Scan Profile Pre-Filter Tab
Use the Pre-Filter page file type panel to define file types and URLs that are allowed to enter the job queue if they are from a sniffer, adapter, or device other than FortiMail.
Files or URLs submitted through On-Demand, RPC JSON API, network share, or FortiMail are always put into the job queue even if their file types are not set to enter the job queue. |
To allow a file type to enter the job queue:
Click the toggle button to enable it. If the button is grayed out, files of that type are dropped.
To enable pre-filter for selected file types:
Click the toggle button to enable it. If the button is enabled, only suspicious files or unrated URLs are forwarded for VM Scan. The files and URLs will still go through the Static Scan stage. Enabling the prefilter can improve the scan performance. For more information, see Improving Scan Performance in the FortiSandbox Best Practices and Troubleshooting Guide.
To use trust results from trusted resources during pre-filter:
Click the toggle button to enable it. If the button is enabled, files rated by that resources are pre-filtered.
When FortiNDR entrust is enabled, files rated by FortiNDR as clean skip the sandboxing VM scan step.
When Trusted Vendor is enabled, executable files from a small internal list of trusted vendors skip the sandboxing scan step.
When Trust Domain is enabled, files downloaded from a small internal list of trusted domains skip the sandboxing scan step.
Trusted domains:
Trusted vendors:
-
Microsoft
-
Fortinet Technologies
-
Adobe Systems
-
Google
-
Apple
If there is a long queue of pending jobs, consider turning off some file types to the job queue. For example, in most networks, many files are static web files (JavaScript, html, aspx files) and Adobe Flash files. When you have performance issue, consider turning them off. If a file type is turned off, files of that type already in the job queue will still be processed. You can use the |
To determine the number of each file type and its input source, use the |
How URL Pre-Filtering works with Scan Profile and Web Category settings
By default, URL scanning is done inside a VM. However, if performance is a concern, you can enable URL Pre-Filtering.
When URL Pre-Filtering is enabled, it works with the Scan Profile settings and Web Category settings to create the job and rate the URL.
When |
Then |
---|---|
The category or URL is Unrated | The URL will be scanned inside the VM. |
The URL category is defined in the Web Category page but is not checked as Benign | A job is created and the URL will be rated as Suspicious (Low Risk, Medium Risk or High Risk according to the category). |
The URs category is defined in the Web Category page, but is checked as Benign | A job is created and the URL will be rated as Clean and will not be scanned inside the VM. |