Fortinet white logo
Fortinet white logo

Administration Guide

Scan Profile Advanced Tab

Scan Profile Advanced Tab

Use the Advanced tab to define advanced features for file/URL detection.

Scan Enhancements
Adaptive Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs. However, the total VM clone number cannot exceed licensed clone count.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. The number of assignable clones cannot be less than 0 at any time.

Note

FortiSandbox-Ali, FortiSandbox-AWS, FortiSandbox-Azure, FortiSandbox-GCP, and FortiSandbox-HyperV do not support Adaptive Scan.

Parallel VM Scan

Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job. Normally, a job is scanned in the VM in sequence if the file type is associated with a different VM.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes.

Pipeline Mode

Enable this option to improve performance and accelerate the scan by reducing the time spent on VM instance starts and shutdowns. This means that jobs can be scanned in a VM instance one at a time without shutting down the instance.

A guest VM instance can only be reused when the scanning job won’t change the VM instance status. If the guest VM status has been changed, the VM instance will be shut down and restored for the next job.

If a job is rated malicious or suspicious in a pipeline mode VM instance, the job is rescanned in a fresh restored VM to secure a final rating.

When a file is scanned in Pipeline Mode VM clone, the Job Details overview page will indicate the launched pipeline mode clone, (for example, Pipeline mode OS:WIN7X86VM).

If debug level log is enabled, Job Event will show the number of jobs scanned in Pipeline Mode VM clone, (for example, WIN7X86VM_clone065 is in pipeline and has scanned 2 jobs. See, Logging Levels.

Pipeline mode VM clone can scan files and URLs. However, on demand jobs will not use pipeline mode VM clone. In addition, executable files from any source will not use pipeline mode VM clone.

Note

FortiSandbox-AWS , FortiSandbox-Azure and Fortinet-GCP do not support Pipeline Mode.

VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in the VM. The ratio is a low bound for the jobs that need to be scanned, meaning the percentage of jobs scanned in the VM can be equal to or higher than the preset ratio.

This option:

  • Is an extra filter that sends a job to the VM. When disabled, the VM scan is skipped.
  • Does not affect jobs that should normally be scanned in the VM. Those jobs are still VM scanned.

For more information, see Scan Profile Advanced Tab

Rescan of completed jobs AV signature updates are frequent (every hour). Running an AV rescan against finished jobs of the last 24 hours could hinder performance. You have the option to disable the AV Rescan to improve performance.

Cloud Services

Community Cloud Query

By default, the Cloud Query is enabled. Disable the Cloud Query in the following scenarios:

  • You have an enclosed environment. Disabling the Cloud Query will improve the scan speed.

  • You receive an incorrect verdict from the Cloud Query and before Fortinet fixes it, you can turn it off temporarily.

Cloud Rating Service Enable this option to enhance the rating of the submission to provide a better detection rate by utilizing the Rating Engine and supervised Machine Learning in the cloud. When enabled, the local verdict and rating log are sent to the cloud. The original submitted file is not included.

Real-Time Zero-Day Anti-Phishing Service

Enable this option to allow FortiSandbox to use this subscription-based service to scan a URL for phishing and spam in real-time. See, Real-Time Zero-Day Anti-Phishing Service.

This option can also be enabled by running the following CLI command: anti-phishing. For more information, see the FortiSandbox CLI Reference Guide.

Limits and Timeouts

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

When this option is disabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

When this option is disabled, the maximum number of URLs is unlimited.

VM Scan timeout for executable file

FortiSandbox supports a customized timeout value to control the tracer running time for executable files in the VM. If a zip file is sent to the VM while it has executable children, it will use this timeout value as well.

The accepted value is between 60 to 180 seconds. The default value is 180 seconds.

VM Scan timeout for documents and other non-executable files

FortiSandbox supports a customized timeout value to control the tracer running time in the VM. A shorter value provides better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range for normal model. Higher-end models (2000E/3000E/3000F/1500G), allows 45-180 second range. The default value for all models is 60 seconds.

Currently, MAC OSX and Windows Cloud VM do not support file detection timeout.

For more information, see Scan Profile Advanced Tab

VM Scan timeout for URL

When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the timeout setting (from 30 to 1200 seconds).

When this option is disabled, the default timeout is 60 seconds.

Additional Options

Default Password-protected archive files

Define a list of passwords that can be tried to extract archive files. Input passwords line by line. A maximum of 30 passwords is allowed.

Note

When upgrading FortiSandbox:

If the Scan Profile contains more than 30 archive passwords at the time of upgrade, the passwords will continue to work. However, if you save any changes to the Scan Profile, the system will prompt you to limit the archive to 30 passwords.

Default Password-protected PDF/Office files Define a list of passwords to attempt decryption of PDF/Office files. Input one password per line. A maximum of 30 passwords is allowed.

Reject duplicate files from Security Fabric Device

When FortiSandbox receives a duplicate file from the same or different fabric device, it will return the existing verdict without scanning it again.

