Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

URL On Demand

URL On Demand allows you to upload a plain-text file containing a list of URLs, or an individual URL directly to your FortiSandbox device. Upon upload, the URLs inside the file, or the individual URL, is inspected. The Depth to which the URL is examined as well as the length of time that the URL is scanned can be set. You can then view the results and decide whether or not to allow access to the URL.

To view On Demand URLs and submit URLs to scan, go to Scan Input > URL On-Demand. You can drill down the information displayed and apply search filters.

The following options are available:

Submit File/URL

Click the button to submit a file containing a list of scanned URLs, or submit an individual URL.

Show Rescan Job

Jobs generated from a customized rescan of a URL can be shown/hidden by this option.

Refresh

Click the Refresh icon to refresh the entries displayed after applying search filters.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters.

Click the close icon in the search filter field to clear all search filters.

The search filter will be displayed below the search filter field. Click the close icon beside the search filter to remove the filter.

Search filters can be used to filter the information displayed in the GUI.

Clear all removable filters

Click the Trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period filter. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan job(s) associated with the entry. Click the Back button to return to the on-demand page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the URL file or individual URL was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The submitted URL file name. If the scan is about an individual URL, the name is scan_of_URL.

Submitted By

The name of the administrator that submitted the file scan.

Rating

Hover over the icon in this column to view the rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other.

During the URL scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

URL Count

The number of URLs associated with the submission when the scan is done. When the scan is In-Progress, it shows (finished scan)/(total URLs of this submission).

Comments

The comments user enters when submitting the file scan.

To view the scan job(s) associated with the entry:
  1. Double-click an entry in the table or select the View Jobs icon to view the specific URLs that were scanned.
  2. This page displays the following information and options:

    Back

    Click the Back button to return to the on-demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters.

    Click the Close icon in the search filter field to clear all search filters.

    Search filters can be used to filter the information displayed in the GUI.

    View Details

    Select the View Details icon to view file information.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it allows users to select the VM type in which the scan is performed and recorded. Select the VM type to play the video or save it to a local hard disk.

    Pagination

    Use the pagination options to browse entries displayed.

    The reset of displayed columns are determined by settings defined in System > Job View Settings > URL Detection Columns. For more information, refer to Job View Settings.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. See Appendix A - View Details Page Reference for descriptions of the View Details page.
  4. Close the tab to exit the View Details page.
To submit a file containing a list of URLs or an individual URL to FortiSandbox:
  1. Click the Submit File / URL button from the toolbar. The Submit New File window opens.
  2. Enter the following information:

    Depth

    Enter the Recursive Depth in which URLs are examined. The original URL is considered level 0. A depth of 1 will open all links on the original URL page and crawl into them. The default value is define in the Scan Policy > Scan Profile page.

    Timeout

    Enter the Timeout Value. The Timeout Value controls how long the device will scan the URL. If the network bandwidth is low, the timeout value should be larger to accommodate higher depth values. The default value is defined in the Scan Policy > Scan Profile page.

    Direct URL

    To scan only a single URL, check the Direct URL checkbox. Enter the URL in the Enter a URL field.

    Select a File

    Click the Browse button and locate the plain-text file on your management computer. The maximum number of URLs in this file is determined by Maximum URL Value in Scan Policy > Scan Profile page.

    Comments

    You can choose to enter optional comments for future reference.

    Debug Options

    To display the advanced options, check the Debug Options toggle. Users can choose to follow scan profile settings or specify the VMs.

    Follow VM Association settings in Scan Profile

    The URL will be sent to its associated VMs for the WEBLink defined in the Scan Profile.

    Enabled VM means its clone number is larger than 0.

    Note: To use WindowsCloud VM, you need to purchase the subscription service. URL will be sent to Fortinet Sandboxing cloud to scan.

    Force to Scan the URL Inside VM

    A VM type must be selected. Settings from the Scan Profile will be overridden and the URL will only be scanned in selected VM types. If VM images are not ready, the VM list will not be displayed.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. See To use the To use the Allow Interaction Feature: for more information.

    Record scan process in video

    Select to enable video recording. After scan finishes, a video icon will show in the second level detail page. Clicking it will trigger a download or play the video.

    Add URL sample to threat package

    Select to add the sample to malware package, if the result meets settings in Package Options

  3. Click Submit.
To use the Allow Interaction Feature:
  1. Go to Scan Input > URL On-Demand and click Submit File/URL from the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page. The job will be launched when a clone of a selected VM is available.

There are two ways to interact with the Windows VM.

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon and the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client.
  3. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and VNC session will be closed. Go back to On Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.

URL On Demand

URL On Demand allows you to upload a plain-text file containing a list of URLs, or an individual URL directly to your FortiSandbox device. Upon upload, the URLs inside the file, or the individual URL, is inspected. The Depth to which the URL is examined as well as the length of time that the URL is scanned can be set. You can then view the results and decide whether or not to allow access to the URL.

To view On Demand URLs and submit URLs to scan, go to Scan Input > URL On-Demand. You can drill down the information displayed and apply search filters.

The following options are available:

Submit File/URL

Click the button to submit a file containing a list of scanned URLs, or submit an individual URL.

Show Rescan Job

Jobs generated from a customized rescan of a URL can be shown/hidden by this option.

Refresh

Click the Refresh icon to refresh the entries displayed after applying search filters.

Search

Show or hide the search filter field.

Add Search Filter

Click the search filter field to add search filters.

Click the close icon in the search filter field to clear all search filters.

The search filter will be displayed below the search filter field. Click the close icon beside the search filter to remove the filter.

