Improving scan performance

A unit processes files at a certain rate. There are ways to improve the unit’s scan power. The following suggestions help to optimize your system's scan performance.

  1. Only keep jobs with a clean rating for a short period.

    If you are not concerned about processed files with a clean rating, you can configure the system to remove them after a short period. This saves system resources and improves system performance.

    To do that, go to Scan Policy and Object > General Settings and set a short time period in the Delete all traces of jobs of Clean or Other rating after section.

  2. Turn on FortiGuard Pre-Filtering of certain file types.

    By default, if a file type is associated with a Windows VM image, all files of this file type are scanned inside it. Scanning inside a Windows VM is a slow and intensive process. For information about throughput, see the FortiSandbox datasheet for your model.

    You can enable FortiGuard Pre-Filtering on some file types. When enabled, files of that file type are inspected by an advanced FortiGuard Pre-Filtering engine and only suspicious files are scanned inside a VM. The Log & Report > File Scan Summary Report > Top File Type > Scanned by Sandboxing page gives you hints on which file types can skip sandboxing.

    Use the CLI command sandboxing-prefilter -e to enable pre-filtering.

  3. Associate every file type with only one VM type.

    Theoretically, one file should be scanned inside all enabled VM types to get the best malware catch rate. However, to improve scan performance, every file type should be associated with only one VM type.

  4. Allocate clone numbers of each VM type according to the distribution of file types.

    Each unit can only prepare a limited number of guest image clones. The number is determined by installed Windows license keys. Allocate clone numbers according to the distribution of file types. For example, if there are a lot of Office files and WIN7X86VM is associated with Office files, you can decrease the clone number of other VM types and increase the clone number of the WIN7X86VM image.

    If there are many pending jobs, use the pending-jobs CLI command or go to Scan Job > Job Queue to check which file type has the longest queue and increase clone numbers of its associated VM type.

  5. Reduce enabled Windows VM types.

    Each enabled Windows VM type requires system memory at runtime to store it. The more enabled types, the less system memory is available for scanning. This is especially the case when you enable customized images of a large size. To improve scan performance and clone system stability, we recommend reducing enabled VM types.

  6. Do not associate VM types with archive files.

    FortiSandbox checks every file inside an archive file and puts it in its own job queues according to Scan Profile settings. If an archive file is scanned inside a VM, the archive file is opened but the files inside the archive file are not scanned, so a sandboxing scan of the archive file itself is not effective in detecting malware. Therefore we recommend not associating VM types with archive files.
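The clone allocation in step 4 can be planned offline before changing the unit. The sketch below is an added example, not Fortinet code: it splits a fixed clone budget across VM types in proportion to file volume. The file counts, the OTHERVM_A and OTHERVM_B names, and the rule that every enabled VM type keeps at least one clone are assumptions made for illustration.

```python
# Added planning aid; nothing here talks to a FortiSandbox unit.

def allocate_clones(type_counts, type_to_vm, total_clones, min_per_vm=1):
    """Split total_clones across VM types in proportion to file volume.

    type_counts: {file_type: number of files submitted}
    type_to_vm:  {file_type: vm_type}, one VM type per file type (step 3)
    """
    # Sum the file volume that lands on each VM type.
    load = {}
    for ftype, vm in type_to_vm.items():
        load[vm] = load.get(vm, 0) + type_counts.get(ftype, 0)
    if total_clones < min_per_vm * len(load):
        raise ValueError("clone budget is too small for the enabled VM types")

    # Assumption: each enabled VM type keeps min_per_vm clones; the rest
    # of the budget is shared in proportion to load.
    spare = total_clones - min_per_vm * len(load)
    weights = load if any(load.values()) else {vm: 1 for vm in load}
    total_weight = sum(weights.values())

    alloc, remainders = {}, {}
    for vm, weight in weights.items():
        quota, remainders[vm] = divmod(spare * weight, total_weight)
        alloc[vm] = min_per_vm + quota

    # Largest-remainder rounding so the result uses exactly total_clones.
    leftover = total_clones - sum(alloc.values())
    ranked = sorted(alloc, key=lambda vm: (-remainders[vm], vm))
    for vm in ranked[:leftover]:
        alloc[vm] += 1
    return alloc


# Constructed sample data: file counts per type and their VM association.
SAMPLE_COUNTS = {"doc": 6000, "xls": 2000, "pdf": 1500, "exe": 500}
SAMPLE_ASSOC = {
    "doc": "WIN7X86VM",
    "xls": "WIN7X86VM",
    "pdf": "OTHERVM_A",  # hypothetical VM type name
    "exe": "OTHERVM_B",  # hypothetical VM type name
}

if __name__ == "__main__":
    # Budget of 8 clones, standing in for the limit set by license keys.
    for vm, n in allocate_clones(SAMPLE_COUNTS, SAMPLE_ASSOC, 8).items():
        print(f"{vm}: {n} clones")
```

Feed it the per-type counts from the File Scan Summary Report or the queue depths from Scan Job > Job Queue, and rerun it when the file mix changes.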
