mmontes (Staff)
Article Id 196228

Description

FortiGate is commonly configured to send files to FortiSandbox for inspection. This article describes which information can be checked on both devices to verify that files are being sent correctly.


Scope

FortiGate, FortiSandbox.


Solution

FortiGate side:

On the GUI, go to Log & Report and open the AntiVirus logs; depending on the configuration they are displayed directly or have to be downloaded.
Look for a log entry like the following one, where msg="File submitted to Sandbox." and analyticssubmit=true confirm the submission:

 

date=XXXX-XX-XX time=XX:XX:XX itime="XXXX-XX-XX XX:XX:XX" logver=52 logid=0201009233 type=utm subtype=virus level=notice devid=FGXXXXXXXXXX vd=root msg="File submitted to Sandbox." action=analytics service=HTTP srcip=X.X.X.X dstip=X.X.X.X srcport=51779 dstport=80 sessionid=2013193656 direction=incoming filename=File name sent for inspection quarskip=No-skip url=http://dl.google.com/release2/JYM2KPQ8t30/File sent for inspection profile=AV-Profile agent=Mozilla/5.0 proto=6 eventtype=analytics analyticscksum=52b0dda51113acec993dbbb40a2ff7f1024d0fc998de2d61d6b479ffe26d9be4 analyticssubmit=true policyid=510 srcintf=portXX dstintf=portXX dtime="XXXX-XX-XX XX:XX:XX" itime_t=1492446015 devname=HA_Perimetral
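When many of these entries have to be reviewed, it is faster to parse them than to read them by eye. The following script is an added example, not part of the original article or any Fortinet tool: it parses FortiGate key=value log lines, keeps only the records that confirm a sandbox submission (action=analytics with analyticssubmit=true), and reduces each to the fields worth correlating with the FortiSandbox side (device serial, timestamp, file name, URL, SHA-256 checksum, policy ID). The sample lines are constructed; the serial number, addresses, checksums and timestamps are placeholders and the second and third records are invented to show the non-submitted cases.

```python
import re
from typing import Dict, List

# Constructed sample log lines (placeholders only; not from a real device).
# Record 1 confirms a submission, record 2 has analyticssubmit=false,
# record 3 is an ordinary AV block with no analytics fields at all.
_CKSUM_1 = "0" * 63 + "1"
_CKSUM_2 = "0" * 63 + "2"
SAMPLE_LOG_LINES: List[str] = [
    'date=2024-01-01 time=10:00:00 logid=0201009233 type=utm subtype=virus '
    'level=notice devid=FGT_PLACEHOLDER vd=root msg="File submitted to Sandbox." '
    'action=analytics service=HTTP srcip=10.0.0.5 dstip=203.0.113.10 '
    'filename="setup tool.exe" url="http://example.invalid/dl/setup tool.exe" '
    f'eventtype=analytics analyticscksum={_CKSUM_1} analyticssubmit=true policyid=510',
    'date=2024-01-01 time=10:00:05 logid=0201009233 type=utm subtype=virus '
    'level=notice devid=FGT_PLACEHOLDER vd=root action=analytics service=HTTP '
    'srcip=10.0.0.6 dstip=203.0.113.10 filename="report.pdf" eventtype=analytics '
    f'analyticscksum={_CKSUM_2} analyticssubmit=false policyid=510',
    'date=2024-01-01 time=10:00:07 logid=0211008192 type=utm subtype=virus '
    'level=warning devid=FGT_PLACEHOLDER vd=root action=blocked service=HTTP '
    'srcip=10.0.0.7 dstip=203.0.113.11 filename="bad.exe" policyid=510',
]

# One key=value pair: the value is either double-quoted (may contain spaces
# and escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields that are useful when matching a record against FortiSandbox's own logs.
CORRELATION_FIELDS = ("devid", "date", "time", "filename", "url",
                      "analyticscksum", "policyid")


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_sandbox_submission(fields: Dict[str, str]) -> bool:
    """True only when the record states the file was actually sent to FortiSandbox."""
    return (fields.get("action") == "analytics"
            and fields.get("analyticssubmit") == "true")


def sandbox_submissions(lines: List[str]) -> List[Dict[str, str]]:
    """Return the confirmed submissions, reduced to the correlation fields."""
    result = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_sandbox_submission(fields):
            result.append({k: fields.get(k, "") for k in CORRELATION_FIELDS})
    return result


def submission_summary(lines: List[str]) -> Dict[str, int]:
    """Count analytics records by whether the submission actually happened."""
    summary = {"submitted": 0, "not_submitted": 0, "no_analytics": 0}
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("action") != "analytics":
            summary["no_analytics"] += 1
        elif fields.get("analyticssubmit") == "true":
            summary["submitted"] += 1
        else:
            summary["not_submitted"] += 1
    return summary


if __name__ == "__main__":
    for rec in sandbox_submissions(SAMPLE_LOG_LINES):
        print(rec)
    print(submission_summary(SAMPLE_LOG_LINES))
```

Feed the script the exported AntiVirus log (one record per line) instead of the constructed list; the checksum and file name of each confirmed submission are what to look for afterwards in the FortiSandbox history logs, and a high not_submitted count points at the FortiGate side rather than the connection.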


FortiGate uses its quarantine process to send files to FortiSandbox, so the quarantine application debug shows how each file is sent. Run the following commands on the FortiGate CLI:

 

diagnose debug reset
diagnose debug disable
diagnose debug application quarantine -1
diagnose debug enable

 

Leave the debug running for some minutes, then disable this as follows:


diagnose debug reset
diagnose debug disable


FortiSandbox side:

On the GUI, go to Logs & Report -> All Events, select 'History Logs' and filter by the serial number of the FortiGate. On the FortiSandbox CLI, run the following debug to see every file submission and connection coming from that FortiGate:

 

diagnose-debug device FortiGate_Serial_Number


Leave the debug running for a few minutes before stopping it with 'CTRL+C'.


Related article:

Technical Tip: How to send files from FortiGate to FortiSandbox for inspection