Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Manabu
New Contributor

Created on ‎12-19-2023 07:05 AM Edited on ‎02-26-2024 03:36 AM By Community Manager

FortiSandbox Send files to FortiSandbox for inspection not work

Hi

 

I’m testing the Sandbox integration with FortiOS7.2.6, but when I set it to “suspicious file Only”, no files are linked to the Sandbox at all. I’m having trouble because even when I use the test file provided at the following URL by Fortiguard lab, it is not linked to the Sandbox. https://www.fortiguard.com/sample-files

Do you have any advice on how to test this? Also, is there anyone else with the same symptoms?

 

 

Labels:
1694
0 Kudos
1 Solution
heng
Staff
Staff
In response to Manabu

Created on ‎12-23-2023 10:13 AM Edited on ‎12-23-2023 10:14 AM

Hi there,

 

If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.

 

If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection

 

For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not  contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.

 

At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.

 

# diagnose sys scanunit debug quarantine enable

# diagnose sys scanunit debug analytics enable

# diagnose debug enable

NSE8

View solution in original post

1595
0 Kudos
5 REPLIES 5
Anthony_E
Community Manager
Community Manager

Created on ‎12-21-2023 09:08 PM

Hello manabu,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
1645
0 Kudos
heng
Staff
Staff

Created on ‎12-22-2023 12:21 AM

Hi Sir,

Do you have FortiGuard Sanbox service in your ATP subscription? Or you have a dedicated FortiSandbox to do the sandboxing? 

NSE8
1634
Manabu
New Contributor
In response to heng

Created on ‎12-22-2023 07:20 AM

Thanks Reply heng.

 

Yes, we have the FortiSandbox2000E with a valid license. FortiSandbox is being tested on OS 4.4.2. When set to 'All Supported Files' in the Antivirus Profile, files downloaded from FortiGuard Labs are correctly integrated into the sandbox and properly assessed for risks. However, setting it to 'Suspicious File Only' prevents integration into the sandbox, thus hindering the testing process. We are seeking a method to test the integration into the sandbox using 'Suspicious File Only.

 

FGlicense.PNGSandboxlicense.PNG

1625
0 Kudos
heng
Staff
Staff
In response to Manabu

Created on ‎12-23-2023 10:13 AM Edited on ‎12-23-2023 10:14 AM

Hi there,

 

If sandbox integration is working fine with all supported files, that mean you have to look at the FGT.

 

If you are in pre version 7.0, the suspicious file behaviors is scanned by heuristic scanning. From version 7.0 onward, it was scanned by AV Engine AI.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/773410/ai-based-malware-detection

 

For your case, if you do not have any suspicious file send to sanboxing, that mean the files that scanned by AV engine simply do not  contain any characteristics that suggest it as malware. You need do look for some suspicious file to test for your configuration use case.

 

At the same time, you can run the following debug and look at the messages when testing on a certain file to see whether the file being flagged as suspicious before the FGT can send it to sandbox.

 

# diagnose sys scanunit debug quarantine enable

# diagnose sys scanunit debug analytics enable

# diagnose debug enable

NSE8
1596
0 Kudos
Manabu
New Contributor
In response to heng

Created on ‎01-13-2024 02:37 AM

Thank you for the debugging commands.

We were able to find testable files.

1424
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.