Fortinet black logo

Release Notes

Home FortiSandbox 4.4.1 Release Notes
4.4.1
4.4.5
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.1
4.2.0
4.0.5
4.0.4
4.0.3
4.0.2
4.0.1
4.0.0
3.2.4
3.2.3
3.2.2
3.2.1
3.2.0
3.1.5
3.1.4
3.1.3
3.1.2
3.1.1
3.1.0
3.0.7
3.0.6
3.0.5
3.0.4
3.0.3
3.0.2
3.0.1
3.0.0

Upgrade Information

Upgrade Information

Before and after any firmware upgrade

Before any firmware upgrade, save a copy of your FortiSandbox configuration by going to Dashboard > System Configuration > Backup.

After any firmware upgrade, if you are using the web UI, clear the browser cache before logging into FortiSandbox so that web UI screens display properly.

Caution

This firmware has a known critical issue. For details, see Known Issues (v4.4.3).

To check if you are affected by this issue, run the status command to see if the Inode Usage is relatively high (i.e. more than 70%).

This issue has been fixed in a special build that has not yet been released. You can contact Customer Support to request a copy of that build.

Tracer and Rating Engines

The tracer and rating engines are automatically downloaded by the FortiSandbox from FortiGuard. For air-gapped mode, the engines are available for download from our Support site.

To download the latest engine:
  1. Log in to FortiCloud.
  2. In the banner, click Support > Service Updates.

  3. On the FortiGuard Updates page, click FortiSandbox and select the OS version.

Upgrade path

FortiSandbox 4.4.1 officially supports the following upgrade path.

Note

If you are upgrading from 4.2.0 – 4.2.3 to 4.2.4, see Scan Profile below.

Upgrade from

Upgrade to

4.4.0

4.4.1

4.2.0 – 4.2.5

4.4.0

4.0.0 – 4.0.3

4.2.0

3.2.3

4.0.2

3.2.0 – 3.2.2

3.2.3

3.1.4

3.2.0

3.0.6 – 3.1.3

3.1.4

3.0.0 – 3.0.5

3.0.6
Caution

Automatic Upgrade:

The GUI recommended upgrade path does not support upgrading FortiSandbox for GCP and OCI from v4.2.3 to v4.2.4 and higher.

Workaround:

GCP and OCI platforms only support upgrade from v 4.2.3 GA directly to 4.4.0 GA.

If you are using KVM or Hyper-V, the upgrade path must be 3.1.3 > 3.2.0, then follow the upgrade table.

As with all VM upgrades, take a snapshot or make a checkpoint before upgrading.

After upgrading, FortiSandbox might stop processing files until the latest rating engine is installed either by FDN update or manually. The rating engine is large so schedule time for the download.

Every time FortiSandbox boots up, it checks FDN for the latest rating engine.

If the rating engine is not available or out-of-date, you get these notifications:

  • A warning message informs you that you must have an updated rating engine.
  • The Dashboard System Information widget displays a red blinking No Rating Engine message besides Unit Type.

If necessary, you can manually download an engine package from Fortinet Customer Service & Support.

If the rating engine is not available or out-of-date, FortiSandbox functions in the following ways:

  • FortiSandbox still accepts on-demand, network share, and RPC submissions, but all jobs are pending.
  • FortiSandbox does not accept new devices or FortiClients.
  • FortiSandbox does not accept new submissions from Sniffer, Device, FortiClient, or Adapter.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Service & Support portal located at https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Upgrading cluster environments

Before upgrading, it is highly recommended that you set up a cluster IP set so the failover between primary (master) and secondary (primary slave) can occur smoothly.

In a cluster environment, use this upgrade order:

  1. Upgrade the workers (regular slaves) and install the new rating and tracer engine. Then wait until the devices fully boot up.
  2. Upgrade the secondary (primary slave) and install the new rating and tracer engine. Then wait until the device fully boots up.
  3. Upgrade the primary (master). This causes HA failover.
  4. Install the new rating and tracer engine on the old primary (master) node. This node might take over as primary (master) node.

Upgrade procedure

When upgrading from 3.1.0 or later and the new firmware is ready, you will see a blinking New firmware available link on the dashboard. Click the link and you will be redirected to a page where you can either choose to download and install an available firmware or manually upload a new firmware.

Upgrading FortiSandbox firmware consists of the following steps:

  1. Download the firmware image from the Fortinet Customer Service & Support portal.
  2. When upgrading via the CLI, put the firmware image on a host that supports file copy with the SCP or FTP command. The FortiSandbox must be able to access the SCP or FTP server.

    In a console window, enter the following command string to download and install the firmware image:

    fw-upgrade -b -s<SCP/FTP server IP address> -u<user name> -t<ftp|scp> -f<file path>

  3. When upgrading via the Web UI, go to System > Dashboard . In the System Information widget, click the Update link next to Firmware Version. The Firmware Upgrade page is displayed. Browse to the firmware image on the management computer and select the Submit button.
  4. Microsoft Windows Sandbox VMs must be activated against the Microsoft activation server if they have not been already. This is done automatically after a system reboot. To ensure the activation is successful, port3 of the system must be able to access the Internet and the DNS servers should be able to resolve the Microsoft activation servers.

Downgrading to previous firmware versions

Downgrading to previous firmware versions is not supported.

FortiSandbox VM firmware

Fortinet provides FortiSandbox VM firmware images for VMware ESXi, Hyper-V, Nutanix, and Kernel Virtual Machine (KVM) virtualization environments.

For more information, see the VM Installation Guide in the Fortinet Document Library.

Scan Profile

After upgrading to 4.2.4 the VM Association in the Scan Profile changes the CSV extension category from User defined extension to Office Documents as intended. When a CSV file is scanned by the VM, the CSV file type is displayed as userdefined in the Job Detail.

To work around this issue after upgrade:
  1. Go to Scan Policy and Object > Scan profile.
  2. Click the VM Association tab and remove csv from the Office documents category.
  3. Click Save.
  4. Add csv back to the Office documents category and click Save.
  5. Submit a csv file to be scanned. The file type will display 'csv' in the Job Detail.
Previous
Next

Upgrade Information

Before and after any firmware upgrade

Before any firmware upgrade, save a copy of your FortiSandbox configuration by going to Dashboard > System Configuration > Backup.

After any firmware upgrade, if you are using the web UI, clear the browser cache before logging into FortiSandbox so that web UI screens display properly.

Caution

This firmware has a known critical issue. For details, see Known Issues (v4.4.3).

To check if you are affected by this issue, run the status command to see if the Inode Usage is relatively high (i.e. more than 70%).

This issue has been fixed in a special build that has not yet been released. You can contact Customer Support to request a copy of that build.

Tracer and Rating Engines

The tracer and rating engines are automatically downloaded by the FortiSandbox from FortiGuard. For air-gapped mode, the engines are available for download from our Support site.

To download the latest engine:
  1. Log in to FortiCloud.
  2. In the banner, click Support > Service Updates.

  3. On the FortiGuard Updates page, click FortiSandbox and select the OS version.

Upgrade path

FortiSandbox 4.4.1 officially supports the following upgrade path.

Note

If you are upgrading from 4.2.0 – 4.2.3 to 4.2.4, see Scan Profile below.

Upgrade from

Upgrade to

4.4.0

4.4.1

4.2.0 – 4.2.5

4.4.0

4.0.0 – 4.0.3

4.2.0

3.2.3

4.0.2

3.2.0 – 3.2.2

3.2.3

3.1.4

3.2.0

3.0.6 – 3.1.3

3.1.4

3.0.0 – 3.0.5

3.0.6
Caution

Automatic Upgrade:

The GUI recommended upgrade path does not support upgrading FortiSandbox for GCP and OCI from v4.2.3 to v4.2.4 and higher.

