
Administration Guide

Virtual Machine

VM Images

Go to Virtual Machine > VM Images to view all installed VM images and configure the number of instances of each image.

VM images are grouped into the following categories:

Default VMs

Basic set of images installed on FortiSandbox by default. The FSA-AWS models are the Windows VMs installed on AWS.

Optional VMs

Optional VM images published by Fortinet.

Customized VMs

Images created by users and uploaded to FortiSandbox.

Remote VMs

MACOSX and Windows Cloud VM are supported as remote VMs. You can purchase subscription services from Fortinet to reserve clone numbers in the FortiSandbox Cloud.

There is no trial license for MACOSX VM.

In cluster mode for MACOSX remote VMs, all cluster nodes share a collected pool of reserved clones from each unit. This means that even if a node has no remote VM contract, it can still upload files to the cloud for scanning. For the cluster as a whole, at any moment, the number of files being scanned on the cloud cannot exceed the total number of reserved clone numbers.

In cluster mode for Windows Cloud VM, VM00 units in the cluster can purchase Windows cloud VM seat counts. These cloud VM clones are local to the VM00 unit and are not shared.

Simulator VMs

From 3.1.1, Linux OT is supported as a simulator Linux VM to address the OT industry's need to detect malware. You can purchase the Industry Security Signature Contract from Fortinet to enable Linux OT.

To scan files with the simulator VM, submit files through the Ubuntu VM, which simulates protocols such as Modbus, SNMP, IPMI, FTP, and TFTP to detect malware. Currently, SIEMENS is supported inside the simulator VM. The OT image is not supported on EOL models such as FSA 1000-D, 3000-D, and 3500-D. OT images use one VM license; however, the clone number does not change when the image is enabled.

Note

A new Ubuntu18 optional VM is introduced in FortiSandbox 3.1.0.

When Fortinet publishes a new version of a VM image on its image server, the image appears in the Optional VMs group with a download button in the Status column. Click the button to start downloading. After the image has downloaded, a Ready to Install button is displayed. When the user clicks it, all downloaded images start installing. After installation, the system reboots automatically. Users can also click the Remove button to delete a downloaded image.

After an image is installed, its license key is checked. If no keys are available, the image's status is installed but disabled until the key is imported and the image is activated. After the image is activated, users can start using it by setting its clone number to be greater than 0. After that, the image's status becomes activated.

The following options are available:

Edit Clone Number

Edit the selected entry. Click the green checkmark to save the new number and then click Apply.

Delete VM

Delete the selected entry. VMs deleted in the GUI are deleted when the system reboots. You cannot delete the default set of four Windows VMs.

Undelete VM

After deleting a VM, you can use Undelete VM to recover it. After the system reboots and the delete action is completed, you cannot undelete a VM.

VM Screenshot

Take a screenshot of a running VM and view the filename the VM is scanning. This is only available for admin users.

The following information is displayed:

Enabled VM Types

The maximum number of VM types that can concurrently run. The maximum is four on models other than FSA-3000E. The maximum is six on FSA-3000E.

Keys

Maximum number of keys including used key numbers and installed key numbers.

Clone Number

Maximum clone number and the number of installed Windows licenses. For example:

  • FSA-3000D, the maximum clone number is 28.
  • FSA-1000D, the maximum clone number is 8.
  • FSA-3500D, the maximum clone number is 8.
  • FSA-3000E, the maximum clone number is 56.
  • FSA-2000E, the maximum clone number is 24.
  • FSAVM00, the maximum clone number is 8.

To expand the unit's scan power, you can purchase a cloud Windows VM subscription. Files can then be sent to Fortinet Cloud Sandboxing for scanning.

Name

Name of the VM image. The name is unique in the system. If you upload a new VM image of the same name, the current installation is replaced.

To see the VM’s usage chart, click the Chart icon beside the Name.

Version

VM image version. If there is a new version of an image on the Fortinet Image Server, a New Version Available icon appears. You can download, install, and activate it.

Status

VM image status such as:

  • Ready to Download
  • Ready to Upgrade
  • Downloading (shows a progress bar)
  • Ready to Install (Install or Remove downloaded image)
  • Installing
  • Installed (Disabled)
  • Installed (No Keys Available)
  • Activated

Enabled

If an image's clone number is 0, it is disabled. Otherwise it is enabled.

Clone#

VM clone number. Double-click the number to edit it and then click the green checkmark to save the new number. Click Apply to apply the change. The VM system re-initializes.

The total clone number of all VM images cannot exceed the number of installed Windows licenses. For example, for FSA-3000D, the maximum clone number is 28.

We recommend allocating more than 8 + clone_number * 3 of memory to your FSA unit.

Load#

The used VM clone number. For example, if a cluster master node is set to use 50% of sandboxing scan power, the load # is half of clone #.

Extensions

List of all the file types the VM image is associated with. Files of these types are scanned by this VM if they are determined to enter the job queue. The system decides if they need to be sandboxed.

If the sandbox prefiltering is turned off for a file type, it will be scanned inside each associated VM type.

If sandbox prefiltering is turned on, files of this file type will be statically scanned first by an advanced analytic engine and only suspicious ones will be scanned inside associated VM types.

You can define file type and VM association in Scan Policy > Scan Profile. You can double-click the value to access the Scan Profile page to edit the list.

Enabled clone numbers are checked against allocated CPU and memory resources. If there are not enough resources, a warning message appears and the setting is denied.
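
A planned allocation can be checked against the limits on this page before clicking Apply. The following is an added example, not Fortinet code: the image names and sample plan are constructed, and it assumes the memory recommendation is in GB and that clone_number in that formula means the total across all images.

```python
# Added example: pre-check a planned clone allocation against the limits this
# guide states. Image names and the sample plan are constructed.

# Maximum clone number per model, from the Clone Number list in this guide.
MAX_CLONES = {
    "FSA-3000D": 28, "FSA-1000D": 8, "FSA-3500D": 8,
    "FSA-3000E": 56, "FSA-2000E": 24, "FSAVM00": 8,
}

def max_vm_types(model):
    """Enabled VM Types limit: six on FSA-3000E, four on other models."""
    return 6 if model == "FSA-3000E" else 4

def check_plan(model, plan, installed_licenses, memory_gb):
    """Return a list of problems for plan = {image_name: clone_number}.

    Assumptions (not stated on the page): the memory figure is in GB and
    clone_number in the memory formula is the total across all images.
    """
    if model not in MAX_CLONES:
        raise ValueError(f"no clone limit listed for model {model!r}")
    problems = []
    for name, clones in plan.items():
        if clones < 0:
            problems.append(f"{name}: clone number cannot be negative")
    # An image with clone number 0 is disabled and is not an enabled VM type.
    enabled = {n: c for n, c in plan.items() if c > 0}
    total = sum(enabled.values())
    if len(enabled) > max_vm_types(model):
        problems.append(f"{len(enabled)} enabled VM types exceeds the "
                        f"limit of {max_vm_types(model)} for {model}")
    # Total clones are bounded by the model maximum and installed licenses.
    limit = min(MAX_CLONES[model], installed_licenses)
    if total > limit:
        problems.append(f"total clone number {total} exceeds limit {limit}")
    # The guide recommends MORE than 8 + clone_number * 3 of memory.
    recommended = 8 + total * 3
    if memory_gb <= recommended:
        problems.append(f"memory {memory_gb} is not above the recommended "
                        f"{recommended} for {total} clones")
    return problems

if __name__ == "__main__":
    sample = {"image-a": 4, "image-b": 4, "image-c": 2}  # constructed plan
    for line in check_plan("FSA-1000D", sample, installed_licenses=8, memory_gb=16):
        print("would be rejected:", line)
```
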
