Fortinet Document Library

Version: 2.5.0

Improve System Scan Performance

A unit processes files at a certain rate. There are ways to improve the unit’s scan power. The following suggestions help to optimize your system's scan performance.

  1. Only keep jobs with Clean Rating for a short period.

    If you are not concerned about processed files with a Clean rating, you can configure the system to remove them after a short period. This saves system resources and improves system performance.

    To do that, go to Scan Policy > General and set a short time period in the Delete all traces of jobs of Clean or Other rating after section.

  2. Turn on FortiGuard Pre-Filtering of certain file types.

    By default, if a file type is associated with a Windows VM image, all files of this file type are scanned inside it. A sandboxing scan inside a Windows VM is a slow, resource-intensive process. For example, an FSA-1000D unit can only scan an average of 160 files/hour inside a VM.

    You can enable FortiGuard Pre-Filtering on certain file types. If it is enabled, files of that file type are inspected by an advanced FortiGuard Pre-Filtering engine and only suspicious files are scanned inside a VM. The File Detection > Summary Report > Top File Type > Scanned by Sandboxing page gives you hints on which file types should skip sandboxing.

    Use the CLI command sandboxing-prefilter -e to enable sandboxing pre-filtering.

  3. Associate every file type to only one VM type.

    Theoretically, one file should be scanned inside all enabled VM types to get the best malware catch rate. However, to improve scan performance, every file type should be associated with only one VM type.

  4. Allocate clone numbers of each VM type according to the distribution of file types.

    Each unit can only prepare a limited number of guest image clones. The number is determined by installed Windows license keys. Allocate clone numbers according to the distribution of file types. For example, if there are a lot of Office files and WIN7X86VM is associated with Office files, you can decrease the clone number of other VM types and increase the clone number of the WIN7X86VM image.

    If there is a large number of pending jobs, you can use the pending-jobs CLI command or go to the Scan Input > Job Queue page to find out which file type has the longest queue, and then increase the clone number of its associated VM type.

  5. Reduce enabled Windows VM types.

    Each enabled Windows VM type requires system memory at runtime to store it. The more enabled types, the less system memory is available for scanning. This is especially the case when you enable customized images of a large size. To improve scan performance and clone system stability, we recommend reducing the number of enabled VM types.

  6. Do not associate VM types to archive files.

    FortiSandbox checks every file inside an archive file and puts it in its own job queue according to Scan Profile settings. If an archive file is scanned inside a VM, the archive file is opened but the files inside the archive file are not scanned, so a sandboxing scan of the archive file itself is not effective in detecting malware. Therefore, we recommend not associating VM types to archive files.
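
A planning sketch for suggestions 3, 4 and 6, added here as an example and not part of the FortiSandbox product or its documentation: it splits a fixed clone budget across VM types in proportion to the pending jobs of the file types mapped to each. The queue counts, the OTHERVM_A and OTHERVM_B names, the budget of 8 clones and the rule that every enabled VM type keeps at least one clone are assumptions; read the real counts from the Job Queue page.

```python
def allocate_clones(pending, vm_for_type, total_clones):
    """Split total_clones across VM types in proportion to their pending jobs."""
    # Suggestion 3: one VM type per file type, so the mapping is a plain dict.
    load = {vm: 0 for vm in vm_for_type.values()}
    for file_type, jobs in pending.items():
        vm = vm_for_type.get(file_type)
        if vm is not None:  # unmapped types (archives, suggestion 6) never reach a VM
            load[vm] += jobs
    if total_clones < len(load):
        raise ValueError("fewer clones than enabled VM types")
    if sum(load.values()) == 0:  # empty queues: share the budget evenly
        load = {vm: 1 for vm in load}
    total_load = sum(load.values())
    # Assumption: every enabled VM type keeps one clone; the rest is shared.
    spare = total_clones - len(load)
    alloc, remainders = {}, {}
    for vm, jobs in load.items():
        alloc[vm] = 1 + spare * jobs // total_load
        remainders[vm] = spare * jobs % total_load
    # Largest-remainder rounding hands out the clones lost to integer division.
    leftover = total_clones - sum(alloc.values())
    for vm in sorted(load, key=lambda v: (-remainders[v], v))[:leftover]:
        alloc[vm] += 1
    return alloc


# Constructed sample data (not real appliance output).
PENDING = {"doc": 420, "xls": 180, "pdf": 90, "exe": 60, "zip": 300}
VM_FOR_TYPE = {
    "doc": "WIN7X86VM",   # Office files, as in the example under suggestion 4
    "xls": "WIN7X86VM",
    "pdf": "OTHERVM_A",   # hypothetical VM type name
    "exe": "OTHERVM_B",   # hypothetical VM type name
}                         # "zip" is left unmapped on purpose (suggestion 6)

if __name__ == "__main__":
    for vm, clones in allocate_clones(PENDING, VM_FOR_TYPE, 8).items():
        print(f"{vm}: {clones} clones")
```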
