Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiAnalyzer 8.0.0 CLI Reference
    8.0.0
    8.0.0
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.8
    5.6.7
    5.6.7
    5.6.6
    5.6.6
    5.6.5
    5.6.5
    5.6.4
    5.6.4
    5.6.3
    5.6.3
    5.6.2
    5.6.2
    5.6.1
    5.6.1
    5.6.0
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.5
    5.4.4
    5.4.4
    5.4.3
    5.4.3
    5.4.2
    5.4.2
    5.4.1
    5.4.1
    5.4.0
    5.4.0
    5.2.10
    5.2.9
    5.2.9
    5.2.7
    5.2.7
    5.2.6
    5.2.6
    5.2.5
    5.2.5
    5.2.4
    5.2.4
    5.2.3
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.13
    5.0.13
    5.0.11
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    5.0.1
    4.3.0
    4.2.0
    4.1.0
    4.0.0

    mlflow

    mlflow

    Use this command to enable and configure the machine learning flow.

    For more information about the Machine Learning Anomaly Detection feature, see the FortiAnalyzer Administration Guide.

    Syntax

    config system mlflow

    set status {enable | disable}

    config models

    edit <name>

    set status {enable | disable}

    set model-type {login-anomaly | traffic-download-anomaly | traffic-upload-anomaly}

    set train-schedule-range <string>

    set train-repeat-at <string>

    set train-data-days <integer>

    set train-test-days <integer>

    set train-test-sensitivity {high | low | medium}

    set asset-max-count <integer>

    set auto-deploy {enable | disable}

    set inference-interval <integer>

    set artifact-retention <integer>

    set artifact-max-count <integer>

    next

    end

    end

    Variable

    Description

    status {enable | disable}

    Enable or disable the Machine Learning Anomaly Detection feature (default = disable).

    Variables for config models subcommand:

    status {enable | disable}

    Default disable, enable to allow training and inference of mlflow related logic for a specific model.

    model-type {login-anomaly | traffic-download-anomaly | traffic-upload-anomaly}

    Only one of each model-type allowed in config.

    train-schedule-range <string>

    Use system timezone. Start scheduled training after the start time. End scheduled training after end time.

    Training schedule range formats:

    • Continuous training: 'YYYY-MM-DD HH:MM'

      For example: '2025-01-01 00:00'

    • Bounded range: 'YYYY-MM-DD HH:MM -- YYYY-MM-DD HH:MM'

      For example: '2025-01-01 00:00 -- 2026-01-01 00:00'

    Default: Start from current time (continuous).

    train-repeat-at <string>

    Training repeat schedule formats:

    • Daily: 'Daily HH:MM'

      For example: 'Daily 02:00'

    • Weekly: 'Weekly <Day> HH:MM'

      For example: 'Weekly Monday 02:00' or 'Weekly Mon 02:00'

    • Monthly (day of month): 'Monthly <DD> HH:MM'

      For example: 'Monthly 15 02:00' (15th of each month)

    • Monthly (nth weekday): 'Monthly <N> <Day> HH:MM'

      For example: 'Monthly 3 Monday 02:00' (3rd Monday of each month)

    • Interval: '<N>d'

      For example: '7d' (every 7 days)

    Default: 7d (train every 7 days since the start time of train-schedule-range).

    train-data-days <integer>

    Number of days of historical data to use for model training. More training data generally improves model accuracy but increases training time and resource usage (1 - 365, default = 90).

    train-test-days <integer>

    Number of days used for testing the trained model. Must be less than or equal to train-data-days (1 - 90, default = 7).

    During testing, assets that fail to meet the sensitivity criteria are added to the exclusion list.

    train-test-sensitivity {high | low | medium}

    Training test sensitivity.

    • high: High sensitivity. Uses strict criteria during testing, more assets in exclusion list.

    • low: Low sensitivity. Uses lenient criteria during testing, fewer assets in exclusion list.

    • medium: Medium sensitivity. Balanced testing criteria, moderate asset in exclusion list.

    asset-max-count <integer>

    Maximum number of assets to track. Assets include endusers and endpoints depending on the model type. Higher values require more memory and processing resources (100 - 100000, default = 1000).

    auto-deploy {enable | disable}

    Deploy artifact automatically when model is trained on schedule.

    inference-interval <integer>

    Inference interval in minutes (1 - 1440, default = 20).

    Defines how frequently the model analyzes new data for anomalies. Shorter intervals provide faster detection but use more resources.

    Recommended values by model type:

    • login-anomaly: 20 minutes

    • traffic-download-anomaly: 60 minutes (must be multiple of 60)

    • traffic-upload-anomaly: 60 minutes (must be multiple of 60)

    Traffic models require inference-interval to be a multiple of 60.

    artifact-retention <integer>

    Artifact retention period in days (1 - 365, default = 30).

    Artifacts older than this period are automatically deleted. The most recent artifact-max-count artifacts are always retained regardless of age.

    artifact-max-count <integer>

    Maximum number of artifacts to retain per model (1 - 100, default = 10).

    Older artifacts beyond this count are deleted automatically. This limit is enforced regardless of artifact-retention setting.
    Previous
    Next

    mlflow

    mlflow

    Use this command to enable and configure the machine learning flow.

    For more information about the Machine Learning Anomaly Detection feature, see the FortiAnalyzer Administration Guide.

    Syntax

    config system mlflow

    set status {enable | disable}

    config models

    edit <name>

    set status {enable | disable}

    set model-type {login-anomaly | traffic-download-anomaly | traffic-upload-anomaly}

    set train-schedule-range <string>

    set train-repeat-at <string>

    set train-data-days <integer>

    set train-test-days <integer>

    set train-test-sensitivity {high | low | medium}

    set asset-max-count <integer>

    set auto-deploy {enable | disable}

    set inference-interval <integer>

    set artifact-retention <integer>

    set artifact-max-count <integer>

    next

    end

    end

    Variable

    Description

    status {enable | disable}

    Enable or disable the Machine Learning Anomaly Detection feature (default = disable).

    Variables for config models subcommand:

    status {enable | disable}

    Default disable, enable to allow training and inference of mlflow related logic for a specific model.

    model-type {login-anomaly | traffic-download-anomaly | traffic-upload-anomaly}

    Only one of each model-type allowed in config.

    train-schedule-range <string>

    Use system timezone. Start scheduled training after the start time. End scheduled training after end time.

    Training schedule range formats:

    • Continuous training: 'YYYY-MM-DD HH:MM'

      For example: '2025-01-01 00:00'

    • Bounded range: 'YYYY-MM-DD HH:MM -- YYYY-MM-DD HH:MM'

      For example: '2025-01-01 00:00 -- 2026-01-01 00:00'

    Default: Start from current time (continuous).

    train-repeat-at <string>

    Training repeat schedule formats:

    • Daily: 'Daily HH:MM'

      For example: 'Daily 02:00'

    • Weekly: 'Weekly <Day> HH:MM'

      For example: 'Weekly Monday 02:00' or 'Weekly Mon 02:00'

    • Monthly (day of month): 'Monthly <DD> HH:MM'

      For example: 'Monthly 15 02:00' (15th of each month)

    • Monthly (nth weekday): 'Monthly <N> <Day> HH:MM'

      For example: 'Monthly 3 Monday 02:00' (3rd Monday of each month)

    • Interval: '<N>d'

      For example: '7d' (every 7 days)

    Default: 7d (train every 7 days since the start time of train-schedule-range).

    train-data-days <integer>

    Number of days of historical data to use for model training. More training data generally improves model accuracy but increases training time and resource usage (1 - 365, default = 90).

    train-test-days <integer>

    Number of days used for testing the trained model. Must be less than or equal to train-data-days (1 - 90, default = 7).

    During testing, assets that fail to meet the sensitivity criteria are added to the exclusion list.

    train-test-sensitivity {high | low | medium}

    Training test sensitivity.

    • high: High sensitivity. Uses strict criteria during testing, more assets in exclusion list.

    • low: Low sensitivity. Uses lenient criteria during testing, fewer assets in exclusion list.

    • medium: Medium sensitivity. Balanced testing criteria, moderate asset in exclusion list.

    asset-max-count <integer>

    Maximum number of assets to track. Assets include endusers and endpoints depending on the model type. Higher values require more memory and processing resources (100 - 100000, default = 1000).

    auto-deploy {enable | disable}

    Deploy artifact automatically when model is trained on schedule.

    inference-interval <integer>

    Inference interval in minutes (1 - 1440, default = 20).

    Defines how frequently the model analyzes new data for anomalies. Shorter intervals provide faster detection but use more resources.

    Recommended values by model type:

    • login-anomaly: 20 minutes

    • traffic-download-anomaly: 60 minutes (must be multiple of 60)

    • traffic-upload-anomaly: 60 minutes (must be multiple of 60)

    Traffic models require inference-interval to be a multiple of 60.

    artifact-retention <integer>

    Artifact retention period in days (1 - 365, default = 30).

    Artifacts older than this period are automatically deleted. The most recent artifact-max-count artifacts are always retained regardless of age.

    artifact-max-count <integer>

    Maximum number of artifacts to retain per model (1 - 100, default = 10).

    Older artifacts beyond this count are deleted automatically. This limit is enforced regardless of artifact-retention setting.
    Previous
    Next