FortiSandbox
FortiSandbox provides a solution to protect against advanced threats and ransomware for companies that do not want to implement and maintain a sandbox environment on their own.
cysaw
Staff & Editor
Article Id 409345
Description

This article describes how to perform packet captures on FortiGate and FortiSandbox to determine whether a URL is being sent out from the Guest VM in FortiSandbox.

Scope

FortiSandbox
Solution

Temporarily adding a new web filter profile for monitoring the traffic of FortiSandbox Port3:

Configure a new web filter profile, enable the 'FortiGuard Category Based Filter', and make sure the action of every FortiGuard category is changed to 'Monitor' so that the FortiGate generates web filter logs for the traffic of FortiSandbox Port3.


[Screenshot: cysaw_0-1756880215969.png]

Configuring the packet capture in FortiGate:

Configure a packet capture in FortiGate for each of the interfaces below by following steps 1 to 5:

  • WAN interface for FortiSandbox Port3.
  • LAN interface for FortiSandbox Port3.


  1. In the FortiGate, navigate to Network -> Diagnostics -> Packet Capture.
  2. Select 'New packet capture'.
  3. Select the WAN interface (repeat steps 2 to 5 for the LAN interface).
  4. Configure the 'Maximum captured packets' to 20000.
  5. Select 'Save settings for later'.


[Screenshot: cysaw_1-1756880215973.png]

Configuring the packet capture in FortiSandbox for Port3:

  1. Open two browser tabs and log in to the FortiSandbox in both.
  2. In one of the browser tabs, configure the packet capture for FortiSandbox Port3:
     • Navigate to System -> Interfaces.

[Screenshot: cysaw_2-1756880215979.png]

     • Configure the packet capture for FortiSandbox Port3 with a duration of 60 seconds, but do not select the 'Capture & Download' button yet, because the capture can only run for 60 seconds.
  3. In the other browser tab, perform the on-demand scan with VM interaction enabled:
     • Navigate to Scan Job -> File On-demand.
     • Select the 'Submit File' button.
     • Upload the file sample for the issue and configure the scan as shown in the screenshots below, but do not select the 'Submit' button yet.

[Screenshot: cysaw_4-1756880215982.png]

[Screenshot: cysaw_5-1756880215983.png]

  4. Select the 'Submit' button in the on-demand scan in FortiSandbox to start the scan.
  5. In the FortiSandbox, navigate to Scan Job -> VM Jobs and select the monitor icon.

[Screenshot: cysaw_6-1756880215985.png]

  6. A new browser tab opens and enters the VM.
  7. Look for the 'Scan Flow Control' dialog shown in the screenshot below, but do not select the 'Yes' button yet.

[Screenshot: cysaw_7-1756880216022.png]

  8. Start all the packet captures in FortiGate first, and only then start the packet capture in FortiSandbox, because the FortiSandbox packet capture can only run for 60 seconds.
  9. Once the packet capture in FortiSandbox has stopped, stop the packet captures in FortiGate and also stop the on-demand scan in FortiSandbox.
  10. In the FortiSandbox VM, select 'Yes' to exit the on-demand scan.

[Screenshot: cysaw_8-1756880216047.png]

  11. Remove the web filter profile that was configured on the FortiGate for temporary monitoring of the traffic of FortiSandbox Port3.
  12. Attach the following files to the ticket for TAC's investigation:
     • PCAP file for 'WAN interface for FortiSandbox Port3' captured in FortiGate.
     • PCAP file for 'LAN interface for FortiSandbox Port3' captured in FortiGate.
     • PCAP file for 'FortiSandbox Port3' captured in FortiSandbox.
     • FortiSandbox Job Report.
     • Web Filter Log from the FortiGate that covers the date/time of the activity above.
     • The file sample for the issue.
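As an added check that is not part of this article, the following hypothetical Python helper filters the FortiGate web filter log (space-separated key=value records) for entries whose source is the FortiSandbox Port3 IP, that name the hostname the sample is expected to contact, and that fall inside the 60-second FortiSandbox capture window; the log lines, IP addresses, timestamps and hostname are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# FortiGate logs are space-separated key=value fields; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed values for this illustration (not from the article).
PORT3_IP = "10.0.3.5"                           # FortiSandbox Port3 address
CAPTURE_START = datetime(2025, 9, 3, 7, 36, 0)  # when the 60-second capture began
SAMPLE_HOST = "suspect-site.example"            # hostname the sample is expected to contact

def parse_log_line(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def url_hits_from_port3(lines, port3_ip, hostname, capture_start, duration_s=60):
    """Return (timestamp, srcip, url) for web-filter records from port3_ip that
    name `hostname` and fall inside the capture window; records from other
    sources or outside the window are ignored."""
    end = capture_start + timedelta(seconds=duration_s)
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("subtype") != "webfilter":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if not capture_start <= ts <= end:
            continue
        if rec.get("srcip") != port3_ip or rec.get("hostname") != hostname:
            continue
        hits.append((ts, rec["srcip"], rec["hostname"] + rec.get("url", "")))
    return hits

# Constructed FortiGate web-filter log lines (the 'Monitor' action is logged as passthrough).
SAMPLE_LOGS = [
    'date=2025-09-03 time=07:36:12 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.0.3.5 dstip=203.0.113.10 hostname="suspect-site.example" url="/gate" action="passthrough"',
    'date=2025-09-03 time=07:36:40 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.0.3.5 dstip=203.0.113.10 hostname="suspect-site.example" url="/beacon" action="passthrough"',
    # Same hostname, but after the capture window: must not count.
    'date=2025-09-03 time=07:38:05 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.0.3.5 dstip=203.0.113.10 hostname="suspect-site.example" url="/late" action="passthrough"',
    # Another host on the LAN, not the sandbox: must not count.
    'date=2025-09-03 time=07:36:20 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=192.168.1.20 dstip=203.0.113.10 hostname="suspect-site.example" url="/other" action="passthrough"',
]

if __name__ == "__main__":
    for ts, src, url in url_hits_from_port3(SAMPLE_LOGS, PORT3_IP, SAMPLE_HOST, CAPTURE_START):
        print(ts, src, url)
```

Two hits from Port3 inside the window, with the late record and the LAN host excluded, is the evidence to compare against the Port3 PCAP before attaching the files to the ticket.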