This article explains how FortiSandbox Cloud databases are updated, how frequently this happens, and which logs it creates in the System Event category.
FortiOS 6.2, 6.4, 7.0, with free or paid FortiSandbox Cloud.
After enabling the FortiSandbox Cloud service under Security Fabric -> Fabric Connectors, an increased number of 'Scanunit reloaded AV Database' logs appear in the System Event category.
On closer inspection, those logs are usually accompanied by 'FortiSandbox AV database updated' entries.
This is expected behaviour. FortiSandbox Cloud databases are updated very frequently, and FortiOS has to ensure that the most up-to-date databases are stored locally.
The update works as follows:
--> The quard process checks for updates every 2-10 minutes.
--> If an update is received, quard requests an AV (scanunit) database reload. This generates the logs 'Scanunit reloaded AV Database' and 'FortiSandbox AV database updated'.
--> If the FortiGuard query returns no updates for FortiSandbox Cloud, FortiOS does not generate those logs, which is why the interval between updates can appear random.
The Log Details of a 'FortiSandbox AV database updated' entry contain a 'Version' line; the number increments with every update. The 'Version' in the latest log is the same as the Dynamic Malware Detection database version shown under Security Fabric -> Setting -> Sandbox Cloud. The URL Threat Detection version is not shown in the log details.
If FortiSandbox Cloud is not enabled, the FortiGate does not query for FortiSandbox updates, only for the regular AV databases, at the rate specified in the update settings under System -> FortiGuard.
For scheduled updates FortiOS also generates a 'Scanunit reloaded AV Database' log; however, its Log Details show that the AV (scanunit) reload was requested by a different process, updated, which is the process responsible for connecting to FortiGuard and receiving updates.