Understanding Inline Block feature
The Inline Block feature allows FortiGate device fabric integration to perform inline blocking on known and unknown malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.
To configure Inline Block on:
- FortiSandbox, see Inline Block Policy.
- FortiGate, see FortiSandbox inline scanning. Make sure that the Inspection Mode is set to
proxy
.
When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The FortiSandbox performs a series of Static Scan modules:
- Active Content check searches for any executable code, macro and scripts.
- Pre-filtering is a Scan Profile configuration.
- FortiSandbox Community Cloud check queries the FortiGuard for any submissions by other FortiSandbox devices located worldwide who contributes to the community.
- Static Scan engines are the Antivirus and AI engines using pattern matching and models.
In most cases, these scans only take a few seconds.
When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may take a minute for Office and PDF files and a few minutes for executable files.
Considerations
Office and PDF files
The FortiSandbox 2000E, 1500G and higher models allow for the lowering of the Dynamic Scan timeout. We recommend you lower timeout time to 45 seconds (or, as low as 30 seconds) to allow the FortiSandbox to provide the rating within the expected time limit of the FortiGate. That is configurable via Scan Profile > Advanced tab.
Executable files
FortiSandbox scans executable files thoroughly by sending the files to its Static AI and Dynamic AI Analysis stages. If FortiSandbox can provide its rating based on static AI analysis back to the FortiGate, then the file can be allowed for clean or blocked if suspicious rating. If the FortiSandbox needs to continue with the dynamic AI analysis, it sends a notification to FortiGate for continuity that it requires more time. Meanwhile, the FortiGate will take action on the file based on its configuration. The default FortiGate setting is to allow download of files on time out or scan error from FortiSandbox. The configuration can be changed to block the file with a replacement message and try downloading again at a later time. When the user tries to download again, FortiSandbox will have known the rating and should be able to response quickly.
Other considerations:
- Inline Block relies on the resources of the FortiSandbox to be able to quickly bring up the VMs for Dynamic Scan. Only the following models can meet the resource requirement: 3000F, 3000E, 2000E, and 1500G. The other deployment models can possibly meet the requirement depending on its current capacity.
- Enable sandboxing prefiltering on all file types with CLI command
sandboxing-prefilter
. - Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending time is too high, monitor and evaluate if the current deployment needs additional FortiSandbox units.