Administration Guide

How to improve system scan performance

A unit can process only a limited number of files within a given time period. There are several ways to improve the unit’s scan performance:

  1. Only keep jobs with a Clean rating for a short period. If the user is not concerned about processed files with a Clean rating, the user can configure the system to remove them after a short period. This saves system resources and improves system performance. To do that, go to Scan Policy > General, and configure Delete all traces of jobs of Clean or Other rating after.
  2. Turn on Pre-Filtering for certain file types. By default, if a file type is associated with a Windows VM image, all files of this file type will be scanned inside it. Sandbox scanning inside a Windows VM is a slow and expensive process.

    For example, an FSA3000D unit can only scan 560 files/hr inside VM on average. Users can enable Pre-Filtering on certain file types. If it is enabled, files of that file type will be pre-filtered and given a Clean rating; only suspicious ones will be scanned inside a VM.

    The following file types support Pre-Filtering: DLL, PDF, SWF, JS, HTML, URL, trustvendor, and trust domain.

    For the URL type, if Pre-Filtering is enabled, only URLs whose web filtering category is Unrated will be scanned inside a VM.

  3. Associate every file type with only one VM type. Theoretically, one file should be scanned inside all enabled VM types to get the best malware catch rate. However, to improve scan performance, every file type should be associated with only one VM type.
  4. Allocate clone numbers of each VM type according to the distribution of file types.

    Each unit can only prepare a limited number of guest image clones. The number is determined by the installed Windows license keys. Users should allocate clone numbers according to the distribution of file types.

    For example, if there are a lot of Office files and WIN7X86VM is associated with Office files, users can decrease the clone number of other VM types and increase the clone number of the WIN7X86VM image. If the user sees a large number of pending jobs, they can use the pending-jobs CLI command or go to the Scan Input > Job Queue page to see which file type is most common in the queue, and then increase the clone numbers of its associated VM type. See Job Queue for more information.
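
The clone allocation described in step 4 can be worked out from per-file-type queue counts. The following is an added example, not Fortinet code: the queue counts, the clone budget of 8, the VM type names VM_B and VM_C, and the rule that every VM type keeps at least one clone are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data (not from a real unit). WIN7X86VM is the VM type
# named above; VM_B and VM_C are hypothetical placeholders for other VM types.
PENDING = {"office": 600, "pdf": 250, "dll": 100, "js": 50}
VM_FOR_TYPE = {"office": "WIN7X86VM", "pdf": "VM_B", "js": "VM_B", "dll": "VM_C"}
TOTAL_CLONES = 8  # assumed clone budget allowed by the license keys


def allocate_clones(pending_by_type, vm_for_type, total_clones, min_per_vm=1):
    """Split total_clones across VM types in proportion to queued jobs.

    Every enabled VM type keeps at least min_per_vm clones so that no file
    type loses its only VM; the remainder follows the pending-job load.
    """
    vms = sorted(set(vm_for_type.values()))
    spare = total_clones - min_per_vm * len(vms)
    if spare < 0:
        raise ValueError("clone budget too small for the enabled VM types")

    # Sum pending jobs per VM type via the one-VM-per-file-type mapping.
    load = Counter()
    for ftype, count in pending_by_type.items():
        if ftype not in vm_for_type:
            raise KeyError(f"file type {ftype!r} has no associated VM type")
        load[vm_for_type[ftype]] += count
    total_load = sum(load.values())
    if total_load == 0:  # empty queue: fall back to an even split
        load = Counter({vm: 1 for vm in vms})
        total_load = len(vms)

    # Integer share plus remainder per VM type (largest-remainder method),
    # so the result always sums exactly to total_clones.
    parts = {vm: divmod(spare * load[vm], total_load) for vm in vms}
    alloc = {vm: min_per_vm + parts[vm][0] for vm in vms}
    leftover = total_clones - sum(alloc.values())
    for vm in sorted(vms, key=lambda v: (-parts[v][1], v))[:leftover]:
        alloc[vm] += 1
    return alloc


if __name__ == "__main__":
    print(allocate_clones(PENDING, VM_FOR_TYPE, TOTAL_CLONES))
```

With the sample queue, Office files make up 60% of the pending jobs, so WIN7X86VM receives the largest share of the clone budget.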
