Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 5.0.0 Administration Guide
    5.0.0
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Scan Profile VM Association Tab

    Scan Profile VM Association Tab

    The VM Association tab defines file type and VM type association. Association means files of a certain file type are sandboxed by the associated VM type. This page displays all in-use VM image(s) and associated file types. For standalone units, the VM clone number is also displayed.

    When you click the VM type, the panel expands to show the Selected Browser and Installed Applications for this VM type.

    To edit an associated file type:

    Click the Edit icon. The Select File Types pane opens from the ride side of the page showing all the available file types.

    File types are grouped into different categories. You can select an individual file type or click All to select all the file types in the category.

    The url, htm, and lnk file types in the Web pages group are for the file types containing shortcuts of a web link, while the WEBLink type in the URL detection group is for URL addresses. The WEBLink type follows the depth and timeout settings in the Advanced tab.

    There might be malicious URLs, including direct download links, inside Office files and PDF files. You can scan selected URLs along with the original file inside files' associated VM. To turn on this feature, use the sandboxing-embeddedurl CLI command. For more information, see the FortiSandbox CLI Reference Guide.
    Add a user defined extension:

    Before you begin, click the Pre-Filter tab, under Process the following selected file types, to make sure User defined is enabled.

    1. In the Select File Types pane, scroll to the bottom and click the + sign and enter a new extension.
    2. Click the green check mark, then associate the extension to the selected VM.
    3. Click OK.
    Note

    When a user defined extension is associated with a VM, files with the user defined extension will be scanned by the VM regardless of its real file type. Only a file's extension counts. To meet the criteria for user defined extension, files must possess the exact extension that is specified.

    Finalizing the list of Scanned File Types:

    After you have finished the association configuration, click Apply to apply the changes. Files will then be scanned by the associated VM images if they meet the entry conditions for VM scan.

    Note

    For a file to be scanned in the VM image:

    • Its file type has to be associated with a VM image.
    • The VM image has a non-zero clone number (i.e. it is enabled).
    • The file is not rated by another rating mechanism, (eg, static scan, allow/block list) prior to Sandboxing scan.
    • The file is not filtered out from the Sandboxing scan. For more information, see the sandboxing-prefilter command in the for FortiSandbox CLI Reference guide.

    If sandboxing pre-filtering is OFF for a file type, it will be scanned by each associated VM type. If sandboxing pre-filtering is ON, files of this file type will be statically scanned first by an advanced analytic engine and only suspicious files will be scanned by the associated VM type. Other files go through all scan steps except the Sandboxing scan step.

    To improve the system scan performance, you can turn on the sandbox pre-filtering for a file type with the sandboxing-prefilter CLI command. For example, you can associate web files to VM types. If the sandboxing pre-filtering is OFF for js/html files, all of them will be scanned inside associated VM types. This may use up the system's sandboxing scan capacity because web files are usually large in amount. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox CLI Reference Guide.

    Note

    For a predefined file extension, FortiSandbox will autodetect the file extension.

    For user-defined file extension, the file must possess the exact extension.

    HA-Cluster

    In an HA cluster environment, Scan Profile can only be configured on the primary node then synchronized to all worker nodes.

    The primary node will collect all enabled VM image information. It is highly recommended that all cluster nodes have the same in-use VM, although it is not enforced. If cluster nodes do not have the same list of enabled VM types, a warning message appears at the top of the Scan Profile page. If a unique VM image is only installed on a worker node, you can still configure in the primary node and the result will be synchronized to that worker node.

    Previous
    Next

    Scan Profile VM Association Tab

    Scan Profile VM Association Tab

    The VM Association tab defines file type and VM type association. Association means files of a certain file type are sandboxed by the associated VM type. This page displays all in-use VM image(s) and associated file types. For standalone units, the VM clone number is also displayed.

    When you click the VM type, the panel expands to show the Selected Browser and Installed Applications for this VM type.

    To edit an associated file type:

    Click the Edit icon. The Select File Types pane opens from the ride side of the page showing all the available file types.

    File types are grouped into different categories. You can select an individual file type or click All to select all the file types in the category.

    The url, htm, and lnk file types in the Web pages group are for the file types containing shortcuts of a web link, while the WEBLink type in the URL detection group is for URL addresses. The WEBLink type follows the depth and timeout settings in the Advanced tab.

    There might be malicious URLs, including direct download links, inside Office files and PDF files. You can scan selected URLs along with the original file inside files' associated VM. To turn on this feature, use the sandboxing-embeddedurl CLI command. For more information, see the FortiSandbox CLI Reference Guide.
    Add a user defined extension:

    Before you begin, click the Pre-Filter tab, under Process the following selected file types, to make sure User defined is enabled.

    1. In the Select File Types pane, scroll to the bottom and click the + sign and enter a new extension.
    2. Click the green check mark, then associate the extension to the selected VM.
    3. Click OK.
    Note

    When a user defined extension is associated with a VM, files with the user defined extension will be scanned by the VM regardless of its real file type. Only a file's extension counts. To meet the criteria for user defined extension, files must possess the exact extension that is specified.

    Finalizing the list of Scanned File Types:

    After you have finished the association configuration, click Apply to apply the changes. Files will then be scanned by the associated VM images if they meet the entry conditions for VM scan.

    Note

    For a file to be scanned in the VM image:

    • Its file type has to be associated with a VM image.
    • The VM image has a non-zero clone number (i.e. it is enabled).
    • The file is not rated by another rating mechanism, (eg, static scan, allow/block list) prior to Sandboxing scan.
    • The file is not filtered out from the Sandboxing scan. For more information, see the sandboxing-prefilter command in the for FortiSandbox CLI Reference guide.

    If sandboxing pre-filtering is OFF for a file type, it will be scanned by each associated VM type. If sandboxing pre-filtering is ON, files of this file type will be statically scanned first by an advanced analytic engine and only suspicious files will be scanned by the associated VM type. Other files go through all scan steps except the Sandboxing scan step.

    To improve the system scan performance, you can turn on the sandbox pre-filtering for a file type with the sandboxing-prefilter CLI command. For example, you can associate web files to VM types. If the sandboxing pre-filtering is OFF for js/html files, all of them will be scanned inside associated VM types. This may use up the system's sandboxing scan capacity because web files are usually large in amount. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox CLI Reference Guide.

    Note

    For a predefined file extension, FortiSandbox will autodetect the file extension.

    For user-defined file extension, the file must possess the exact extension.

    HA-Cluster

    In an HA cluster environment, Scan Profile can only be configured on the primary node then synchronized to all worker nodes.

    The primary node will collect all enabled VM image information. It is highly recommended that all cluster nodes have the same in-use VM, although it is not enforced. If cluster nodes do not have the same list of enabled VM types, a warning message appears at the top of the Scan Profile page. If a unique VM image is only installed on a worker node, you can still configure in the primary node and the result will be synchronized to that worker node.

    Previous
    Next