FortiGate
AlexC-FTNT
Staff
Article Id 200973

Description

This article describes how to check and troubleshoot the FortiSandbox Cloud connection.
The initial setup and the limitations of this service are described in the FortiSandbox Cloud cookbook article, which also lists some troubleshooting commands.

Scope

FortiGate, FortiSandbox Cloud.


Solution

First, make sure that the setup guide has been followed: FortiSandbox Cloud is enabled, it is selected in an antivirus profile, and that profile is applied to a firewall policy that actually carries traffic.

Details.

Indicators that show whether FortiSandbox Cloud is working or not:

  • Red icon in the dashboard (showing not licensed), but green in System -> FortiGuard -> FortiSandbox Cloud.
  • 0 'Files uploaded today' // no traffic.
  • System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.
  • 'Unable to connect to fortiguard server' on the dashboard.

 

Red icon in the dashboard: if this is the only symptom, it may be a known GUI bug that has already been fixed.
Fix: update the FortiOS firmware to the latest version available for the unit.

0 'Files uploaded today' // no traffic.
Make sure that the antivirus profile is active and applied to a firewall policy that carries traffic.

Only files that the antivirus engine detects and marks as 'suspect' are sent for inspection, so the counter stays at 0 while no such file has been seen.
File statistics can be seen with these commands:

diagnose test application quarantine 1
diagnose test application quarantine 2
diagnose test application quarantine 7


System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.

First of all, make sure that those IPs are reachable from the CLI with plain ping and telnet, without any source options (TCP port 514 is the port used for the sandbox connection):

exec ping x.x.x.x
exec telnet x.x.x.x 514


Example:

diagnose test application forticldd 3
.......
APT server: 173.243.139.141:514
APT Altserver: 173.243.139.143:514
Active APTServer IP:      173.243.139.141

exec ping 173.243.139.141
exec telnet 173.243.139.141 514


If not reachable, check the routing (the lookup must return the expected egress interface and gateway) and adjust accordingly:

get router info routing-table detail x.x.x.x

It is possible to change the interface or source IP used for this traffic under 'config system fortiguard'.


If ha-direct is enabled, FortiGuard and FortiSandbox traffic leaves through the HA management interface, so verify that a gateway is configured on it:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "portX"
            set gateway X.X.X.X
        next
    end
    set ha-direct enable
end


If the problem persists, use the commands below to identify the cause.

'Unable to connect to fortiguard server' on the dashboard.

This is not necessarily a condition related to FortiSandbox Cloud, but it will certainly prevent it from working: the FortiGuard server provides the licensing verification and the IPs of the FortiSandbox Cloud servers.

Verify first that correct routing is in place, that self-originating traffic is not blocked (for example by an upstream firewall), and that the unit has a correct WAN IP (diag sys waninfo).


Additional FortiSandbox Cloud diagnostic commands.

Check what is causing it:

Check whether the packets are sent out on the correct interface (verbosity 4 prints the interface name for each packet; the filters below match the EU server subnets, substitute the APT server addresses shown by 'diag test application forticldd 3' if the unit uses another region):

diag sniffer packet any "net 154.45.1.0/24 and port 514" 4 0
diag sniffer packet any "net 83.231.212.0/24 and port 514" 4 0

To generate traffic while the sniffer is running, refresh/start a new session to the FortiCloud sandbox (this produces some packets on port 514):

exec forticloud-sandbox region

Press enter, the available regions are displayed; type the number of the region and press enter again.

Packets leave on the wrong interface -> check routing.
Packets leave on the correct interface, or no packets are seen at all -> check the process statistics and debug.

Statistics:

diag test application forticldd 2
diag test application forticldd 3 <- (the APT part shows the Sandbox Cloud server).
diag test application quarantine 1
diag test application quarantine 2
diag test application quarantine 7
diag fdsm account-info
diag fdsm log-controller-update


Process debug:

diag debug reset
diag debug console timestamp enable
diag debug application forticldd -1
diag debug enable

(wait for some time, then stop with 'diag debug disable' and clear the filters with 'diag debug reset').

Look for errors. If none are seen, or the cause is not obvious, continue with the debugging of quarantine:

diag debug reset
diag debug console timestamp enable
diag debug application quarantine -1
diag debug enable

Look for errors.


A common error in the quarantine debug:
'SSL_connect failes: EOF was observed that violates the protocol'.

It is mostly caused by a change in upstream inspection or in the path (for example, an upstream device that now inspects or resets the TLS session on port 514).

(Possible) fix: restart the quarantine process. 'diag sys kill' takes the signal number first and then the process ID; signal 11 forces the daemon to exit and be respawned, and it leaves an entry in the crash log ('diag debug crashlog read'), which is expected here.

diag sys process pidof quard
diag sys kill 11 <PID>  <- Replace <PID> with the process ID returned by the command above.

Verify that the process was restarted (pidof should now return a different number):

diag sys process pidof quard

The forticldd process can be restarted in the same manner if needed.


It is also possible to configure a static route on the FortiGate pointing to the correct gateway for the sandbox servers, so that this traffic does not depend on the default route. In this example, the routes cover the servers in the EU: 83.231.212.128/25, 154.45.1.0/24 and 154.52.11.0/24.
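The following is an added example, not part of the original article, that puts into configuration both the static-route suggestion above and the earlier note that the interface or source IP can be changed under 'config system fortiguard'. The next hop 203.0.113.1, the interface port1 and the source address 203.0.113.10 are placeholders and must be replaced with the real WAN gateway, interface and address; the lines starting with # are annotations, not CLI input. The interface-select-method/interface settings exist on recent FortiOS versions; on older builds that do not have them, use set source-ip only.

```fortios
# Static routes for the EU FortiSandbox Cloud subnets listed in the article.
# 'edit 0' creates a new entry with the next free sequence number.
config router static
    edit 0
        set dst 83.231.212.128 255.255.255.128
        set gateway 203.0.113.1
        set device "port1"
        set comment "FortiSandbox Cloud EU"
    next
    edit 0
        set dst 154.45.1.0 255.255.255.0
        set gateway 203.0.113.1
        set device "port1"
        set comment "FortiSandbox Cloud EU"
    next
    edit 0
        set dst 154.52.11.0 255.255.255.0
        set gateway 203.0.113.1
        set device "port1"
        set comment "FortiSandbox Cloud EU"
    next
end

# Pin the FortiGuard/FortiSandbox daemon traffic to the same interface and
# source address, so it cannot take a different path than the routes above.
# (placeholder values; interface-select-method needs a recent FortiOS build)
config system fortiguard
    set interface-select-method specify
    set interface "port1"
    set source-ip 203.0.113.10
end

# Verification: the route lookup must return port1 / 203.0.113.1, and the
# sniffer (verbosity 4 prints the egress interface) must show the SYN to
# port 514 leaving on port1.
get router info routing-table detail 154.45.1.0
diag sniffer packet any "net 154.45.1.0/24 and port 514" 4 0
```

If ha-direct is enabled on the cluster, the HA management interface and its gateway take precedence for this traffic, so the routes and source settings above must match that interface instead of the regular WAN port.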

 

In case of inline scanning, make sure that inline mode is enabled both in the antivirus profile and in the FortiGuard settings; otherwise the log files may show misleading output.

config antivirus profile
    edit "Inline_av"
        set fortisandbox-mode inline    ---> Change to inline.
    next
end

config system fortiguard
    set sandbox-inline-scan enable    ---> Must be enabled.
end