
Administration Guide

Scan Profile Pre-Filter Tab


Use the Pre-Filter feature to define file types and URLs that are allowed to enter the job queue so that only suspicious files or unrated URLs are forwarded for Dynamic Scan. The files and URLs will still go through the Static Scan stage. Enabling the Pre-Filter can improve the scan performance. For more information, see Improving Scan Performance in the FortiSandbox Best Practices and Troubleshooting Guide.

To allow a file type to enter the job queue:

Click the toggle button to enable it. If the button is grayed out, files of that type are dropped.

Note

The selected processing file types apply to submissions via sniffer, adapters, and Fabric devices (except FortiMail). Files from OnDemand, FortiMail, and Network Share are always processed.

To enable pre-filter for selected file types:

Click the toggle button of the file types and URLs to enable pre-filter accordingly. If the button is enabled, only suspicious files or unrated URLs are forwarded for Dynamic Scan.

To use trust results from trusted resources during pre-filter:

Click the toggle button to enable it. If the button is enabled, files rated by that resource are pre-filtered.

When FortiNDR entrust is enabled, files rated by FortiNDR as clean skip the sandboxing VM scan step.

When Trusted Vendor is enabled, executable files from a small internal list of trusted vendors skip the sandboxing scan step.

When Trust Domain is enabled, files downloaded from a small internal list of trusted domains skip the sandboxing scan step.

Trusted domains:
Trusted vendors:
  • Microsoft

  • Fortinet Technologies

  • Adobe Systems

  • Google

  • Apple

If there is a long queue of pending jobs, consider preventing some file types from entering the job queue. For example, in most networks, many files are static web files (JavaScript, HTML, and aspx files) and Adobe Flash files. If you have performance issues, consider turning them off.

If a file type is turned off, files of that type already in the job queue will still be processed. You can use the pending-jobs command or Scan Job > Job Queue page to purge them.

To determine the number of each file type and its input source, use the pending-jobs command or the Scan Job > Job Queue page.
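The file routing rules above can be modelled to list which submissions would never reach a VM under a given profile. This is an added example, not Fortinet code: the `Profile` and `File` fields, the outcome names, the order of the checks, and the choice to apply pre-filter and trust checks to always-processed sources are assumptions, and the sample submissions are constructed.

```python
from dataclasses import dataclass
# Sources the page says are always processed, whatever the file-type toggle is.
ALWAYS_PROCESSED = {"OnDemand", "FortiMail", "Network Share"}

@dataclass
class Profile:                   # hypothetical stand-in for the GUI toggles
    queue_types: frozenset       # file types allowed to enter the job queue
    prefilter_types: frozenset   # file types with pre-filter enabled
    fortindr_entrust: bool = False
    trusted_vendor: bool = False
    trust_domain: bool = False

@dataclass
class File:                      # constructed fields, not a FortiSandbox schema
    ftype: str
    source: str
    suspicious: bool = False     # outcome of the Static Scan stage
    executable: bool = False
    ndr_clean: bool = False      # FortiNDR rated the file clean
    vendor_listed: bool = False  # from a vendor on the internal trusted list
    domain_listed: bool = False  # downloaded from a listed trusted domain

def route_file(f, p):
    """Return (outcome, reason). Check order is an assumption of this model."""
    if f.ftype not in p.queue_types and f.source not in ALWAYS_PROCESSED:
        return "dropped", "file type disabled for the job queue"
    if p.fortindr_entrust and f.ndr_clean:
        return "no_vm_scan", "FortiNDR entrust"
    if p.trusted_vendor and f.executable and f.vendor_listed:
        return "no_vm_scan", "Trusted Vendor"
    if p.trust_domain and f.domain_listed:
        return "no_vm_scan", "Trust Domain"
    if f.ftype in p.prefilter_types and not f.suspicious:
        return "no_vm_scan", "pre-filter: not suspicious"
    return "dynamic_scan", "forwarded to VM"

def coverage_gaps(files, profile):
    """(index, outcome, reason) for every file that never reaches a VM."""
    routed = [(i, *route_file(f, profile)) for i, f in enumerate(files)]
    return [r for r in routed if r[1] != "dynamic_scan"]

# Constructed profile and submissions (not taken from a real deployment).
PROFILE = Profile(frozenset({"exe", "pdf"}), frozenset({"pdf"}), trusted_vendor=True)
FILES = [File("js", "sniffer"), File("js", "OnDemand"),
         File("pdf", "sniffer"), File("pdf", "sniffer", suspicious=True),
         File("exe", "adapter", executable=True, vendor_listed=True),
         File("exe", "adapter", executable=True)]

if __name__ == "__main__":
    print(*coverage_gaps(FILES, PROFILE), sep="\n")
```

Reviewing the returned reasons against the enabled toggles shows which trust settings account for files that skip the VM.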

Using URL Pre-Filtering with Scan Profile and Web Categories

By default, URL scanning is done inside a VM. However, if performance is a concern, you can enable URL Pre-Filtering.

When URL Pre-Filtering is enabled, it works with the Scan Profile settings and Web Category settings to create the job and rate the URL.

| When | Then |
| --- | --- |
| The category or URL is Unrated | The URL will be scanned inside the VM. |
| The URL category is defined in the Web Category page but is not checked as Benign | A job is created and the URL will be rated as Suspicious (Low Risk, Medium Risk or High Risk according to the category). |
| The URL category is defined in the Web Category page, but is checked as Benign | A job is created and the URL will be rated as Clean and will not be scanned inside the VM. |
