Hi
I’m testing the Sandbox integration with FortiOS7.2.6, but when I set it to “suspicious file Only”, no files are linked to the Sandbox at all. I’m having trouble because even when I use the test file provided at the following URL by Fortiguard lab, it is not linked to the Sandbox. https://www.fortiguard.com/sample-files
Do you have any advice on how to test this? Also, is there anyone else with the same symptoms?
Solved! Go to Solution.
Hi there,
If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.
If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection
For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.
At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.
# diagnose sys scanunit debug quarantine enable
# diagnose sys scanunit debug analytics enable
# diagnose debug enable
Hello manabu,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi Sir,
Do you have FortiGuard Sanbox service in your ATP subscription? Or you have a dedicated FortiSandbox to do the sandboxing?
Thanks Reply heng.
Yes, we have the FortiSandbox2000E with a valid license. FortiSandbox is being tested on OS 4.4.2. When set to 'All Supported Files' in the Antivirus Profile, files downloaded from FortiGuard Labs are correctly integrated into the sandbox and properly assessed for risks. However, setting it to 'Suspicious File Only' prevents integration into the sandbox, thus hindering the testing process. We are seeking a method to test the integration into the sandbox using 'Suspicious File Only.
Hi there,
If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.
If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection
For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.
At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.
# diagnose sys scanunit debug quarantine enable
# diagnose sys scanunit debug analytics enable
# diagnose debug enable
Thank you for the debugging commands.
We were able to find testable files.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.