| Description |
This article discusses how FortiGate sends logs to FortiSandbox even when the AV profile had 'Send files to FortiSandbox for inspection' disabled for the firmware mentioned in the scope. |
| Scope |
FortiOS v7.2.5 to v7.2.8, v7.4.1. Feature Impacted: Antivirus (AV) profiles with FortiSandbox enabled. |
| Solution |
The expected behavior is that FortiGate should not send any logs to Sandbox when "Send files to FortiSandbox for inspection" is disabled.
The first trigger condition is that the sandbox must be enabled in the FortiGate configuration.
config system fortisandbox set status enable set inline-scan enable set server "x.x.x.x" end
On the FortiGate, even if the feature 'Send files to FortiSandbox for inspection' is disabled in the AV profile as below, logs are still observed with the message field 'File submitted to Sandbox'.
date=2024-12-11 time=14:35:42 logid="0201009233" type="utm" subtype="virus" eventtype="analytics" level="information" policytype="policy" msg="File submitted to Sandbox." action="analytics" service="HTTPS" dstport=443 proto=6 direction="incoming" filetype="unknown" url="https://xxxxxxxxxxx" ClientAsync" httpmethod="POST" analyticscksum="xxxxxxxxxxxx" analyticssubmit="true"
The issue arises when FortiGate has deep inspection with AV scanning enabled in the firewall policy, and the sandbox feature is active, but 'Send Files to FortiSandbox for Inspection' is disabled. The behavior contradicts expected functionality, where disabling this setting should prevent any logs from being sent to FortiSandbox.
Fix: Upgrade the FortiGate firmware above 7.2.9 or above, 7.4.2 or above. |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: FortiGate sends logs to FortiSandbo...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.