Fortinet black logo

Overview

Copy Link
Copy Doc ID 609ceb0c-313f-11e9-94bf-00505692583a:621838
Download PDF

Overview

This guide is a collection of best practices and troubleshooting guidelines for using FortiSandbox. Use these guidelines to get the most of your FortiSandbox products, maximize its performance, and avoid potential problems.

Know your FortiSandbox

Understanding the process flow of your FortiSandbox can provide additional awareness and information that may help you in troubleshooting.

For configuring FortiSandbox, see Installing FortiSandbox. For troubleshooting, see Troubleshooting guidelines.

FortiSandbox and FortiGate process flow

The FortiSandbox (acting as a server) receives files from FortiGate (acting as client). Then, it provides an updated Threat Intelligence database back to the client.

  1. FortiGate extracts files from the network traffic. It uses the AntiVirus scan profile for sandboxing feature. File size limit apply. Before forwarding previously seen files, it crosschecks its cache (known as Threat Intelligence DB or Malware package).
  2. FortiGate queries FortiSandbox first if previously forwarded. If not, FortiGate forwards the file along with the serial number, IP address, and VDOM information.
  3. The submission goes through a series of scan flow stages. A verdict can be reached at any stage. The last stage is VM Scan which takes 2-3 mins. FortiSandbox keeps the submissions and its results for 60 days for Malware verdict and 3 days for Clean verdict.
  4. FortiGate pulls the latest Threat Intelligence DB every 2 mins. The DB contains a list of malicious file checksums and related URLs. FortiGate also queries the verdict for logging.
  5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.

    FortiSandbox can share malicious files and URL with FortiGuard when Sandbox Community is enabled.

    FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when enabled in configuration.

FortiSandbox and FortiMail process flow

The FortiSandbox (acting as a server) receives files and URLs embedded in emails from FortiMail (acting as client). The client waits for the verdict before releasing any email as safe (clean).

  1. FortiMail receives email from the Internet or one of the clients. It uses the AntiVirus scan profile for sandboxing feature. It checks for any file attachments and embedded URLs. On extracting URLs, the default count is 10.
  2. FortiMail queries FortiSandbox first. If results are already known and up-to-date, then use the previous result. Otherwise, it forwards the files and URLs to FortiSandbox. It waits for the verdict before releasing the email.
  3. Upon receipt of submission from FortiMail, a job id is created. The submission goes through a series of scan flow stages. A verdict can be reached at any stage. FortiSandbox keeps the submissions and its results for 60 days for Malware verdict and 3 days for Clean verdict.
  4. FortiMail pulls the result every 10 seconds of the submission until a verdict is reached.
  5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.

    FortiSandbox can share malicious files and URLs with FortiGuard when Sandbox Community is enabled.

    FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when enabled in configuration.

Overview

This guide is a collection of best practices and troubleshooting guidelines for using FortiSandbox. Use these guidelines to get the most of your FortiSandbox products, maximize its performance, and avoid potential problems.

Know your FortiSandbox

Understanding the process flow of your FortiSandbox can provide additional awareness and information that may help you in troubleshooting.

For configuring FortiSandbox, see Installing FortiSandbox. For troubleshooting, see Troubleshooting guidelines.

FortiSandbox and FortiGate process flow

The FortiSandbox (acting as a server) receives files from FortiGate (acting as client). Then, it provides an updated Threat Intelligence database back to the client.

  1. FortiGate extracts files from the network traffic. It uses the AntiVirus scan profile for sandboxing feature. File size limit apply. Before forwarding previously seen files, it crosschecks its cache (known as Threat Intelligence DB or Malware package).
  2. FortiGate queries FortiSandbox first if previously forwarded. If not, FortiGate forwards the file along with the serial number, IP address, and VDOM information.
  3. The submission goes through a series of scan flow stages. A verdict can be reached at any stage. The last stage is VM Scan which takes 2-3 mins. FortiSandbox keeps the submissions and its results for 60 days for Malware verdict and 3 days for Clean verdict.
  4. FortiGate pulls the latest Threat Intelligence DB every 2 mins. The DB contains a list of malicious file checksums and related URLs. FortiGate also queries the verdict for logging.
  5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.

    FortiSandbox can share malicious files and URL with FortiGuard when Sandbox Community is enabled.

    FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when enabled in configuration.

FortiSandbox and FortiMail process flow

The FortiSandbox (acting as a server) receives files and URLs embedded in emails from FortiMail (acting as client). The client waits for the verdict before releasing any email as safe (clean).

  1. FortiMail receives email from the Internet or one of the clients. It uses the AntiVirus scan profile for sandboxing feature. It checks for any file attachments and embedded URLs. On extracting URLs, the default count is 10.
  2. FortiMail queries FortiSandbox first. If results are already known and up-to-date, then use the previous result. Otherwise, it forwards the files and URLs to FortiSandbox. It waits for the verdict before releasing the email.
  3. Upon receipt of submission from FortiMail, a job id is created. The submission goes through a series of scan flow stages. A verdict can be reached at any stage. FortiSandbox keeps the submissions and its results for 60 days for Malware verdict and 3 days for Clean verdict.
  4. FortiMail pulls the result every 10 seconds of the submission until a verdict is reached.
  5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.

    FortiSandbox can share malicious files and URLs with FortiGuard when Sandbox Community is enabled.

    FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when enabled in configuration.