Created on 03-08-2023 06:45 AM. Edited on 05-05-2023 03:13 AM by Jean-Philippe_P.
Description
This article describes how to force sandbox traffic to use SD-WAN when using FortiGate Cloud, as a workaround for an issue where the sandbox traffic does not follow the SD-WAN rules. The same setting also applies to logs sent to FortiCloud.
Scope
FortiGate with the FortiCloud sandbox enabled, or a FortiGate logging to FortiCloud. Tested with FortiOS v7.2.4 and FortiCloud v23.1. From FortiOS v7.4 upwards, this traffic follows the system fortiguard settings instead of the log fortiguard settings, so this article may not apply.
Solution
An issue may occur where sandbox traffic does not abide by the specified SD-WAN rules.
Example scenario:
- SD-WAN members config: member 1 = wan2
- SD-WAN Rule:
Necessary config:
Force the use of SD-WAN with the following configuration:
config log fortiguard setting
    set interface-select-method sdwan
end
Optional - To make the FortiGuard traffic also follow SD-WAN, implement the following configuration:
config system fortiguard
    set interface-select-method sdwan
end
To check the sandbox settings, run the following diagnosis command:
diagnose test application quarantined 1
Use the following general sniffer to test:
diagnose sniffer packet any "(net 154.0.0.0/8 or 83.231.212.0/24 or 173.0.0.0/8 or 208.0.0.0/8 or 173.0.0.0/8) and !arp port 514" 4 0 l
To generate traffic, download new files through the FortiGate or run option '9. Request analytic stats' of the same diagnose application in the CLI:
diagnose test application quarantined 9
Results:
Sniffer filter:
diagnose sniffer packet any "(net 154.0.0.0/8 or 83.231.212.0/24 or 173.0.0.0/8 or 208.0.0.0/8 or 173.0.0.0/8) and !arp port 514" 4 0 l
Before the change:
wan1 out 10.109.16.103.12995 -> 154.52.11.131.514: syn 2534663346
After the change:
wan2 out 10.109.48.103.3621 -> 154.52.11.131.514: syn 2517737523
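As an added check that is not part of the article, the following Python parses saved output of the sniffer command above and reports which interface the port 514 (FortiCloud log/sandbox) packets left through, flagging any that bypassed the SD-WAN members. The sample captures, their timestamps and the member set are constructed; the 'out' lines mirror the before/after results shown above.

```python
import re
from collections import defaultdict

# Packet header line as printed by "diagnose sniffer packet ... 4 0 l":
# [timestamp] <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags>
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_sniffer(text):
    """Return one dict per packet header line; hex-dump and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets

def egress_summary(text, dport=514):
    """Count outbound packets to dport per egress interface, e.g. {'wan1': 1}."""
    counts = defaultdict(int)
    for p in parse_sniffer(text):
        if p["dir"] == "out" and p["dport"] == dport:
            counts[p["iface"]] += 1
    return dict(counts)

def off_sdwan_packets(text, members, dport=514):
    """Outbound packets to dport that left via an interface outside the SD-WAN member set."""
    return [p for p in parse_sniffer(text)
            if p["dir"] == "out" and p["dport"] == dport and p["iface"] not in members]

# Constructed sample captures (hypothetical timestamps and hex dump line).
CAPTURE_BEFORE = """\
2023-03-08 06:50:01.118233 wan1 out 10.109.16.103.12995 -> 154.52.11.131.514: syn 2534663346
0x0000   4500 003c 1a2b 4000 4006 0000 0a6d 1067   E..<.+@.@....m.g
2023-03-08 06:50:01.140001 wan1 in 154.52.11.131.514 -> 10.109.16.103.12995: syn 1 ack 2534663347
"""
CAPTURE_AFTER = """\
2023-03-08 07:02:11.003145 wan2 out 10.109.48.103.3621 -> 154.52.11.131.514: syn 2517737523
2023-03-08 07:02:11.021000 wan2 in 154.52.11.131.514 -> 10.109.48.103.3621: syn 1 ack 2517737524
"""
SDWAN_MEMBERS = {"wan2"}  # member 1 = wan2, as in the scenario above

if __name__ == "__main__":
    for label, capture in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        bad = off_sdwan_packets(capture, SDWAN_MEMBERS)
        print(label, egress_summary(capture), "OK" if not bad else f"{len(bad)} packet(s) bypassed SD-WAN")
```

Feed it a capture saved from the CLI session with `parse_sniffer(open("capture.txt").read())`; only 'out' packets to port 514 are counted, so replies from FortiCloud do not skew the result.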
Related documents:
- 'config log fortiguard setting' - CLI DOCS
- Technical Tip: FortiSandbox Cloud troubleshooting on FortiGate
- Technical Tip: Unable to activate FortiCloud/FortiSandbox inspection