<profile_name>

Name of the LDAP profile.

auth-bind-dn {cnid | none | searchuser | upn}

none: Do not define a user authentication query.

cnid: Name of the user objects’ common name attribute, such as cn or uid.

searchuser: Form the user’s bind DN (distinguished name) by using the DN retrieved for that user.

upn: Form the user’s bind DN by prepending the user name portion of the email address ($u) to the user principal name (UPN such as example.com). By default, FortiAI uses the mail domain as the UPN. To use a UPN other than the mail domain, also configure upn-suffix <upns_str>.

authstate {enable | disable}

Enable to perform user authentication queries.

base-dn <basedn_str>

The DN of the part of the LDAP directory tree where FortiAI searches for user objects, such as ou=People,dc=example,dc=com.

User objects must be child nodes of this location.

bind-dn <binddn_str>

The bind DN of an LDAP user account with permissions to query the basedn, such as cn=FortiAI,dc=example,dc=com.

This command is optional if your LDAP server does not require FortiAI to authenticate when performing queries and you have enabled unauth-bind.

bind-password <bindpw_str>

The password of bind-dn.

cache-state {enable | disable}

Enable to cache LDAP query results.

Caching LDAP queries can reduce LDAP network traffic when there are frequent queries for information that does not change. However, caching might cause a delay from the time you update LDAP directory information and when FortiAI begins using that new information.

If you enable this option but queries are not cached, check the TTL value. A TTL value of 0 effectively disables caching.

cache-ttl <ttl_int>

The amount of time, in minutes, that FortiAI caches query results. After the time has elapsed, cached results expire and subsequent requests for that information requires FortiAI to query the LDAP server and refresh the cache.

The default TTL value is 1440 minutes (one day). The maximum is 10080 minutes (one week). A value of 0 effectively disables caching.

cnid-name <cnid_str>

Name of the user objects’ common name attribute, such as cn or uid.

dereferencing {never | always | search | find}

Method of de-referencing attributes whose values are references.

never: Do not de-reference.

always: Always de-reference.

search: De-reference only when searching.

find: De-reference only when finding the base search object.

fallback-port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port, enter the TCP port number.

The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636.

If secure is set to ssl, FortiNDR uses SSL-secured LDAP to connect to the server.

fallback-server {<fqdn_str> | <server_ipv4>}

The FQDN or IP address of the backup LDAP server.

If there is no fallback server, enter an empty string ('').

port <port_int>

If you have configured a backup LDAP server that listens on a nonstandard port, enter the TCP port number.

The standard port for LDAP is 389. The standard port for SSL-secured LDAP is 636.

query <query_str>

An LDAP query filter, enclosed in single quotes ('), that selects a set of user objects from the LDAP directory.

The query filter string filters the result set based on attributes common to all user objects and excludes non-user objects. For example, if user objects in your directory have two characteristics, the objectClass and mail attributes, use the query filter:

(& (objectClass=inetOrgPerson) (mail=$m))

where $m is the FortiAI variable for a user's email address.

This command applies to user defined schema only.

For details on query syntax, see any standard LDAP query filter reference manual.

scope {base | one | sub}

The level of depth to query:

base: Query the basedn level.

one: Query only one level below the basedn in the LDAP directory tree.

sub: Query recursively all levels below the basedn in the LDAP directory tree.

secure {none | ssl}

Whether to connect to LDAP servers using an encrypted connection:

none: Use a non-secure connection.

ssl: Use an SSL-secured (LDAPS) connection.

server <name_str>

The FQDN or IP address of the LDAP server.

timeout <timeout_int>

The maximum length of time in seconds that FortiAI waits for query responses from the LDAP server.

unauth-bind {enable | disable}

Enable to perform queries in this profile without supplying a bind DN and password for the directory search.

Many LDAP servers require LDAP queries to be authenticated using a bind DN and password. If your LDAP server does not require FortiAI to authenticate before performing queries, you might enable this option.

If this option is disabled, you must configure bind-dn and bind-password.

upn-suffix <upns_str>

If you want to use a UPN other than the mail domain, enter that UPN. This is useful if users authenticate with a domain other than the mail server’s principal domain name.

server {<fqdn_str> | <host_ipv4>}

The IP address or FQDN of the POP3 server.

auth-prot {auto | chap | mschap | mschap2 | pap}

The authentication method for the RADIUS server.

nas-ip <ip_addr>

The NAS IP address and the Called Station ID. If you do not enter an IP address, FortiNDR uses the IP address that the FortiAI interface uses to communicate with the RADIUS server.