Search filters can be used to filter the information displayed in the GUI.

Clear all removable filters

Click the Trash can icon to clear all removable filters.

Export Data

Click the Export Data button to create a PDF or CSV snapshot report. The time period of included jobs in the report depends on the selection of Time Period filter. You can wait until the report is ready to view, or navigate away and find the report later in Log & Report > Report Center.

View Jobs

Click the icon to view the scan job(s) associated with the entry. Click the Back button to return to the on-demand page.

Pagination

Use the pagination options to browse entries displayed.

This page displays the following information:

Submission Time

The date and time that the URL file or individual URL was submitted to FortiSandbox. Use the column filter to sort the entries in ascending or descending order.

Submitted Filename

The submitted URL file name. If the scan is about an individual URL, the name is scan_of_URL.

Submitted By

The name of the administrator that submitted the file scan.

Rating

Hover over the icon in this column to view the rating. The rating can be one or more of the following: Clean, Low Risk, Medium Risk, High Risk, Malicious, or Other.

During the URL scan, the rating is displayed as N/A. If a scan times out or is terminated by the system, the file will have an Other rating.

Status

The scan status can be Queued, In-Process, or Done.

URL Count

The number of URLs associated with the submission when the scan is done. When the scan is In-Progress, it shows (finished scan)/(total URLs of this submission).

Comments

The comments user enters when submitting the file scan.

To view the scan job(s) associated with the entry:
  1. Double-click an entry in the table or select the View Jobs icon to view the specific URLs that were scanned.
  2. This page displays the following information and options:

    Back

    Click the Back button to return to the on-demand page.

    Search

    Show or hide the search filter field.

    Refresh

    Click the Refresh icon to refresh the entries displayed after applying search filters.

    Add Search Filter

    Click the search filter field to add search filters.

    Click the Close icon in the search filter field to clear all search filters.

    Search filters can be used to filter the information displayed in the GUI.

    View Details

    Select the View Details icon to view file information.

    Scan Video

    When the scan is submitted, if Record scan process in video is selected, a video icon is displayed. Clicking it allows users to select the VM type in which the scan is performed and recorded. Select the VM type to play the video or save it to a local hard disk.

    Pagination

    Use the pagination options to browse entries displayed.

    The reset of displayed columns are determined by settings defined in System > Job View Settings > URL Detection Columns. For more information, refer to Job View Settings.

  3. Click the View Details icon to view file details. The View Details page will open a new tab. See Appendix A - View Details Page Reference for descriptions of the View Details page.
  4. Close the tab to exit the View Details page.
To submit a file containing a list of URLs or an individual URL to FortiSandbox:
  1. Click the Submit File / URL button from the toolbar. The Submit New File window opens.
  2. Enter the following information:

    Depth

    Enter the Recursive Depth in which URLs are examined. The original URL is considered level 0. A depth of 1 will open all links on the original URL page and crawl into them. The default value is define in the Scan Policy > Scan Profile page.

    Timeout

    Enter the Timeout Value. The Timeout Value controls how long the device will scan the URL. If the network bandwidth is low, the timeout value should be larger to accommodate higher depth values. The default value is defined in the Scan Policy > Scan Profile page.

    Direct URL

    To scan only a single URL, check the Direct URL checkbox. Enter the URL in the Enter a URL field.

    Select a File

    Click the Browse button and locate the plain-text file on your management computer. The maximum number of URLs in this file is determined by Maximum URL Value in Scan Policy > Scan Profile page.

    Comments

    You can choose to enter optional comments for future reference.

    Debug Options

    To display the advanced options, check the Debug Options toggle. Users can choose to follow scan profile settings or specify the VMs.

    Follow VM Association settings in Scan Profile

    The URL will be sent to its associated VMs for the WEBLink defined in the Scan Profile.

    Enabled VM means its clone number is larger than 0.

    Note: To use WindowsCloud VM, you need to purchase the subscription service. URL will be sent to Fortinet Sandboxing cloud to scan.

    Force to Scan the URL Inside VM

    A VM type must be selected. Settings from the Scan Profile will be overridden and the URL will only be scanned in selected VM types. If VM images are not ready, the VM list will not be displayed.

    Allow Interaction

    Select the Allow Interaction checkbox to interact with the Windows VM. See To use the To use the Allow Interaction Feature: for more information.

    Record scan process in video

    Select to enable video recording. After scan finishes, a video icon will show in the second level detail page. Clicking it will trigger a download or play the video.

    Add URL sample to threat package

    Select to add the sample to malware package, if the result meets settings in Package Options

  3. Click Submit.
To use the Allow Interaction Feature:
  1. Go to Scan Input > URL On-Demand and click Submit File/URL from the toolbar.
  2. In the Submit New File window, check the Allow Interaction checkbox.
    When selected, only one VM can be specified.
  3. Click Submit.
  4. Go to the Virtual Machine > VM Status page. The job will be launched when a clone of a selected VM is available.

There are two ways to interact with the Windows VM.

  1. Use a VNC client and connect to fsa_ip:port. The port number can be found in the Interaction icon tooltip. Click the Interaction icon and the login password will appear in the address bar.
  2. Click the Interaction icon to use web based VNC client.
  3. Click Yes in the Do you want to start the scan? popup, the scan will start and the question becomes Do you want to stop the scan?

    Click Yes to stop the scan and VNC session will be closed. Go back to On Demand page to check the scan result.

The user has 30 minutes to finish the interaction. After that, the VNC session will be closed automatically.

VM Interaction and Scan video recording features are only available to users whose admin profile has Allow On-Demand Scan Interaction enabled.