Administration Guide

ML Configuration

Use the ML Configuration page to view and edit the machine learning baseline features used for traffic anomaly detection, and to check the status of the baseline training.

Key concepts
  • Baseline Status: Baselining means that the baseline training is still in progress.
  • Baseline ready: means that the baseline training is complete and the baseline is ready for anomaly detection.
Note

The following features are enabled by default: Device IP, Device MAC, Transport Layer Protocol, Application Layer Protocol, Protocol or Application Behaviors or Action, Session Packet Size and Source Port Number.

We do not recommend editing these features unless you have a strong understanding of what they do.

ML Configuration contains the following settings:

Device Info
  • Device IP: Destination device IP.
  • Device MAC Address: Destination device MAC address.
  • Source Device IP: Source device IP.
  • Device Model: Device model, such as FortiGate, Workstation, iDRAC, etc.
  • Device Geo Country: Device geographical country, such as United States.
  • Device Category: Device category, such as NAS, Virtual Machine, Firewall, etc.
  • Device Vendor: Device vendor, such as VMware, Dell, Synology, etc.
  • Device OS: Device operating system, such as Windows, Linux, etc.

Protocol and Application Behavior
  • Transport Layer Protocol: UDP, ICMP, TCP, etc.
  • Application Layer Protocol: TLS, HTTP, SMB, etc.
  • Protocol or Application Behaviors or Action: Specific application actions, such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.
  • Application Type: IE, Office, MySQL, P2P, SCADA, etc.

Others
  • Session Packet Size: Packet size is categorized into three groups: less than 100 bytes is small, 100000 bytes or more is large, and anything in between is medium.
  • Source Port Number: Port number, such as 22, 445, a non-reserved port, etc.
  • TLS Version: The TLS version, if TLS is used.
  • Vulnerability Type: Traffic session vulnerability type, such as Anomaly, DoS, SQL Injection, Malware, etc.

Typically, building the traffic baseline takes a week. If the settings are changed, a new baseline is trained and replaces the existing baseline for detection. Re-training takes approximately three or more days, depending on the volume of traffic already in the database. The old baseline remains in effect during re-training, and ML detection cannot be disabled during that time.
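As an added illustration, not part of this guide and not the product's own code, the following Python script shows how session records could be mapped to the seven default-enabled features listed above (including the packet-size groups and the reserved versus non-reserved source-port distinction) and then compared against the set of feature combinations observed while the baseline was being built. The session field names, the 0-1023 boundary used for reserved ports and the "unseen combination is anomalous" rule are assumptions of this example, not the product's algorithm.

```python
"""Added example, not the product's own code: derives the default-enabled
baseline features described on the ML Configuration page from session
records, then flags sessions whose feature combination never appeared
while the baseline was being built. Session field names, the reserved-port
boundary and the membership rule are assumptions of this example."""
from collections import Counter


def packet_size_bucket(size_bytes: int) -> str:
    """Session Packet Size groups as stated on the page:
    < 100 bytes small, >= 100000 bytes large, otherwise medium."""
    if size_bytes < 100:
        return "small"
    if size_bytes >= 100000:
        return "large"
    return "medium"


def source_port_category(port: int) -> str:
    """Keep well-known source ports (22, 445, ...) as distinct values and
    collapse everything else into one 'non-reserved' value. Using 0-1023
    (IANA system ports) as the boundary is this example's assumption."""
    if 0 <= port <= 1023:
        return str(port)
    return "non-reserved"


def extract_features(session: dict) -> tuple:
    """Map a session record (assumed field names) to the features enabled
    by default: Device IP, Device MAC, Transport Layer Protocol, Application
    Layer Protocol, Protocol/Application Behavior, Session Packet Size and
    Source Port Number."""
    return (
        session["dst_ip"],                          # Device IP (destination)
        session["dst_mac"].lower(),                 # Device MAC Address
        session["transport_proto"].upper(),         # TCP, UDP, ICMP, ...
        session["app_proto"].upper(),               # TLS, HTTP, SMB, ...
        session["behavior"],                        # application action
        packet_size_bucket(session["packet_size"]),
        source_port_category(session["src_port"]),
    )


class Baseline:
    """Toy baseline: count every feature combination seen during training.
    The status string mirrors the page's 'Baselining' / 'Baseline ready'."""

    def __init__(self):
        self.counts = Counter()
        self.ready = False

    def status(self) -> str:
        return "Baseline ready" if self.ready else "Baselining"

    def train(self, sessions) -> None:
        for s in sessions:
            self.counts[extract_features(s)] += 1
        self.ready = True

    def is_anomalous(self, session: dict) -> bool:
        # Detection is only meaningful once the baseline is ready.
        if not self.ready:
            raise RuntimeError("baseline still training; detection unavailable")
        return extract_features(session) not in self.counts


def _session(dst_ip, dst_mac, tproto, aproto, behavior, size, sport):
    """Helper to build a constructed session record (not captured traffic)."""
    return {"dst_ip": dst_ip, "dst_mac": dst_mac, "transport_proto": tproto,
            "app_proto": aproto, "behavior": behavior,
            "packet_size": size, "src_port": sport}


# Constructed training sessions standing in for a week of observed traffic.
TRAINING_SESSIONS = [
    _session("10.0.0.5", "00:11:22:33:44:55", "tcp", "smb", "file read", 1500, 50234),
    _session("10.0.0.5", "00:11:22:33:44:55", "tcp", "smb", "file read", 1200, 50877),
    _session("10.0.0.7", "00:11:22:33:44:66", "tcp", "tls", "handshake", 90, 51000),
    _session("10.0.0.9", "00:11:22:33:44:77", "udp", "dns", "query", 64, 53),
]


def demo() -> dict:
    """Train on the constructed sessions and score three new ones; returns
    {name: is_anomalous} so the verdicts can be checked programmatically."""
    baseline = Baseline()
    baseline.train(TRAINING_SESSIONS)
    candidates = {
        # Same SMB read; different ephemeral port and size still fall into
        # the same 'medium' / 'non-reserved' groups, so it matches baseline.
        "known_smb_read": _session("10.0.0.5", "00:11:22:33:44:55", "tcp", "smb", "file read", 4000, 49152),
        # Same host and protocol, but a 'large' transfer never seen before.
        "large_smb_read": _session("10.0.0.5", "00:11:22:33:44:55", "tcp", "smb", "file read", 250000, 49152),
        # Destination, protocol and reserved source port all new to the baseline.
        "ssh_to_new_host": _session("10.0.0.20", "00:11:22:33:44:88", "tcp", "ssh", "login", 512, 22),
    }
    return {name: baseline.is_anomalous(s) for name, s in candidates.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ANOMALY' if verdict else 'matches baseline'}")
```

Note that the stored combinations are only comparable while `extract_features` returns the same set of features; enabling or disabling a feature changes every tuple, which is the practical reason the guide says a settings change triggers a full re-train rather than an incremental update.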
