Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 5.0.0 Administration Guide
    5.0.0
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Network Share

    Network Share

    FortiSandbox can scan files stored in a network share folder and optionally quarantine files of any rating. Go to Security Fabric > Network Share to view and configure network share information.

    Network Share scans can be scheduled or run on-demand. Connectivity with the Network Share can be tested. For information about data storage, see Network share record retention.

    Note

    Network Share is only available in the Primary node of an HA cluster.
    Tooltip

    To improve the scan performance, delete any empty sub-folders in the Network Share.

    The following options are available:

    Create New

    Create a new network share.

    Edit

    Edit the selected entry.

    Clone

    Clone the selected entry. Only the Network Share Name is different. All other settings are the same as the original.

    Delete

    Delete the selected entry.

    Scan Now

    Schedule an immediate scan for the selected entry.

    Scan Details

    View the selected entry's scheduled scan entries.

    Test Connection

    Test the selected entry's connection. The result is displayed in the banner at the bottom right corner.

    The following information is displayed:

    Name

    Name of the network share.

    Scan Scheduled

    Display if the scan scheduled is enabled or not. Scheduled network scans are done in parallel.

    Type

    Mount type.

    Share Path

    Network share path.

    Quarantine

    Displays if quarantine is enabled or disabled.

    Sanitized

    Displays if sanitized is enabled or disabled..

    Enabled

    Displays if the network share is enabled or disabled. FortiSandbox does not run the scheduled scans when disabled.

    Status

    Displays if the network share status is accessible or down.

    Click Test Connection to show the connection status (AWS S3, Azure Blob Storage, Google Cloud Storage, MS One Drive and SFTP).
    To create a new network share:
    1. Go to Security Fabric > Network Share.
    2. Click Create New.
    3. Configure the following options and click OK.

      Enabled

      Select to enable network share configuration. If network share is not enabled, its scheduled scan will not run.

      Mount Type

      Select the mount type. The following options are available:

      For domain-based DFS namespace, ensure the domain name can be resolved with the system Primary DNS server.

      Network Share Name

      Network share name.

      Server Name/IP

      Server FQDN or IP address.

      Share Path

      File share path in the format /path1/path2.

      Scan Files Of Specified Pattern

      Include or exclude files which match a file name pattern.

      File Name Pattern

      File name pattern.

      Username, Password, Confirm Password

      Username and password. For domain users, use the format domain_name\user_name.

      Scan Job Priority

      When multiple network share scans run at the same time, higher priority scans get more scan power.

      Keep A Copy Of Original File On FortiSandbox

      Keep a copy of the original file on FortiSandbox.

      NOTE: Configuring this setting may affect when the original files are kept, deleted and transferred based on the Quarantine settings. For detailed information, see Configure Network share to keep, delete or transfer files in the FortiSandbox Best Practice guide.

      Skip scanning unchanged files after first round of scan

      • Skip dynamic scan only: Allows files to bypass resource-intensive VM scans while still ensuring that files undergo static scans. However, this option requires downloading the files from remote storage, which will incur cost.
      • Skip all types of scans: FortiSandbox will not perform any scans on the files. Files will not be downloaded from remote storage.

      For more information about skip scanning, see Skip scanning unchanged files after first round of scan.

      Enable Quarantine of Malicious Files

      Quarantine files with a Malicious rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - High Risk files

      Quarantine suspicious files with a High Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - Medium Risk files

      Quarantine suspicious files with a Medium Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - Low Risk files

      Quarantine suspicious files with a Low Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Other rating files

      Quarantine suspicious files with a Other rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable copying or moving clean files to a sanitized location

      Copy or move files with a Clean rating to another location.

      By default, a new folder is created for each scheduled scan job in the sanitized location and all clean files are copied into it with the original folder structure. To save space, uncheck Keep a complete copy of clean files for every scheduled scan so that files of the same path have only one copy in the sanitized location.

      Enable Scheduled Scan

      Enable scheduled scan and specify the schedule type.

      Description

      Optional description for the network share entry.

      Send notification email after each scan

      Email a summary report for each network share scan to the specified users.

      When a file is moved, to leave a copy in its original location, go to the Quarantine edit page to enable Leave a File At Source Location and select A Copy of Original File.

