Best Practices

Home FortiSandbox 4.2.0 Best Practices

Troubleshooting Dashboard warnings

4.2.0

Copy Link

Copy Doc ID 82606edb-b6b8-11ec-9fd1-fa163e15d75b:498864

Download PDF

Troubleshooting Dashboard warnings

In the Dashboard, the color of the Connectivity and Services icons indicates their status. When FortiSandbox is fully operational, the icons are green. When FortiSandbox detects a potential issue, the icons are yellow.

This topic provides troubleshooting recommendations for the following services:

Windows VM
FortiGuard connectivity servers
VM Internet access

Windows VM

When Windows VM is initializing, it is normal for the yellow icon to be displayed in the Dashboard. If the yellow icon persists, the Windows VM was not initialized successfully.

To troubleshoot a Windows VM:

Issue	Recommendations	Description
VM image not installed	Go to Scan Policy and Object > VM Settings. Or Run the folling CLI command to display the installed VM images: `vm-status –l`	Verify that Windows VM images are installed and at least one is enabled and the clone number is not zero.
Invalid Windows license key	Run the following CLI command: `vm-license –l`	Check that a Windows 8 image in Optional VMs group is enabled. If not, a valid Windows 8 key should be purchased and installed.
Microsoft server failed to activate	Go to Log & Report > Events > VM Events or All Events.	Verify the logs from the time of the system boot up. For example, errors from Microsoft activation server may help you find the cause of failed activation.

Issue

Recommendations

Description

VM image not installed

Go to Scan Policy and Object > VM Settings.

Run the folling CLI command to display the installed VM images:

vm-status –l

Verify that Windows VM images are installed and at least one is enabled and the clone number is not zero.

Invalid Windows license key

Run the following CLI command:

vm-license –l

Check that a Windows 8 image in Optional VMs group is enabled. If not, a valid Windows 8 key should be purchased and installed.

Microsoft server failed to activate

Go to Log & Report > Events > VM Events or All Events.

Verify the logs from the time of the system boot up.

For example, errors from Microsoft activation server may help you find the cause of failed activation.

FortiGuard connectivity servers

FortiGuard connectivity servers include FDN update, community cloud, or web filtering.

To troubleshoot connectivity servers:

Issue	Recommendations	Description
Invalid Antivirus DB and Web Filtering Contracts	Go to Dashboard > Status.	Verify Antivirus DB Contract and Web Filtering Contract on Dashboard are valid. If the contracts are valid, the unit may have a bad network connection to external FortiGuard services.
The network is blocking the ping	Run the CLI command: `test-network`	This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected. The output shows connection speed and connectivity to related servers.
Firewall is blocking web filtering query	Take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command). Go to System > FortiGuard. Use the IP and port 8888 to overwrite the web filtering server. Additionally, enable Use override server port of the community cloud server query and select port 8888 in the Community Cloud & Threat Intelligence Settings section.	Check to see if the firewalls are configured to block packets to UDP port 53. This blocks the web filtering query.

Issue

Recommendations

Description

Invalid Antivirus DB and Web Filtering Contracts

Go to Dashboard > Status.

Verify Antivirus DB Contract and Web Filtering Contract on Dashboard are valid.

If the contracts are valid, the unit may have a bad network connection to external FortiGuard services.

The network is blocking the ping

Run the CLI command:

test-network

This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected.

The output shows connection speed and connectivity to related servers.

Firewall is blocking web filtering query

Take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command).
Go to System > FortiGuard.
Use the IP and port 8888 to overwrite the web filtering server.

Additionally, enable Use override server port of the community cloud server query and select port 8888 in the Community Cloud & Threat Intelligence Settings section.

Check to see if the firewalls are configured to block packets to UDP port 53. This blocks the web filtering query.

VM Internet access

A yellow icon means the Windows VM cannot access the Internet through port3. This affects the catch rate even if FortiSandbox has a SIMNET feature. For example, the Downloader type for malware needs access to an outside network to download a malicious payload.

