FortiGate
AlexC-FTNT
Staff
Article Id 200973

Description

This article explains how to check and troubleshoot the FortiSandbox Cloud connection.
The initial setup, as well as the limitations of this service, is described in this cookbook article.
Some troubleshooting commands are also available there.

Make sure first that the setup guide has been followed
(the FortiSandbox Cloud is enabled and used in an AV profile, which is in turn used in a firewall policy).


Details

Initial symptoms that indicate whether FortiSandbox Cloud is working or not:

- Red icon in the dashboard (showing not licensed), but green in System -> FortiGuard -> FortiSandbox Cloud.

- 0 'Files uploaded today' // no traffic.

- System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.

- 'Unable to connect to fortiguard server' on dashboard.

Red icon in the dashboard: If this is the only symptom, this may be a known GUI bug (already fixed).
Fix: Update the FortiOS firmware to the latest version available for the unit.

0 'Files uploaded today' // no traffic.
Make sure that antivirus is active and is applied on a policy that carries traffic.

Files must be detected and marked as 'suspect' in order to be sent for inspection.
File statistics can be seen with these commands:


# diagnose test application quarantine 1
# diagnose test application quarantine 2
# diagnose test application quarantine 7


System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.


First of all, make sure those IPs are reachable from the command line, without any options:


# exec ping x.x.x.x

# exec telnet x.x.x.x 541


If not reachable, check the routing and adjust accordingly:


# get router info routing-table detail x.x.x.x


It is possible to change the interface or source IP under 'config system fortiguard', as described here.


If the problem persists, check the commands below to identify the cause.
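As an added example (not part of the original article), the following Python script scans FortiOS system event logs for the two messages above and lists the article's next checks for each affected sandbox server IP. The log lines are constructed samples in the key=value syslog format (203.0.113.10 is a documentation address); the field names date, time, type, subtype and msg are assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS key=value syslog style; not output
# captured from a real device. 203.0.113.10 is a documentation address.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:00:01 devname="FGT-LAB" type="event" subtype="user" level="notice" msg="Administrator admin logged in successfully from ssh"
date=2024-03-01 time=10:05:12 devname="FGT-LAB" type="event" subtype="system" level="warning" msg="FortiCloud 203.0.113.10 sandbox server is disconnected"
date=2024-03-01 time=10:05:40 devname="FGT-LAB" type="event" subtype="system" level="warning" msg="FortiCloud server connection failed"
date=2024-03-01 time=10:06:03 devname="FGT-LAB" type="traffic" subtype="forward" level="notice" msg="Accept: session close"
date=2024-03-01 time=10:12:30 devname="FGT-LAB" type="event" subtype="system" level="warning" msg="FortiCloud 203.0.113.10 sandbox server is disconnected"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
DISCONNECT_RE = re.compile(r"FortiCloud (\S+) sandbox server is disconnected")
CONN_FAILED_MSG = "FortiCloud server connection failed"

def parse_line(line):
    """Split one key=value log line into a dict; values may be quoted or bare."""
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in KV_RE.finditer(line)}

def sandbox_health(log_text):
    """Summarise FortiSandbox Cloud connectivity events from system event logs."""
    disconnects = Counter()   # sandbox server IP -> number of disconnect events
    conn_failed = 0           # count of 'FortiCloud server connection failed'
    last_disconnect = None    # 'date time' of the most recent disconnect event
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Only system event logs carry these messages; skip traffic and other logs.
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        msg = rec.get("msg", "")
        hit = DISCONNECT_RE.search(msg)
        if hit:
            disconnects[hit.group(1)] += 1
            last_disconnect = f"{rec.get('date')} {rec.get('time')}"
        elif msg == CONN_FAILED_MSG:
            conn_failed += 1
    # Next checks, following the article: reachability of the server IP (ping,
    # telnet on 541, routing), then FortiGuard account and forticldd statistics.
    checks = [f"exec ping {ip}; exec telnet {ip} 541; get router info routing-table detail {ip}"
              for ip in disconnects]
    if conn_failed:
        checks.append("diag fdsm account-info; diag test application forticldd 3")
    return {"disconnects": dict(disconnects), "connection_failed": conn_failed,
            "last_disconnect": last_disconnect, "next_checks": checks}
```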

'Unable to connect to fortiguard server' on dashboard.


This condition is not specific to FortiSandbox Cloud, but it will certainly prevent it from working:

the FortiGuard server provides the license verification and the IP addresses of the FortiSandbox Cloud servers.


Verify first that correct routing is in place and self-originating traffic is not blocked, and that there is a correct wan IP (# diag sys waninfo).

Additional FortiSandbox Cloud diagnostic commands.

Check what is causing it:

Are the packets sent out on the correct interface?

# diag sniffer packet any "net 154.45.1.0/24 and port 514" 4 0
# diag sniffer packet any "net 83.231.212.0/24 and port 514" 4 0

# exec forticloud-sandbox region
(press Enter; the available regions are displayed; type the number of the region and press Enter)
<----- This will refresh/start a new session to the FortiCloud sandbox, generating some packets on port 514.

No > check routing.
Yes, or no packets at all > check the process statistics and debug.

Statistics:

# diag test application forticldd 2
# diag test application forticldd 3    <----- The APT part shows the Sandbox Cloud server.
# diag test application quarantine 1
# diag test application quarantine 2
# diag test application quarantine 7
# diag fdsm account-info
# diag fdsm log-controller-update

Process debug:

# diag debug reset
# diag debug console time enable
# diag debug application forticldd -1
# diag debug enable

(wait for some time, then stop with # diag debug disable).


Look for errors. If none are obvious, or if none are seen, continue with the debug of quarantine:

# diag debug reset
# diag debug console time enable
# diag debug application quarantine -1
# diag debug enable

Look for errors.

A common error in quarantine debug:
'SSL_connect failes: EOF was observed that violates the protocol'

This is mostly caused by a change in upstream inspection or in the path.

(possible) fix: Restart the quarantine process.

# diag sys process pidof quard
# diag sys kill 11 <pid>    <----- Replace <pid> with the process ID returned above.

Verify the process was restarted (the command should return a different number):

# diag sys process pidof quard

It is possible to try to restart the forticldd process in the same manner as above.