    Conserve Mode:

    FortiSandbox goes into Conserve Mode once the pending jobs count is over 10,000 and exits after the pending jobs count is less than 5,000. There is no difference between standalone and HA-cluster.

    In Conserve Mode, FortiSandbox stops downloading files from Network Share and continues processing the downloaded files until the pending jobs count is less than 5,000. After exiting Conserve Mode, FortiSandbox resumes downloading files from the Network Share until the entire submission is complete, even if it enters and exits conserve mode multiple times during the process.

    A warning level system log entry alerts you of the event.
    To run a network share scan immediately:
    1. Go to Security Fabric > Network Share.
    2. Select a share.

    3. Click Scan Now to immediately run the scan. If you are an admin with Prioritize Netshare Scan privileges, then you have the option of selecting Prioritize Scan.For information, see Netshare Groups.

    To test network share connectivity:
    1. Go to Security Fabric > Network Share.
    2. Select a share.
    3. Click Test Connection to test connectivity with the network share.

    Network share record retention

    Network Share scan records are retained for four weeks (28 days), regardless of the Settings > Data Storage settings (see, Settings. Network share records only include the filename , filepath, verdict and scan time. The scan details such as files, logs, tracers, and metadata are deleted according to the Data Storage settings.

    For example, if you set Data Storage to 24 hours:

    • The scan details (files, logs, tracers, and metadata) are deleted after 24 hours.
    • The network share records (the filename , filepath, verdict and scan time) are retained for 28 days.

    Skip scanning unchanged files after first round of scan

    FortiSandbox supports two types of scans: Static Scan and Dynamic Scan. Static Scan uses the Virus database and AI technologies which are usually done in several seconds with less system resources. Dynamic Scan needs to spawn a VM instance and analyze the file/URL in the VM. This usually takes several minutes to complete and requires more system resources.

    Enabling skip scanning saves time and resources by skip scanning unchanged files after the first round of scanning.

    Previous
    Next

    Network Share

    Network Share

    FortiSandbox can scan files stored in a network share folder and optionally quarantine files of any rating. Go to Security Fabric > Network Share to view and configure network share information.

    Network Share scans can be scheduled or run on-demand. Connectivity with the Network Share can be tested. For information about data storage, see Network share record retention.

    Note

    Network Share is only available in the Primary node of an HA cluster.
    Tooltip

    To improve the scan performance, delete any empty sub-folders in the Network Share.

    The following options are available:

    Create New

    Create a new network share.

    Edit

    Edit the selected entry.

    Clone

    Clone the selected entry. Only the Network Share Name is different. All other settings are the same as the original.

    Delete

    Delete the selected entry.

    Scan Now

    Schedule an immediate scan for the selected entry.

    Scan Details

    View the selected entry's scheduled scan entries.

    Test Connection

    Test the selected entry's connection. The result is displayed in the banner at the bottom right corner.

    The following information is displayed:

    Name

    Name of the network share.

    Scan Scheduled

    Display if the scan scheduled is enabled or not. Scheduled network scans are done in parallel.

    Type

    Mount type.

    Share Path

    Network share path.

    Quarantine

    Displays if quarantine is enabled or disabled.

    Sanitized

    Displays if sanitized is enabled or disabled..

    Enabled

    Displays if the network share is enabled or disabled. FortiSandbox does not run the scheduled scans when disabled.

    Status

    Displays if the network share status is accessible or down.

    Click Test Connection to show the connection status (AWS S3, Azure Blob Storage, Google Cloud Storage, MS One Drive and SFTP).
    To create a new network share:
    1. Go to Security Fabric > Network Share.
    2. Click Create New.
    3. Configure the following options and click OK.

      Enabled

      Select to enable network share configuration. If network share is not enabled, its scheduled scan will not run.

      Mount Type

      Select the mount type. The following options are available:

      For domain-based DFS namespace, ensure the domain name can be resolved with the system Primary DNS server.

      Network Share Name

      Network share name.

      Server Name/IP

      Server FQDN or IP address.

      Share Path

      File share path in the format /path1/path2.

