Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 4.0.4 Administration Guide
    4.0.4
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Primary and worker roles

    Primary and worker roles

    On the primary node, all functionality is available based on your licenses and contracts. This includes accepting files from different input sources, sending alert emails, and generating malware packages. Scan profiles should also be configured on the primary node and will be synchronized to other nodes.

    The following table below lists the features and its synchronization settings.

    • Failover – the related settings are synchronized from primary to secondary on a regular basis and applied during a failover event.
    • Realtime – the related settings are synchronized as soon as changes are applied.
    • Realtime* – the related settings are synchronized in realtime only if configured.

    Feature

    Secondary

    Worker

    Dashboard > Status

    Widget settings

    Failover

    NTP Server settings

    Failover

    Security Fabric

    Device, including FortiClient

    Failover

    Adapter

    Failover

    Network Share, including network share scans

    Failover

    Quarantine

    Failover

    Sniffer

    Failover

    FortiAI

    Realtime

    Realtime

    HA-Cluster

    Health Check

    Failover

    Scan Job

    Overridden job verdicts

    Realtime

    Realtime

    Scan Policy and Object

    Scan Profile > Pre-Filter

    Realtime

    Realtime

    Scan Profile > Advanced

    Realtime

    Realtime

    General Settings > Allow VMs outbound port3

    Realtime*

    Realtime*

    General Settings > Upload

    Failover

    General Settings > Job Archive

    Failover

    General Settings > Upload/Password/Clean up schedule settings

    Realtime

    Realtime

    Job Queue Priority

    Realtime

    Realtime

    Allowlist/Blocklist

    Realtime

    Realtime

    YARA Rules

    Realtime

    Realtime

    Web Category

    Realtime

    Realtime

    Customized Rating

    Realtime

    Realtime

    Global Network settings

    Failover

    Threat Intelligence > Generation Settings

    Failover

    System

    Administrators

    Failover/Realtime*

    Realtime*

    Device Groups

    Failover/Realtime*

    Realtime*

    Certificates

    Failover/Realtime*

    Realtime*

    LDAP Servers and RADIUS Servers

    Failover/Realtime*

    Realtime*

    Network settings (DNS)

    Realtime*

    Realtime*

    Mail Server, including Scheduled Report Configuration

    Failover

    SNMP

    Failover/Realtime*

    Realtime*

    FortiGuard

    Realtime*

    Realtime*

    Login Disclaimer

    Realtime*

    Realtime*

    System Recovery

    Failover/Realtime*

    Realtime*

    Settings

    Failover

    Log & Report

    Log Servers

    Realtime*

    Realtime*

    Local Log

    Realtime*

    Realtime*

    CLI only configuration

    AI Mode

    Realtime

    Realtime

    Device Low-Encryption

    Failover

    Device Authorization

    Failover

    File size limit configuration

    Realtime

    Realtime

    FortiMail expired timeout

    Failover

    Network settings (proxy and routing tables)

    Realtime*

    Realtime*

    HA Cluster settings (cluster IP/encryption)

    Failover

    OFTPD conserve mode

    Failover

    Primary node scan power

    Failover

    Prescan configuration

    Realtime

    Realtime

    Remote authentication timeout

    Failover

    TLS version

    Realtime

    Realtime

    Sandboxing embedded URL

    Realtime

    Realtime
    Note

    Although you can assign different VM types to each node in a cluster, we recommend all nodes share the same VM types. VM types are collected from all nodes and are displayed in the primary node’s Scan Profile > VM Association page where VM associations can be configured and synchronized for the entire cluster. If an association for a VM type is missing on the worker node, the sandbox scan cannot be completed.

    For example, if you associate WIN10X64VM to scan all executable files when configuring the Scan Profile on the primary node, but do not enable WIN10X64VM on a worker node, all executable files distributed to that worker are not scanned.
    Previous
    Next

    Primary and worker roles

    Primary and worker roles

    On the primary node, all functionality is available based on your licenses and contracts. This includes accepting files from different input sources, sending alert emails, and generating malware packages. Scan profiles should also be configured on the primary node and will be synchronized to other nodes.

    The following table below lists the features and its synchronization settings.

    • Failover – the related settings are synchronized from primary to secondary on a regular basis and applied during a failover event.
    • Realtime – the related settings are synchronized as soon as changes are applied.
    • Realtime* – the related settings are synchronized in realtime only if configured.

    Feature

    Secondary

    Worker

    Dashboard > Status

    Widget settings

    Failover

    NTP Server settings

    Failover

    Security Fabric

    Device, including FortiClient

    Failover

    Adapter

    Failover

    Network Share, including network share scans

    Failover

    Quarantine

    Failover

    Sniffer

    Failover

    FortiAI

    Realtime

    Realtime

    HA-Cluster

    Health Check

    Failover

    Scan Job

    Overridden job verdicts

    Realtime

    Realtime

    Scan Policy and Object

    Scan Profile > Pre-Filter

    Realtime

    Realtime

    Scan Profile > Advanced

    Realtime

    Realtime

    General Settings > Allow VMs outbound port3

    Realtime*

    Realtime*

    General Settings > Upload

    Failover

    General Settings > Job Archive

    Failover

    General Settings > Upload/Password/Clean up schedule settings

    Realtime

    Realtime

    Job Queue Priority

    Realtime

    Realtime

    Allowlist/Blocklist

    Realtime

    Realtime

    YARA Rules

    Realtime

    Realtime

    Web Category

    Realtime

    Realtime

    Customized Rating

    Realtime

    Realtime

    Global Network settings

    Failover

    Threat Intelligence > Generation Settings

    Failover

    System

    Administrators

    Failover/Realtime*

    Realtime*

    Device Groups

    Failover/Realtime*

    Realtime*

    Certificates

    Failover/Realtime*

    Realtime*

    LDAP Servers and RADIUS Servers

    Failover/Realtime*

    Realtime*

    Network settings (DNS)

    Realtime*

    Realtime*

    Mail Server, including Scheduled Report Configuration

    Failover

    SNMP

    Failover/Realtime*

    Realtime*

    FortiGuard

    Realtime*

    Realtime*

    Login Disclaimer

    Realtime*

    Realtime*

    System Recovery

    Failover/Realtime*

    Realtime*

    Settings

    Failover

    Log & Report

    Log Servers

    Realtime*

    Realtime*

    Local Log

    Realtime*

    Realtime*

    CLI only configuration

    AI Mode

    Realtime

    Realtime

    Device Low-Encryption

    Failover

    Device Authorization

    Failover

    File size limit configuration

    Realtime

    Realtime

    FortiMail expired timeout

    Failover

    Network settings (proxy and routing tables)

    Realtime*

    Realtime*

    HA Cluster settings (cluster IP/encryption)

    Failover

    OFTPD conserve mode

    Failover

    Primary node scan power

    Failover

    Prescan configuration

    Realtime

    Realtime

    Remote authentication timeout

    Failover

    TLS version

    Realtime

    Realtime

    Sandboxing embedded URL

    Realtime

    Realtime
    Note

    Although you can assign different VM types to each node in a cluster, we recommend all nodes share the same VM types. VM types are collected from all nodes and are displayed in the primary node’s Scan Profile > VM Association page where VM associations can be configured and synchronized for the entire cluster. If an association for a VM type is missing on the worker node, the sandbox scan cannot be completed.

    For example, if you associate WIN10X64VM to scan all executable files when configuring the Scan Profile on the primary node, but do not enable WIN10X64VM on a worker node, all executable files distributed to that worker are not scanned.
    Previous
    Next