Skip to main content
vifi
Staff
vifi
Staff
February 26, 2025

Technical Tip: Cannot set region when Inline Scanning with FortiGuard AI-Based Sandbox Service is used

  • February 26, 2025
  • 0 replies
  • 633 views
Description This article describes how to fix the issue when it is not possible to set the region in FortiGate Cloud under 'Cloud Sandbox Setting'
Scope FortiGate.
Solution

How to configure: Inline Scanning with FortiGuard AI-Based Sandbox Service 

cloud.png

 

Note:

FortiGate Cloud is chosen instead of FortiSandbox Cloud.


While setting the region, the error below is shown:

 

execute forticloud-sandbox region

Failed

Command fail. Return code 5

 

 

Troubleshooting steps:

  • Check if FortiGate Cloud is activated successfully.
  • Check the region where FortiGate Cloud is activated under Dashboard -> Status -> FortiGate Cloud.

 

global.png

 

  • Issue these debugs:

 

diag test application forticldd 1

diag test application forticldd 2

diag test application forticldd 3

 

diagnose debug application forticldd -1
diagnose debug enable

 

FG # diagnose test application forticldd 3

 

Debug zone info:


Domain:GLOBAL
Home log server: 173.243.132.171:514
Alt log server: 173.243.139.121:514
Active Server IP:173.243.139.121
Active Server status: unknown
Log quota: 3145728MB
Log used: 0MB
Daily volume: 20480MB
fams archive pause: 0
APTContract : 0
APT server: 0.0.0.0:0
APT Altserver: 0.0.0.0:0
Active APTServer IP: 0.0.0.0
Active APTServer status: unknown

 

[294] fds_svr_default_on_established: Cloud-sandbox-controller has connected to ip=173.243.139.121:443
[301] fds_svr_default_on_established: server-Cloud-sandbox-controller handles cmd-24

(output ommitted)

[320] fds_https_recv: received the header from server: 173.243.139.121:443, [HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19]
[330] fds_https_recv: response code is 503: [HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Content-Length: 19]
[669] fds_https_stop_server: 173.243.139.121:443

[206] __ssl_data_ctx_free: Done
[1094] ssl_free: Done
[198] __ssl_cert_ctx_free: Done
[1104] ssl_ctx_free: Done
[1085] ssl_disconnect: Shutdown
[550] fds_https_rxtx: Protocol error
[240] fds_svr_default_on_error: Cloud-sandbox-controller: ip=173.243.139.121:443, reason=2
[280] fds_svr_default_on_error: Cloud-sandbox-controller: req-id=24, num_try=1, read=0, reason=2

 

  • Setting the region under 'config system fortiguard' gives an error:

FG (fortiguard) # set sandbox-region Global
Sandbox region can only be set by 'exec forticloud-sandbox region'.
node_check_object fail! for sandbox-region Global
value parse error before 'Global'
Command fail. Return code -39
 
  • Check the configuration of FortiGuard:


Example:

 

config system fortiguard
    set fortiguard-anycast disable
    set update-server-location eu
    set webfilter-cache disable
    set sdns-server-ip "208.91.112.220" "173.243.140.53" "210.7.96.53"
    set sdns-options include-question-section
end
 

Despite the FortiGate communicating successfully with FortiGuard servers, still, the region cannot be set.

 

Solution:

Change the configuration of FortiGuard as below:

 

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set webfilter-cache disable 

 

If the issue is not resolved after this change, share the debugs mentioned above with Technical Support to investigate further.
    Terms & ConditionsAccessibility statement