Feedback Options

Contribute detected suspicious files to FortiSandbox Community Cloud Enable to upload malicious and suspicious file and URL information to the Sandbox Community Cloud. If enabled, the original file/URL, file/URL checksum, tracer log, verdict, submitting device serial number, and downloading URL are uploaded. The maximum file size you can upload to Sandbox Community Cloud is 200MB.
Contribute detected suspicious URL to FortiGuard Enable to submit malware downloading URL to the FortiGuard Web Filter Service.
Upload detection statistics to FortiGuard Enable to upload statistics to FortiGuard. If enabled, the following are uploaded: submitting device serial number and firmware, job-related results and statistics.
To enhance the VM Scan Ration:

Enable Set customized sandboxing ratio and set a ratio between 1 and 100.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in approximately the last hour. This lets you see how many files were scanned in the VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So, the current job will be sent to the VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So, this job will not be sent to the VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Note

The Dynamic Scan or VM Scan timeout is the maximum runtime of the VM. The VM Scan may shorten the duration when the file or URL finish execution.

Real-Time Zero-Day Anti-Phishing Service

To configure the server settings:

Go to System > FortiGuard. For information, see FortiGuard.

To troubleshoot the Real-Time Zero-Day Anti-Phishing Service:

Use the CLI command diagnose-debug anti-phishing to troubleshoot the following issues:

  • Server connection status

  • Server return rating result

  • Downloading screen shots

For more information, see the FortiSandbox CLI Reference Guide.

Scan Profile Advanced Tab

Scan Profile Advanced Tab

Use the Advanced tab to define advanced features for file/URL detection.

Scan Enhancements
Adaptive Scan

Enable this option to dynamically adjust the number of clones of enabled local VMs. Local VMs include default VMs, optional VMs, and customized VMs.

Enabling this option does not affect the number of remote MacOS or WindowsCloudVMs. However, the total VM clone number cannot exceed licensed clone count.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes.

A VM's clone number is increased when its usage is higher than a threshold and there are assignable clones or reassignable clones.

A VM's clone number is reduced when it has reassignable clones and there are other VMs requiring more clones.

An enabled local VM has at least one clone. The number of assignable clones cannot be less than 0 at any time.

Note

FortiSandbox-Ali, FortiSandbox-AWS, FortiSandbox-Azure, FortiSandbox-GCP, and FortiSandbox-HyperV do not support Adaptive Scan.

Parallel VM Scan

Enable this option to allow FortiSandbox to run multiple VMs at the same time for a job. Normally, a job is scanned in the VM in sequence if the file type is associated with a different VM.

The parallel VM scan only happens when a job needs two or more VM scans and those VMs have a free clone. If there are no free clones, then parallel VM scan does not happen.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes.

Pipeline Mode

Enable this option to improve performance and accelerate the scan by reducing the time spent on VM instance starts and shutdowns. This means that jobs can be scanned in a VM instance one at a time without shutting down the instance.

A guest VM instance can only be reused when the scanning job won’t change the VM instance status. If the guest VM status has been changed, the VM instance will be shut down and restored for the next job.

If a job is rated malicious or suspicious in a pipeline mode VM instance, the job is rescanned in a fresh restored VM to secure a final rating.

When a file is scanned in Pipeline Mode VM clone, the Job Details overview page will indicate the launched pipeline mode clone, (for example, Pipeline mode OS:WIN7X86VM).

If debug level log is enabled, Job Event will show the number of jobs scanned in Pipeline Mode VM clone, (for example, WIN7X86VM_clone065 is in pipeline and has scanned 2 jobs. See, Logging Levels.

Pipeline mode VM clone can scan files and URLs. However, on demand jobs will not use pipeline mode VM clone. In addition, executable files from any source will not use pipeline mode VM clone.

Note

FortiSandbox-AWS , FortiSandbox-Azure and Fortinet-GCP do not support Pipeline Mode.

VM Scan Ratio

Enable this option to allow a customized ratio for jobs that are scanned in the VM. The ratio is a low bound for the jobs that need to be scanned, meaning the percentage of jobs scanned in the VM can be equal to or higher than the preset ratio.

This option:

  • Is an extra filter that sends a job to the VM. When disabled, the VM scan is skipped.
  • Does not affect jobs that should normally be scanned in the VM. Those jobs are still VM scanned.

For more information, see Scan Profile Advanced Tab

Rescan of completed jobs AV signature updates are frequent (every hour). Running an AV rescan against finished jobs of the last 24 hours could hinder performance. You have the option to disable the AV Rescan to improve performance.

Cloud Services

Community Cloud Query

By default, the Cloud Query is enabled. Disable the Cloud Query in the following scenarios:

  • You have an enclosed environment. Disabling the Cloud Query will improve the scan speed.

  • You receive an incorrect verdict from the Cloud Query and before Fortinet fixes it, you can turn it off temporarily.

Cloud Rating Service Enable this option to enhance the rating of the submission to provide a better detection rate by utilizing the Rating Engine and supervised Machine Learning in the cloud. When enabled, the local verdict and rating log are sent to the cloud. The original submitted file is not included.

