Technical Tip: Troubleshooting FortiGate inline Sandbox analysis issues
Description
This article describes a scenario where files intended for FortiSandbox Inline Analysis are not being sent from the FortiGate, resulting in no inspection occurring. This often stems from configuration mismatches in the Antivirus (AV) profile or connectivity issues between the FortiGate and FortiSandbox.
Scope
FortiGate: All models supporting inline sandbox analysis.
Solution
Symptoms:
Files are downloaded or transferred without being intercepted for inline scanning.
FortiGate logs do not show 'Sent to FortiSandbox' or 'Inline Scan' statuses.
The 'Inline-Scan' option is enabled in the AV profile, but no traffic is redirected.
Possible causes:
Incorrect Sandbox Mode: The CLI setting fortisandbox-mode may be set to analytics-everything rather than inline-scan.
Missing Diagnostic Data: Incomplete logs (Sniffer/Debug) make it difficult to determine if the FortiGate is failing to hand off the file or if the Sandbox is rejecting the connection.
FortiSandbox Side Processing: Service-side issues on the FortiSandbox appliance are preventing it from accepting incoming streams.
Solution and troubleshooting steps:
Verify the antivirus profile configuration.
Ensure that the antivirus profile is explicitly set to use the inline scanning mode. While the GUI may show the option as enabled, verify the CLI settings:
config antivirus profile
edit <profile-name>
config inspection-mode
set fortisandbox-mode inline-scan
end
next
end
Run diagnostic commands:
To understand why files are not being sent, execute the following debugs during a file transfer attempt:
Sniffer Trace: Check whether there is communication on the FortiSandbox ports (usually TCP/443 and 4443).
diagnose sniffer packet any "host <sandbox-ip> and port 4443" 6 0 a
Debug log: Collect debug logs on the FortiGate to check the communication and error status between the FortiGate and the FortiSandbox.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug disable
diagnose debug application quarantine -1
diagnose debug enable
Leave the debug running until the test is completed, then run the commands below to stop the debug log.
diagnose debug reset
diagnose debug disable
Telnet and ping: Check that the FortiSandbox is reachable from the FortiGate and that ports 443 and 4443 are enabled/listening on the sandbox.
execute ping 10.3.1.107
execute telnet 10.3.1.107 443
execute telnet 10.3.1.107 4443
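To turn the sniffer trace into the distinction the possible causes above ask for (FortiGate never handing off the file versus the sandbox rejecting the connection), here is an added Python helper that is not part of this article or of FortiOS. It assumes the packet summary format '<src>.<sport> -> <dst>.<dport>: <flags>' and the sandbox address 10.3.1.107 from the commands above; the trace lines are constructed, not captured from a device.

```python
import re
from collections import defaultdict
# Constructed sample in the style of FortiGate sniffer output (hex-dump lines omitted).
SAMPLE_TRACE = """\
2024-03-01 10:15:02.101 port1 out 10.1.1.1.50123 -> 10.3.1.107.4443: syn 1001
2024-03-01 10:15:02.103 port1 in 10.3.1.107.4443 -> 10.1.1.1.50123: syn 2001 ack 1002
2024-03-01 10:15:05.300 port1 out 10.1.1.1.50124 -> 10.3.1.107.443: syn 3001
2024-03-01 10:15:05.301 port1 in 10.3.1.107.443 -> 10.1.1.1.50124: rst 0 ack 3002
2024-03-01 10:15:08.000 port1 out 10.1.1.1.50125 -> 10.3.1.107.4443: syn 4001
2024-03-01 10:15:11.000 port1 out 10.1.1.1.50125 -> 10.3.1.107.4443: syn 4001
"""
PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.+)$"
)

def _verdict(f):
    if f["synack"]:
        return "handshake completed"
    if f["rst"]:
        return "refused by sandbox (rst)"
    return "no reply" + (" (syn retransmitted)" if f["syn"] > 1 else "")

def analyze_trace(trace, sandbox_ip, ports=(443, 4443)):
    # Returns {(client_ip, client_port, sandbox_port): verdict}, one entry per flow.
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False})
    for line in trace.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # hex-dump or other non-summary output
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags = m["flags"].split()
        # A bare SYN towards the sandbox is an attempt; SYN/ACK or RST back answers it.
        if dst == sandbox_ip and dport in ports:
            if "syn" in flags and "ack" not in flags:
                flows[(src, sport, dport)]["syn"] += 1
        elif src == sandbox_ip and sport in ports:
            if "syn" in flags and "ack" in flags:
                flows[(dst, dport, sport)]["synack"] = True
            if "rst" in flags:
                flows[(dst, dport, sport)]["rst"] = True
    return {key: _verdict(f) for key, f in flows.items()}

def overall_verdict(verdicts):
    # Map the per-flow picture onto the next troubleshooting step from the article.
    if not verdicts:
        return "no connection attempt seen: check fortisandbox-mode in the AV profile"
    if "handshake completed" in verdicts.values():
        return "connectivity ok: check the quarantine debug for the error status"
    return "sandbox unreachable or refusing: check ports 443/4443 on the sandbox"
```

Paste the saved output of the diagnose sniffer command in place of SAMPLE_TRACE and call analyze_trace with the real sandbox address.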
Reference log output from FortiGate:

