mmontes
Staff
Article Id 196228
Purpose
FortiGate is commonly configured to send files for inspection to FortiSandbox. This article describes which logs and debug output can be checked on both devices to confirm that files are actually being submitted.

Expectations, Requirements
1) Reviewing logs in FortiGate and FortiSandbox.
2) Running some troubleshooting commands in FortiGate and FortiSandbox.


Troubleshooting
FortiGate Side:

1) On the GUI, go to the "Log & Report" section and look for the AntiVirus logs; depending on where logging is stored, they are either displayed directly or have to be downloaded first.
Look for a log like the following one. The fields that confirm the submission are msg="File submitted to Sandbox.", action=analytics, eventtype=analytics and analyticssubmit=true; analyticscksum is the 64-hex-digit (SHA-256) checksum of the submitted file and can be used to match the file against the corresponding job on FortiSandbox:
date=XXXX-XX-XX time=XX:XX:XX itime="XXXX-XX-XX XX:XX:XX" logver=52 logid=0201009233 type=utm subtype=virus level=notice devid=FGXXXXXXXXXX vd=root msg="File submitted to Sandbox." action=analytics service=HTTP srcip=X.X.X.X dstip=X.X.X.X srcport=51779 dstport=80 sessionid=2013193656 direction=incoming filename=File name sent for inspection quarskip=No-skip url=http://dl.google.com/release2/JYM2KPQ8t30/File sent for inspection profile=AV-Profile agent=Mozilla/5.0 proto=6 eventtype=analytics analyticscksum=52b0dda51113acec993dbbb40a2ff7f1024d0fc998de2d61d6b479ffe26d9be4 analyticssubmit=true policyid=510 srcintf=portXX dstintf=portXX dtime="XXXX-XX-XX XX:XX:XX" itime_t=1492446015 devname=HA_Perimetral
2) On the FortiGate, the quarantine process is the one that sends files to FortiSandbox; the following debug commands can be run to review how the files are sent:
# diag debug reset
# diag debug disable
# diag debug application quarantine -1
# diag debug enable
Leave the debug running for a few minutes, then disable it as follows:
# diag debug reset
# diag debug disable
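When many AntiVirus logs have been downloaded, checking the submission fields by hand does not scale. The script below is an added example, not part of the original article, that parses FortiOS key=value log lines, keeps only the sandbox analytics events, reports which files were actually submitted (analyticssubmit=true), and verifies a local copy of a file against the analyticscksum value by computing its SHA-256 (the field's 64-hex-digit length is taken as indicating SHA-256). The sample log lines are constructed for this example; the serial number, IPs and URL in them are placeholders.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed sample logs (not from the original page). The first mirrors the
# "File submitted to Sandbox." event; the second is a constructed analytics event
# with analyticssubmit=false; the third is an unrelated traffic log for contrast.
SAMPLE_LOGS = [
    'date=2017-04-17 time=10:20:15 logid=0201009233 type=utm subtype=virus level=notice '
    'devid=FG100D0000000001 vd=root msg="File submitted to Sandbox." action=analytics '
    'service=HTTP srcip=10.1.1.20 dstip=203.0.113.10 srcport=51779 dstport=80 '
    'filename="setup.exe" url="http://dl.example.test/setup.exe" profile=AV-Profile '
    'eventtype=analytics '
    'analyticscksum=52b0dda51113acec993dbbb40a2ff7f1024d0fc998de2d61d6b479ffe26d9be4 '
    'analyticssubmit=true policyid=510',
    'date=2017-04-17 time=10:21:02 logid=0201009233 type=utm subtype=virus level=notice '
    'devid=FG100D0000000001 vd=root msg="constructed skipped event" action=analytics '
    'service=HTTP filename="readme.txt" profile=AV-Profile eventtype=analytics '
    'analyticscksum=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa '
    'analyticssubmit=false policyid=510',
    'date=2017-04-17 time=10:21:30 logid=0000000013 type=traffic subtype=forward '
    'devid=FG100D0000000001 vd=root srcip=10.1.1.20 dstip=203.0.113.10 action=accept',
]

# FortiOS log fields are key=value pairs; values containing spaces are quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# logid of the "File submitted to Sandbox." AntiVirus event shown in the article.
SANDBOX_LOGID = "0201009233"


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def sandbox_submissions(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per sandbox analytics event, with a boolean 'submitted'."""
    records: List[Dict[str, object]] = []
    for line in lines:
        f = parse_fortios_log(line)
        # Keep the event if it is the sandbox logid or flagged as an analytics event.
        if f.get("logid") != SANDBOX_LOGID and f.get("eventtype") != "analytics":
            continue
        records.append({
            "devid": f.get("devid", ""),
            "filename": f.get("filename", ""),
            "checksum": f.get("analyticscksum", "").lower(),
            "submitted": f.get("analyticssubmit") == "true",
            "msg": f.get("msg", ""),
        })
    return records


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count analytics events that were and were not submitted to the sandbox."""
    recs = sandbox_submissions(lines)
    submitted = sum(1 for r in recs if r["submitted"])
    return {"submitted": submitted, "not_submitted": len(recs) - submitted}


def matches_checksum(data: bytes, analyticscksum: str) -> bool:
    """True if the SHA-256 hex digest of data equals the logged analyticscksum."""
    return hashlib.sha256(data).hexdigest() == analyticscksum.strip().lower()


if __name__ == "__main__":
    for rec in sandbox_submissions(SAMPLE_LOGS):
        state = "SUBMITTED" if rec["submitted"] else "NOT SUBMITTED"
        print(f'{rec["devid"]} {state:14} {rec["filename"]:12} {rec["checksum"]}')
    print(summarize(SAMPLE_LOGS))
```

To use it on real data, feed the downloaded AntiVirus log file line by line to sandbox_submissions(), and pass the bytes of a retained copy of the file to matches_checksum() with the analyticscksum from its log entry; a mismatch means the log entry belongs to a different file than the one being investigated.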
FortiSandbox side:
1) On the GUI interface go to Logs & Report -> All Events; select "History Logs" and look for the serial number of the FortiGate.

2) Run the debug to check all file sending processes and connections to the FortiGate:
> diagnose-debug device FortiGate_Serial_Number
Leave the debug program running for a few minutes before stopping it with CTRL+C.
