Fortinet black logo

Administration Guide

Scan Profile VM Association Tab

Copy Link
Copy Doc ID 7885f8f7-912a-11e9-81a4-00505692583a:312790
Download PDF

Scan Profile VM Association Tab

The VM Association tab defines file type and VM type association. Association means files of a certain file type will be sandboxed by the associated VM type. This page displays all installed VM image(s), their clone numbers, versions, and status.

If a VM type is disabled (clone # is 0), its Clone # field will be red.

To configure association:

Click the VM image’s name. The left side panel shows installed applications and right side panel shows current associated file types.

For an associated file to be sandboxed in the VM image:

  • Its file type has to be configured to enter a job queue.
  • The VM image has a non-zero clone number (i.e. it is enabled).
  • The file is not filtered out from Sandboxing scan. For more information, see the sandboxing-prefilter command in the CLI Reference guide.

If sandboxing pre-filtering is OFF for a file type, it will be scanned by each associated VM type; if sandboxing pre-filtering is ON, files of this file type will be statically scanned first by an advanced analytic engine and only suspicious ones will be scanned by associated VM type. Other files go through all scan steps except the Sandboxing scan step.

To improve the system scan performance, you can turn on the sandbox pre-filtering of a file type through the sandboxing-prefilter CLI command. For example, you can associate web files to VM types. If the sandboxing pre-filtering is OFF for js/html files, all of them will be scanned inside associated VM types. This may use up system's sandboxing scan capacity because web files are usually large in amount. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox 3.1.0 CLI Reference Guide.

To edit associated file type:
  1. Click Scanned File Types area and a file type list will be displayed.
  2. File types are grouped in different categories. Clicking the category title will toggle associations of all grouped file types. Clicking on an individual file type will toggle its own association. When the file type is displayed in full length, it means the file type is associated.
Add a user defined extension:

Make sure the user defined extension is enabled.

  1. Click the + sign and enter a non-existing extension.
  2. Click the green check mark. The user can then click on the new extension to toggle its association.
Finalizing the list of Scanned File Types:
  1. After the user has finished the association configuration, click the Scanned File Types to finalize the list.
  2. Click the Apply button to apply the changes.

    Files will then be scanned by the associated VM images.

For files with a user defined extension, they will be scanned by a VM image no matter what file types they really are. Only a file's extension counts.

FortiSandbox provides default scan profile settings.

In a cluster environment, it is highly recommended that all cluster nodes have the same enabled VM, although it is not enforced.

If cluster nodes do not have the same list of enabled VM types, a warning message will show up on top of the Scan Profile page for five seconds.

The Scan Profile can only be configured on the Master node and the configurations will be synced to slave nodes. Master node will collected all installed VM image information. If a unique VM image is only installed on a slave node, the user can still configure on the Master node and the result will be synchronized to that Slave node.

lnk file type in Web pages group is for shortcut of a web link. While WEBLink type in URL detection group is for URL scans, which follows depth and timeout settings in Job Queue tab.

There might be malicious URLs inside Office files and PDF files. Users can choose to scan randomly selected URLs along with the original file inside files' associated VM. To turn this feature ON, use the sandboxing-embeddedurl CLI command. For more details, refer to the FortiSandbox 3.1.0 CLI Reference Guide.

A unit can join global threat network as Contributor to allow the Collector to control its Scan Profile, or it can work as Collector to manage Scan Profile of all units in the network. Only Standalone unit or Master node in a cluster can join the network.

After you configure the Scan Profile on the Collector, the settings will be downloaded by all Contributors. On Contributor units, the Scan Profile page becomes read-only.

Scan Profile VM Association Tab

The VM Association tab defines file type and VM type association. Association means files of a certain file type will be sandboxed by the associated VM type. This page displays all installed VM image(s), their clone numbers, versions, and status.

If a VM type is disabled (clone # is 0), its Clone # field will be red.

To configure association:

Click the VM image’s name. The left side panel shows installed applications and right side panel shows current associated file types.

For an associated file to be sandboxed in the VM image:

  • Its file type has to be configured to enter a job queue.
  • The VM image has a non-zero clone number (i.e. it is enabled).
  • The file is not filtered out from Sandboxing scan. For more information, see the sandboxing-prefilter command in the CLI Reference guide.

If sandboxing pre-filtering is OFF for a file type, it will be scanned by each associated VM type; if sandboxing pre-filtering is ON, files of this file type will be statically scanned first by an advanced analytic engine and only suspicious ones will be scanned by associated VM type. Other files go through all scan steps except the Sandboxing scan step.

To improve the system scan performance, you can turn on the sandbox pre-filtering of a file type through the sandboxing-prefilter CLI command. For example, you can associate web files to VM types. If the sandboxing pre-filtering is OFF for js/html files, all of them will be scanned inside associated VM types. This may use up system's sandboxing scan capacity because web files are usually large in amount. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox 3.1.0 CLI Reference Guide.

To edit associated file type:
  1. Click Scanned File Types area and a file type list will be displayed.
  2. File types are grouped in different categories. Clicking the category title will toggle associations of all grouped file types. Clicking on an individual file type will toggle its own association. When the file type is displayed in full length, it means the file type is associated.
Add a user defined extension:

Make sure the user defined extension is enabled.

  1. Click the + sign and enter a non-existing extension.
  2. Click the green check mark. The user can then click on the new extension to toggle its association.
Finalizing the list of Scanned File Types:
  1. After the user has finished the association configuration, click the Scanned File Types to finalize the list.
  2. Click the Apply button to apply the changes.

    Files will then be scanned by the associated VM images.

For files with a user defined extension, they will be scanned by a VM image no matter what file types they really are. Only a file's extension counts.

FortiSandbox provides default scan profile settings.

In a cluster environment, it is highly recommended that all cluster nodes have the same enabled VM, although it is not enforced.

If cluster nodes do not have the same list of enabled VM types, a warning message will show up on top of the Scan Profile page for five seconds.

The Scan Profile can only be configured on the Master node and the configurations will be synced to slave nodes. Master node will collected all installed VM image information. If a unique VM image is only installed on a slave node, the user can still configure on the Master node and the result will be synchronized to that Slave node.

lnk file type in Web pages group is for shortcut of a web link. While WEBLink type in URL detection group is for URL scans, which follows depth and timeout settings in Job Queue tab.

There might be malicious URLs inside Office files and PDF files. Users can choose to scan randomly selected URLs along with the original file inside files' associated VM. To turn this feature ON, use the sandboxing-embeddedurl CLI command. For more details, refer to the FortiSandbox 3.1.0 CLI Reference Guide.

A unit can join global threat network as Contributor to allow the Collector to control its Scan Profile, or it can work as Collector to manage Scan Profile of all units in the network. Only Standalone unit or Master node in a cluster can join the network.

After you configure the Scan Profile on the Collector, the settings will be downloaded by all Contributors. On Contributor units, the Scan Profile page becomes read-only.