FortiGate
bkarl (Staff)
Article Id 301737
Description This article describes how to troubleshoot and resolve the issue in which the FortiSandbox Cloud connection status on FortiGate shows 'Unreachable or not authorized'.
Scope FortiGate.
Solution

Consider the case where the connection status is shown as 'Unreachable or not authorized' even though the FortiGate Cloud status is enabled:

[Screenshot: unreachable sandbox.PNG]

Make sure that the FortiGate can reach the Internet and the FortiGuard servers by running the following commands:

execute ping service.fortiguard.net
execute ping update.fortiguard.net
execute ping guard.fortinet.net

Under Security Profiles -> Antivirus -> profile -> APT Protection Options, enable sending files to FortiSandbox for inspection.

The toggle beside the option 'Send files to FortiSandbox' must be enabled for the FortiGate Cloud Sandbox status to show as normal.

[Screenshot: enable feature under AV.PNG]

Note: Make sure that the Antivirus profile is applied in the firewall policy. Collect the output of the commands below and share it with TAC.

diagnose debug application quarantine -1
diagnose debug enable

In the quarantine debug output, an error similar to the following is seen:

__quar_start_connection()-1003: oftp_connect failed: connect() failed: Network is unreachable

If the output of 'execute system fortisandbox test-connectivity' shows 'FortiSandbox is not enabled', check the licenses:

  • A FortiCloud premium license is needed.
  • FortiSandbox Cloud entitlement must be included in the contract.
  • FortiGate license: the FortiGate must be registered on the same account as the FortiCloud license.

Sometimes it is necessary to specify a source-ip under both the FortiGuard settings and the log FortiGuard settings, as below:

config log fortiguard setting
    set source-ip 192.168.10.10
end

config system fortiguard
    set source-ip 192.168.10.10
end

Both configurations must be set with the same IP address.

Scenario:
In the output of the command 'diagnose test application quarantine 1', the source IP in use is shown:

diagnose test application quarantine 1
Total remote&local devices: 2, any task full? 0
System does not have disk, vdom is disabled, mgmt=0, ha=1
License=0, content_archive=0, arch_pause=0.
forticloud-fsb(154.53.11.146) is enabled: analytics, realtime=yes, taskfull=no
addr=154.53.11.146/514, source-ip=10.50.255.1, keep-alive=no.
ssl_opt=1, hmac_alg=0
intf_sel=auto() oif=0
fortisandbox-fsb1 is disabled.
fortisandbox-fsb2 is disabled.

The source IP shown in the output above is configured under:

config log fortiguard setting
    set source-ip 10.50.255.1 <-----

There is no source IP configured under 'config system fortiguard'. This mismatch results in the connection status 'Unreachable or not authorized'.

After removing the source IP from the 'config log fortiguard setting' above, the connection status is shown correctly.

Note:
Along with setting the source-ip under 'config system fortiguard' and 'config log fortiguard setting', if SD-WAN is used on the FortiGate it may also be necessary to change 'interface-select-method' from its default of 'auto' to 'sdwan' in both places, using the commands below:

config log fortiguard setting
    set interface-select-method sdwan
end

config system fortiguard
    set interface-select-method sdwan
end
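As an added example (not from this article or from Fortinet), the following Python check applies the rule from the Scenario and the Note above: it parses 'show' output of the two stanzas and reports when source-ip or interface-select-method differ between 'config log fortiguard setting' and 'config system fortiguard', and cross-checks the source-ip the quarantine daemon reports. The config and quarantine samples are constructed from the values in the Scenario; the function names and the assumption that 'show' omits default values are mine.

```python
import re

# Constructed sample lines from 'diagnose test application quarantine 1', using the
# values shown in the Scenario above.
QUARANTINE_OUTPUT = """\
addr=154.53.11.146/514, source-ip=10.50.255.1, keep-alive=no.
intf_sel=auto() oif=0
"""

# Constructed 'show' output for the two stanzas in the mismatched state from the
# Scenario: source-ip set under log fortiguard setting, nothing under system fortiguard.
LOG_FGD_CONFIG = """\
config log fortiguard setting
    set source-ip 10.50.255.1
end
"""
SYS_FGD_CONFIG = """\
config system fortiguard
end
"""

# Values 'show' omits when unchanged (assumption); the article gives 'auto' as the default.
DEFAULTS = {"interface-select-method": "auto", "source-ip": None}

def parse_stanza(text):
    """Map the 'set <key> <value>' lines of one config stanza to a dict, with defaults."""
    settings = dict(DEFAULTS)
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", text, re.M):
        settings[m.group(1)] = m.group(2)
    return settings

def quarantine_source_ip(text):
    """Return the source-ip the quarantine daemon reports, or None if it is absent."""
    m = re.search(r"source-ip=([^,\s]+)", text)
    return m.group(1) if m else None

def check_fortiguard_consistency(log_cfg, sys_cfg, quarantine_out=None):
    """Return a list of findings; an empty list means the two stanzas agree."""
    log_s, sys_s = parse_stanza(log_cfg), parse_stanza(sys_cfg)
    findings = []
    for key in ("source-ip", "interface-select-method"):
        if log_s[key] != sys_s[key]:
            findings.append(f"{key}: log fortiguard setting={log_s[key]!r} but system fortiguard={sys_s[key]!r}")
    # Cross-check the value the daemon is actually using against the log stanza,
    # which is where the article says the displayed source-ip comes from.
    if quarantine_out is not None and quarantine_source_ip(quarantine_out) != log_s["source-ip"]:
        findings.append(f"quarantine daemon uses source-ip {quarantine_source_ip(quarantine_out)!r}, "
                        f"config has {log_s['source-ip']!r}")
    return findings
```

Run check_fortiguard_consistency() on the pasted 'show' output of both stanzas; with the Scenario's samples it returns a single source-ip finding, and an empty list once both stanzas carry the same value.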

Related articles: 

Technical Tip: FortiSandbox Cloud troubleshooting on FortiGate
Troubleshooting Tip: Integration with FortiWeb Cloud Sandbox shows the status 'Disconnected'