The VM Association tab defines the association between file types and VM types. Association means that files of a certain file type will be sandboxed by the associated VM type. This page displays all installed VM images, their clone numbers, versions, and status.
If a VM type is disabled (clone # is 0), its Clone # field will be red.
Click the VM image’s name. The left side panel shows the installed applications and the right side panel shows the currently associated file types.
For an associated file to be sandboxed in the VM image:
If sandboxing pre-filtering is OFF for a file type, every file of that type is scanned by each associated VM type. If sandboxing pre-filtering is ON, files of that type are first statically scanned by an advanced analytic engine, and only the suspicious ones are scanned by the associated VM type. The other files go through all scan steps except the Sandboxing scan step.
To improve system scan performance, you can turn on sandboxing pre-filtering for a file type with the sandboxing-prefilter CLI command. For example, you can associate web files with VM types. If sandboxing pre-filtering is OFF for js/html files, all of them will be scanned inside the associated VM types. This may use up the system's sandboxing scan capacity because web files are usually numerous. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox 3.0.6 CLI Reference Guide.
- Click Scanned File Types area and a file type list will be displayed.
- File types are grouped in different categories. Clicking the category title will toggle associations of all grouped file types. Clicking on an individual file type will toggle its own association. When the file type is displayed in full length, it means the file type is associated.
Make sure the user defined extension is enabled.
- Click the + sign and enter a non-existing extension.
- Click the green check mark. The user can then click on the new extension to toggle its association.
- After the user has finished the association configuration, click the Scanned File Types to finalize the list.
- Click the Apply button to apply the changes.
Files will then be scanned by the associated VM images.
Files with a user-defined extension are scanned by a VM image no matter what file type they really are. Only the file's extension counts.
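The sketch below models the routing rules described above (pre-filtering ON versus OFF, and extension-only matching for user-defined extensions) to show how they affect sandbox capacity. It is an added example, not FortiSandbox code: the VM names, the `xyz` extension, the sample batch and the `suspicious` flag standing in for the static engine's verdict are all constructed, and it assumes pre-filtering does not apply to user-defined extensions.

```python
from dataclasses import dataclass

# Constructed configuration: VM names and associations are placeholders.
ASSOCIATIONS = {"js": ["VM_A", "VM_B"], "html": ["VM_A", "VM_B"], "pdf": ["VM_A"]}
USER_DEFINED_EXT = {"xyz": ["VM_B"]}  # user-defined extension -> VM types


@dataclass
class Sample:
    name: str
    detected_type: str  # what the content really is
    suspicious: bool    # assumed verdict of the static pre-filter engine


def vm_scans(sample, prefilter_on):
    """Return the VM types that would sandbox this sample."""
    ext = sample.name.rsplit(".", 1)[-1].lower() if "." in sample.name else ""
    # User-defined extension: only the extension counts, the real type is
    # ignored (assumption: pre-filtering is not consulted for these).
    if ext in USER_DEFINED_EXT:
        return list(USER_DEFINED_EXT[ext])
    vms = ASSOCIATIONS.get(sample.detected_type, [])
    if not vms:
        return []  # type not associated: no Sandboxing scan step
    if sample.detected_type in prefilter_on and not sample.suspicious:
        return []  # pre-filter ON and static scan found nothing suspicious
    return list(vms)


def total_vm_scans(batch, prefilter_on):
    """Count VM scan jobs a batch consumes under a pre-filter setting."""
    return sum(len(vm_scans(s, prefilter_on)) for s in batch)


# Constructed batch: 100 web files, 1 in 10 flagged by the static engine,
# plus one PDF renamed to the user-defined extension.
BATCH = [Sample(f"page{i}.js", "js", i % 10 == 0) for i in range(100)]
BATCH.append(Sample("invoice.xyz", "pdf", False))

if __name__ == "__main__":
    print("pre-filter OFF:", total_vm_scans(BATCH, set()))
    print("pre-filter ON for js/html:", total_vm_scans(BATCH, {"js", "html"}))
    print("renamed PDF goes to:", vm_scans(BATCH[-1], {"js", "html"}))
```

The renamed PDF is routed by its extension alone, so it lands in the VM associated with `xyz` rather than the one associated with PDF files.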
FortiSandbox provides default scan profile settings.
In a cluster environment, it is highly recommended that all cluster nodes have the same enabled VM, although it is not enforced.
If cluster nodes do not have the same list of enabled VM types, a warning message will show up on top of the Scan Profile page for five seconds.
The Scan Profile can only be configured on the primary (master) node, and the configuration will be synced to the worker (slave) nodes. The primary (master) node will collect all installed VM image information. If a unique VM image is only installed on a worker (slave) node, the user can still configure it on the primary (master) node and the result will be synchronized to that worker (slave) node.
There might be malicious URLs inside Office files and PDF files. Users can choose to scan randomly selected URLs along with the original file inside files' associated VM. To turn this feature ON, use the
A unit can join the global threat network as a Contributor to allow the Collector to control its Scan Profile, or it can work as the Collector to manage the Scan Profile of all units in the network. Only a Standalone unit or the primary (master) node in a cluster can join the network.
After you configure the Scan Profile on the Collector, the settings will be downloaded by all Contributors. On Contributor units, the Scan Profile page becomes read-only.