Technical Tip: FortiSandbox scan error causes monitored actions instead of blocked in FortiGate Antivirus profile
| Description | This article describes the behavior where files detected as malware are shown in logs with the action 'monitored' instead of 'blocked', even when the FortiGate antivirus profile is configured with the 'Block' action.
The issue occurs when FortiSandbox is integrated for inline inspection (set fortisandbox-mode inline) and the FortiGate does not receive a response from the sandbox due to a timeout or scan error. In such cases, the default FortiGate behavior is to allow the file and log the event as monitored to avoid session interruption. |
| Scope | FortiGate. |
| Solution | Log message containing:
msg="FortiSandbox scan error" action="monitored" icbaction="error"
To prevent FortiGate from allowing files when a FortiSandbox scan fails or times out, the antivirus profile must be configured to block files under these conditions.
config antivirus profile edit <profile_name> set fortisandbox-error-action block set fortisandbox-timeout-action block end
After this change, any file that cannot be analyzed by FortiSandbox due to an error or timeout will be blocked automatically, and the logs will display the action 'blocked' instead of 'monitored'.
Related document: |