
Administration Guide

Scan Profile VM Association Tab

The VM Association tab defines the association between file types and VM types: files of an associated file type are sandboxed in the associated VM type. The page lists all installed VM images with their clone numbers, versions, and status.

To configure VM association:

Click the edit icon. The left panel lists the installed applications and the right panel lists the currently associated file types.

For an associated file to be sandboxed in a VM image, all of the following must hold:

  • Its file type is configured to enter a job queue.
  • The VM image has a non-zero clone number (that is, it is enabled).
  • The file is not filtered out of the Sandboxing scan. For more information, see the sandboxing-prefilter command in the CLI Reference Guide.

If sandboxing pre-filtering is OFF for a file type, every file of that type is scanned by each associated VM type. If sandboxing pre-filtering is ON, files of that type are first scanned statically by an advanced analytic engine, and only those found suspicious are scanned by the associated VM types; the remaining files go through all scan steps except the Sandboxing scan step.

To improve system scan performance, turn on sandboxing pre-filtering for a file type with the sandboxing-prefilter CLI command. For example, web files can be associated with VM types. If sandboxing pre-filtering is OFF for js/html files, all of them are scanned inside the associated VM types, which can exhaust the system's sandboxing scan capacity because web files are usually numerous. Enabling sandboxing pre-filtering for web files is recommended. For details, refer to the FortiSandbox 4.4.3 CLI Reference Guide.

To edit an associated file type:
  1. Click the Scanned File Types area; a file type list is displayed.
  2. File types are grouped into categories. Clicking a category title toggles the associations of all file types in that group; clicking an individual file type toggles its own association. A file type displayed at full width is associated.

To add a user defined extension:

Make sure the user defined extension is enabled.

  1. Click the + sign and enter an extension that does not already exist.
  2. Click the green check mark. You can then click the new extension to toggle its association.

To finalize the list of Scanned File Types:
  1. After you have finished the association configuration, click Scanned File Types to finalize the list.
  2. Click the Apply button to apply the changes.

Files are then scanned by the associated VM images.

FortiSandbox provides default scan profile settings.

When a user defined extension is associated with a VM, files with that extension are scanned by the VM regardless of their real file type; only the file's extension counts. To match a user defined extension, a file must have exactly the extension that was specified.
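The routing rules above (job queue, non-zero clone number, pre-filter ON/OFF, and exact-extension matching for user defined extensions) can be modelled as a small decision procedure. The following Python is an added example written for this page, not FortiSandbox code; the VM image names, file types and the `suspicious_after_static` flag standing in for the static analytic engine's verdict are all constructed, and exact (case-sensitive) extension matching is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class VmImage:
    """One installed VM image as listed on the VM Association tab."""
    name: str                   # hypothetical image name, not a real FortiSandbox image
    clone_count: int            # 0 means the image is disabled
    associated_types: set[str]  # file types routed to this image


@dataclass
class ScanProfile:
    vms: list[VmImage]
    queued_types: set[str]       # file types configured to enter a job queue
    prefilter_on: set[str]       # file types with sandboxing pre-filtering ON
    user_defined_exts: set[str]  # enabled user defined extensions (without the dot)


def effective_type(filename: str, detected_type: str, profile: ScanProfile) -> str:
    """A user defined extension is matched on the literal extension alone,
    regardless of the detected file type. Exact string comparison is an
    assumption of this example (no case folding)."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext if ext in profile.user_defined_exts else detected_type


def plan_sandboxing(filename: str, detected_type: str, profile: ScanProfile,
                    suspicious_after_static: bool = False) -> tuple[str, list[str]]:
    """Return (decision, target_vms) for one file.

    decision values (names chosen for this example):
      "not-queued"        the file type is not configured to enter a job queue
      "no-enabled-vm"     every associated VM image has clone count 0
      "prefilter-static"  pre-filtering is ON and the static engine did not
                          flag the file, so only the non-sandbox steps run
      "sandbox"           the file is sent to each VM type in target_vms
    suspicious_after_static stands in for the static analytic engine's verdict.
    """
    ftype = effective_type(filename, detected_type, profile)
    if ftype not in profile.queued_types:
        return "not-queued", []
    targets = [vm.name for vm in profile.vms
               if vm.clone_count > 0 and ftype in vm.associated_types]
    if not targets:
        return "no-enabled-vm", []
    if ftype in profile.prefilter_on and not suspicious_after_static:
        return "prefilter-static", []
    return "sandbox", targets


def demo_profile() -> ScanProfile:
    """Constructed sample profile; image names and type sets are illustrative."""
    return ScanProfile(
        vms=[
            VmImage("windows_vm", 4, {"exe", "dll", "js", "html", "pdf", "xyz"}),
            VmImage("windows_vm_legacy", 0, {"exe", "dll", "msi"}),  # disabled
            VmImage("macos_vm", 2, {"dmg", "pdf"}),
        ],
        queued_types={"exe", "dll", "msi", "js", "html", "pdf", "dmg", "xyz"},
        prefilter_on={"js", "html"},
        user_defined_exts={"xyz"},
    )


if __name__ == "__main__":
    p = demo_profile()
    samples = [("setup.exe", "exe", False), ("page.html", "html", False),
               ("page.html", "html", True), ("report.pdf", "pdf", False),
               ("installer.msi", "msi", False), ("notes.txt", "txt", False),
               ("report.xyz", "exe", False)]
    for name, dtype, susp in samples:
        print(name, dtype, plan_sandboxing(name, dtype, p, susp))
```

The `report.xyz` case shows the user defined extension rule: the file is detected as an executable, but because its extension is exactly `xyz` it is routed by that extension. The `installer.msi` case shows why a disabled image (clone count 0) silently removes a type from sandboxing even though it is still associated.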

HA-Cluster

In an HA cluster environment, it is highly recommended that all cluster nodes have the same enabled VMs. The Scan Profile can only be configured on the primary node; the configuration is synchronized to the worker nodes. The primary node collects the enabled VM image information from all nodes, so if a VM image is installed only on a worker node, you can still configure it on the primary node and the result is synchronized to that worker node.

Having the same enabled VMs on every node is recommended but not enforced. If cluster nodes do not have the same list of enabled VM types, a warning message is shown at the top of the Scan Profile page for five seconds.

HA-Cluster Scan Profile VM Association Tab

This page displays the enabled VM images of all cluster nodes and their enabled extensions. If the clone number is 0, the VM type is disabled; in that case the enabled simulator VM is not listed.

The tips beside each cluster node display the file types that are unassociated on that node. The fix now link opens a configuration page for the file type associations. It is highly recommended that all cluster nodes have the same associated file types for the enabled VM.

Cluster nodes with the same enabled VM image are grouped together. The tips and the fix now link disappear once there are no unassociated file types.
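The two consistency checks this page performs, the warning when nodes differ in their enabled VM types and the per-node tip listing unassociated file types, can be reproduced offline from an export of each node's settings. The Python below is an added example written for this page, not FortiSandbox code: the cluster layout is constructed, and the definition of "unassociated" (a file type that another node associates with the same enabled VM type but this node does not) is an assumption, since the page does not state the exact reference set.

```python
from __future__ import annotations

# Cluster model (constructed for this example): node name -> VM type ->
# {"clones": clone number, "types": associated file types}
Cluster = dict[str, dict[str, dict]]


def enabled_vm_types(node: dict[str, dict]) -> frozenset[str]:
    """VM types with a non-zero clone number on one node; clone 0 means disabled."""
    return frozenset(vm for vm, cfg in node.items() if cfg["clones"] > 0)


def group_nodes_by_enabled_vms(cluster: Cluster) -> dict[frozenset[str], list[str]]:
    """Group nodes that share the same set of enabled VM images."""
    groups: dict[frozenset[str], list[str]] = {}
    for node_name, node in cluster.items():
        groups.setdefault(enabled_vm_types(node), []).append(node_name)
    return groups


def enabled_vm_mismatch(cluster: Cluster) -> bool:
    """True when the nodes do not all have the same list of enabled VM types,
    the condition under which the Scan Profile page shows its warning."""
    return len(group_nodes_by_enabled_vms(cluster)) > 1


def unassociated_types(cluster: Cluster, node_name: str) -> dict[str, list[str]]:
    """File types the tip beside a node would list. Assumption of this example:
    for each VM type enabled on the node, a file type is unassociated when some
    other node with the same VM type enabled associates it but this node does not."""
    node = cluster[node_name]
    result: dict[str, list[str]] = {}
    for vm in enabled_vm_types(node):
        elsewhere: set[str] = set()
        for other_name, other in cluster.items():
            if other_name != node_name and other.get(vm, {}).get("clones", 0) > 0:
                elsewhere |= other[vm]["types"]
        missing = sorted(elsewhere - node[vm]["types"])
        if missing:
            result[vm] = missing
    return result


def demo_cluster() -> Cluster:
    """Constructed three-node cluster; names and types are illustrative."""
    return {
        "primary": {"windows_vm": {"clones": 4, "types": {"exe", "dll", "js"}}},
        "worker1": {"windows_vm": {"clones": 2, "types": {"exe", "dll"}}},
        "worker2": {"windows_vm": {"clones": 0, "types": set()},
                    "macos_vm": {"clones": 1, "types": {"dmg"}}},
    }


if __name__ == "__main__":
    c = demo_cluster()
    print("warning needed:", enabled_vm_mismatch(c))
    for name in c:
        tips = unassociated_types(c, name)
        print(name, "fix now" if tips else "ok", tips)
```

In the sample cluster, worker2 has the Windows image disabled (clone number 0) and a macOS image enabled, so it lands in a different group from the primary and the warning fires; worker1 shares the primary's enabled image but lacks the js association, which is what its fix now tip would list.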

To configure associations for the HA-Cluster:

Click the pencil icon or the fix now link to edit the corresponding HA node.

A new page appears, with the left panel listing the installed applications and the right panel listing the currently associated file types.

To edit the associated file type for the HA-Cluster:
  1. Click the Scanned File Types area. The Select Extensions pane is displayed.
  2. The file types are grouped into categories. Click a category name to toggle the associations of all file types in that group, or click an individual file type to toggle its own association on or off.
     A file type displayed at the full width of the Select Extensions pane is associated (for example, the .jse extension in the screenshot); a file type displayed at partial width is not currently associated (for example, the .exe extension in the screenshot).

To add a user-defined extension for the HA-Cluster:

First, make sure the user-defined extension is enabled in the Pre-Filter tab.

To create a new user defined extension for the HA-Cluster:
  1. Scroll to the bottom of the Select Extensions pane and click the + icon next to User defined extensions.
  2. Enter the new extension in the text window.
  3. Click the green check mark to confirm.
  4. You can then click the new extension to toggle its association.

To add a user defined extension defined by other cluster nodes:
  1. Click the + icon.
  2. Enter the extension defined by the other cluster nodes in the text window.
  3. Click the green check mark to confirm.
  4. You can then click the new extension to toggle its association.

To finalize the list of Scanned File Types in the HA-Cluster:
  1. After you have finished the VM association, click Scanned File Types to finalize the list.
  2. Click the Apply button to apply the changes. The configuration on the primary node is synchronized with the edited node in real time. Files are then scanned by the associated VM images.
  3. On the primary node, an alert may appear under the bell icon in the upper right corner after the configuration is updated. Click the bell icon; it shows "Scan Profile requires your action". Clicking the alert message redirects to the Scan Profile > VM Association page, where you can use the fix now links to resolve issues with file extensions.

The url, htm, and lnk file types in the Web pages group are for files containing a shortcut to a web link, while the WEBLink type in the URL detection group is for URL addresses. The WEBLink type follows the depth and timeout settings in the Pre-Filter tab.

Office files and PDF files may contain malicious URLs, including direct download links. You can scan selected embedded URLs along with the original file inside the file's associated VM. To turn on this feature, use the sandboxing-embeddedurl CLI command. For more information, see the FortiSandbox CLI Reference Guide.
