| Description | This article describes how to check the necessary settings for the FortiGate Cloud Sandbox feature. |
| Scope | FortiGate v7.4. |
| Solution |
FortiGate Cloud Sandbox status is 'unreachable or not authorized'.
service.fortiguard.net, update.fortiguard.net and guard.fortinet.net can be reached.
Under Security Profiles -> Antivirus -> Profile -> APT Protection Options, locate 'Send files to FortiSandbox for inspection'. The selection button beside this option must be enabled, and the AntiVirus profile must be used in a firewall policy for the FortiSandbox connector to change status to 'connected'.
Use the command 'diagnose test app forticldd 3' to obtain the APT server and the server status. To confirm the communication, run 'execute telnet X.X.X.X 514' where X.X.X.X is the APT server IP from the previous command.
If the 'Active APTServer status' is unknown, verify the connection between FortiGate and APTServer using the telnet command described in the previous section. If the connection is not successful, check the routing table to make sure there is a working route to the APT server. In the following case, the default internet route through a tunnel interface could not establish a connection to APTServer.
get router info routing-table all
S*      0.0.0.0/0 [1/0] via PRI-S2S tunnel x.x.x.x, [1/0]
                  [1/0] via y.y.y.y, wan2, [5/0]

diagnose test app forticldd 3
APTContract : 1
APT server: 209.40.106.197:514
APT Altserver: 209.40.106.198:514
Active APTServer IP: 209.40.106.197
Active APTServer status: unknown
Configure a static route through the active outgoing internet interface, with the 'Active APTServer IP' address as the destination (209.40.106.197 in this case). Once FortiGate can telnet to 209.40.106.197 successfully, the 'Active APTServer status' will show as 'up'.
config router static
    edit 2
        set dst 209.40.106.197 255.255.255.255
        set gateway y.y.y.y
        set device "wan2"
    next
end

diagnose test app forticldd 3
APTContract : 1
APT server: 209.40.106.197:514
APT Altserver: 209.40.106.198:514
Active APTServer IP: 209.40.106.197
Active APTServer status: up
Note: If the error message is still visible after enabling 'Send files to FortiSandbox for inspection', make sure that at least one Antivirus profile is active in a firewall policy. |
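The check-and-fix procedure above can be scripted when the 'diagnose test app forticldd 3' output is collected from several units. The following is an added example, not Fortinet code: it parses that output and, when the active APT server is not 'up', builds the host-route stanza shown in the article. The function names, the sample text and the gateway 192.0.2.1 are assumptions, and the field labels are taken to be exactly as printed in the article.

```python
import ipaddress
import re

# Constructed sample, modelled on the output shown in the article.
SAMPLE = """APTContract : 1
APT server: 209.40.106.197:514
APT Altserver: 209.40.106.198:514
Active APTServer IP: 209.40.106.197
Active APTServer status: unknown
"""

FIELDS = ("APTContract", "APT server", "APT Altserver",
          "Active APTServer IP", "Active APTServer status")


def parse_forticldd(text):
    """Map each label in FIELDS to its value. Works whether the output is
    one field per line or pasted as a single line, since no value has spaces."""
    info = {}
    for name in FIELDS:
        m = re.search(re.escape(name) + r"\s*:\s*(\S+)", text)
        if m:
            info[name] = m.group(1)
    return info


def static_route_for(info, gateway, device, seq):
    """Return the host-route stanza from the article, or None when the
    active APT server is already 'up'. gateway/device/seq are site-specific."""
    if info.get("Active APTServer status", "").lower() == "up":
        return None
    # Validate before templating so stray text never lands in a config push.
    dst = ipaddress.IPv4Address(info.get("Active APTServer IP", ""))
    ipaddress.IPv4Address(gateway)
    if not re.fullmatch(r"[\w.-]+", device):
        raise ValueError(f"unexpected interface name: {device!r}")
    return "\n".join([
        "config router static",
        f"    edit {int(seq)}",
        f"        set dst {dst} 255.255.255.255",
        f"        set gateway {gateway}",
        f'        set device "{device}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address standing in for the real gateway.
    print(static_route_for(parse_forticldd(SAMPLE), "192.0.2.1", "wan2", 2))
```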
Thank you for the input @aleguizamon