Administration Guide

Managing FortiNDR disk usage

FortiNDR analyzes files and packets ‘on the fly’ and requires plenty of disk space to store attack data. FortiNDR-3500F comes with two SSD drives by default and supports up to 16 SSDs in total.

By default, FortiNDR stores all detected events (network anomalies, sessions and malware detections). When disk usage reaches the thresholds below, FortiNDR responds as follows:

Disk Usage   Description
----------   -----------
50%          FortiNDR starts deleting older clean files and detections. Malicious and anomaly detections are kept. This process stops once disk usage drops back below 50%.

90%          FortiNDR stops its services (including logging, detection, sniffer, network share scanning, file uploading, OFTP, ICAP and NDR) if it is operating at bandwidth capacity and inserting events faster than it can delete them. The GUI and CLI console still operate in this scenario.

Tip 1: Daemons auto-restart when disk usage falls back below the thresholds above.

Tip 2: With FortiNDR and FortiNDR 3500F, users can purchase more SSDs. See the data sheet and ordering guide for details.

Tip 3: Consider using the following CLI commands to clean up the database:

  • exec cleanup clears the log history to free up space.
  • exec db restore clears all data (including some of the AI database updates from FortiGuard).

To view the disk usage:

Go to Dashboard > System Status.
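The thresholds above mean detection stops once the disk crosses 90%, so an operator usually wants to be warned well before that point rather than discover it on the dashboard. The following script is an added example, not Fortinet's code: it classifies a Disk Usage reading against the 50% and 90% thresholds from this page and projects, from a series of readings, how many hours remain before the 90% stop. The readings are constructed; how you collect the Disk Usage percentage (reading Dashboard > System Status, or whatever monitoring you already have for the appliance) is outside the example, and the 48-hour alert window is an assumption.

```python
"""Disk-usage trend check for a FortiNDR sensor.

Added example, not Fortinet's code. The 50% (pruning of older clean files
and detections) and 90% (services stop) thresholds come from the guide;
the sample readings, the linear projection and the 48-hour alert window
are assumptions of this example.
"""
from typing import List, Optional, Tuple

PRUNE_THRESHOLD = 50.0  # older clean files and detections are deleted from here on
STOP_THRESHOLD = 90.0   # detection, sniffer, logging and related services stop here

Sample = Tuple[float, float]  # (hours since first reading, disk usage in percent)

# Constructed readings: usage rising one percentage point per hour over 18 hours.
SAMPLES: List[Sample] = [(0.0, 40.0), (6.0, 46.0), (12.0, 52.0), (18.0, 58.0)]


def classify(used_pct: float) -> str:
    """Map a usage percentage to the behaviour described in the guide."""
    if used_pct >= STOP_THRESHOLD:
        return "services_stopped"  # only the GUI and CLI console keep running
    if used_pct >= PRUNE_THRESHOLD:
        return "pruning"           # clean files go; malicious/anomaly detections stay
    return "normal"


def hours_until(samples: List[Sample], threshold: float) -> Optional[float]:
    """Least-squares projection of when usage reaches `threshold`.

    Returns hours from the last sample (0.0 if already at or above the
    threshold), or None when usage is flat or falling, since no crossing
    can be projected in that case.
    """
    if len(samples) < 2:
        return None
    last_t, last_u = samples[-1]
    if last_u >= threshold:
        return 0.0
    n = len(samples)
    mean_t = sum(t for t, _ in samples) / n
    mean_u = sum(u for _, u in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    sxy = sum((t - mean_t) * (u - mean_u) for t, u in samples)
    if sxx == 0 or sxy <= 0:
        return None
    slope = sxy / sxx
    intercept = mean_u - slope * mean_t
    return (threshold - intercept) / slope - last_t


def evaluate(samples: List[Sample], alert_window_hours: float = 48.0) -> dict:
    """Summarise the current state and what the operator should do next."""
    last_u = samples[-1][1]
    state = classify(last_u)
    eta = hours_until(samples, STOP_THRESHOLD)
    if state == "services_stopped":
        action = ("Detection is stopped: run 'exec cleanup' to free log history, "
                  "or expand storage ('execute expandspooldisk' on a VM, more SSDs "
                  "on hardware); daemons auto-restart once usage is below 90%.")
        alert = True
    elif eta is not None and eta <= alert_window_hours:
        action = (f"Usage projected to reach {STOP_THRESHOLD:.0f}% in {eta:.1f} h: "
                  "schedule 'exec cleanup' or a storage expansion now.")
        alert = True
    else:
        action = "No action needed; keep sampling."
        alert = False
    return {"state": state, "used_pct": last_u, "hours_to_stop": eta,
            "alert": alert, "action": action}


if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

With the constructed readings the sensor is already in the pruning band (58%) and the fit projects the 90% stop about 32 hours out, which falls inside the alert window. A straight-line fit over the most recent readings is deliberately simple; feed it only the last day or two of samples so a burst of ingest is not averaged away.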

To expand FortiNDR VM storage with the CLI:

execute expandspooldisk

For more information, see the FortiNDR CLI Reference Guide.

Exporting detected malware files

You can export detected malware files with the CLI, or with the GUI under Attack Scenario or Log & Report, as a PDF, JSON, or STIX2 file.

To export detected malware files with the CLI:

execute export file-report

For more information, see the FortiNDR CLI Reference Guide.

To export detected malware files with the GUI:
  1. To export detected files under Attack Scenario:
    1. Go to Attack Scenario and click an attack type such as Ransomware.
    2. Select an infected host and then in the timeline, hover over the detection name until the dialog appears.

    3. Click View Sample Info. The sample information is displayed.
    4. Click Generate Report and select PDF, JSON, or STIX2 format.

  2. To export detected files under Log & Report:
    1. Go to Log & Report > Malware Log.
    2. Double-click a log in the list. The Details pane opens.

    3. Click View Detail Report. The sample information is displayed.
    4. Click Generate Report and select PDF, JSON, or STIX2 format.

Formatting the database

To format the database with the CLI:

execute db restore

Caution

Using execute db restore formats and deletes the entire database.

Use caution when executing this command, and back up detections beforehand if required.
