FortiAnalyzer
vkumar_FTNT
Staff
Article Id 191105
Description
This article describes how FortiSandbox Detection works under FortiView > Threat > FortiSandbox Detection.

This view populates a process flow chart describing what happened to a particular session, identified by the session ID in the traffic logs, as it was inspected by UTM features such as Antivirus, Web Filter and FortiSandbox scanning (if enabled under Antivirus), and what the result of the FortiSandbox scan was.

Note that the flow is described for a particular traffic session with UTM events (mainly Antivirus); the corresponding traffic log entry carries a specific session ID that the UTM events share.
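As an added illustration (not part of the article or of FortiAnalyzer itself), the following Python reconstructs such a per-session flow from constructed FortiGate-style key=value log lines by grouping on sessionid and ordering the entries as the process flow chart presents them. The sample lines are constructed, and the `verdict` field used to mark the FortiSandbox result is a hypothetical placeholder, not a documented FortiGate field.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the article). type/subtype/sessionid
# follow the FortiGate key=value log format; "verdict" is a hypothetical field
# standing in for the FortiSandbox scan result.
SAMPLE_LOGS = """\
date=2023-01-01 time=10:00:01 type="traffic" subtype="forward" sessionid=418 srcip=10.0.0.5 dstip=203.0.113.7 service="HTTP" utmaction="block"
date=2023-01-01 time=10:00:01 type="utm" subtype="webfilter" sessionid=418 action="passthrough" url="http://example.test/setup.exe"
date=2023-01-01 time=10:00:02 type="utm" subtype="virus" sessionid=418 action="analytics" filename="setup.exe"
date=2023-01-01 time=10:00:09 type="utm" subtype="virus" sessionid=418 action="blocked" verdict="malicious" filename="setup.exe"
date=2023-01-01 time=10:00:03 type="traffic" subtype="forward" sessionid=419 srcip=10.0.0.6 dstip=198.51.100.2 service="HTTPS" utmaction="allow"
"""

# Order in which the process flow chart presents the checks for one session.
STAGES = ["traffic", "webfilter", "virus", "fortisandbox"]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def stage_of(entry):
    """Map an entry to a flow stage; the FSA result arrives as a virus-subtype entry."""
    if entry.get("type") == "traffic":
        return "traffic"
    if entry.get("subtype") == "virus" and "verdict" in entry:
        return "fortisandbox"
    return entry.get("subtype")

def build_flows(raw):
    """Group entries by sessionid and sort each group into process-flow order."""
    flows = defaultdict(list)
    for line in raw.splitlines():
        entry = parse_line(line)
        if "sessionid" in entry:
            flows[entry["sessionid"]].append(entry)
    rank = lambda e: STAGES.index(stage_of(e)) if stage_of(e) in STAGES else len(STAGES)
    for sid in flows:
        flows[sid].sort(key=rank)  # stable sort keeps log order within a stage
    return dict(flows)

def summarize(flow):
    """Render one session as 'stage:result -> stage:result -> ...'."""
    result = lambda e: e.get("verdict", e.get("action", e.get("utmaction")))
    return " -> ".join(f"{stage_of(e)}:{result(e)}" for e in flow)

if __name__ == "__main__":
    for sid, flow in build_flows(SAMPLE_LOGS).items():
        print(sid, summarize(flow))
```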

Solution
The screenshot below illustrates what the view looks like.


Clicking on each process flow step displays the corresponding log entry or entries.
For example, clicking Webfilter check displays the corresponding webfilter scan details.



Clicking on FortiSandbox Scan results displays either


Or 




This view requires that the FortiSandbox device that scans the files submitted by the FortiGate be added to the same FortiAnalyzer (under the FortiSandbox ADOM). Adding it alone is not enough; the view then displays the error "FortiSandbox admin user has no permission, please check device configuration".


To fix the above error, configure the following:
1. Add the FortiSandbox that is scanning the files to the FSA ADOM.
2. Configure a valid admin user for the FortiSandbox. To do this, right-click the FortiSandbox device, select Edit > Admin User, and add a super_admin user account that is configured on the FortiSandbox, together with its password if one is configured for that super_admin user.

  


These settings enable the FortiAnalyzer to retrieve scan results and display them under FortiView > Threat > FortiSandbox Detection in the ADOM where the FortiGate is added.

Now switch back to the ADOM where the FortiGate is added and go to FortiView > Threat > FortiSandbox Detection.

Additional FAQs about this view under FortiView:

1. How is the Security Analysis report fetched from FortiSandbox?
It is fetched only when the user clicks on FortiSandbox Scan; the result is then cached on the local disk for some time. The cached report file expires after 12 hrs.

2. What is the storage or retention policy for these FortiSandbox reports?
The maximum cache size for FSA reports depends on the hard disk size. For example, for a 500GB disk the maximum size is 2GB. Old report files are trimmed once the total report size reaches the maximum value.

3. Limitations of FSA detection
Support is available only for detections done by FSA appliances/VMs. FSA Cloud is not supported, as FAZ has no way to interact with FSA Cloud to retrieve the Security Analysis data.

