FortiSandbox v4.4.0 Release Notes


Release Notes

FortiSandbox 4.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://www.fortiguard.com

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

July 10, 2023


FortiSandbox 4.4.0 Release Notes
34-440-805708-20230710
TABLE OF CONTENTS

Change Log
Introduction
  Supported models
New features and enhancements
  GUI
  Fabric integration
  Scan
  System & Security
  Logging & Reporting
  API
  CLI
Upgrade Information
  Before and after any firmware upgrade
  Tracer and Rating Engines
  Upgrade path
  Firmware image checksums
  Upgrading cluster environments
  Upgrade procedure
  Downgrading to previous firmware versions
  FortiSandbox VM firmware
  Scan Profile
Product Integration and Support

Fortinet Inc.
Change Log

Date          Change Description
2023-07-10    Initial release.

Introduction

This document provides the following information for FortiSandbox version 4.4.0 build 0349.
• Supported models
• New features and enhancements
• Upgrade Information
• Product Integration and Support
For more information on upgrading your FortiSandbox device, see the FortiSandbox 4.4.0 Administration Guide and
FortiSandbox 4.4.0 VM Install Guide.

Supported models

FortiSandbox:     FSA-3000F, FSA-3000E, FSA-2000E, FSA-1000F-DC, FSA-1000F, and FSA-500F
FortiSandbox-VM:  AWS, Azure, Hyper-V, KVM, VMware ESXi, GCP and OCI

New features and enhancements

The following is a summary of new features and enhancements in version 4.4.0. For details, see the FortiSandbox 4.4.0
Administration Guide in the Fortinet Document Library.

GUI

• Introduced Custom VM upload and updates directly via GUI.
• Enhanced and re-organized the setting-related configurations on System and Scan Profile settings to easily navigate through the menus.
• Enhanced Settings page on Log & Report.
• Enhanced the System Resource widget of the dashboard.
• Enhanced File/URL On Demand page to support adjustable columns.
• Enhanced the FortiClient Security Fabric page by adding filtering and sorting functions and Last Seen column.
• Enhanced the VM Settings page for usability and improved status indicators.
• Enhanced Custom VM to upload meta information for installed applications list.
• Enhanced VM Setting page to combine Windows and MacOS Cloud and separate key counts for local and remote.
• Enhanced the Admin Profile page layout.
• Enhanced configuration and field labels on ICAP Adapter pages.
• Enhanced the Device Security Fabric page by adding filtering and sorting functions and Last Seen column.
• Updated Security statistics on the Scan Performance widget of the dashboard for the 0-day detections.
• Added Inline Block setting on the device page under Security Fabric.
• Added test connection on LDAP configuration for remote admin.
• Added port number field on the FortiAnalyzer device setting for logging.
• Added VM Interaction feature.
• Added auto-refresh on Cluster Management web pages to keep synchronized data among the Primary and Worker nodes.
• Added refresh button on the Job Summary page under HA-Cluster.
• Renamed Scan Timeout labels on Advanced settings under Scan Profile menu for ease of differentiation.

Fabric integration

• Introduced FortiSandbox support on Oracle Cloud Infrastructure (OCI) platform.
• Enhanced ICAP Adapter to support imported certificate.
• Enhanced ICAP Adapter to support modification of default profile for the multiple ICAP feature.
• Upgraded SMB support to v3.1.1 for NetShare Scan feature.


• Added support on application/octet-stream in ICAP Adapter request mode.
• Added support for ICAP return code 202 indicating submission has been accepted.

Scan

• Introduced configurable filetype list for the Inline Block Scan to select and optimize deployment.
• Introduced hold feature on Dynamic Scan for submissions from ICAP adapter.
• Introduced Inline Block via TCP reset on Network Alert feature of Sniffer mode.
• Introduced Office 2021 support via a new Optional VM.
• Introduced prioritization of Netshare Scan jobs including proper user-rights and groupings.
• Introduced QR Code analysis of embedded URLs.
• Introduced Real-Time Anti-Phishing service to identify 0-day Phishing sites.
• Introduced Windows 11 OS support on Dynamic VM Scan.
• Introduced scan support of installer type archive file.
• Enhanced Custom VM setup to allow configuration of CPU and memory settings.
• Upgraded default configuration of embedded URL to enable.
• Upgraded DNS query to use port 3 on URL Scan.
• Upgraded Web Filtering categories to include Terrorism, URL Shortening, Crypto Mining and Potentially Unwanted Program with default risk rating.
• Upgraded Yara engine to v4.2.3.
• Added configuration to define override rating for URL categories such as Phishing.
• Added an option to disable creation of placeholder file on NetShare scan for quarantined file.
• Added an option to configure scan timeout for executable files in addition to the Office and PDF files.
• Added Custom Linux VM on AWS platform.

System & Security

• Introduced Self-Check on configurations, connectivity and services.
• Introduced Single Sign On for admin authentication.
• Enhanced hardware status on MIB and CLI to include the internal temperature, fan, disk and power supply status.
• Enhanced Effective Sandboxing Throughput by 5x to 10x.
• Upgraded System Kernel to latest stable release.
• Upgraded Python code and library to latest stable version.
• Upgraded OpenSSL code and library to latest stable version.
• Upgraded Apache code and library to latest stable version.
• Added database cleanup for the NetShare Scan based on retention.
• Added deletion of the built-in admin account.
• Added admin user type to control access on device groups and netshare submissions.


Logging & Reporting

• Enhanced display settings and renamed fields of the Job Details.
• Enhanced Job Detail report on URL Scan to display the Web Filtering category rating and, if available, the redirected URL.
• Upgraded MITRE ATT&CK support to version 11 used on Job Detail report.
• Added File Type info to the event log.
• Added indicator of using Overflow VMs on the job details.
• Added warning message on GUI and logging when email accounts processed for MTA adapter exceed the license limit.

API

• Introduced file submission from remote and netshare file paths via API.

CLI

• Introduced low-level hard disk format to erase all data while still keeping all default licenses.
• Added a CLI command to display MTA queue.

Upgrade Information

Before and after any firmware upgrade

Before any firmware upgrade, save a copy of your FortiSandbox configuration by going to Dashboard > System
Configuration > Backup.
After any firmware upgrade, if you are using the web UI, clear the browser cache before logging into FortiSandbox so
that web UI screens display properly.

Tracer and Rating Engines

The tracer and rating engines are automatically downloaded by the FortiSandbox from FortiGuard. For air-gapped
mode, the engines are available for download from our Support site.

To download the latest engine:

1. Log in to FortiCloud.
2. In the banner, click Support > Service Updates.

3. On the FortiGuard Updates page, click FortiSandbox and select the OS version.


Upgrade path

FortiSandbox 4.4.0 officially supports the following upgrade path.

If you are upgrading from 4.2.0 – 4.2.3 to 4.2.4, see Scan Profile below.

Upgrade from       Upgrade to
4.2.4              4.4.0
4.2.0 – 4.2.3      4.2.4
4.0.0 – 4.0.2      4.2.0
3.2.3              4.0.2
3.2.0 – 3.2.2      3.2.3
3.1.4              3.2.0
3.0.6 – 3.1.3      3.1.4
3.0.0 – 3.0.5      3.0.6

If you are using KVM or Hyper-V, the upgrade path must be 3.1.3 > 3.2.0, then follow the
upgrade table.
As with all VM upgrades, take a snapshot or make a checkpoint before upgrading.
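
The upgrade table above can be walked mechanically to list every intermediate firmware hop from an installed version to 4.4.0. The following Python sketch is an added example, not Fortinet code; the function names are hypothetical, and it does not model the KVM/Hyper-V exception noted above.

```python
# Added example: plan the firmware hops to FortiSandbox 4.4.0.
# Rows transcribed from the upgrade table: (lowest, highest, upgrade to).
UPGRADE_TABLE = [
    ("3.0.0", "3.0.5", "3.0.6"),
    ("3.0.6", "3.1.3", "3.1.4"),
    ("3.1.4", "3.1.4", "3.2.0"),
    ("3.2.0", "3.2.2", "3.2.3"),
    ("3.2.3", "3.2.3", "4.0.2"),
    ("4.0.0", "4.0.2", "4.2.0"),
    ("4.2.0", "4.2.3", "4.2.4"),
    ("4.2.4", "4.2.4", "4.4.0"),
]
TARGET = "4.4.0"


def parse_version(text):
    """Turn 'X.Y.Z' into a tuple of ints so versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected X.Y.Z, got {text!r}")
    return tuple(int(p) for p in parts)


def upgrade_path(current):
    """Return the ordered (from, to, note) hops needed to reach TARGET.

    Hypothetical helper: raises ValueError when no table row covers the
    version, since the release notes support only the listed paths.
    """
    version = parse_version(current)
    target = parse_version(TARGET)
    hops = []
    while version != target:
        for low, high, nxt in UPGRADE_TABLE:
            if parse_version(low) <= version <= parse_version(high):
                break
        else:
            raise ValueError(f"{current}: no supported path to {TARGET}")
        # Only the 4.2.0 - 4.2.3 row lands on 4.2.4; the notes flag that hop.
        note = "see Scan Profile workaround" if nxt == "4.2.4" else ""
        hops.append((".".join(map(str, version)), nxt, note))
        version = parse_version(nxt)
    return hops


if __name__ == "__main__":
    for src, dst, note in upgrade_path("3.1.2"):
        print(f"{src} -> {dst}  {note}".rstrip())
```
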

After upgrading, FortiSandbox might stop processing files until the latest rating engine is
installed either by FDN update or manually. The rating engine is large so schedule time for the
download.

Every time FortiSandbox boots up, it checks FDN for the latest rating engine.
If the rating engine is not available or out-of-date, you get these notifications:
• A warning message informs you that you must have an updated rating engine.
• The Dashboard System Information widget displays a red blinking No Rating Engine message beside Unit Type.
If necessary, you can manually download an engine package from Fortinet Customer Service & Support.
If the rating engine is not available or out-of-date, FortiSandbox functions in the following ways:
• FortiSandbox still accepts on-demand, network share, and RPC submissions, but all jobs are pending.
• FortiSandbox does not accept new devices or FortiClients.
• FortiSandbox does not accept new submissions from Sniffer, Device, FortiClient, or Adapter.


Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Fortinet Customer Service &
Support portal located at https://support.fortinet.com. After logging in, select Download > Firmware Image Checksums,
enter the image file name including the extension, and select Get Checksum Code.

Upgrading cluster environments

Before upgrading, it is highly recommended that you set up a cluster IP set so the failover between primary (master) and
secondary (primary slave) can occur smoothly.
In a cluster environment, use this upgrade order:
1. Upgrade the workers (regular slaves) and install the new rating and tracer engine. Then wait until the devices fully
boot up.
2. Upgrade the secondary (primary slave) and install the new rating and tracer engine. Then wait until the device fully
boots up.
3. Upgrade the primary (master). This causes HA failover.
4. Install the new rating and tracer engine on the old primary (master) node. This node might take over as primary
(master) node.

Upgrade procedure

When upgrading from 3.1.0 or later and the new firmware is ready, you will see a blinking New
firmware available link on the dashboard. Click the link and you will be redirected to a page
where you can either choose to download and install an available firmware or manually upload
a new firmware.

Upgrading FortiSandbox firmware consists of the following steps:


1. Download the firmware image from the Fortinet Customer Service & Support portal.
2. When upgrading via the CLI, put the firmware image on a host that supports file copy with the SCP or FTP
command. The FortiSandbox must be able to access the SCP or FTP server.
In a console window, enter the following command string to download and install the firmware image:
    fw-upgrade -b -s<SCP/FTP server IP address> -u<user name> -t<ftp|scp> -f<file path>
3. When upgrading via the Web UI, go to System > Dashboard. In the System Information widget, click the Update link
next to Firmware Version. The Firmware Upgrade page is displayed. Browse to the firmware image on the
management computer and select the Submit button.
4. Microsoft Windows Sandbox VMs must be activated against the Microsoft activation server if they have not been
already. This is done automatically after a system reboot. To ensure the activation is successful, port3 of the system
must be able to access the Internet and the DNS servers should be able to resolve the Microsoft activation servers.


Downgrading to previous firmware versions

Downgrading to previous firmware versions is not supported.

FortiSandbox VM firmware

Fortinet provides FortiSandbox VM firmware images for VMware ESXi, Hyper-V, Nutanix, and Kernel Virtual Machine
(KVM) virtualization environments.
For more information, see the VM Installation Guide in the Fortinet Document Library.

Scan Profile

After upgrading to 4.2.4 the VM Association in the Scan Profile changes the CSV extension category from User defined
extension to Office Documents as intended. When a CSV file is scanned by the VM, the CSV file type is displayed as
userdefined in the Job Detail.

To work around this issue after upgrade:

1. Go to Scan Policy and Object > Scan profile.


2. Click the VM Association tab and remove csv from the Office documents category.
3. Click Save.
4. Add csv back to the Office documents category and click Save.
5. Submit a csv file to be scanned. The file type will display 'csv' in the Job Detail.

Product Integration and Support

The following table lists FortiSandbox 4.4.0 product integration and support information.

Web browsers
• Google Chrome version 114
• Microsoft Edge version 114
• Mozilla Firefox version 114
Other web browsers may function correctly but are not supported by Fortinet.

FortiOS/FortiOS Carrier
• 7.4.0
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiAnalyzer
• 7.4.0
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiManager
• 7.4.0
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiMail
• 7.4.0
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiClient
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiEMS
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.2.0 and later

FortiADC
• 7.2.0 and later
• 7.1.0 and 7.1.1
• 7.0.0 and 7.0.3
• 6.2.0 and later


• 6.1.0 and later
• 6.0.0 and later
• 5.4.0 and later
• 5.3.0 and later

FortiProxy
• 7.2.1 and later
• 7.0.0 and later
• 2.0.0 and later
• 1.2.3 and later

FortiWeb
• 7.2.0 and later
• 7.0.0 and later
• 6.4.0 and later
• 6.3.5 and later
• 6.3.2 and later
• 6.2.0 and later

FortiIsolator
• 2.4.3

FortiEDR
• 5.2.0 and later

AV engine
• 00006.00285

FortiSandbox System tool
• 04004.00039

Traffic Sniffer Engine
• 00007.00169

Virtualization environment
• VMware ESXi: 5.1, 5.5, 6.0, 6.5, 6.7, and 7.0.1.
• KVM: Linux version 4.15.0 qemu-img v2.5.0
• Microsoft Hyper-V: Windows server 2016 and 2019

www.fortinet.com

Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