For information about RADIUS attribute 31, see Microsoft Vendor-specific RADIUS Attributes.

port <port_int>

If the RADIUS server listens on a nonstandard port number, enter the port number of the RADIUS server.

The standard port number for RADIUS is 1812.

secret <password_str>

The password of the RADIUS server.

send-domain {enable | disable}

Enable if the RADIUS server requires both the user name and the domain when authenticating.

<profile_name>

Name of the access profile.

system-access {none | read | read-write}

Specify the account permission associated with this access profile. The read-write permission gives access to settings critical to FortiNDR network accessibility, including GUI console, network, administrator, admin profiles, certificates, and RADIUS/LDAP authentication.

system-config {none | read | read-write}

Specify the account permission associated with this access profile. The read-write permission gives access to modify other system settings such as system time settings, system FortiGuard update, and Security Fabric settings.

system-maintenance {none | read | read-write}

Specify the account permission associated with this access profile. The read-write permission gives access to system maintenance settings such as back up system configuration, restore configuration, and restore firmware.

<name_str>

Name of the administrator account.

access-profile <profile_name>

Name of an access profile that determines which functional areas the administrator account may view or affect.

auth-strategy {local | local-plus-radius | ldap | radius}

Select the local or remote type of authentication that the administrator can use.

name <name>

Name of user.

password <password_str>

If auth-strategy is local or local-plus-radius, enter the password for the administrator account.

Do not use an administrator password shorter than six characters. For better security, use a longer password with a complex combination of characters and numbers. Change the password regularly. A weak password might compromise the security of your FortiAI unit.

radius-permission-check {enable | disable}

If auth-strategy is local or local-plus-radius, enable this option to query the RADIUS server for the permissions attribute.

radius-subtype-id <subtype_int>]

If auth-strategy is local or local-plus-radius, and radius-permission-check is enabled, enter the RADIUS subtype identifier.

radius-vendor-id <vendor_int>

If auth-strategy is local or local-plus-radius, and radius-permission-check is enabled, enter the RADIUS vendor identifier.

sshkey <key_str>

Enter the SSH key string inside single straight quote marks (').

When connecting from an SSH client that presents this key, administrators do not need to enter the account name and password to log in to the CLI.

status

Enable or disable admin users.

theme {Neutrino| Jade | Mariner | Graphite | Melongene | Onyx | Dark_Matter | Eclipse | Cloud_App_Light | Cloud_App_Dark}

Theme of the GUI for this admin.

name <string>

Automation Profile name

type {fgt-quarantine|fnac-quarantine|generic-webhook}

FortiNDR supports three types of automated quarantine : fgt-quarantine, fnac-quarantine, and generic-webhook

vdom <vdom_str>

The VDOM of the FortiGate. Only applicable to fgt-quarantine.

api-key <apikey_str>

API key of the device. Only applicable to fgt-quarantine and fnac-quarantine.

webhook-config <config_str>

The webhook configuration to be used by FortiNDR enforcement.

Only applicable to fgt-quarantine and generic-webhook.

For fgt-quarantine:

{"webhook_exec" :"ip_blocker", "webhook_undo": "ip_unblocker"}

For generic-webhook:

}

To enter the JSON data through CLI, the JSON string must be formatted as one line and enclosed in single quotes (').

ip <ip_addr>

IP address of the device. Only applicable to fgt-quarantine and fnac-quarantine.

port <port_int>

Port number of the device. Only applicable for fgt-quarantine and fnac-quarantine.

status {enable | disable}

Enable or disable the automation profile.

source {fabric-device | sniffer}

Set the source of detection that applies to the current profile. Only applicable for fgt-quarantine.

<name_str>

The name of this certificate.

scheduled-update-day <day_int>

Enter the day of the week at which FortiNDR will request updates where the range is from 0-6 and 0 means Sunday and 6 means Saturday.

scheduled-update-frequency {every | daily | weekly}

Enter the frequency at which FortiNDR will request updates. You also need to configure scheduled-update-day <day_int> and scheduled-update-time <time_str>.

scheduled-update-status {enable | disable}

Enable to perform updates according to the configured schedule.

ipaddr <ip_address>

IP address of FortiAnalyzer server.

port <port>

Port number of FortiAnalyzer server used to receive syslog.

