Understanding Inline Block feature

The Inline Block feature allows a FortiGate device, through fabric integration, to perform inline blocking of known and unknown malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.

To configure Inline Block on:

When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The FortiSandbox performs a series of Static Scan modules:

  • Active Content check searches for any executable code, macros, and scripts.
  • Pre-filtering is a Scan Profile configuration.
  • FortiSandbox Community Cloud check queries FortiGuard for any submissions by other FortiSandbox devices worldwide that contribute to the community.
  • Static Scan engines are the Antivirus and AI engines using pattern matching and models.

In most cases, these scans only take a few seconds.

When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may take a minute for Office and PDF files and a few minutes for executable files.

Considerations

Office and PDF files

The FortiSandbox 2000E and higher models allow the Dynamic Scan timeout to be lowered. We recommend lowering the timeout to 45 seconds (or as low as 30 seconds) so that the FortiSandbox can provide the rating within the expected time limit of the FortiGate. This is configurable in the Scan Profile > Advanced tab.

Executable files

FortiSandbox needs to be thorough. FortiGate will time out before it can get the final rating. For continuity, the FortiSandbox sends a notification to FortiGate that it requires more time. Meanwhile, the FortiGate takes action on the file based on its configuration. Normally, it blocks the file with a replacement message asking the user to try downloading again at a later time. When the user tries to download again, FortiSandbox will already know the rating and should be able to respond quickly.
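The timing behaviour described above for Office/PDF and executable files can be modelled in a few lines. This is an added illustration, not Fortinet code: the class and function names, the 50-second FortiGate hold limit, the scan durations, and the rule that the lowered timeout applies only to Office/PDF files are all assumptions made for the model.

```python
from dataclasses import dataclass, field


@dataclass
class SandboxModel:
    """Toy FortiSandbox: Static Scan, optional Dynamic Scan, remembered ratings."""
    doc_timeout: float                        # Dynamic Scan timeout for Office/PDF (s)
    jobs: dict = field(default_factory=dict)  # file hash -> (ready_at, rating)

    def submit(self, f, now):
        """Return (time the rating is ready, rating); a known hash reuses its job."""
        if f["sha"] not in self.jobs:
            scan = f["static_s"]
            if f["needs_dynamic"]:
                dyn = f["dynamic_s"]
                if f["kind"] in ("office", "pdf"):   # assumption: timeout covers documents only
                    dyn = min(dyn, self.doc_timeout)
                scan += dyn
            self.jobs[f["sha"]] = (now + scan, f["rating"])
        return self.jobs[f["sha"]]


def fortigate_download(sb, f, now, hold_limit, timeout_action="block"):
    """Hold the file for up to hold_limit seconds, then apply the rating, or the
    configured timeout action once the sandbox has signalled it needs more time."""
    ready_at, rating = sb.submit(f, now)
    if ready_at - now <= hold_limit:
        return "block" if rating == "malicious" else "pass"
    return f"{timeout_action}: rating pending, retry later"


# Constructed sample files; durations are illustrative, not measured values.
DOC = {"sha": "doc-1", "kind": "office", "static_s": 3,
       "needs_dynamic": True, "dynamic_s": 60, "rating": "clean"}
EXE = {"sha": "exe-1", "kind": "exe", "static_s": 3,
       "needs_dynamic": True, "dynamic_s": 180, "rating": "malicious"}
HOLD = 50  # assumed FortiGate hold limit in seconds (not stated on this page)


def demo():
    tuned = SandboxModel(doc_timeout=45)
    return {
        "doc, 60 s timeout": fortigate_download(SandboxModel(60), DOC, 0, HOLD),
        "doc, 45 s timeout": fortigate_download(tuned, DOC, 0, HOLD),
        "exe, first try": fortigate_download(tuned, EXE, 0, HOLD),
        "exe, retry at 300 s": fortigate_download(tuned, EXE, 300, HOLD),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome}")
```
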

Other considerations:
  • Inline Block relies on the resources of the FortiSandbox to be able to quickly bring up the VMs for Dynamic Scan. Only the following models can meet the resource requirement: 3000F, 3000E and 2000E. The other deployment models can possibly meet the requirement depending on their current capacity.
  • Enable sandboxing prefiltering on all file types with the CLI command sandboxing-prefiltering. Enable the sandboxing cache with the CLI command sandboxing-cache.
  • Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending time is too high, monitor and evaluate if the current deployment needs additional FortiSandbox units.
