Understanding Inline Block feature
The Inline Block feature allows a fabric-integrated FortiGate to perform inline blocking of known and unknown malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.
To configure Inline Block on:
- FortiSandbox, see Inline Block Policy.
- FortiGate, see FortiSandbox inline scanning. Make sure that the Inspection Mode is set to proxy.
When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The FortiSandbox performs a series of Static Scan modules:
- Active Content check searches for any executable code, macros and scripts.
- Pre-filtering, as configured in the Scan Profile.
- FortiSandbox Community Cloud check queries FortiGuard for submissions by other FortiSandbox devices worldwide that contribute to the community.
- Static Scan engines are the Antivirus and AI engines, which use pattern matching and models.
In most cases, these scans only take a few seconds.
When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may take a minute for Office and PDF files and a few minutes for executable files.
Considerations
Office and PDF files
The FortiSandbox 2000E and higher models allow the Dynamic Scan timeout to be lowered. We recommend lowering the timeout to 45 seconds (or as low as 30 seconds) so that the FortiSandbox can provide the rating within the FortiGate's expected time limit. This is configurable via Scan Profile > Advanced tab.
Executable files
FortiSandbox scans executable files thoroughly by sending them through its Static AI and Dynamic AI Analysis stages. If FortiSandbox can provide its rating to the FortiGate based on static AI analysis alone, the file is allowed if the rating is Clean or blocked if the rating is Suspicious. If the FortiSandbox needs to continue with dynamic AI analysis, it notifies the FortiGate that it requires more time. Meanwhile, the FortiGate takes action on the file based on its configuration. The default FortiGate setting is to allow download of the file on timeout or scan error from FortiSandbox. The configuration can be changed to block the file with a replacement message so that the user tries the download again later. When the user tries to download again, FortiSandbox will already know the rating and should be able to respond quickly.
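The hold-and-release behaviour described above, as an added illustration (a constructed model, not Fortinet code): a toy FortiSandbox that answers static verdicts immediately and caches a dynamic verdict once the scan finishes, and a FortiGate-side function that applies the configured timeout action. Hash values, scan timings, the hold length and all function names are assumptions.

```python
"""Constructed model of the Inline Block hold/release flow (not Fortinet code).

The FortiGate holds the tail of a file until FortiSandbox returns a rating
or the hold expires, then applies its configured timeout action.
"""
from dataclasses import dataclass, field

CLEAN, SUSPICIOUS, PENDING = "clean", "suspicious", "pending"


@dataclass
class Sandbox:
    """Toy FortiSandbox. Static verdicts are returned immediately; a file
    whose static stage says PENDING goes to Dynamic Scan, whose (seconds,
    verdict) pair is looked up here. Finished verdicts are cached by hash."""
    static: dict                       # sha256 -> CLEAN | SUSPICIOUS | PENDING
    dynamic: dict                      # sha256 -> (scan_seconds, verdict)
    cache: dict = field(default_factory=dict)

    def rate(self, sha256: str, hold_seconds: int) -> str:
        if sha256 in self.cache:       # rating already known from an earlier submission
            return self.cache[sha256]
        verdict = self.static.get(sha256, PENDING)
        if verdict != PENDING:
            self.cache[sha256] = verdict
            return verdict
        seconds, verdict = self.dynamic[sha256]
        self.cache[sha256] = verdict   # the scan finishes even if the gateway gave up
        # Dynamic Scan needed: FortiSandbox tells the FortiGate it needs more time.
        # If that exceeds the gateway's hold, the gateway sees no rating this time.
        return verdict if seconds <= hold_seconds else PENDING


def gateway_action(sandbox: Sandbox, sha256: str, hold_seconds: int,
                   timeout_action: str = "allow") -> str:
    """FortiGate side. 'allow' (the default) releases the file on timeout or
    scan error; 'block' serves a replacement message and relies on a retry."""
    verdict = sandbox.rate(sha256, hold_seconds)
    if verdict == CLEAN:
        return "allow"
    if verdict == SUSPICIOUS:
        return "block"
    return "allow" if timeout_action == "allow" else "block-replacement-message"


if __name__ == "__main__":
    # Constructed sample: an Office file that finishes Dynamic Scan within the
    # recommended 45 s, and an executable that needs a few minutes.
    sb = Sandbox(static={"docx-1": PENDING, "exe-1": PENDING},
                 dynamic={"docx-1": (45, SUSPICIOUS), "exe-1": (180, SUSPICIOUS)})
    print(gateway_action(sb, "docx-1", 60))   # block
    print(gateway_action(sb, "exe-1", 60))    # allow (default action on timeout)
    print(gateway_action(sb, "exe-1", 60))    # block (rating is now cached)
```

With the default timeout action the first download of a slow executable is released before its rating is known; only the retry is blocked, which is the trade-off the block-with-replacement-message setting removes.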
Other considerations:
- Inline Block relies on the FortiSandbox having the resources to quickly bring up VMs for Dynamic Scan. Only the following models can meet the resource requirement: 3000F, 3000E and 2000E. Other deployment models may meet the requirement depending on their current capacity.
- Enable sandboxing prefiltering on all file types with the CLI command sandboxing-prefilter.
- Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending time is too high, monitor and evaluate whether the current deployment needs additional FortiSandbox units.