AlexC-FTNT
Staff
Article Id 200973

Description

This article describes how to check and troubleshoot the FortiSandbox Cloud connection.

Scope

FortiSandbox, FortiGate.

Solution

Make sure that the setup guide is followed (FortiSandbox Cloud is enabled and used in an AV profile, which is in turn used in a firewall policy).

Details.

An initial state that can tell if FortiSandbox Cloud is working or not:

  • Red icon in the dashboard (showing not licensed), but green in System -> FortiGuard -> FortiSandbox Cloud.
  • 0 'Files uploaded today' // no traffic.
  • System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.
  • 'Unable to connect to fortiguard server' on the dashboard.

 

Red icon in the dashboard: If this is the only symptom, this may be a known GUI bug (already fixed).
Fix: Update the FortiSwitch firmware to the latest version available for the unit.

0 'Files uploaded today' // no traffic.
Make sure that the antivirus is active and is applied to a policy with traffic.

Files must be detected and marked as 'suspect' to be sent for inspection.
It is possible to see file statistics with these commands:


diagnose test application quarantine 1
diagnose test application quarantine 2
diagnose test application quarantine 7


System Event logs 'FortiCloud x.x.x.x sandbox server is disconnected' or 'FortiCloud server connection failed'.

First of all, make sure that the server IPs reported in the log are reachable from the command line, without any options:

execute ping x.x.x.x
execute telnet x.x.x.x 514

Example:

diagnose test application forticldd 3
.......
APT server: 173.243.139.141:514
APT Altserver: 173.243.139.143:514
Active APTServer IP:      173.243.139.141

execute ping 173.243.139.141
execute telnet 173.243.139.141 514


If not reachable, check the routing and adjust accordingly:


get router info routing-table detail x.x.x.x


It is possible to change the interface or source-ip from 'config system fortiguard' as described here: Technical Tip: Traffic routing from SD-WAN member in case tunnel interface does not have an IP addre....

 

If ha-direct is enabled, verify that a gateway is configured on the HA management interface:

config system ha
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "portX"
                set gateway X.X.X.X
            next
        end
    set ha-direct enable
end


If the problem persists, check the commands below to identify the cause.

'Unable to connect to fortiguard server' on the dashboard.


This is not necessarily a condition related to FortiSandbox Cloud, but it will certainly prevent FortiSandbox Cloud from functioning: the FortiGuard server provides the licensing verification and the server IPs for FortiSandbox Cloud.


Verify first that correct routing is in place, self-originating traffic is not blocked, and that there is a correct WAN IP (diagnose sys waninfo).

 

Additional FortiSandbox Cloud diagnostic commands.

Check what is causing it.

Check whether the packets are sent out on the correct interface. Start a sniffer on the sandbox server networks and port 514:

diagnose sniffer packet any "net 154.45.1.0/24 and port 514" 4 0
diagnose sniffer packet any "net 83.231.212.0/24 and port 514" 4 0

Then force a new session to the FortiCloud sandbox, which generates some packets on port 514:

execute forticloud-sandbox region

The available regions are displayed; type the number of the region and press Enter.

Packets leave on the wrong interface -> check routing.
Packets leave on the correct interface, or no packets at all -> check process statistics and debug.

Statistics:


diagnose test application forticldd 2
diagnose test application forticldd 3 <- (APT part shows the Sandbox Cloud server).
diagnose test application quarantine 1
diagnose test application quarantine 2
diagnose test application quarantine 7
diagnose fdsm account-info                          
diagnose fdsm log-controller-update

 

Process debug:

 

diagnose debug reset
diagnose debug console time enable
diagnose debug application forticldd -1
diagnose debug enable

 

Wait for some time, then stop with:

diagnose debug disable
diagnose debug reset


Look for errors. If not obvious, or if none are seen, continue with the debugging of quarantine:

 

diagnose debug reset
diagnose debug console time enable
diagnose debug application quarantine -1
diagnose debug enable

 

Look for errors and disable:

diagnose debug disable
diagnose debug reset

 

A common error in quarantine debug:
'SSL_connect fails: EOF was observed that violates the protocol'.


Mostly caused by a change in upstream inspection or path.

(possible) fix: Restart the quarantine process.

 

diagnose sys process pidof quard
diagnose sys kill 11 <pid>  <- Use the process ID returned by the command above.

 

Also, to kill the entire daemon:


fnsysctl killall quard


Verify the process was restarted (should return a different number):


diagnose sys process pidof quard


It is possible to try to restart the forticldd process in the same manner as above.
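As an added example (not from this article or from Fortinet), the following Python helper parses the 'diagnose test application forticldd 3' output shown above, builds the reachability and routing checks for the active APT server, and maps the event-log and quarantine-debug messages quoted in this article to the next check to run. The sample output and log lines are constructed.

```python
import re

# Constructed sample of 'diagnose test application forticldd 3' output (not a real capture).
FORTICLDD_SAMPLE = """\
.......
APT server: 173.243.139.141:514
APT Altserver: 173.243.139.143:514
Active APTServer IP:      173.243.139.141
"""

# Constructed log lines built from the message strings quoted in the article (not real logs).
LOG_SAMPLE = [
    "FortiCloud 173.243.139.141 sandbox server is disconnected",
    "FortiCloud server connection failed",
    "SSL_connect fails: EOF was observed that violates the protocol",
]

SERVER_RE = re.compile(r"^(APT server|APT Altserver|Active APTServer IP):\s*([\d.]+)(?::(\d+))?", re.M)
DISCONNECT_RE = re.compile(r"FortiCloud (\d+\.\d+\.\d+\.\d+) sandbox server is disconnected")
SSL_EOF = "SSL_connect fails: EOF was observed that violates the protocol"
LABELS = {"APT server": "apt", "APT Altserver": "alt", "Active APTServer IP": "active"}


def parse_forticldd(output):
    """Extract the APT server, alternate server and active server IPs plus the port."""
    servers = {"port": "514"}  # the article's examples all use port 514
    for label, ip, port in SERVER_RE.findall(output):
        servers[LABELS[label]] = ip
        if port:
            servers["port"] = port
    return servers


def reachability_commands(servers):
    """The reachability and routing checks the article runs against the active server."""
    ip, port = servers["active"], servers["port"]
    return [f"execute ping {ip}", f"execute telnet {ip} {port}",
            f"get router info routing-table detail {ip}"]


def triage_log(lines, servers):
    """Map each known message to the next check from the article; unknown lines are skipped."""
    findings = []
    for line in lines:
        m = DISCONNECT_RE.search(line)
        if m:
            which = "active" if m.group(1) == servers.get("active") else "alternate"
            findings.append((line, f"verify the {which} APT server is reachable on port {servers['port']}"))
        elif "FortiCloud server connection failed" in line:
            findings.append((line, "check routing, the source interface in 'config system fortiguard' and the ha-direct gateway"))
        elif SSL_EOF in line:
            findings.append((line, "upstream inspection or path change: restart quard (diagnose sys kill 11 <pid>)"))
    return findings
```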

 

It is also possible to configure a static route in the FortiGate pointing to the gateway for the servers. In this example, it is used for servers in the EU: 83.231.212.128/25, 154.45.1.0/24, 154.52.11.0/24.

 

For the Europe region, the ingress IP address is 154.52.2.163 and the security egress IP address is 194.69.174.8.

 

In case of inline scanning, make sure that the antivirus profile is set to inline mode and that FortiGuard inline scanning is enabled; otherwise, the log file might show misleading output.

 

config antivirus profile
    edit "Inline_av"
        set fortisandbox-mode inline   <- Change to inline.
    next
end

config system fortiguard
    set sandbox-inline-scan enable     <- Must be enabled.
end

 

Another possible reason for not reaching FortiSandbox Cloud is that the ISP blocks traffic on port 514. For more on FortiSandbox inline mode, see the following article: Troubleshooting Tip: Inline mode not available as 'fortisandbox-mode' in Antivirus profile.

 

Related article:

Technical Tip: FortiSandbox Cloud shows connection status as Unreachable or not authorized