svkamleshkumar
Staff
December 16, 2024

Technical Tip: FortiGate sends logs to FortiSandbox despite "Send files to FortiSandbox for inspection" being disabled

Description

This article describes how FortiGate sends logs to FortiSandbox even when 'Send files to FortiSandbox for inspection' is disabled in the AV profile, on the firmware versions listed in the scope.

Scope

FortiOS v7.2.5 to v7.2.8, v7.4.1.

Feature Impacted: Antivirus (AV) profiles with FortiSandbox enabled.

Solution

The expected behavior is that FortiGate should not send any logs to Sandbox when "Send files to FortiSandbox for inspection" is disabled.

The first trigger condition is that FortiSandbox must be enabled in the FortiGate configuration:

config system fortisandbox
    set status enable
    set inline-scan enable
    set server "x.x.x.x"
end

On the FortiGate, even when 'Send files to FortiSandbox for inspection' is disabled in the AV profile as shown below, logs are still observed with the message field 'File submitted to Sandbox':

[Screenshot: AV profile with 'Send files to FortiSandbox for inspection' disabled]

date=2024-12-11 time=14:35:42 logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="HTTPS" dstport=443 proto=6 direction="incoming" filetype="unknown" url="https://xxxxxxxxxxx" ClientAsync" httpmethod="POST" analyticscksum="xxxxxxxxxxxx" analyticssubmit="true"


The issue arises when FortiGate has deep inspection with AV scanning enabled in the firewall policy, and the sandbox feature is active, but 'Send Files to FortiSandbox for Inspection' is disabled.

The behavior contradicts expected functionality, where disabling this setting should prevent any logs from being sent to FortiSandbox.
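As an added example (not part of this article or of any Fortinet tool), the following Python check parses FortiGate UTM log lines in the key=value form shown above and reports sandbox submissions (eventtype "analytics" with analyticssubmit "true") that occur while the AV profile has 'Send files to FortiSandbox for inspection' disabled, noting whether the running firmware falls in the affected range from the scope. The sample log lines, the checksum placeholder and the helper names are constructed for this example.

```python
import shlex

# Firmware versions the article lists as affected (from the Scope section above).
AFFECTED_VERSIONS = {"7.2.5", "7.2.6", "7.2.7", "7.2.8", "7.4.1"}

# Constructed sample log lines in FortiGate key=value format, modelled on the
# 'File submitted to Sandbox' entry shown in the article.
SAMPLE_LOGS = [
    'date=2024-12-11 time=14:35:42 logid="0201009233" type="utm" subtype="virus" '
    'eventtype="analytics" level="information" msg="File submitted to Sandbox." '
    'action="analytics" service="HTTPS" dstport=443 proto=6 filetype="unknown" '
    'analyticscksum="PLACEHOLDER_CHECKSUM" analyticssubmit="true"',
    'date=2024-12-11 time=14:36:10 logid="0211008192" type="utm" subtype="virus" '
    'eventtype="infected" level="warning" msg="File is infected." action="blocked" '
    'service="HTTPS" dstport=443 proto=6',
]


def parse_fortigate_log(line: str) -> dict:
    """Split a key=value log line into a dict; shlex keeps quoted values
    (which may contain spaces, e.g. the msg field) together."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_sandbox_submission(fields: dict) -> bool:
    """True when the entry records a file being sent to FortiSandbox."""
    return fields.get("eventtype") == "analytics" and fields.get("analyticssubmit") == "true"


def firmware_is_affected(version: str) -> bool:
    """Accepts 'v7.2.5' or '7.2.5' and checks it against the affected set."""
    return version.lstrip("v") in AFFECTED_VERSIONS


def audit(lines, firmware_version: str, submit_files_enabled: bool) -> dict:
    """Return submissions that should not exist given the AV profile setting.
    known_firmware_bug is True when the firmware is in the affected range,
    i.e. the behaviour described in this article rather than a misconfiguration."""
    hits = [f for f in map(parse_fortigate_log, lines) if is_sandbox_submission(f)]
    if submit_files_enabled or not hits:
        return {"unexpected": [], "known_firmware_bug": False}
    return {"unexpected": hits, "known_firmware_bug": firmware_is_affected(firmware_version)}
```

If the firmware is outside the affected range and submissions still appear with the setting disabled, the AV profiles attached to the deep-inspection policy deserve a second look.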

Fix:

Upgrade the FortiGate firmware to 7.2.9 or later, or to 7.4.2 or later.