<interface_name>

Enter the interface name of which you want to apply HA configuration.

action-on-primary {ignore-vip | use-vip}

Enable/disable virtual IP configured on this interface.

• ignore-vip: Do not use the virtual ip configuration when HA mode is primary

• Use-vip: Add the specified virtual IP address and netmask to the network interface when HA mode is primary. This option results in the network interface having two IP addresses: the actual and the virtual.

heartbeat-status {disable | primary | secondary}

Specify if this interface will be used for HA heartbeat and synchronization.

• Disable: Do not use this interface for HA heartbeat and synchronization.

• primary: Select the primary network interface for heartbeat and synchronization traffic.

  This network interface must be connected directly or through a switch to the Primary heartbeat network interface of other member in the HA group.

• secondary: Select the secondary network interface for heartbeat and synchronization traffic.

  The secondary heartbeat interface is the backup heartbeat link between the units in the HA group. If the primary heartbeat link is functioning, the secondary heartbeat link is only used for the HA heartbeat. Otherwise the secondary link is used for both the HA heartbeat and synchronization.

In general, you should isolate the network interfaces that are used for heartbeat traffic from your overall network. Heartbeat and synchronization packets contain sensitive configuration information, are latency-sensitive, and can consume considerable network bandwidth.

peer-ip <ipv4mask>

Enter the IP address of the matching heartbeat network interface of the other member of the HA group.

If you are configuring the primary unit’s primary heartbeat network interface, enter the IP address of the secondary unit’s primary heartbeat network interface.

For the secondary heartbeat network interface, enter the IP address of the other unit’s secondary heartbeat network interface.

port-monitor <enable | disable>

Enable to monitor a network interface for failure. If the port fails, the primary unit will trigger a failover.

virtual-ip <ipv4mask>

Enter the virtual IP address and netmask for this interface.

hb-base-port <hb-port_int>

Enter the first of four total TCP port numbers that will be used for:

• The heartbeat signal

• Synchronization control

• Data synchronization

• Configuration synchronization

hb-lost-threshold <hb-threshold_int>

Enter the total span of time, in seconds, for which the primary unit can be unresponsive before it triggers a failover and the secondary unit assumes the role of the primary unit.

If the failure detection time is too short, the secondary unit may falsely detect a failure during periods of high load.

mode {off | primary | secondary}

Enter the HA operating mode or disable HA

ipaddr <ip_address>

IP address of a remote server.

port <port>

Port number of remote server used to receive syslog.

<name_str>

The name of this certificate revocation list.

<name_str>

The name of the certificate to be imported.

password

The password of the certificate.

private-key

The private key of the certificate.

certificate <cert_str>

Enter or paste the certificate in PEM format to import it.

csr <csr_str>

Enter or paste the certificate signing request in PEM format to import it.

<name_str>

The name of the certificate to be imported.

configuration-sync {local | sync}

Configuration synchronization mode.

managment-ip <ip_str>

Management IP address of FortiNDR to join the Security Fabric.

managment-port <port_int>

Management port number of the unit to join the Security Fabric. Set the value between 1-65535.

status {enable | disable}

Enable or disable Security Fabric configuration.

upstream-ip <ip_str>

IP address of upstream FortiGate.

edit <serverName>

The server name of this DHCP server.

config exclude-range

DHCP excluded IP range.

config ip-range

DHCP IP address range.

config reserved-address

DHCP reserved IP address.

auto-configuration {enable | disable}

Enable or disable auto configuration.

conflicted-ip-timeout <int>

IP address conflict timeout in seconds.

default-gateway <IP Address>

Default gateway IP address.

dns-service {default | specify}

DNS server options.

domain <domain name>

Domain name of the DHCP server.

enable {enable | disable}

Enable or disable this DHCP server.

htype {normal | other}

Device/port name.

interface <interface name>

Interface name.

lease-time <lease time in seconds>

Lease time in seconds.

cache {enable | disable}

Enable to cache DNS query results to improve performance. If memory is low, disable to free up more memory.

cache-min-ttl <time_in_sec>

Minimum TTL for cached DNS records in seconds.

primary <dns_ipv4>

IP address of the primary DNS server.

