Managing FortiNDR disk usage
FortiNDR analyzes files and packets on the fly and requires plenty of disk space to store attack data. FortiNDR-3500F ships with two SSD drives by default and can be expanded to 16 SSDs in total.
By default FortiNDR stores all detected events (network anomalies, sessions and malware detections). When the disk reaches the following usage levels:

| Disk Usage | Description |
|---|---|
| 50% | FortiNDR starts deleting older clean files and detections. Malicious and anomaly detections are retained. This process stops once the disk falls back below the 50% threshold. |
| 90% | FortiNDR stops its services (including logging, detection, sniffer, network share scanning, file uploading, OFTP, ICAP and NDR) if it is operating at bandwidth capacity and inserting events faster than they can be deleted. The GUI and CLI console continue to operate in this scenario. |
Tip 1: Daemons auto-restart when disk usage falls back below the thresholds above.
Tip 2: With FortiNDR and FortiNDR-3500F, users can purchase more SSDs. See the data sheet and ordering guide for details.
Tip 3: Users should consider using the following CLI commands to clean up the DB:
- `exec cleanup` clears the log history to free up space.
- `exec db restore` clears all data (including some of the AI DB updated from FortiGuard).
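The retention behaviour in the table above, written out as a small Python model so the two thresholds can be reasoned about concretely. This is an added illustration, not FortiNDR code: the event list, the 1000 MB capacity, the ingest and deletion rates, and the function names are all constructed assumptions; it only reproduces the rules the page states (oldest clean items deleted first, malicious and anomaly detections kept, services halted at 90% when ingest outpaces deletion).

```python
"""Constructed model of the FortiNDR disk-usage thresholds described above.

Not FortiNDR code: the event sample, capacity and rates are assumptions used
to show how the 50% cleanup and 90% service-stop rules interact.
"""
from dataclasses import dataclass

CLEANUP_THRESHOLD = 0.50       # above this usage, older clean items are purged
SERVICE_STOP_THRESHOLD = 0.90  # above this usage, services stop if ingest > deletion


@dataclass
class StoredEvent:
    event_id: str
    kind: str       # "clean", "malware" or "anomaly"
    age_days: int   # older events are candidates for deletion first
    size_mb: int


def disk_usage(events, capacity_mb):
    """Fraction of the disk occupied by the stored events."""
    return sum(e.size_mb for e in events) / capacity_mb


def apply_retention(events, capacity_mb):
    """Delete the oldest clean events until usage is back below CLEANUP_THRESHOLD.

    Malware and anomaly detections are never removed, matching the page's rule.
    Returns (kept, deleted) as two lists.
    """
    kept = list(events)
    deleted = []
    # Only clean items are eligible; oldest first.
    clean_oldest_first = sorted(
        (e for e in kept if e.kind == "clean"), key=lambda e: -e.age_days
    )
    for event in clean_oldest_first:
        if disk_usage(kept, capacity_mb) < CLEANUP_THRESHOLD:
            break  # cleanup stops once the disk is back under the threshold
        kept.remove(event)
        deleted.append(event)
    return kept, deleted


def services_should_stop(usage, ingest_rate_mb_s, deletion_rate_mb_s):
    """True when the 90% rule fires: disk nearly full and inserts outpace deletion."""
    return usage >= SERVICE_STOP_THRESHOLD and ingest_rate_mb_s > deletion_rate_mb_s


# Constructed sample: 700 MB stored on a 1000 MB disk (70% usage).
CAPACITY_MB = 1000
SAMPLE_EVENTS = [
    StoredEvent("e1", "clean", age_days=30, size_mb=200),
    StoredEvent("e2", "clean", age_days=10, size_mb=150),
    StoredEvent("e3", "malware", age_days=40, size_mb=100),
    StoredEvent("e4", "anomaly", age_days=5, size_mb=50),
    StoredEvent("e5", "clean", age_days=1, size_mb=100),
    StoredEvent("e6", "malware", age_days=2, size_mb=100),
]

if __name__ == "__main__":
    kept, deleted = apply_retention(SAMPLE_EVENTS, CAPACITY_MB)
    print("deleted:", [e.event_id for e in deleted])      # e1 and e2, oldest clean first
    print("usage after cleanup:", disk_usage(kept, CAPACITY_MB))  # 0.35
    print("stop services at 92% with ingest 10 MB/s vs deletion 5 MB/s:",
          services_should_stop(0.92, 10, 5))                # True
```

Note that the 40-day-old malware detection survives while the 1-day-old clean file is only spared because the threshold was reached before it came up for deletion; the operational takeaway is that malicious evidence is retained by the 50% rule, but once usage climbs toward 90% the only remedy is adding disks or running the cleanup commands from Tip 3.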
To view the disk usage:
Go to Dashboard > System Status.
To expand FortiNDR VM storage with the CLI:
execute expandspooldisk
For more information, see the FortiNDR CLI Reference Guide.
Exporting detected malware files
You can export detected malware files with the CLI, or with the GUI under Attack Scenario or Log & Report, as a PDF, JSON or STIX2 file.
To export detected malware files with the CLI:
execute export file-report
For more information, see the FortiNDR CLI Reference Guide.
To export detected malware files with the GUI:
- To export detected files under Attack Scenario:
  1. Go to Attack Scenario and click an attack type such as Ransomware.
  2. Select an infected host and then, in the timeline, hover over the detection name until the dialog appears.
  3. Click View Sample Info. The sample information is displayed.
  4. Click Generate Report and select PDF, JSON, or STIX2 format.
- To export detected files under Log & Report:
  1. Go to Log & Report > Malware Log.
  2. Double-click a log in the list. The Details pane opens.
  3. Click View Detail Report. The sample information is displayed.
  4. Click Generate Report and select PDF, JSON, or STIX2 format.
Formatting the database
To format the database with the CLI:
execute db restore
Use caution when executing this command, and back up detections beforehand if required.