Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Manabu
New Contributor

FortiSandbox Send files to FortiSandbox for inspection not work

Hi

 

I’m testing the Sandbox integration with FortiOS7.2.6, but when I set it to “suspicious file Only”, no files are linked to the Sandbox at all. I’m having trouble because even when I use the test file provided at the following URL by Fortiguard lab, it is not linked to the Sandbox. https://www.fortiguard.com/sample-files

Do you have any advice on how to test this? Also, is there anyone else with the same symptoms?

 

 

1 Solution
heng

Hi there,

 

If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.

 

If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection

 

For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not  contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.

 

At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.

 

# diagnose sys scanunit debug quarantine enable

# diagnose sys scanunit debug analytics enable

# diagnose debug enable

NSE8

View solution in original post

5 REPLIES 5
Anthony_E
Community Manager
Community Manager

Hello manabu,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
heng
Staff
Staff

Hi Sir,

Do you have FortiGuard Sanbox service in your ATP subscription? Or you have a dedicated FortiSandbox to do the sandboxing? 

NSE8
Manabu
New Contributor

Thanks Reply heng.

 

Yes, we have the FortiSandbox2000E with a valid license. FortiSandbox is being tested on OS 4.4.2. When set to 'All Supported Files' in the Antivirus Profile, files downloaded from FortiGuard Labs are correctly integrated into the sandbox and properly assessed for risks. However, setting it to 'Suspicious File Only' prevents integration into the sandbox, thus hindering the testing process. We are seeking a method to test the integration into the sandbox using 'Suspicious File Only.

 

FGlicense.PNGSandboxlicense.PNG

heng

Hi there,

 

If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.

 

If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection

 

For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not  contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.

 

At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.

 

# diagnose sys scanunit debug quarantine enable

# diagnose sys scanunit debug analytics enable

# diagnose debug enable

NSE8
Manabu
New Contributor

Thank you for the debugging commands.

We were able to find testable files.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors