Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

Troubleshooting warning icon in Dashboard

In the Dashboard, the color of the icons indicates status. When FortiSandbox is fully operational, icons are green. Yellow icons indicate that FortiSandbox is seeing a potential issue.

For Windows VM

When Windows VM is initializing, it is normal for the yellow icon to be displayed in the Dashboard. If the yellow icon persists, the Windows VM was not initialized successfully. To see initialization details:

  1. Go to Scan Policy and Object > VM Settings and check that there are installed Windows VM images and at least one is enabled (the clone number is not zero). You can also use the CLI command vm-status –l to display the installed VM images.
  2. Make sure there are valid Windows license keys installed. For example, if Windows 8 image in Optional VMs group is enabled, a valid Windows 8 key should be purchased and installed. Use the CLI command vm-license –l to check the Windows keys.
  3. Go to Log & Report > Events > VM Events or All Events and check the logs from the time of system boot up. For example, errors from Microsoft activation server might help you find the cause of failed activation.

For FortiGuard connectivity servers, such as for FDN update, community cloud, or web filtering

  1. Check that Antivirus DB Contract and Web Filtering Contract on Dashboard are valid. If they are, it is possible the unit has a bad network connection to external FortiGuard services.
  2. Run the CLI command test-network. This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected. The output shows connection speed and connectivity to related servers.
  3. Some firewalls are configured to block packets to UDP port 53. This blocks web filtering query. To correct this, take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command), go to System > FortiGuard and use the IP and port 8888 to overwrite the web filtering server. In addition, enable Use override server port of community cloud server query and select port 8888 in the FortiSandbox Community Cloud & Threat Intelligence Settings section.

For VM Internet access

For VM Internet access, it means the Windows VM cannot access the Internet through port3. This affects the catch rate even if FortiSandbox has a SIMNET feature. For example, the Downloader type for malwares need access to an outside network to download a malicious payload.

To rectify, check the following:
  1. In the Scan Policy and Object > General Settings page, check that Allow Virtual Machines to access external network through outgoing port is enabled.
  2. A valid Gateway should be provided. The gateway should be able to access the Internet. If no DNS server is set, the system one is used.
  3. Use the CLI command test-network to show network condition through port3.

Troubleshooting warning icon in Dashboard

In the Dashboard, the color of the icons indicates status. When FortiSandbox is fully operational, icons are green. Yellow icons indicate that FortiSandbox is seeing a potential issue.

For Windows VM

When Windows VM is initializing, it is normal for the yellow icon to be displayed in the Dashboard. If the yellow icon persists, the Windows VM was not initialized successfully. To see initialization details:

  1. Go to Scan Policy and Object > VM Settings and check that there are installed Windows VM images and at least one is enabled (the clone number is not zero). You can also use the CLI command vm-status –l to display the installed VM images.
  2. Make sure there are valid Windows license keys installed. For example, if Windows 8 image in Optional VMs group is enabled, a valid Windows 8 key should be purchased and installed. Use the CLI command vm-license –l to check the Windows keys.
  3. Go to Log & Report > Events > VM Events or All Events and check the logs from the time of system boot up. For example, errors from Microsoft activation server might help you find the cause of failed activation.

For FortiGuard connectivity servers, such as for FDN update, community cloud, or web filtering

  1. Check that Antivirus DB Contract and Web Filtering Contract on Dashboard are valid. If they are, it is possible the unit has a bad network connection to external FortiGuard services.
  2. Run the CLI command test-network. This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected. The output shows connection speed and connectivity to related servers.
  3. Some firewalls are configured to block packets to UDP port 53. This blocks web filtering query. To correct this, take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command), go to System > FortiGuard and use the IP and port 8888 to overwrite the web filtering server. In addition, enable Use override server port of community cloud server query and select port 8888 in the FortiSandbox Community Cloud & Threat Intelligence Settings section.

For VM Internet access

For VM Internet access, it means the Windows VM cannot access the Internet through port3. This affects the catch rate even if FortiSandbox has a SIMNET feature. For example, the Downloader type for malwares need access to an outside network to download a malicious payload.

To rectify, check the following:
  1. In the Scan Policy and Object > General Settings page, check that Allow Virtual Machines to access external network through outgoing port is enabled.
  2. A valid Gateway should be provided. The gateway should be able to access the Internet. If no DNS server is set, the system one is used.
  3. Use the CLI command test-network to show network condition through port3.