      Scan Files Of Specified Pattern

      Include or exclude files which match a file name pattern.

      File Name Pattern

      File name pattern.

      Username, Password, Confirm Password

      Username and password. For domain users, use the format domain_name\user_name.

      Scan Job Priority

      When multiple network share scans run at the same time, higher priority scans get more scan power.

      Keep A Copy Of Original File On FortiSandbox

      Keep a copy of the original file on FortiSandbox.

      NOTE: Configuring this setting may affect when the original files are kept, deleted and transferred based on the Quarantine settings. For detailed information, see Configure Network share to keep, delete or transfer files in the FortiSandbox Best Practice guide.

      Skip scanning unchanged files after first round of scan

      • Skip dynamic scan only: Allows files to bypass resource-intensive VM scans while still ensuring that files undergo static scans. However, this option requires downloading the files from remote storage, which will incur cost.
      • Skip all types of scans: FortiSandbox will not perform any scans on the files. Files will not be downloaded from remote storage.

      For more information about skip scanning, see Skip scanning unchanged files after first round of scan.

      Enable Quarantine of Malicious Files

      Quarantine files with a Malicious rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - High Risk files

      Quarantine suspicious files with a High Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - Medium Risk files

      Quarantine suspicious files with a Medium Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Suspicious - Low Risk files

      Quarantine suspicious files with a Low Risk rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable Quarantine of Other rating files

      Quarantine suspicious files with a Other rating in the selected location.

      Quarantined files are put in a folder with the name of the Job ID and each file is renamed with the Job ID for that file and a meta file with more information.

      Enable copying or moving clean files to a sanitized location

      Copy or move files with a Clean rating to another location.

      By default, a new folder is created for each scheduled scan job in the sanitized location and all clean files are copied into it with the original folder structure. To save space, uncheck Keep a complete copy of clean files for every scheduled scan so that files of the same path have only one copy in the sanitized location.

      Enable Scheduled Scan

      Enable scheduled scan and specify the schedule type.

      Description

      Optional description for the network share entry.

      Send notification email after each scan

      Email a summary report for each network share scan to the specified users.

      When a file is moved, to leave a copy in its original location, go to the Quarantine edit page to enable Leave a File At Source Location and select A Copy of Original File.

    Conserve Mode:

    FortiSandbox goes into Conserve Mode once the pending jobs count is over 10,000 and exits after the pending jobs count is less than 5,000. There is no difference between standalone and HA-cluster.

    In Conserve Mode, FortiSandbox stops downloading files from Network Share and continues processing the downloaded files until the pending jobs count is less than 5,000. After exiting Conserve Mode, FortiSandbox resumes downloading files from the Network Share until the entire submission is complete, even if it enters and exits conserve mode multiple times during the process.

    A warning level system log entry alerts you of the event.
    To run a network share scan immediately:
    1. Go to Security Fabric > Network Share.
    2. Select a share.

    3. Click Scan Now to immediately run the scan. If you are an admin with Prioritize Netshare Scan privileges, then you have the option of selecting Prioritize Scan.For information, see Netshare Groups.

    To test network share connectivity:
    1. Go to Security Fabric > Network Share.
    2. Select a share.
    3. Click Test Connection to test connectivity with the network share.

    Network share record retention

    Network Share scan records are retained for four weeks (28 days), regardless of the Settings > Data Storage settings (see, Settings. Network share records only include the filename , filepath, verdict and scan time. The scan details such as files, logs, tracers, and metadata are deleted according to the Data Storage settings.

    For example, if you set Data Storage to 24 hours:

    • The scan details (files, logs, tracers, and metadata) are deleted after 24 hours.
    • The network share records (the filename , filepath, verdict and scan time) are retained for 28 days.

    Skip scanning unchanged files after first round of scan

    FortiSandbox supports two types of scans: Static Scan and Dynamic Scan. Static Scan uses the Virus database and AI technologies which are usually done in several seconds with less system resources. Dynamic Scan needs to spawn a VM instance and analyze the file/URL in the VM. This usually takes several minutes to complete and requires more system resources.

    Enabling skip scanning saves time and resources by skip scanning unchanged files after the first round of scanning.

    Previous
    Next