FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the behavior where files detected as malware are shown in logs with the action 'monitored' instead of 'blocked', even when the FortiGate antivirus profile is configured with the 'Block' action.
The issue occurs when FortiSandbox is integrated for inline inspection (set fortisandbox-mode inline) and the FortiGate does not receive a response from the sandbox due to a timeout or scan error. In such cases, the default FortiGate behavior is to allow the file and log the event as monitored to avoid session interruption.
Scope
FortiGate.
Solution
Log message containing:
msg="FortiSandbox scan error"
action="monitored"
icbaction="error"
To prevent FortiGate from allowing files when a FortiSandbox scan fails or times out, the antivirus profile must be configured to block files under these conditions.
Access the FortiGate CLI.
Edit the antivirus profile applied to the affected policy.
Add the following commands:
config antivirus profile
edit <profile_name>
set fortisandbox-error-action block
set fortisandbox-timeout-action block
end
After this change, any file that cannot be analyzed by FortiSandbox due to an error or timeout will be blocked automatically, and the logs will display the action 'blocked' instead of 'monitored'.
