:19:37 eventtime=1648077577156255080 tz="-0700" logid="0210008232" type="utm" subtype="virus" eventtype="fortisandbox" level="warning" vd="vdom1" policyid=1 poluuid="9170ca3e-aade-51ec-772b-1d31f135fe26" policytype="policy" msg="Blocked by FortiSandbox." action="blocked" service="HTTP" sessionid=10545 srcip=10.1.100.181 dstip=172.16.200.184 srcport=37046 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port9" dstintfrole="undefined" srcuuid="5b426c60-aade-51ec-f020-b3d334ba18d3" dstuuid="5b426c60-aade-51ec-f020-b3d334ba18d3" proto=6 direction="incoming" filename="skip_vm.vXE" quarskip="File-was-not-quarantined" virus="Trojan" viruscat="Unknown" dtype="fortisandbox" ref="http://www.fortinet.com/ve?vn=Trojan" virusid=0 url="http://172.16.200.184/sandbox/inline/skip_vm.vXE" profile="Inline_scan_demo" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fsaaction="deny" fsaseverity="high-risk" fsaverdict="block" fsafileid=0 fsafiletype="exe" crscore=50 craction=2 crlevel="critical

Configuration with FortiSandbox scanning error and timeout actions

In this example, the HTTP protocol settings for av-scan and fortisandbox in the AV profile are both set to block. All files traversing HTTP in this configuration are scanned by the AV engine first, and then by FortiSandbox inline scanning for further file analysis. Based on the FortiSandbox results, FortiProxy will take the appropriate action.

Files can be blocked if they contain a scan error or timeout. The scan timeout is configured in FortiSandbox and set to 50 seconds. If the file scan takes longer than 50 seconds, FortiSandbox returns a timeout to the FortiProxy, and file is dropped with the current configuration. If a user tries to download the same file again, the cached result is provided by FortiSandbox to the FortiProxy based on the previous file scan.

This example assumes FortiSandbox inline scanning has been configured globally. The FortiProxy will block the file if there is an inline scanning error or timeout.

To configure the antivirus profile to block files if there is an inline scanning error or timeout:
config antivirus profile
    edit "av"
        set fortisandbox-mode inline
        config http
            set av-scan block
            set fortisandbox block
        end
        set fortisandbox-error-action block
        set fortisandbox-timeout-action block
    next
end

If the administrator decides to take more risk and scan all files traversing HTTP, but log or ignore an inline scanning error or timeout, the profile is modified as follows:

config antivirus profile
    edit "av"
        set fortisandbox-error-action {log-only | ignore}
        set fortisandbox-timeout-action {log-only | ignore}
    next
end

The AV engine is still used first, followed by FortiSandbox inline scanning. The FortiProxy will log or ignore the file if there is an inline scanning error or timeout, and the file is allowed to pass through.