Scan Profile Job Queue Tab
Use the Job Queue page to define file types and URLs that are allowed to enter the job queue if they are from a sniffer, adapter, or device other than FortiMail.
Files or URLs submitted through On-Demand, RPC JSON API, network share, or FortiMail are always put into the job queue even if their file types are not set to enter the job queue. For unsupported or disabled file types, those files are dropped and rated as clean. |
To allow a file type to enter the job queue:
Click its toggle button on the right side to enable it. If the button is greyed out, files of that type will be dropped.
File Detection
FortiSandbox supports a customized timeout value to control the tracer running time in VM.
Currently, MAC OSX and Windows Cloud VM do not support File detection.
To configure File Detection:
- Click Scan Policy and Object > Scan Profile
- In the File detection window, enter a Default Timeout value between 60 and 180 seconds.
A shorter Default Timeout value gives better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range.
- Click Apply.
The Scan results shows the VM Scan time.
URL Detection
When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also define the Default Depth setting (from 0 to 5) of the URL and the Default Timeout.
If there is a long queue of pending jobs, consider turning off some file types to job queue. For example, in most networks, static web files (JavaScript, html, aspx files) and Adobe Flash files comprise a large portion of all files. When performance issue are met, users can consider turning them off. If a file type is turned off, files of that type already in the job queue will still be processed. You can use the |
To determine the number of each file type and its input source, use the CLI command |
Allow adaptive VM scan
Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.
Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs.
In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.
A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.
A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.
An enabled local VM has at least one clone. At any time, the number of assignable clones cannot be less than 0.
Allow parallel VM scan
Normally, a job is scanned in VM in sequence if the file type is associated with a different VM. Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job.
The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.
In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes.
Set customized sandboxing ratio
Enable this option to allow a customized ratio for jobs that are scanned in VM. The ratio is a low bound for the jobs that need to be scanned in VM, meaning that the percentage of jobs scanned in VM can be equal to or higher than the preset ratio.
To configure this options, enable Set customized sandboxing ratio and set a ratio between 1 and 100.
This option is an extra filter that sends a job to the VM. When not enabled, the VM scan is skipped.
This option does not affect jobs that should normally be scanned in VM. Those jobs are still VM scanned.
In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in about the last one hour. This lets you see how many files were scanned in VM in the last hour.
VM scan ratio calculation
The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.
Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So the current job will be sent to VM.
Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So this job won’t be sent to VM.
Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.
In an HA-Cluster, only the primary node can enable this option and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.
Allow VM scan cache
Enable this option to allow VM scan cache.