FortiSandbox-4.2.0-Best Practices and Troubleshooting Guide

This document provides best practices and troubleshooting guidelines for FortiSandbox. It begins with an overview of FortiSandbox functionality and workflows with FortiGate and FortiMail. It then covers topics like installation, maintenance, hardening, advanced procedures, and troubleshooting. Administrators can use these guidelines to optimize performance, availability, and security of their FortiSandbox deployment. The document also provides additional resources for support, documentation, and technical information.


Best Practices and Troubleshooting Guide
FortiSandbox 4.2.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

July 04, 2023


FortiSandbox 4.2.0 Best Practices and Troubleshooting Guide
34-42-798662-20230704
TABLE OF CONTENTS

Overview 5
Know your FortiSandbox 5
FortiSandbox and FortiGate process flow 5
FortiSandbox and FortiMail process flow 6
Additional information 7
Installing FortiSandbox 8
Upgrading cluster environments 8
Downgrading to previous firmware versions 8
Business continuity 9
General maintenance 10
Backing up the FortiSandbox configuration 10
Restoring the FortiSandbox configuration 10
Scheduling maintenance tasks for off-peak hours 10
Maintaining database integrity 10
Maintaining storage integrity 11
Hardening 12
Building security into FortiSandbox 12
Physical security 12
Vulnerability - monitoring PSIRT 12
Firmware 12
Encrypted protocols 13
Strong ciphers 13
FortiGuard databases 13
Penetration testing 13
Trusted Hosts 13
Limit login users' access rights 13
Other recommended actions users can take 14
Advanced procedures 15
Improving scan performance 15
Understanding Inline Block feature 16
Considerations 17
Hot-swapping hard disk 18
Recovering system using Rescue Mode 19
Revalidating Windows license key 25
Resetting user’s admin password 26
Resizing the data volume on AWS 27
Resizing the data disk for FortiSandbox on Azure 29
Setting up a FortiSandbox VM00 as Primary node for high availability 32
Troubleshooting guidelines 34
Troubleshooting Dashboard warnings 34
Windows VM 34

FortiGuard connectivity servers 35
VM Internet access 36
Troubleshooting system resource issues 36
Troubleshooting cloning issues 37
Troubleshooting the Job Queue 38
Troubleshooting NetShare issues 38
NFSv4 error 39
Troubleshooting detection issues 39
Trace a file 39
Known malware not detected 40
Change Log 41

Overview

This guide is a collection of best practices and troubleshooting guidelines for using FortiSandbox. Use these guidelines
to get the most out of your FortiSandbox products, maximize their performance, and avoid potential problems.

Know your FortiSandbox

Understanding the process flow of your FortiSandbox can provide additional awareness and information that may help
you in troubleshooting.
For configuring FortiSandbox, see Installing FortiSandbox on page 8. For troubleshooting, see Troubleshooting
guidelines on page 34.

FortiSandbox and FortiGate process flow

The FortiSandbox (acting as a server) receives files from FortiGate (acting as a client). It then provides an updated
Threat Intelligence database back to the client.

1. FortiGate extracts files from the network traffic, using the sandboxing feature of the AntiVirus scan profile. File
size limits apply. Before forwarding a file it has seen before, FortiGate cross-checks its cache (known as the Threat
Intelligence DB or Malware package).
2. If the file was previously forwarded, FortiGate first queries FortiSandbox for the verdict. If not, FortiGate forwards
the file along with its serial number, IP address, and VDOM information.
3. The submission goes through a series of scan flow stages. A verdict can be reached at any stage. The last stage is
VM Scan, which takes 2-3 minutes. FortiSandbox keeps submissions and their results for 60 days for a Malware
verdict and 3 days for a Clean verdict.
4. FortiGate pulls the latest Threat Intelligence DB every 2 minutes. The DB contains a list of malicious file
checksums and related URLs. FortiGate also queries the verdict for logging.
5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.
FortiSandbox can share malicious files and URLs with FortiGuard when Sandbox Community is enabled.
FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when this is enabled in
the configuration.

FortiSandbox and FortiMail process flow

The FortiSandbox (acting as a server) receives files and URLs embedded in emails from FortiMail (acting as a client).
The client waits for the verdict before releasing any email as safe (clean).

1. FortiMail receives email from the Internet or from one of its clients, using the sandboxing feature of the AntiVirus
scan profile. It checks for any file attachments and embedded URLs. By default, up to 10 URLs are extracted.
2. FortiMail queries FortiSandbox first. If the result is already known and up to date, it uses the previous result.
Otherwise, it forwards the files and URLs to FortiSandbox and waits for the verdict before releasing the email.
3. Upon receipt of a submission from FortiMail, a job ID is created. The submission goes through a series of scan flow
stages. A verdict can be reached at any stage. FortiSandbox keeps submissions and their results for 60 days for a
Malware verdict and 3 days for a Clean verdict.
4. FortiMail polls for the result of the submission every 10 seconds until a verdict is reached.
5. FortiSandbox checks FortiGuard every hour and downloads new packages and engines.
FortiSandbox can share malicious files and URLs with FortiGuard when Sandbox Community is enabled.
FortiSandbox can forward detection statistics to FortiGuard for analysis of trending threats when this is enabled in
the configuration.

Additional information

For product and feature guides, go to the Fortinet Document Library at http://docs.fortinet.com.
For procedures on how to implement these best practices, see the FortiSandbox Administration Guide in the Fortinet
Document Library.
For customer service and technical support, go to https://support.fortinet.com.
For technical notes, how-to articles, FAQs, and links to the technical forum and technical documentation, go to the
Fortinet Knowledge Base at http://kb.fortinet.com/kb.

Installing FortiSandbox

Plan your installation carefully and select the FortiSandbox model(s) that meet your requirements.
- Plan the size of your installation appropriately, and also plan for future sandboxing requirements. Refer to the
FortiSandbox Data Sheet for performance information on each model.
- Ensure you have remote serial console or virtual console access.
- Ensure that a local FTP or SCP server is available on a network local to the FortiSandbox.
Before any firmware upgrade, save a copy of your FortiSandbox configuration by going to the System Information widget
on Dashboard > Status and clicking the Backup/Restore icon in the System Configuration line.
After any firmware upgrade, if you are using the web UI, clear the browser cache before logging into the FortiSandbox
unit to ensure the web UI screens display properly.

Upgrading cluster environments

In a cluster environment, we recommend upgrading the cluster in the following order:

1. Worker devices
2. Secondary device
3. Primary device
Upgrade each unit only after the previous one has fully booted up. After the upgrade, we highly recommend setting up
a cluster-level failover IP set for a smooth failover between primary and secondary.

Downgrading to previous firmware versions

Downgrading to previous firmware versions is not supported.

Business continuity

- Ensure the FortiSandbox has a valid subscription to Sandbox Threat Intelligence so that it can continue to download
the latest engines and databases and can access FortiGuard for File and Web Filtering queries.
- Ensure the FortiSandbox environment has a stable and/or uninterruptible power supply. A power loss can damage
FortiSandbox databases.
- If there is an unexpected power loss, revert to a known good backup of the configuration. See Restoring the
FortiSandbox configuration on page 10.
- If a shutdown or reboot is necessary, always perform it gracefully. Removing power without a graceful shutdown
can damage FortiSandbox databases. See Maintaining database integrity on page 10.
- Ensure there are spare parts on site, such as fans, power supplies, and disks.

General maintenance

Perform general maintenance tasks such as backup and restore so that you can revert to a previous configuration if
necessary.

Backing up the FortiSandbox configuration

- Perform regular backups to ensure you have a recent copy of your FortiSandbox configuration.
- If your FortiSandbox is a virtual machine, you can also use VM snapshots.

Restoring the FortiSandbox configuration

Restore configuration backups to the same FortiSandbox model with the same firmware. Do not restore a configuration
backup to a FortiSandbox model with different firmware.

Scheduling maintenance tasks for off-peak hours

We recommend scheduling maintenance tasks for off-peak hours whenever possible, including tasks such as:
- Firmware upgrade
- System topology change
- Swapping a failed hard disk

Maintaining database integrity

To maintain database integrity, never power off a FortiSandbox unit without a graceful shutdown. Removing power
without a proper shutdown can damage FortiSandbox databases. Always use the following shutdown command before
powering off.
shutdown

We highly recommend connecting FortiSandbox units to an uninterruptible power supply (UPS) to prevent unexpected
power issues that might damage internal databases.

Maintaining storage integrity

To keep FortiSandbox storage healthy, we recommend regularly checking Disk Usage in the System Resources widget,
or setting up external logging.
If disk usage is increasing rapidly and does not stabilize after a period of time, review your policy for retaining
submitted files. To do that, go to Scan Policy and Object > General Settings and set a shorter time period in the
Delete all traces of jobs of Clean or Other rating after setting.

Hardening

System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface.
This section covers some actions you can take.

Building security into FortiSandbox

The FortiSandbox firmware, FortiSandbox hardware devices, and FortiSandbox virtual machines (VMs) are built with
security in mind, so many security features are built into the hardware and software. Fortinet maintains ISO 9001
certified software and hardware development processes to ensure that FortiSandbox products are developed in a
secure manner.

Physical security

Install the FortiSandbox in a physically secure location. Physical access to the FortiSandbox can allow it to be bypassed,
or other firmware could be loaded after a manual reboot. Optionally, disable the maintainer account with the CLI
command set-maintainer. Note that after doing this you will be unable to recover administrator access through a
console connection if all administrator credentials are lost.

Vulnerability - monitoring PSIRT

The Fortinet Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet
hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet
development teams, and serious issues are described, along with protective solutions, in advisories listed at
https://www.fortiguard.com/psirt.

Firmware

Keep the FortiSandbox firmware up to date. The latest patch release contains the most bug and vulnerability fixes and
should be the most stable. Firmware is periodically updated to add new features and resolve important issues.
- Read the release notes. The known issues may include issues that affect your business.
- Do not use out-of-support firmware. Review the product lifecycle and plan to upgrade before the firmware expires.
- Optionally, subscribe to the Fortinet firmware RSS feed: https://pub.kb.fortinet.com/rss/firmware.xml.

Encrypted protocols

Use encrypted protocols whenever possible: for example, SNMPv3 instead of SNMP, SMTPS instead of SMTP, ICAP
over SSL instead of ICAP, SSH instead of Telnet, HTTPS instead of HTTP for web page access and JSON API calls, and
encrypted logging instead of plain TCP.

Strong ciphers

Force higher levels of encryption and strong ciphers for HTTPS access to the web site and JSON API calls:
set-tlsver -e3

FortiSandbox already uses higher levels of encryption and strong ciphers for communications with Fortinet fabric
devices.

FortiGuard databases

Ensure that FortiGuard databases and engines, such as AntiVirus, Network Alerts, Rating, and Tracer, are updated
promptly.

Penetration testing

Test your FortiSandbox to try to gain unauthorized access, or hire a penetration testing company to verify your work.

Trusted Hosts

Limit access to the FortiSandbox to a management interface on a management network. Trusted hosts can also be used
to specify the IP addresses or subnets that can log in to the FortiSandbox. When authenticating to the FortiSandbox,
implement two-factor authentication (2FA). This makes it significantly more difficult for an attacker to gain access to the
FortiSandbox.

Limit login users' access rights

The features that a login user can access should be limited to the scope of that user's work to reduce possible attack
vectors. The admin profile tied to the user account defines the areas on the FortiSandbox that the user can access, and
what they can do in those areas. The list of users with access should be audited regularly to ensure that it is current.

Other recommended actions users can take

The following general administrative settings are recommended:

- Set the idle timeout for login users to a low value, preferably less than ten minutes.
- On the Interfaces page, limit access rights for network ports.
- Replace the certificate that is offered for HTTPS access with a trusted certificate that has the FQDN or IP address of
the FortiSandbox.
- Do not use shared accounts to access the FortiSandbox. Shared accounts are more likely to be compromised, are
more difficult to maintain as password updates must be disseminated to all users, and make it impossible to audit
access to the FortiSandbox.
- Set an encryption key for backed-up configuration files with the CLI command set-cfg-backup-key.

Advanced procedures

These topics contain advanced best practices to help you make better use of FortiSandbox.
- Improving scan performance on page 15
- Understanding Inline Block feature on page 16
- Hot-swapping hard disk on page 18
- Recovering system using Rescue Mode on page 19
- Revalidating Windows license key on page 25
- Resetting user’s admin password on page 26
- Resizing the data volume on AWS on page 27
- Resizing the data disk for FortiSandbox on Azure on page 29
- Setting up a FortiSandbox VM00 as Primary node for high availability on page 32

Improving scan performance

A unit processes files at a certain rate, and there are ways to increase its scan capacity. The following suggestions
help to optimize your system's scan performance.
1. Only keep jobs with a clean rating for a short period.
If you are not concerned about processed files with a clean rating, you can configure the system to remove them
after a short period. This saves system resources and improves system performance.
To do that, go to Scan Policy and Object > General Settings and set a short time period in the Delete all traces of
jobs of Clean or Other rating after section.
2. Turn on FortiGuard Pre-Filtering for certain file types.
By default, if a file type is associated with a Windows VM image, all files of that type are scanned inside it.
Sandboxing inside a Windows VM is a slow and resource-intensive process. For information about throughput, see
the FortiSandbox datasheet for your model.
You can enable FortiGuard Pre-Filtering on some file types. When enabled, files of that type are inspected by an
advanced FortiGuard Pre-Filtering engine and only suspicious files are scanned inside a VM. The Log & Report >
File Scan Summary Report > Top File Type > Scanned by Sandboxing page gives you hints on which file types can
skip sandboxing.
Use the CLI command sandboxing-prefilter -e to enable sandboxing pre-filtering.
3. Associate every file type with only one VM type.
In theory, a file should be scanned inside all enabled VM types to get the best malware catch rate. However, to
improve scan performance, every file type should be associated with only one VM type.
4. Allocate clone numbers for each VM type according to the distribution of file types.
Each unit can only prepare a limited number of guest image clones. The number is determined by the installed
Windows license keys. Allocate clone numbers according to the distribution of file types. For example, if there are a
lot of Office files and WIN7X86VM is associated with Office files, you can decrease the clone number of other VM
types and increase the clone number of the WIN7X86VM image.
If there are many pending jobs, use the pending-jobs CLI command or go to Scan Job > Job Queue to check
which file type has the longest queue, and increase the clone number of its associated VM type.

5. Reduce the number of enabled Windows VM types.
Each enabled Windows VM type requires system memory at runtime. The more types are enabled, the less system
memory is available for scanning. This is especially the case when you enable large customized images. To improve
scan performance and clone system stability, we recommend reducing the number of enabled VM types.
6. Do not associate VM types with archive files.
FortiSandbox extracts every file inside an archive and queues each one according to the Scan Profile settings. If the
archive file itself is scanned inside a VM, the archive is opened but the files inside it are not scanned, so sandboxing
the archive itself is not effective in detecting malware. Therefore we recommend not associating VM types with
archive files.

Understanding Inline Block feature

The Inline Block feature allows the FortiGate fabric integration to perform inline blocking of known and unknown
malware. This feature was introduced in FortiSandbox 4.2.0 and FortiOS 7.2.0.
To configure Inline Block on:
- FortiSandbox, see Inline Block Policy.
- FortiGate, see FortiSandbox inline scanning. Make sure that the Inspection Mode is set to proxy.
When Inline Block is enabled, FortiGate holds part of the file until the FortiSandbox has provided its rating. The
FortiSandbox runs a series of Static Scan modules:
- The Active Content check searches for any executable code, macros, and scripts.
- Pre-filtering is a Scan Profile configuration.
- The FortiSandbox Community Cloud check queries FortiGuard for submissions by other FortiSandbox devices
worldwide that contribute to the community.
- The Static Scan engines are the Antivirus and AI engines, using pattern matching and models.
In most cases, these scans only take a few seconds.
When the FortiSandbox determines that a Dynamic Scan is required, the turnaround time may be a minute for Office
and PDF files and a few minutes for executable files.

Considerations

Office and PDF files

The FortiSandbox 2000E and higher models allow the Dynamic Scan timeout to be lowered. We recommend lowering
the timeout to 45 seconds (or as low as 30 seconds) so that the FortiSandbox can provide the rating within the time
limit expected by the FortiGate. This is configured on the Scan Profile > Advanced tab.

Executable files

FortiSandbox scans executable files thoroughly by sending them through its Static AI and Dynamic AI Analysis stages.
If FortiSandbox can provide a rating to the FortiGate based on static AI analysis, the file can be allowed if rated clean
or blocked if rated suspicious. If the FortiSandbox needs to continue with dynamic AI analysis, it notifies the FortiGate
that it requires more time. Meanwhile, the FortiGate takes action on the file based on its own configuration. The
default FortiGate setting is to allow download of the file on a timeout or scan error from FortiSandbox. The
configuration can be changed to block the file with a replacement message so that the user can try downloading it
again later. When the user tries again, FortiSandbox will already know the rating and should be able to respond
quickly.

Other considerations:

- Inline Block relies on the resources of the FortiSandbox to be able to quickly bring up the VMs for Dynamic Scan.
Only the following models can meet the resource requirement: 3000F, 3000E, and 2000E. Other deployment models
may meet the requirement depending on their current capacity.
- Enable sandboxing prefiltering on all file types with the CLI command sandboxing-prefiltering. Enable the
sandboxing cache with the CLI command sandboxing-cache.
- Review the capacity of the FortiSandbox based on the Scan Performance widget and dashboard. If the pending
time is too high, monitor and evaluate whether the current deployment needs additional FortiSandbox units.

Hot-swapping hard disk

If a hard disk on a FortiSandbox unit fails, it must be replaced. FortiSandbox devices support hardware RAID, and the
hard disk can be replaced while the FortiSandbox unit is running, also known as hot-swapping.
The following table shows the RAID level on different models.

FortiSandbox model    RAID level
FSA-500F              N/A
FSA-1000F/-DC         RAID-1
FSA-2000E             RAID-1
FSA-3000E             RAID-10
FSA-3000F             RAID-10

To identify which hard disk failed, the following diagnostic commands are available:

hardware-info      Display general hardware status information. Use this command to view CPU,
                   memory, disk, and RAID information, and system time settings.
disk-attributes    Display system disk attributes.
disk-errors        Display any system disk errors.
disk-health        Display disk health information.
disk-info          Display disk hardware status information.
raid-hwinfo        Display RAID hardware status information.

To hot-swap a hard disk on a device that supports hardware RAID, simply remove the faulty hard disk and replace it.

Electrostatic discharge (ESD) can damage FortiSandbox equipment. Only perform the
procedures described in this document from an ESD workstation. If no such station is
available, you can provide some ESD protection by wearing an anti-static wrist or ankle strap
and attaching it to an ESD connector or to a metal part of a FortiSandbox chassis.
When replacing a hard disk, you need to first verify that the new disk has the same size as
those supplied by Fortinet and has at least the same capacity as the old one in the
FortiSandbox unit. Installing a smaller hard disk will affect the RAID setup and may cause data
loss. Due to possible differences in sector layout between disks, the only way to guarantee
that two disks have the same size is to use the same brand and model.
The size provided by the hard drive manufacturer for a given disk model is only an
approximation. The exact size is determined by the number of sectors present on the disk.

The FortiSandbox unit will automatically add the new disk to the current RAID array. The status appears on the console.
The RAID Management page will display a green checkmark icon for all disks and the RAID Status area will display the
progress of the RAID re-synchronization/rebuild.

Once a RAID array is built, adding another disk with the same capacity will not affect the array
size until you rebuild the array by restarting the FortiSandbox unit.

Recovering system using Rescue Mode

Rescue Mode provides the ability to boot using a method other than the system's boot loader or hard drive when a
failure is encountered. Using Rescue Mode through the console port, you can restore the system using a firmware
image located on an external server or USB drive.

Main menu

To access the Rescue Mode feature, first log in to the FortiSandbox from the console port and open the CLI window.
Execute the CLI command reboot, then respond yes [y] when prompted to enter Rescue Mode. The console will
disconnect, and after one or two minutes the rescue menu will be displayed. If no option is selected within 10 seconds,
the system continues to boot normally.

The options are Q, G, W, T, U, I, F, C, or H.

- Q quits the menu and continues to boot into the FortiSandbox system.

Retrieving the firmware image from the TFTP server

Entering G from the main menu opens a sub-menu with options for retrieving and upgrading the firmware image from
the TFTP server.
- Enter C from this sub-menu to configure the network and image parameters.

Enter R to review the parameters.

Enter N to test the network.

Enter T to download and install the new image; the FortiSandbox will reboot automatically.

Once successfully booted up, you can log in again with your username and password.

Retrieving the firmware image from the HTTP server

Entering W from the main menu opens a sub-menu with options for retrieving and upgrading the firmware image from
the HTTP server.
- Enter C from this sub-menu to configure the network and image parameters.

Enter R to review the parameters.

Enter N to test the networking.

Enter T to download and install the new image; the FortiSandbox will reboot automatically.

Once successfully booted up, you can log in again with your username and password.

Retrieving the firmware image from the FTP server

Enter T from the main menu to retrieve and upgrade the firmware image from the FTP server.
- Enter C to configure the network and image parameters.

Enter R to review the parameters.

Enter N to test the networking.

Enter T to download and install the new image; the FortiSandbox will reboot automatically.

Once successfully booted up, you can log in again with your username and password.

Retrieving the firmware image from a USB drive

Enter U from the main menu to retrieve and upgrade the firmware image from a USB drive; the FortiSandbox will reboot
automatically.

FortiSandbox VM and KVM products do not support USB options.

Enter F to format the device data.

When formatting, all the data on the data device will be lost, such as Windows VMs and log
files. After the data device is formatted, installed VMs need to be installed and activated again.
Data such as the configuration files on the boot device and the Windows VM license files will
not be lost.

Enter I to show the current system information.

Enter C to check the device's file system information.

- Enter B to check boot device information.

- Enter D to check data device information.

Revalidating Windows license key

FortiSandbox requires its Windows licenses to be reactivated if the system has been altered. For reactivation, Microsoft
only provides an activation process by phone.

To revalidate and reactivate a Windows license key:

1. In FortiSandbox, go to the System Event log to get the installation ID and key.
The System Event log lists all failed activations.
2. Search for Failed to activate. For example:
2021-05-01 13:10:52 VMINIT: WIN7X64VM Windows activation error message:
Failed to activate Windows with key XBBQP-39J47-HFDWW-Y4XJD-XXXXX:
015883135155791636357353814274721005003805545726714080, 0x80072F8F

In this example, the installation ID is 015883135155791636357353814274721005003805545726714080
and the key is XBBQP-39J47-HFDWW-Y4XJD-XXXXX.
3. Select one pair of installation ID and key for each failed VM type, and perform the following steps to activate it.
You don’t need to activate all keys; you only need to activate one key for each failed VM type.
4. Call the Microsoft 24-hour automated system to get a confirmation ID:
Canada/US: 1-888-725-1047
Japan: 0120-801-734
France: 0 805 11 02 35
The automated system will ask you to input the ID (6 characters at a time) and ask some questions about the
activation. After that, the system will provide a confirmation ID which will be in a similar format.
5. Go to the FortiSandbox CLI console and use the confirm-id command to add the confirmation ID. For example:
confirm-id -a -kGGC2J-Q9M7J-8KKBH-342FP-XXXXX
-c042532258754869596628901610621951021013844450525

Confirmation ID has been added.

6. Confirm that the entry has been handled by the FSA and the ID is activated:

confirm-id -l
GGC2J-Q9M7J-8KKBH-342FP-XXXXX 042532258754869596628901610621951021013844450525


7. Repeat the above steps to get a confirmation ID and activate it for each failed VM type.
8. To load the activated IDs, reboot your device.
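As an added example (not part of this guide), the following Python script pulls the installation ID and key out of exported System Event log text as described in steps 1 to 3, keeps only the most recent pair per failed VM type, and splits the installation ID into the 6-character groups the automated phone system asks for in step 4. The log text is constructed: the WIN7X64VM record reuses the masked key and installation ID shown above, while the WIN10X64VM record and its installation ID are invented sample values.

```python
"""Pick one (key, installation ID) pair per failed VM type from FortiSandbox
System Event log text.

Added example, not part of the FortiSandbox guide. The log text below is a
constructed sample: the WIN7X64VM record reuses the masked key and
installation ID shown in the guide; the WIN10X64VM record and its
installation ID are invented.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export of the System Event log. Records may wrap across
# lines the way they do in the guide's example.
SAMPLE_LOG = """\
2021-05-01 13:05:10 VMINIT: WIN7X64VM Windows activation started
2021-05-01 13:10:52 VMINIT: WIN7X64VM Windows activation error message:
Failed to activate Windows with key XBBQP-39J47-HFDWW-Y4XJD-XXXXX:
015883135155791636357353814274721005003805545726714080, 0x80072F8F
2021-05-01 13:12:03 VMINIT: WIN10X64VM Windows activation error message:
Failed to activate Windows with key GGC2J-Q9M7J-8KKBH-342FP-XXXXX:
123456789012345678901234567890123456789012345678901234, 0x80072F8F
2021-05-01 13:20:41 VMINIT: WIN7X64VM Windows activation error message:
Failed to activate Windows with key XBBQP-39J47-HFDWW-Y4XJD-XXXXX:
015883135155791636357353814274721005003805545726714080, 0x80072F8F
"""

# One "Failed to activate" record: timestamp, VM type, 25-character product
# key, numeric installation ID and the Windows error code.
_FAIL_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) VMINIT: (?P<vm>\S+) "
    r"Windows activation error message:\s*Failed to activate Windows with key "
    r"(?P<key>[A-Z0-9]{5}(?:-[A-Z0-9]{5}){4}):\s*(?P<iid>\d+),\s*"
    r"(?P<code>0x[0-9A-Fa-f]+)"
)


def failed_activations(log_text: str) -> List[Dict[str, str]]:
    """Return every failed-activation record found in the log text."""
    return [m.groupdict() for m in _FAIL_RE.finditer(log_text)]


def one_per_vm_type(records: List[Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Keep the most recent (key, installation ID) per VM type.

    Only one key per failed VM type has to be activated, so later records
    for the same VM type replace earlier ones (timestamps sort lexically).
    """
    latest: Dict[str, Dict[str, str]] = {}
    for rec in records:
        if rec["vm"] not in latest or rec["ts"] > latest[rec["vm"]]["ts"]:
            latest[rec["vm"]] = rec
    return {vm: (rec["key"], rec["iid"]) for vm, rec in latest.items()}


def phone_groups(installation_id: str, size: int = 6) -> List[str]:
    """Split the installation ID into the groups read to the phone system."""
    return [installation_id[i:i + size]
            for i in range(0, len(installation_id), size)]


if __name__ == "__main__":
    for vm, (key, iid) in one_per_vm_type(failed_activations(SAMPLE_LOG)).items():
        print(f"{vm}: key {key}")
        print("  installation ID groups:", " ".join(phone_groups(iid)))
```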

Resetting user’s admin password

This procedure requires rebooting the FortiSandbox unit.


You can reset the admin password if you have physical access to the device and the following tools:
l Console cable.
l Terminal software such as Putty.exe (Microsoft Windows) or Terminal (Mac OS X).
l Serial number of the FortiSandbox device.

To reset the user’s admin password:

1. Connect the computer to the FortiSandbox via the console port on the back of the unit.
2. Start a terminal emulation program on the management computer.
3. Select the COM port and use the following settings:

Speed (baud) 9600

Data bits 8

Stop bits 1

Parity None

Flow Control None

4. Press Open to connect to the FortiSandbox CLI.


5. FortiSandbox responds with its name or hostname. If it does not, press Enter.
6. Reboot the FortiSandbox using the power button.
7. Wait for the FortiSandbox name and login prompt to appear.
8. Type the username: maintainer.
9. The password is bcpb + the serial number of the device. The letters of the serial number must be in uppercase.
You are now connected to the FortiSandbox.
10. To change the admin password, enter the CLI command for your version:

v3.2.2 and later: reset-admin-pwd

v3.2.0 and earlier: admin-pwd-reset <password_string>

11. Log into the FortiSandbox using admin and the password you set in the previous step.

You can disable this maintainer user using the set-maintainer command. See the
FortiSandbox CLI Reference Guide in the Fortinet Document Library.


Resizing the data volume on AWS

Before proceeding, back up all the data you need as all data is lost in resizing.
Resizing without data loss is not currently supported.

To resize the data volume on AWS:

1. Stop the FortiSandbox AWS instance. Ensure the instance is stopped from the AWS EC2 console.
2. Go to AWS EC2 console > ELASTIC BLOCK STORE > Volumes and click Create Volume.

3. Specify the volume settings and click Create Volume:
l For Volume Type, select General Purpose SSD (gp2).
l Enter a Size (GiB).
l Optionally, add tags.


4. To detach the current FortiSandbox AWS data volume, select the current FortiSandbox AWS data volume and go to
Actions > Detach Volume.


5. Select the volume you just created and go to Actions > Attach Volume.

6. Select the FortiSandbox AWS instance ID and in the Device field, enter /dev/sdb. Then click Attach.

7. Go to AWS EC2 > Instances and select the FortiSandbox AWS instance. In the Description at the bottom, go to
Block devices and select /dev/sdb, then check the size of the new volume you just attached.
8. Start the AWS instance.
9. Run the CLI command status and verify that the Disk Size is correct.

Resizing the data disk for FortiSandbox on Azure

Use the Size + performance settings to maintain the data disk of FortiSandbox on Azure, and monitor disk usage to
ensure the data disk does not fail.


Scenario 1: Resize the FSA data disk without data loss, before the disk fails

1. On the Azure Portal, stop the FortiSandbox instance.


2. Go to FSA Virtual Machine > Overview > Disks > datadisk > Size + performance.


3. Expand Disk SKU and click Resize.

4. Refresh the Azure Portal and ensure the disk size has been updated.
5. On the Azure Portal, start FortiSandbox.

6. Run the following CLI command: resize-hd


7. After FortiSandbox reboots, run the CLI command status to verify the Disk Size is correct.

Scenario 2: Detach/Attach a new FortiSandbox data disk without losing data

1. On the Azure Portal, stop the FortiSandbox instance.


2. Go to Data disk > Create snapshot.

3. Use the snapshot to create a data disk and set the size to 256G or more if needed.

4. Detach the old data disk.

5. Attach the new data disk you created from the snapshot.

6. Refresh the Azure Portal, and confirm the disk has been updated.
a. Run the CLI command: resize-hd.
b. After FortiSandbox reboots use the CLI command status to verify the Disk Size is correct.

Setting up a FortiSandbox VM00 as Primary node for high availability

A popular FortiSandbox HA-cluster deployment is based on using FortiSandbox VM00 as a Primary node and one or
more FortiSandbox appliances or virtual machines as Worker nodes. A second FortiSandbox VM00 as a Secondary
node is highly recommended to make Sandboxing services fault tolerant and configuration simpler.


To set up and operate a healthy and scalable cluster with VM00:

1. H/W requirements of Primary and Secondary nodes:
l Minimum configuration: 4 vCPU, 8 GB RAM and a 200 GB SSD drive.
l Recommended configuration: 16 vCPU, 32 GB RAM and a 1 TB SSD drive.
2. Network setup:
l Make sure that the network topology, routing and DNS settings of the Primary and Secondary nodes are the same.
l Configure a cluster-level failover IP on all ports to provide Sandboxing accessibility (admin-port, api-port, ICAP
and MTA/BCC ports).
l Enable Promiscuous mode in the hypervisor settings (if applicable) to ensure correct operation of the failover IP.
3. Configuration of Primary and Secondary nodes:
l Do not install Windows VMs on these nodes. If these nodes already have them installed, set the VM clone number
to zero (0).
4. Licenses:
l Make sure to acquire a Sandbox Threat Intelligence subscription for all the nodes.
l Additional licenses (such as Windows, Office and Custom VM) are not required on either the Primary or the
Secondary node.

Troubleshooting guidelines

The following topics show guidelines on troubleshooting your system.


l Troubleshooting Dashboard warnings on page 34
l Troubleshooting system resource issues on page 36
l Troubleshooting cloning issues on page 37
l Troubleshooting the Job Queue on page 38
l Troubleshooting NetShare issues on page 38
l Troubleshooting detection issues on page 39

Troubleshooting Dashboard warnings

In the Dashboard, the color of the Connectivity and Services icons indicates their status. When FortiSandbox is fully
operational, the icons are green. When FortiSandbox detects a potential issue, the icons are yellow.

This topic provides troubleshooting recommendations for the following services:


l Windows VM
l FortiGuard connectivity servers
l VM Internet access

Windows VM

When a Windows VM is initializing, it is normal for the yellow icon to be displayed in the Dashboard. If the yellow icon
persists, the Windows VM was not initialized successfully.

To troubleshoot a Windows VM:

Issue: VM image not installed
Recommendations: Go to Scan Policy and Object > VM Settings, or run the following CLI command to display the
installed VM images:
vm-status -l
Description: Verify that Windows VM images are installed, at least one is enabled, and the clone number is not zero.

Issue: Invalid Windows license key
Recommendations: Run the following CLI command:
vm-license -l
Description: Check that a Windows 8 image in the Optional VMs group is enabled. If not, a valid Windows 8 key should be
purchased and installed.

Issue: Microsoft server failed to activate
Recommendations: Go to Log & Report > Events > VM Events or All Events.
Description: Verify the logs from the time of the system boot-up. For example, errors from the Microsoft activation
server may help you find the cause of the failed activation.

FortiGuard connectivity servers

FortiGuard connectivity servers include FDN update, community cloud, or web filtering.

To troubleshoot connectivity servers:

Issue: Invalid Antivirus DB and Web Filtering Contracts
Recommendations: Go to Dashboard > Status.
Description: Verify the Antivirus DB Contract and Web Filtering Contract on the Dashboard are valid. If the contracts are
valid, the unit may have a bad network connection to external FortiGuard services.

Issue: The network is blocking the ping
Recommendations: Run the CLI command: test-network
Description: This provides detailed information about the network condition. Sometimes the network is blocking the
ping and errors about the ping are expected. The output shows connection speed and connectivity to related servers.

Issue: Firewall is blocking the web filtering query service
Recommendations:
1. Take the web filtering server IP (available in the @@@ testing Web Filtering @@@ part of the test-network
command output).
2. Go to System > FortiGuard.
3. Use the IP and port 8888 to override the web filtering server.
Additionally, enable Use override server port of the community cloud server query and select port 8888 in the
Community Cloud & Threat Intelligence Settings section.
Description: Check to see if the firewalls are configured to block packets to UDP port 53. This blocks the web filtering
query.


VM Internet access

A yellow icon means the Windows VM cannot access the Internet through port3. This affects the catch rate even if
FortiSandbox has a SIMNET feature. For example, the Downloader type for malware needs access to an outside
network to download a malicious payload.

To verify the VM is using port3 to connect to the Internet:

1. Go to Scan Policy and Object > General Settings.
l Verify Allow Virtual Machines to access external network through outgoing port is enabled.
l Verify the Gateway is valid and can access the Internet.
If no DNS server is set, the system DNS is used.

2. Run the following command to show the network condition through port3:
test-network

Troubleshooting system resource issues

High CPU or memory usage might indicate a shortage of resources or system-wide issues.

To troubleshoot system issues:

Issue: Increased submissions
Recommendation: Go to Security Fabric > Device.
Description: Check to see if there are any recently added devices or increases in submissions from devices.

Issue: System configuration
Recommendation: Go to Dashboard > Status > System Information widget.
Description: Check for recent changes to the system configuration.

Issue: System usage
Recommendation: Go to Dashboard > Status > System Resources widget.
Description: Check the CPU, Memory, and Disk Usage reports.

Issue: Large pending queue
Recommendation: Go to Scan Job > Job Queue.
Description: Check for large pending jobs. For information, see Troubleshooting the Job Queue on page 38.

Issue: System-wide issues
Recommendation: Run the tac-report CLI command to execute a series of CLI commands for a comprehensive report.
Description: Check the output for possible issues, especially the output of status and diagnose-sys-top.

If you cannot resolve the issue and you need to contact technical support at https://support.fortinet.com, provide the
above information to help with troubleshooting.

Troubleshooting cloning issues

This topic provides troubleshooting guidelines when FortiSandbox fails to finish cloning a custom image.

To troubleshoot this issue:

1. Log in as an Admin user.


2. Go to Scan Policy and Object > VM Settings and change all other VM types' clone # to 0, and the failed one
(customized image) to 1.
3. Click Apply to trigger the cloning.
4. Click the VM Screenshot button on this page. In the dialog box, keep clicking the VM Screenshot button of the failed
VM.
5. Click the PNG Link image icon to show the screenshot. The image might provide the reason for the failure.

Common reasons for failure:

Reason: The custom image is too large for the amount of system memory
Solution:
l Reduce the size of the custom image with the Windows Disk Defragmentation tool, or
l Reduce the clone number.

Reason: The customized image license is deactivated
Solution: Activate the customized image license.

Reason: The system is not configured properly
Solution: See the FortiSandbox Cloud Deployment Guide in the Fortinet Document Library.


Troubleshooting the Job Queue

When there is a backlog of scans in the Job Queue or the jobs have stopped or stalled, the queue may be saturated or
the jobs may need to be adjusted.

To troubleshoot scans in the Job Queue:

Issue: Scan is processing with errors
Recommendations: Go to Log & Report > Summary Report > Top File Type > Scanned by Sandboxing.
Description: View the logs to check if the scan is still processing with errors. If it is, this usually means most jobs are
entering the VM and the Scan Profile should be adjusted. The logs can provide clues about which file type should skip
sandboxing.

Issue: Queue is saturated
Recommendations: Go to Scan Input > Job Queue.
Description: Click the Load Chart of each VM type to see if it is saturated. If it is saturated, allocate a higher clone
number to it.

Issue: VM errors
Description: View the logs to see if there are VM-related errors. VM-related errors might mean the VM clones are
corrupted and cannot be recovered. In this case, the clones need to be rebuilt. To do that, change any clone number in
VM Images and click Apply. Wait a few moments, then change the clone number back and click Apply again.

If the above does not resolve the issue, you need advanced troubleshooting that requires a debug package. Contact
technical support at https://support.fortinet.com.

Troubleshooting NetShare issues

NetShare issues may occur in older versions of FortiSandbox or when the unit does not have the correct permissions.


To troubleshoot general NetShare scan issues:

1. Ensure you are running version 3.1.1 or above.
2. Check the following:
l Review the configuration, as configuration mistakes are a common cause.
l Check the output of diagnose-debug netshare to inspect the scan process.

NFSv4 error

When Network Share is enabled in NFSv4, the Kernel log may display messages such as NFS: state manager: check
lease failed on NFSv4 server x.x.x.A with error 13.
In NFSv4, code 13 means Permission denied. The caller does not have the correct permission to perform the requested
operation.

To troubleshoot this error:

l Check the /etc/exports file on the server side to make sure the FortiSandbox unit has the correct permissions
for the Network Share folder.
If the above does not resolve the issue, you need advanced troubleshooting that requires a debug package. Contact
technical support at https://support.fortinet.com.
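As an added example (not part of this guide), the following Python script performs the /etc/exports check above from the server side: it parses the exports file and reports which entry, if any, covers the FortiSandbox unit's IP for the Network Share path, so an "error 13" can be traced to a missing or read-only entry before a debug package is needed. The share paths, addresses and exports content are constructed sample values, and the first-match rule is an assumption noted in the code.

```python
# Added example (not part of the FortiSandbox guide): parse the server-side
# /etc/exports that the NFSv4 "error 13" section points at and report which
# entry, if any, grants the FortiSandbox unit access. All values are constructed.
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/exports; replace with the file from the NFS server.
SAMPLE_EXPORTS = """\
# exports(5) format: <path> <client>(<options>) [<client>(<options>) ...]
/srv/netshare   10.0.10.0/24(rw,sync,no_subtree_check) 192.0.2.25(ro,sync)
/srv/quarantine 192.0.2.25(rw,sync,no_root_squash)
/srv/public     *(ro)
"""

# Splits "client(opt1,opt2)" or a bare "client" into spec and option string.
_ENTRY_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Map each export path to its [(client_spec, [options]), ...] list."""
    exports: Dict[str, List[Tuple[str, List[str]]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for token in clients:
            m = _ENTRY_RE.fullmatch(token)
            spec, opts = m.groups() if m else (token, None)
            entries.append((spec, [o for o in (opts or "").split(",") if o]))
        exports[path] = entries
    return exports


def spec_matches(spec: str, client_ip: str) -> bool:
    """True if a client spec (single IP, CIDR network or '*') covers client_ip.
    Hostname and wildcard-hostname specs are not resolved here."""
    if spec == "*":
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
        if "/" in spec:
            return ip in ipaddress.ip_network(spec, strict=False)
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False


def check_access(exports_text: str, path: str, client_ip: str,
                 need_write: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for client_ip on path.
    Assumption: the first entry on the line that covers the client decides
    (newer exports(5) versions rank spec types instead, so confirm on the
    server); an entry without "rw" is treated as read-only."""
    entries = parse_exports(exports_text).get(path)
    if entries is None:
        return False, f"{path} is not exported"
    for spec, opts in entries:
        if spec_matches(spec, client_ip):
            shown = ",".join(opts) or "defaults"
            if need_write and "rw" not in opts:
                return False, f"matched {spec} but export is read-only ({shown})"
            return True, f"matched {spec} ({shown})"
    return False, f"no entry on {path} covers {client_ip} (expect NFS error 13)"
```

Run check_access with the FortiSandbox unit's IP and the Network Share path; a False result names the entry that is missing or read-only.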

Troubleshooting detection issues

Trace a file

Trace a file to follow the file's route. This is useful when you want to confirm that files are using the route you expect them
to take on your network.
To trace a file, you need to know either its checksum or file name.

To trace a file with the checksum:

In the Log & Report > Events > All Events page, put the file’s checksum or name in the Message filter.

To trace a file within a time range:

1. Go to the Scan Job > File Job Search page.
2. In the Detection filter, set the time range and then enter the file’s checksum.
3. Click Show Detail to show the job’s detailed information.


Known malware not detected

If a known malware is not detected, check the following:

Issue: Scan profile
Recommendation: Go to Scan Policy and Object > Scan Profile.
Description: Verify the filter settings have not changed. Check the logs to see if the Scan Profile was changed or a new
signature was installed.

Issue: Signature or rating engine
Recommendation: Go to System > FortiGuard.
Description: Check to see if a new AntiVirus Signature, Rating Engine, or Tracer Engine was installed.

Issue: VM settings
Recommendation: Go to Scan Policy and Object > VM Settings.
Description: The malware might not be able to run in certain VMs.

Issue: Network
Recommendation: Go to Log & Report > Network Alerts.
Description: View the logs to see if a network condition was changed.

Issue: Port3 connection
Recommendation: Go to Scan Policy and Object > General Settings.
Description: Check to see if the Port3 connection to the Internet was modified.

Issue: Firmware
Recommendation: Go to Dashboard > Status > System Information widget.
Description: Check to see if new firmware was installed.

Issue: Execution condition
Recommendation: Go to Scan Policy and Object > Global Network.
Description: If Global Network is enabled, check to see if the malware execution condition was changed, such as a
C&C server being down, a time bomb, etc.

Issue: Verdicts
Recommendation: Go to:
l Scan Policy and Object > Allowlist/Blocklist
l Scan Policy and Object > Yara Rules
l Scan Job > Overridden Verdicts
l Log & Report > Network Alerts
Description: Check the logs for any manually overridden verdicts, white/black list, or YARA rule modifications. The
Detailed Report in Network Alerts shows how the file was rated. You can also compare the report with a previous
version to troubleshoot further.

Issue: Interface
Recommendation: Go to System > Interfaces.
Description: Verify the path for the port3 next hop gateway for the policy is clean.

Issue: Other
Recommendation:
l Try an On-Demand scan of the malware and use the VM Interaction and Scan video features.
l Contact Fortinet Support for possible rating/tracer engine bugs.
l Report to [email protected] for further investigation.

Change Log

Date Change Description

2022-04-12 Initial release.

2022-04-22 Added Setting up a FortiSandbox VM00 as Primary node for high availability on page 32.

2022-08-04 Added Hardening on page 12.

2022-10-24 Updated Understanding Inline Block feature on page 16.

2022-01-11 Updated Resetting user’s admin password on page 26.

2023-04-07

www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
