FortiGate
mzainuddinahm
Article Id 193018

Description


When files are sent to FortiSandbox Cloud, it is possible to get submission failures:

Example:

date=2020-06-03 time=09:05:34 idseq=5567260827583117 bid=8370948 dvid=1030 itime="2020-06-03 09:05:34" euid=3 epid=9150 dsteuid=0 dstepid=101 logver=60 logid=0201009238 type="utm" subtype="virus" level="notice" action="monitored" service="HTTP" srcip=1.2.3.4 dstip=2.3.4.5 srcport=53657 dstport=80 filename="XXX_2b92f11a5bc2266b2cdaba9216cf35e65b4da2c6.exe" dtype="fortisandbox" eventtype="analytics" analyticscksum="03d9082a1128f97441d925d6b95033721d9d0f1a0ed4c446f9a31103abe51442" fsaverdict="submission failed"

This article describes how to fix the failure.

Solution


Run the following commands to make sure that FortiGate is successfully communicating with FortiCloud. In the output, check the lines marked with <-----.

# diagnose test application forticldd 1
System=FGT Platform=FGT60E
Management vdom: root, id=0,  ha=master.
acct_id=support@fortinet.com
acct_st=OK                                 <-----

FortiGuard interface selection: method=auto specify=
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0

# diagnose test application forticldd 3
Debug zone info:
    Domain: EUROPE
    Home log server: 62.209.37.73:514
    Alt log server: 81.201.101.251:514
    Active Server IP:      62.209.37.73
    Active Server status:  up
    Log quota:      3145728MB
    Log used:       5830MB
    Daily volume:   20480MB
    fams archive pause: 0
    APTContract : 1
    APT server: 154.45.1.51:514
    APT Altserver: 154.45.1.52:514
    Active APTServer IP:      154.45.1.51
    Active APTServer status:  up              <-----


1) Configure the following setting to send only suspicious files instead of all files.

Go to Security Profiles -> AntiVirus.
Under Send files to FortiSandbox select 'Suspicious Files Only'.



 
 
 
If the FortiGate is not registered with a paid AntiVirus license, the FortiGate will use the free FortiCloud license. This license limits the FortiGate to 100 FortiSandbox Cloud submissions per day.
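
The following is an added example, not part of the original article or Fortinet's tooling: it parses exported log lines in the key=value format shown above and counts FortiSandbox analytics events and "submission failed" verdicts per day, so the failures can be compared against the 100-per-day limit. It assumes each dtype="fortisandbox" eventtype="analytics" line represents one submission attempt; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" pairs, as in the log line quoted in the article
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FREE_DAILY_LIMIT = 100  # free FortiCloud license limit stated in the article

def parse_line(line):
    """Return the fields of one FortiGate log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def summarize(lines):
    """Per-day counts of FortiSandbox analytics events and failed submissions."""
    days = defaultdict(lambda: {"events": 0, "failed": 0})
    for line in lines:
        f = parse_line(line)
        if f.get("dtype") != "fortisandbox" or f.get("eventtype") != "analytics":
            continue
        day = days[f.get("date", "unknown")]
        day["events"] += 1
        if f.get("fsaverdict") == "submission failed":
            day["failed"] += 1
    return dict(days)

def days_over_limit(summary, limit=FREE_DAILY_LIMIT):
    """Days that have failures and at least `limit` analytics events."""
    return sorted(d for d, c in summary.items()
                  if c["failed"] and c["events"] >= limit)

def sample_lines():
    """Constructed sample data modelled on the article's log line (not real logs)."""
    tmpl = ('date={d} time=09:05:34 logid=0201009238 type="utm" subtype="virus" '
            'filename="sample_{n}.exe" dtype="fortisandbox" eventtype="analytics"{v}')
    failed = ' fsaverdict="submission failed"'
    lines = [tmpl.format(d="2020-06-03", n=n, v="") for n in range(100)]
    lines += [tmpl.format(d="2020-06-03", n=n, v=failed) for n in range(100, 105)]
    lines.append(tmpl.format(d="2020-06-04", n=0, v=failed))
    lines.append('date=2020-06-04 time=10:00:00 type="traffic" subtype="forward"')
    return lines

if __name__ == "__main__":
    summary = summarize(sample_lines())
    for day in sorted(summary):
        print(day, summary[day])
    print("limit reached on:", days_over_limit(summary))
```

As a rule of thumb, a day returned by days_over_limit is consistent with the daily submission limit, while failures on days with few events are better investigated with the connectivity checks above.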
 