Workaround:

GCP and OCI platforms only support upgrade from v 4.2.3 GA directly to 4.4.0 GA.

If you are using KVM or Hyper-V, the upgrade path must be 3.1.3 > 3.2.0, then follow the upgrade table.

As with all VM upgrades, take a snapshot or make a checkpoint before upgrading.

After upgrading, FortiSandbox might stop processing files until the latest rating engine is installed either by FDN update or manually. The rating engine is large so schedule time for the download.

Every time FortiSandbox boots up, it checks FDN for the latest rating engine.

If the rating engine is not available or out-of-date, you get these notifications:

  • A warning message informs you that you must have an updated rating engine.
  • The Dashboard System Information widget displays a red blinking No Rating Engine message besides Unit Type.

If necessary, you can manually download an engine package from Fortinet Customer Service & Support.

If the rating engine is not available or out-of-date, FortiSandbox functions in the following ways:

  • FortiSandbox still accepts on-demand, network share, and RPC submissions, but all jobs are pending.
  • FortiSandbox does not accept new devices or FortiClients.
  • FortiSandbox does not accept new submissions from Sniffer, Device, FortiClient, or Adapter.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Service & Support portal located at https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image file name including the extension, and select Get Checksum Code.

Upgrading cluster environments

Before upgrading, it is highly recommended that you set up a cluster IP set so the failover between primary (master) and secondary (primary slave) can occur smoothly.

In a cluster environment, use this upgrade order:

  1. Upgrade the workers (regular slaves) and install the new rating and tracer engine. Then wait until the devices fully boot up.
  2. Upgrade the secondary (primary slave) and install the new rating and tracer engine. Then wait until the device fully boots up.
  3. Upgrade the primary (master). This causes HA failover.
  4. Install the new rating and tracer engine on the old primary (master) node. This node might take over as primary (master) node.

Upgrade procedure

When upgrading from 3.1.0 or later and the new firmware is ready, you will see a blinking New firmware available link on the dashboard. Click the link and you will be redirected to a page where you can either choose to download and install an available firmware or manually upload a new firmware.

Upgrading FortiSandbox firmware consists of the following steps:

  1. Download the firmware image from the Fortinet Customer Service & Support portal.
  2. When upgrading via the CLI, put the firmware image on a host that supports file copy with the SCP or FTP command. The FortiSandbox must be able to access the SCP or FTP server.

    In a console window, enter the following command string to download and install the firmware image:

    fw-upgrade -b -s<SCP/FTP server IP address> -u<user name> -t<ftp|scp> -f<file path>

  3. When upgrading via the Web UI, go to System > Dashboard . In the System Information widget, click the Update link next to Firmware Version. The Firmware Upgrade page is displayed. Browse to the firmware image on the management computer and select the Submit button.
  4. Microsoft Windows Sandbox VMs must be activated against the Microsoft activation server if they have not been already. This is done automatically after a system reboot. To ensure the activation is successful, port3 of the system must be able to access the Internet and the DNS servers should be able to resolve the Microsoft activation servers.

Downgrading to previous firmware versions

Downgrading to previous firmware versions is not supported.

FortiSandbox VM firmware

Fortinet provides FortiSandbox VM firmware images for VMware ESXi, Hyper-V, Nutanix, and Kernel Virtual Machine (KVM) virtualization environments.

For more information, see the VM Installation Guide in the Fortinet Document Library.

Scan Profile

After upgrading to 4.2.4 the VM Association in the Scan Profile changes the CSV extension category from User defined extension to Office Documents as intended. When a CSV file is scanned by the VM, the CSV file type is displayed as userdefined in the Job Detail.

To work around this issue after upgrade:
  1. Go to Scan Policy and Object > Scan profile.
  2. Click the VM Association tab and remove csv from the Office documents category.
  3. Click Save.
  4. Add csv back to the Office documents category and click Save.
  5. Submit a csv file to be scanned. The file type will display 'csv' in the Job Detail.
Previous
Next