FortiGate
auppal
Staff
Article Id 397270
Description

This article explains the meaning of the 'Files dropped by quarantine daemon' system event log that FortiGate can generate when an AntiVirus profile with FortiSandbox inspection is in use.

Scope

FortiGate.

Solution

While using an AntiVirus security profile with 'Send files to FortiSandbox for inspection' enabled, FortiGate may generate the following log:

date=2025-05-30 time=08:04:49 devname="xxxx" devid="FGT91GTKxxxx" eventtime=1748617489514728688 tz="-0700" logid="0100022100" type="event" subtype="system" level="warning" vd="root" logdesc="Files dropped by quarantine daemon" count=41 duration=3600 limit=241522 used=2 fams_pause=0 action="transfer" status="drop" reason="duplicated-analytics-file" msg="In the past 3600 seconds, 41 files were dropped by quard or others."

When FortiGate first sends a file to FortiSandbox for scanning, it records the file's analyticscksum value and caches it.

If FortiGate later sees another file with a matching analyticscksum value, it identifies that file as a duplicate and does not re-send it to FortiSandbox. Instead, it drops the file from the upload queue and applies the action from the cached FortiSandbox verdict.

For example, the following two AntiVirus logs reference files with the same analyticscksum value, so the files are considered duplicates:

date=2019-06-20 time=10:30:30 idseq=221203798020849730 bid=8032254 dvid=1029 itime="2019-06-20 10:30:30" euid=3 epid=101 dsteuid=0 dstepid=3448 logver=60 logid=0201009233 type="utm" subtype="virus" level="information" msg="File submitted to Sandbox." action="analytics" service="SMTP" srcip=x.x.x.x dstip=x.x.x.x srcport=36607 dstport=25 sessionid=1252597364 direction="outgoing" filetype="unknown" filename="xxxx.docx" profile="xxxx" proto=6 eventtype="analytics" analyticscksum="72cb730bab29eab3e692eadfd786593a0675acb94307fe57c78077673c8785bb" analyticssubmit="true" policyid=110021 srcintf="port3" dstintf="port1" srcintfrole="undefined" dstintfrole="undefined" eventtime=1561051830 devid="FG5H1Exxxx" vd="root" dtime="2019-06-20 10:30:30" itime_t=1561051830 devname="xxxx"

date=2019-06-20 time=10:30:30 idseq=221203798020849727 bid=8032266 dvid=1029 itime="2019-06-20 10:30:30" euid=3 epid=101 dsteuid=0 dstepid=3448 logver=60 logid=0201009233 type="utm" subtype="virus" level="information" msg="File submitted to Sandbox." action="analytics" service="SMTP" srcip=x.x.x.x dstip=x.x.x.x srcport=35591 dstport=25 sessionid=1252474391 direction="outgoing" filetype="unknown" filename="xxxx.docx" profile="RMC-AV-Default" proto=6 eventtype="analytics" analyticscksum="72cb730bab29eab3e692eadfd786593a0675acb94307fe57c78077673c8785bb" analyticssubmit="true" policyid=110021 srcintf="port3" dstintf="port1" srcintfrole="undefined" dstintfrole="undefined" eventtime=1561051830 devid="FG5H1Exxxx" vd="root" dtime="2019-06-20 10:30:30" itime_t=1561051830 devname="xxxx"

To confirm whether FortiGate is dropping a file because it is a duplicate of another, run the following FortiSandbox and FortiGate debugs over a 2-3 hour period:

On the FortiSandbox:

diagnose-debug device <FortiGate-SN>

On the FortiGate:

diagnose debug console time enable
diagnose debug duration 180
diagnose debug application quarantine -1
diagnose debug enable

To stop the debugs:

diagnose debug disable
diagnose debug reset

The following debug output can be expected on the FortiGate if a file is dropped because it is a duplicate of a previously scanned file:

__quar_ipc_recver()-437: New job, cmd 7, req_length 848, qfd: 21
__quar_job_validation()-165: analytics: Vfid=0, Status=1, Status-descr=Scanner 3 yr warranty 2018.pdf, Service=2, Checksum=e6e2a454, Size=702983, URL_length=10, Mail_header_length=0
__quar_alloc_job_req()-301: New job created, id: 5528757
quar_fsb_handle_quar()-1404: req(id=5528757, type=3) is duplicated
quar_put_job_req()-332: Job 5528757 deleted
quar_monitor_connection_func()-968: monitoring dev fortisandbox-fsb1

Along with the above debug output, capture and review the AntiVirus and System event logs from the period when the debugs were running, and confirm that a file was dropped by the quarantine daemon.
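The correlation described above (matching AntiVirus submission logs by analyticscksum, reading the 'Files dropped by quarantine daemon' event counters, and picking the duplicated job ids out of the quarantine debug) can be scripted when the logs are exported from FortiGate. The following Python is an added example written for this article; it is not Fortinet code. It parses the FortiOS key=value log format, groups submission logs by checksum, and extracts the drop events and debug job ids. The sample log lines, the checksum, the session ids and the device serial are constructed placeholders modelled on the article's logs.

```python
import re
from collections import defaultdict

# FortiOS logs are space-separated key=value fields; a value is either bare
# (srcport=36607) or double-quoted, in which case it may contain spaces (msg="...").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Debug line the quarantine daemon prints when it refuses to re-upload a job.
DUP_JOB_RE = re.compile(r"quar_fsb_handle_quar\(\)-\d+: req\(id=(\d+), type=\d+\) is duplicated")


def parse_fortios_log(line):
    """Parse one FortiOS key=value log line into a dict, with surrounding quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def find_duplicate_submissions(av_lines):
    """Group FortiSandbox submission logs (eventtype=analytics) by analyticscksum.
    Returns {checksum: [records]} only for checksums seen more than once; the later
    submissions are the ones FortiGate treats as duplicates and serves from the cached verdict."""
    by_cksum = defaultdict(list)
    for line in av_lines:
        rec = parse_fortios_log(line)
        if rec.get("eventtype") == "analytics" and rec.get("analyticscksum"):
            by_cksum[rec["analyticscksum"]].append(rec)
    return {c: recs for c, recs in by_cksum.items() if len(recs) > 1}


def quarantine_drop_events(event_lines):
    """Extract 'Files dropped by quarantine daemon' system events with their counters."""
    events = []
    for line in event_lines:
        rec = parse_fortios_log(line)
        if rec.get("logdesc") == "Files dropped by quarantine daemon":
            events.append({"count": int(rec["count"]), "duration": int(rec["duration"]),
                           "status": rec.get("status"), "reason": rec.get("reason")})
    return events


def duplicated_job_ids(debug_lines):
    """Return the job ids that 'diagnose debug application quarantine -1' reports as duplicated."""
    ids = []
    for line in debug_lines:
        m = DUP_JOB_RE.search(line)
        if m:
            ids.append(int(m.group(1)))
    return ids


# Constructed sample data modelled on the article's logs; checksum, session ids and serial are placeholders.
SAMPLE_CKSUM = "72cb730bab29eab3e692eadfd786593a0675acb94307fe57c78077673c8785bb"


def _av_log(sessionid, cksum, filename):
    return (f'date=2019-06-20 time=10:30:30 logid=0201009233 type="utm" subtype="virus" level="information" '
            f'msg="File submitted to Sandbox." action="analytics" service="SMTP" srcip=10.0.0.5 dstip=10.0.0.25 '
            f'sessionid={sessionid} filename="{filename}" eventtype="analytics" analyticscksum="{cksum}" '
            f'analyticssubmit="true" devid="FGT-PLACEHOLDER" vd="root"')


SAMPLE_AV_LOGS = [
    _av_log(1252597364, SAMPLE_CKSUM, "xxxx.docx"),
    _av_log(1252474391, SAMPLE_CKSUM, "xxxx.docx"),  # same checksum: treated as a duplicate
    _av_log(1252474392, "a" * 64, "other.pdf"),      # different file, submitted normally
]
SAMPLE_EVENT_LOGS = [
    'date=2025-05-30 time=08:04:49 devname="fgt-lab" devid="FGT-PLACEHOLDER" tz="-0700" logid="0100022100" '
    'type="event" subtype="system" level="warning" vd="root" logdesc="Files dropped by quarantine daemon" '
    'count=41 duration=3600 limit=241522 used=2 fams_pause=0 action="transfer" status="drop" '
    'reason="duplicated-analytics-file" msg="In the past 3600 seconds, 41 files were dropped by quard or others."',
]
SAMPLE_DEBUG = [
    "__quar_ipc_recver()-437: New job, cmd 7, req_length 848, qfd: 21",
    "__quar_alloc_job_req()-301: New job created, id: 5528757",
    "quar_fsb_handle_quar()-1404: req(id=5528757, type=3) is duplicated",
    "quar_put_job_req()-332: Job 5528757 deleted",
]

if __name__ == "__main__":
    for cksum, recs in find_duplicate_submissions(SAMPLE_AV_LOGS).items():
        print(f"checksum {cksum[:12]}... submitted {len(recs)} times, sessions {[r['sessionid'] for r in recs]}")
    for ev in quarantine_drop_events(SAMPLE_EVENT_LOGS):
        print(f"{ev['count']} files dropped in the last {ev['duration']}s, reason={ev['reason']}")
    print("duplicated job ids in debug:", duplicated_job_ids(SAMPLE_DEBUG))
```

Run it against exported AntiVirus logs, the System event log and the saved debug output from the same window: a checksum that appears more than once in the submission logs, together with a drop event whose reason is duplicated-analytics-file and an 'is duplicated' job id in the debug, is the expected, benign pattern described in this article rather than a sign that files are being lost.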

Related articles:

FortiSandbox Administration Guide

Technical Tip: How to configure antivirus profile to upload files to FortiSandbox for virus scanning

Technical Tip: FortiGate sends logs to FortiSandbox despite "Send files to FortiSandbox for inspecti...