Chapter 15 Unified Threat Management for FortiOS 5.0 : AntiVirus : Advanced Persistent Threat (APT) protection : FortiGuard Sandbox (in the cloud sandboxing, zero day threat analysis and submission)
  
FortiGuard Sandbox (in the cloud sandboxing, zero day threat analysis and submission)
In a Proxy Mode antivirus profile, enabling Send Files to FortiGuard Sandbox for Inspection causes your FortiGate unit to upload files to FortiGuard, where each file is executed and the resulting behavior analyzed for risk. You have the choice of uploading all files or only the suspicious ones. If the file exhibits risky behavior or is found to contain a virus, a new virus signature is created and added to the FortiGuard antivirus signature database. The next time your FortiGate unit updates its antivirus database it will have the new signature.
Currently, a file is considered suspicious if it does not contain a known virus and if it has some suspicious characteristics. The suspicious characteristics can change depending on the current threat climate and other factors. Fortinet optimizes how files are uploaded as required.
 
The FortiGuard Sandbox feature is available if you have a valid FortiCloud subscription. To verify whether or not a subscription is associated with your FortiGate, go to System > Dashboard > Status and check the License Information widget in the FortiCloud subsection.
Figure 306: Enabling FortiGuard Sandbox in an Antivirus Profile
On the FortiGate, there are two ways to verify that files are being uploaded to the FortiCloud Sandbox. The first is to go to System > Config > FortiSandbox. This window is for configuring whether the FortiGate unit is to use the FortiCloud Sandbox or a FortiSandbox Appliance, but it also shows the statistics of files submitted to the Sandbox over the last seven days.
The second method is to go to System > Dashboard > Status and view the Advanced Threat Protection Statistics dashboard widget. This widget shows essentially the same information. This widget is not one of the default ones, so you will have to add it to the Dashboard.
Figure 307: Example Advanced Threat Protection Statistics widget showing Sandbox submissions
To view information relating to the Antivirus function from the FortiCloud side, go to System > Dashboard > Status and look at the License Information widget. In the FortiCloud subsection, on the Account line, select the Launch Portal link. Once at the portal, select the icon for the specific FortiGate whose information you want to view.
Under the Logs & Archives tab of the menu bar you will find the UTM option. Once this option is selected, you will have the option of choosing AntiVirus. The site will display records within the designated time frame that refer to AntiVirus events recorded by the logs.
Figure 308: Example view of FortiCloud’s AntiVirus logs
In addition to the normal UTM logs, a new menu item appears in the top menu bar when your FortiGate is configured to submit files to the FortiSandbox. This page on the site displays more granular information on files with viruses that are submitted by your FortiGate unit. This information includes:
Date and Time
File Name
User Name
Service
Source IP
Destination IP
Vdom
Analysis
URL
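The per-file records above are what an analyst works from after a sandbox verdict comes back: which host fetched the file, over which service, and what the analysis concluded. The following script is an added example, not Fortinet code or a FortiCloud export format. It uses the column names listed above, but the CSV layout, the verdict strings ("Malicious", "Suspicious", "Clean") and the sample rows are constructed assumptions; it groups risky verdicts by source IP so that repeatedly affected hosts can be identified for follow-up.

```python
"""Triage constructed FortiCloud sandbox records by verdict and source host.

Added example, not Fortinet code. The field names follow the columns listed
on the page (Date and Time, File Name, User Name, Service, Source IP,
Destination IP, Vdom, Analysis, URL); the CSV layout and the verdict strings
are assumptions, since the page does not specify an export format.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real data). Verdict vocabulary is assumed.
SAMPLE_CSV = """Date and Time,File Name,User Name,Service,Source IP,Destination IP,Vdom,Analysis,URL
2014-03-03 09:12:41,invoice.exe,jdoe,HTTP,10.1.2.15,198.51.100.20,root,Malicious,http://example.test/dl/invoice.exe
2014-03-03 09:14:05,report.pdf,asmith,HTTP,10.1.2.30,198.51.100.21,root,Clean,http://example.test/files/report.pdf
2014-03-03 09:20:17,setup.zip,jdoe,FTP,10.1.2.15,198.51.100.22,root,Suspicious,ftp://example.test/pub/setup.zip
2014-03-03 09:31:59,update.exe,,SMTP,10.1.2.15,198.51.100.23,root,Malicious,
2014-03-03 09:40:00,notes.docx,bwong,HTTP,not-an-ip,198.51.100.24,root,Clean,http://example.test/notes.docx
"""

RISKY_VERDICTS = {"malicious", "suspicious"}  # assumed verdict strings


def parse_records(text):
    """Parse the CSV export into dicts; drop rows whose Source IP does not parse."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["Source IP"] = str(ipaddress.ip_address(row["Source IP"]))
        except ValueError:
            continue  # malformed address: drop rather than mis-attribute the file
        row["Date and Time"] = datetime.strptime(row["Date and Time"], "%Y-%m-%d %H:%M:%S")
        records.append(row)
    return records


def risky_by_host(records):
    """Map each source IP to the risky (Malicious/Suspicious) files it fetched, oldest first."""
    hosts = defaultdict(list)
    for r in sorted(records, key=lambda r: r["Date and Time"]):
        if r["Analysis"].strip().lower() in RISKY_VERDICTS:
            hosts[r["Source IP"]].append(
                (r["Date and Time"], r["File Name"], r["Analysis"], r["Service"])
            )
    return dict(hosts)


def repeat_offenders(records, threshold=2):
    """Source IPs with at least `threshold` risky submissions (candidates for isolation)."""
    return sorted(ip for ip, files in risky_by_host(records).items() if len(files) >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for ip, files in risky_by_host(recs).items():
        print(ip)
        for when, name, verdict, service in files:
            print(f"  {when:%Y-%m-%d %H:%M:%S}  {verdict:<10} {service:<5} {name}")
    print("repeat offenders:", repeat_offenders(recs))
```

Rows with an unparseable Source IP are dropped rather than guessed at, since attributing a malicious download to the wrong host is worse than a gap in the report; the threshold in `repeat_offenders` is a tuning knob, not a value the page prescribes.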