To verify the VM is using port3 to connect to the Internet:

Go to Scan Policy and Object > General Settings.
- Verify Allow Virtual Machines to access external network through outgoing port is enabled.
- Verify the Gateway is valid and can access the Internet.
If no DNS server is set, the system DNS is used.
Run the following command to show network condition through port3.
test-network

Troubleshooting Dashboard warnings

This topic provides troubleshooting recommendations for the following services:

Windows VM
FortiGuard connectivity servers
VM Internet access

Windows VM

When Windows VM is initializing, it is normal for the yellow icon to be displayed in the Dashboard. If the yellow icon persists, the Windows VM was not initialized successfully.

To troubleshoot a Windows VM:

Issue	Recommendations	Description
VM image not installed	Go to Scan Policy and Object > VM Settings. Or Run the folling CLI command to display the installed VM images: `vm-status –l`	Verify that Windows VM images are installed and at least one is enabled and the clone number is not zero.
Invalid Windows license key	Run the following CLI command: `vm-license –l`	Check that a Windows 8 image in Optional VMs group is enabled. If not, a valid Windows 8 key should be purchased and installed.
Microsoft server failed to activate	Go to Log & Report > Events > VM Events or All Events.	Verify the logs from the time of the system boot up. For example, errors from Microsoft activation server may help you find the cause of failed activation.

Issue

Recommendations

Description

VM image not installed

Go to Scan Policy and Object > VM Settings.

Run the folling CLI command to display the installed VM images:

vm-status –l

Verify that Windows VM images are installed and at least one is enabled and the clone number is not zero.

Invalid Windows license key

Run the following CLI command:

vm-license –l

Check that a Windows 8 image in Optional VMs group is enabled. If not, a valid Windows 8 key should be purchased and installed.

Microsoft server failed to activate

Go to Log & Report > Events > VM Events or All Events.

Verify the logs from the time of the system boot up.

For example, errors from Microsoft activation server may help you find the cause of failed activation.

FortiGuard connectivity servers

FortiGuard connectivity servers include FDN update, community cloud, or web filtering.

To troubleshoot connectivity servers:

Issue	Recommendations	Description
Invalid Antivirus DB and Web Filtering Contracts	Go to Dashboard > Status.	Verify Antivirus DB Contract and Web Filtering Contract on Dashboard are valid. If the contracts are valid, the unit may have a bad network connection to external FortiGuard services.
The network is blocking the ping	Run the CLI command: `test-network`	This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected. The output shows connection speed and connectivity to related servers.
Firewall is blocking web filtering query	Take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command). Go to System > FortiGuard. Use the IP and port 8888 to overwrite the web filtering server. Additionally, enable Use override server port of the community cloud server query and select port 8888 in the Community Cloud & Threat Intelligence Settings section.	Check to see if the firewalls are configured to block packets to UDP port 53. This blocks the web filtering query.

Issue

Recommendations

Description

Invalid Antivirus DB and Web Filtering Contracts

Go to Dashboard > Status.

Verify Antivirus DB Contract and Web Filtering Contract on Dashboard are valid.

If the contracts are valid, the unit may have a bad network connection to external FortiGuard services.

The network is blocking the ping

Run the CLI command:

test-network

This can provide detailed information about the network condition. Sometimes the network is blocking the ping and errors about the ping are expected.

The output shows connection speed and connectivity to related servers.

Firewall is blocking web filtering query

Take the web filtering server IP (available in @@@ testing Web Filtering service @@@ part of test-network command).
Go to System > FortiGuard.
Use the IP and port 8888 to overwrite the web filtering server.

Additionally, enable Use override server port of the community cloud server query and select port 8888 in the Community Cloud & Threat Intelligence Settings section.

Check to see if the firewalls are configured to block packets to UDP port 53. This blocks the web filtering query.

VM Internet access

To verify the VM is using port3 to connect to the Internet:

Go to Scan Policy and Object > General Settings.
- Verify Allow Virtual Machines to access external network through outgoing port is enabled.
- Verify the Gateway is valid and can access the Internet.
If no DNS server is set, the system DNS is used.
Run the following command to show network condition through port3.
test-network