Real-Time Zero-Day Anti-Phishing Service

Enable this option to allow FortiSandbox to use this subscription-based service to scan a URL for phishing and spam in real-time. See, Real-Time Zero-Day Anti-Phishing Service.

This option can also be enabled by running the following CLI command: anti-phishing. For more information, see the FortiSandbox CLI Reference Guide.

Limits and Timeouts

URL depth limit

Enable this option to examine the recursive depth of URLs (from 1 to 5).

When this option is disabled, only the URL itself is examined.

URL content limit

Enable this option to specify the maximum number of URLs from 1 to 10000.

When this option is disabled, the maximum number of URLs is unlimited.

VM Scan timeout for executable file

FortiSandbox supports a customized timeout value to control the tracer running time for executable files in the VM. If a zip file is sent to the VM while it has executable children, it will use this timeout value as well.

The accepted value is between 60 to 180 seconds. The default value is 180 seconds.

VM Scan timeout for documents and other non-executable files

FortiSandbox supports a customized timeout value to control the tracer running time in the VM. A shorter value provides better performance and faster scan speed, but lower accuracy. For a balance of speed and accuracy, use a value that falls in the middle of the 60-180 second range for normal model. Higher-end models (2000E/3000E/3000F/1500G), allows 45-180 second range. The default value for all models is 60 seconds.

Currently, MAC OSX and Windows Cloud VM do not support file detection timeout.

For more information, see Scan Profile Advanced Tab

VM Scan timeout for URL

When URL detection is enabled, FortiSandbox scans URLs (WEBLinks). You can also specify the timeout setting (from 30 to 1200 seconds).

When this option is disabled, the default timeout is 60 seconds.

Additional Options

Default Password-protected archive files

Define a list of passwords that can be tried to extract archive files. Input passwords line by line. A maximum of 30 passwords is allowed.

Note

When upgrading FortiSandbox:

If the Scan Profile contains more than 30 archive passwords at the time of upgrade, the passwords will continue to work. However, if you save any changes to the Scan Profile, the system will prompt you to limit the archive to 30 passwords.

Default Password-protected PDF/Office files Define a list of passwords to attempt decryption of PDF/Office files. Input one password per line. A maximum of 30 passwords is allowed.

Reject duplicate files from Security Fabric Device

When FortiSandbox receives a duplicate file from the same or different fabric device, it will return the existing verdict without scanning it again.

Feedback Options

Contribute detected suspicious files to FortiSandbox Community Cloud Enable to upload malicious and suspicious file and URL information to the Sandbox Community Cloud. If enabled, the original file/URL, file/URL checksum, tracer log, verdict, submitting device serial number, and downloading URL are uploaded. The maximum file size you can upload to Sandbox Community Cloud is 200MB.
Contribute detected suspicious URL to FortiGuard Enable to submit malware downloading URL to the FortiGuard Web Filter Service.
Upload detection statistics to FortiGuard Enable to upload statistics to FortiGuard. If enabled, the following are uploaded: submitting device serial number and firmware, job-related results and statistics.
To enhance the VM Scan Ration:

Enable Set customized sandboxing ratio and set a ratio between 1 and 100.

In the system log, FortiSandbox creates a job event log (debug level) every 5 minutes for VM scan ratio statistics for jobs in approximately the last hour. This lets you see how many files were scanned in the VM in the last hour.

VM scan ratio calculation

The ratio is recalculated for each job based on the total old jobs from one hour ago to the current job submission time.

Example 1. The preset ratio is 60%, there are 100 total jobs in the last hour before the current job, and 60 of 100 have been sent to VM scan. The ratio before the current job is 60*100.0/100 = 60% (<=60%). So, the current job will be sent to the VM.

Example 2. You submit another job after the above example. The scan ratio is (60+1)*100.0/(100+1) = 60.39% (>60%). So, this job will not be sent to the VM.

Because the VM scan takes time and there are jobs rated by cache, AV, allowlist/blocklist, Static Scan, and so on, the ratio of jobs finished in VM scan over all finished jobs in the last hour can be different from the ratio set for this feature.

In an HA-Cluster, only the primary node can enable this option, and the setting is immediately synced to all nodes. Each node uses its local scan jobs to calculate the latest VM scan ratio, and then compare the universal ratio to decide whether to send a current job to VM.

Note

The Dynamic Scan or VM Scan timeout is the maximum runtime of the VM. The VM Scan may shorten the duration when the file or URL finish execution.

Real-Time Zero-Day Anti-Phishing Service

To configure the server settings:

Go to System > FortiGuard. For information, see FortiGuard.

To troubleshoot the Real-Time Zero-Day Anti-Phishing Service:

Use the CLI command diagnose-debug anti-phishing to troubleshoot the following issues:

  • Server connection status

  • Server return rating result

  • Downloading screen shots

For more information, see the FortiSandbox CLI Reference Guide.