Fortinet black logo

Best Practices

Home FortiSandbox 4.4.0 Best Practices

Understanding Inline Block feature

4.4.0
4.4.0
4.2.0
4.0.0
3.2.0
3.1.0
3.0.0
Copy Link
Copy Doc ID 337cd289-2003-11ee-8e6d-fa163e15d75b:74936
Download PDF

Understanding Inline Block feature

The Inline Block feature allows FortiGate device fabric integration to perform inline blocking on known and unknown malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.

To configure Inline Block on:

When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The FortiSandbox performs a series of Static Scan modules:

  • Active Content check searches for any executable code, macro and scripts.
  • Pre-filtering is a Scan Profile configuration.
  • FortiSandbox Community Cloud check queries the FortiGuard for any submissions by other FortiSandbox devices located worldwide who contributes to the community.
  • Static Scan engines are the Antivirus and AI engines using pattern matching and models.

In most cases, these scans only take a few seconds.

When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may take a minute for Office and PDF files and a few minutes for executable files.

Considerations

Office and PDF files

The FortiSandbox 2000E, 1500G and higher models allow for the lowering of the Dynamic Scan timeout. We recommend you lower timeout time to 45 seconds (or, as low as 30 seconds) to allow the FortiSandbox to provide the rating within the expected time limit of the FortiGate. That is configurable via Scan Profile > Advanced tab.

Executable files

FortiSandbox scans executable files thoroughly by sending the files to its Static AI and Dynamic AI Analysis stages. If FortiSandbox can provide its rating based on static AI analysis back to the FortiGate, then the file can be allowed for clean or blocked if suspicious rating. If the FortiSandbox needs to continue with the dynamic AI analysis, it sends a notification to FortiGate for continuity that it requires more time. Meanwhile, the FortiGate will take action on the file based on its configuration. The default FortiGate setting is to allow download of files on time out or scan error from FortiSandbox. The configuration can be changed to block the file with a replacement message and try downloading again at a later time. When the user tries to download again, FortiSandbox will have known the rating and should be able to response quickly.

Other considerations:
  • Inline Block relies on the resources of the FortiSandbox to be able to quickly bring up the VMs for Dynamic Scan. Only the following models can meet the resource requirement: 3000F, 3000E, 2000E, and 1500G. The other deployment models can possibly meet the requirement depending on its current capacity.
  • Enable sandboxing prefiltering on all file types with CLI command sandboxing-prefilter.
  • Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending time is too high, monitor and evaluate if the current deployment needs additional FortiSandbox units.
Previous
Next

Understanding Inline Block feature

The Inline Block feature allows FortiGate device fabric integration to perform inline blocking on known and unknown malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.

To configure Inline Block on:

When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The FortiSandbox performs a series of Static Scan modules:

  • Active Content check searches for any executable code, macro and scripts.
  • Pre-filtering is a Scan Profile configuration.
  • FortiSandbox Community Cloud check queries the FortiGuard for any submissions by other FortiSandbox devices located worldwide who contributes to the community.
  • Static Scan engines are the Antivirus and AI engines using pattern matching and models.

In most cases, these scans only take a few seconds.

When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may take a minute for Office and PDF files and a few minutes for executable files.

Considerations

Office and PDF files

The FortiSandbox 2000E, 1500G and higher models allow for the lowering of the Dynamic Scan timeout. We recommend you lower timeout time to 45 seconds (or, as low as 30 seconds) to allow the FortiSandbox to provide the rating within the expected time limit of the FortiGate. That is configurable via Scan Profile > Advanced tab.

Executable files

FortiSandbox scans executable files thoroughly by sending the files to its Static AI and Dynamic AI Analysis stages. If FortiSandbox can provide its rating based on static AI analysis back to the FortiGate, then the file can be allowed for clean or blocked if suspicious rating. If the FortiSandbox needs to continue with the dynamic AI analysis, it sends a notification to FortiGate for continuity that it requires more time. Meanwhile, the FortiGate will take action on the file based on its configuration. The default FortiGate setting is to allow download of files on time out or scan error from FortiSandbox. The configuration can be changed to block the file with a replacement message and try downloading again at a later time. When the user tries to download again, FortiSandbox will have known the rating and should be able to response quickly.

Other considerations:
  • Inline Block relies on the resources of the FortiSandbox to be able to quickly bring up the VMs for Dynamic Scan. Only the following models can meet the resource requirement: 3000F, 3000E, 2000E, and 1500G. The other deployment models can possibly meet the requirement depending on its current capacity.
  • Enable sandboxing prefiltering on all file types with CLI command sandboxing-prefilter.
  • Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending time is too high, monitor and evaluate if the current deployment needs additional FortiSandbox units.
Previous
Next