The VM Association tab defines file type and VM type association. Association means files of a certain file type are sandboxed by the associated VM type. This page displays all installed VM image(s), their clone numbers, versions, and status.
Click the edit icon. The left panel shows installed applications and the right panel shows current associated file types.
Whether an associated file is sandboxed in the VM image depends on the pre-filtering setting for its file type: if sandboxing pre-filtering is OFF for a file type, every file of that type is scanned by each associated VM type; if sandboxing pre-filtering is ON, files of that type are first scanned statically by an advanced analytic engine and only the ones judged suspicious are scanned by the associated VM types. Files that are not judged suspicious go through all scan steps except the Sandboxing scan step.
To improve system scan performance, you can turn on sandboxing pre-filtering for a file type with the sandboxing-prefilter CLI command. For example, you can associate web files with VM types. If sandboxing pre-filtering is OFF for js/html files, all of them are scanned inside the associated VM types. This can use up the system's sandboxing scan capacity, because web files are usually large in number. It is recommended to enable sandboxing pre-filtering for web files. For more details, refer to the FortiSandbox 4.2.1 CLI Reference Guide.
- Click Scanned File Types area and a file type list will be displayed.
- File types are grouped in different categories. Clicking the category title will toggle associations of all grouped file types. Clicking on an individual file type will toggle its own association. When the file type is displayed in full width, it means the file type is associated.
Make sure the user-defined extension is enabled.
- Click the + sign and enter an extension that does not already exist in the list.
- Click the green check mark. You can then click the new extension to toggle its association.
- After you have finished the association configuration, click Scanned File Types to finalize the list.
- Click the Apply button to apply the changes.
Files will then be scanned by the associated VM images.
FortiSandbox provides default scan profile settings.
Files with a user-defined extension are scanned by a VM image regardless of what file type they really are; only the file's extension counts.
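As an added illustration (not FortiSandbox code), the following model shows how the settings described above decide which VM types sandbox a file: the user-defined extension overrides the detected type, a VM type with clone number 0 is disabled, and with pre-filtering ON only files the static engine flags as suspicious reach the VM. The class, function names, VM names and sample profile are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ScanProfile:
    # file type -> VM types it is associated with (constructed sample data)
    associations: dict[str, set[str]]
    # VM type -> clone number; clone number 0 means the VM type is disabled
    clones: dict[str, int]
    # file types for which sandboxing pre-filtering is ON
    prefilter_on: set[str] = field(default_factory=set)
    # user-defined extensions: for these only the extension counts
    user_extensions: set[str] = field(default_factory=set)


def classify(profile: ScanProfile, name: str, detected_type: str) -> str:
    """Return the file type used for the association lookup.

    A user-defined extension wins over the detected type, as the page
    states that for such files only the extension matters."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in profile.user_extensions else detected_type


def route(profile: ScanProfile, name: str, detected_type: str,
          static_suspicious: bool) -> set[str]:
    """Return the VM types that sandbox the file (empty set = not sandboxed).

    static_suspicious stands in for the verdict of the static analytic engine
    that runs first when pre-filtering is ON for the file type."""
    ftype = classify(profile, name, detected_type)
    if ftype in profile.prefilter_on and not static_suspicious:
        return set()  # skips only the sandboxing step; other steps still run
    return {vm for vm in profile.associations.get(ftype, set())
            if profile.clones.get(vm, 0) > 0}  # clone number 0 = disabled


# Constructed sample profile: web files pre-filtered, ".bak" user-defined,
# VM_B installed but disabled (0 clones). VM_A/VM_B are placeholder names.
PROFILE = ScanProfile(
    associations={"js": {"VM_A"}, "html": {"VM_A"},
                  "exe": {"VM_A", "VM_B"}, "bak": {"VM_A"}},
    clones={"VM_A": 2, "VM_B": 0},
    prefilter_on={"js", "html"},
    user_extensions={"bak"},
)
```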
In an HA cluster environment, it is highly recommended that all cluster nodes have the same enabled VM types. The Scan Profile can only be configured on the primary node, and its configuration is synchronized to the worker nodes. The primary node collects the enabled VM image information from all nodes. If a VM image is installed only on a worker node, you can still configure it on the primary node and the result is synchronized to that worker node.
In a cluster environment, it is highly recommended that all cluster nodes have the same enabled VM, although it is not enforced. If cluster nodes do not have the same list of enabled VM types, a warning message will show up on top of the Scan Profile page for five seconds.
This page displays the enabled VM images of all cluster nodes and their enabled extensions. If the clone number is 0, the VM type is disabled. In this case, the enabled simulator VM is not listed.
The tip beside each cluster node displays the file types on that node that are not associated with any VM type. The fix now link opens a configuration page for the file type associations. It is highly recommended that all cluster nodes have the same associated file types as the enabled VM.
Cluster nodes with the same enabled VM images are grouped together. The tips and the fix now link disappear when there are no longer any unassociated file types.
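To show the cluster consistency checks this page performs, here is an added model (not FortiSandbox code) that groups nodes by their enabled VM types, flags the mismatch the warning banner reports, and lists per node the file types that no enabled VM type is associated with, which is what the tip and fix now link point out. Node names, VM names, file types and the dictionary layout are constructed assumptions.

```python
def enabled_vms(node: dict) -> set:
    """VM types with a clone number above 0; clone number 0 means disabled."""
    return {vm for vm, clones in node["clones"].items() if clones > 0}


def unassociated_types(node: dict) -> list:
    """File types on this node whose associated VM types are all disabled
    (or missing), i.e. the entries the tip beside the node would show."""
    live = enabled_vms(node)
    return sorted(ftype for ftype, vms in node["associations"].items()
                  if not (vms & live))


def cluster_report(nodes: dict) -> dict:
    """Group nodes by enabled VM set and flag a mismatch, as the Scan Profile
    warning does when nodes do not share the same enabled VM types."""
    groups: dict = {}
    for name, node in nodes.items():
        groups.setdefault(frozenset(enabled_vms(node)), []).append(name)
    return {
        "mismatch": len(groups) > 1,
        "groups": {tuple(sorted(k)): sorted(v) for k, v in groups.items()},
        "needs_fix": {name: unassociated_types(node)
                      for name, node in nodes.items()
                      if unassociated_types(node)},
    }


# Constructed sample cluster: the worker disabled VM_B (0 clones), so its
# "exe" association no longer points at an enabled VM type.
NODES = {
    "primary": {"clones": {"VM_A": 2, "VM_B": 1},
                "associations": {"js": {"VM_A"}, "exe": {"VM_B"}}},
    "worker1": {"clones": {"VM_A": 2, "VM_B": 0},
                "associations": {"js": {"VM_A"}, "exe": {"VM_B"}}},
}
```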
Click the pencil icon or the fix now link to edit the corresponding HA node.
A new page will appear, with the left side panel displaying the installed applications and the right side panel displaying the currently associated file types.
- Click the Scanned File Types area. The Select Extensions pane is displayed.
- Click the name of the extension to toggle associations of grouped file types. The file types are grouped in different categories. Click an individual file type to toggle the corresponding association on or off.
When the file type is displayed in the full width of the Select Extensions pane, it means the file type is associated (for example, the .jse extension above). When the file type is displayed in partial width, it means the file type is not currently associated (for example, the .exe extension above).
First, make sure the user-defined extension is enabled in the Pre-Filter tab.
- Scroll to the bottom of the Select Extensions pane and click the + icon next to User defined extensions.
- Enter a new extension in the text window.
- Click the green check mark to confirm.
- You can then click the new extension to toggle its association.
- Click the + icon.
- Enter the extension defined by other cluster nodes in the text window.
- Click the green check mark to confirm.
- You can then click on the new extension to toggle its association.
- After you have finished the VM association, click Scanned File Types to finalize the list.
- Click the Apply button to apply the changes. The configuration on the primary node will be synchronized with the edited node in real-time. Files will then be scanned by the associated VM images.
- On the primary node, an alert may appear under the bell icon in the upper right corner after you update the configuration. Click the bell icon; the alert reads Scan Profile requires your action. Clicking the alert message redirects you to the Scan Profile > VM Association page, where you can use the fix now links to resolve issues with file extensions.
Office files and PDF files may contain malicious URLs, including direct download links. You can scan selected URLs along with the original file inside the file's associated VM. To turn on this feature, use the