private_ip_query {enable | disable}

Enable to perform reverse DNS lookups on private network IP addresses, as defined in RFC 1918. The DNS server must have PTR records for your private network’s IP addresses. Not having records for those IP addresses might increase DNS query time and cause query results to show Host not found.

protected-domain-dns-servers <class_ip>

IP addresses of DNS servers for protected domains.

protected-domain-dns-state {enable | disable}

Enable or disable using DNS servers for protected domains.

secondary <dns_ipv4>

IP address of the secondary DNS serve.

allowlist <allowlist_ipv4mask>

The IP addresses and netmasks in the allowlist (white list) are excluded from enforcement consideration. Separate each pair of IP address and netmask with a comma (,).

risk-level <risk_lvl_int>

Malicious detected records with the entered risk level and above are considered when executing enforcement by FortiNDR.

Valid values are 2 (medium risk), 3 (high risk), or 4 (critical risk).

<physical_interface_str>

Name of the physical network interface, such as port1.

allowaccess {ping | https | ssh | telnet}

Add one or more protocols to the list of protocols that allow administrative access to FortiNDR through this network interface:

ping: Allow ICMP ping responses from this network interface.

https: Allow secure HTTP (HTTPS) access to the web-based manager and per-recipient quarantines.

ssh: Allow SSH access to the CLI.

telnet: Allow Telnet access to the CLI.

HTTP and Telnet connections are not secure and can be intercepted by a third party. To reduce risk, enable this option only on network interfaces connected directly to your management computer.

discover {enable | disable}

Allow discovery of the interface on this port.

ip <ipv4mask>

IP address and netmask of the network interface.

mode {static | dhcp}

Interface mode.

speed {auto | 10full | 10half | 100full | 100half | 1000full}

Speed of the network interface. Some network interfaces might not support all speeds.

<route_int>

Index number of the route in the routing table.

destination <destination_ipv4mask>

Destination IP address and netmask of traffic that is subject to this route, separated by a space.

To indicate all traffic regardless of IP address and netmask, enter 0.0.0.0 0.0.0.0.

gateway <gateway_ipv4>

IP address of the gateway router.

daylight-saving-time {disable | enable}

Enable to automatically adjust the system time for daylight-saving time (DST).

ntpserver {<address_ipv4> | <fqdn_str>}

IP address or FQDN of an NTP server.

You can add a maximum of ten NTP servers. FortiAI uses the first NTP server based on the selection mechanism of the NTP protocol.

To locate a public NTP server, visit http://www.ntp.org/.

ntpsync {enable | disable}

Enable to synchronize FortiAI with an NTP server instead of manually configuring the system time.

conf-level <confidence_level_int>

The confidence of detection. Value is between 0 and 100.

interface {port1 | port2}

Interface name.

enable {1 | 0}

Set to 1 to enable ICAP server. Set to 0 to disable the ICAP server.

rtavscan {1|0}

Set to 1 to enable realtime FAI scan. Set to 0 to disable.

timeout <timeout_int>

The maximum waiting time for realtime FAI scan.

ssl-port <ssl_port_int>

ICAP server SSL port number.

ssl-support {1 | 0}

Set to 1 to enable SSL support. Set to 0 to disable it.

Name <string>

Profile name

ipaddr <ipv4mask>

The IP address of the remote server. Only IPv4 is supported.

port <int>

The port number of the remote server for syslog services.

status {enable, disable}

Enable or disable sending logs to this remote server.

type {event, malware, ndr}

FortiNDR supports three types of logs: event, malware and ndr.

Multiple choices are supported.

Name <string>

Profile name

ipaddr <ipv4mask>

The IP address of the remote server. Only IPv4 is supported.

port <int>

The port number of the remote server for syslog services.

status {enable, disable}

Enable or disable sending logs to this remote server.

type {event, malware, ndr}

FortiNDR supports three types of logs: event, malware and ndr.

Multiple choices are supported.

Name <string>

Profile name

ipaddr <ipv4mask>

The IP address of the remote server. Only IPv4 is supported.

port <int>

The port number of the remote server for syslog services.

status {enable, disable}

Enable or disable sending logs to this remote server.

type {event, malware, ndr}

FortiNDR supports to three types of logs, including event, malware and ndr.

Multiple choices are supported.

name

Name/IP of the mailing server.

openssl

Enable/disable security connection for the email transaction.

password

Password of the user in the mailing server.

port

The port used to send email.

sendername

The email sender's name. This is different from username.