Administration Guide

Operating mode, protocols, and file type support

FortiNDR performs two functions: detecting network anomalies (NDR) and analyzing malware with its Artificial Neural Network (ANN). If the NDR functions are not needed and you prefer pure file analysis, they can be switched off with the CLI command "execute ndrd {on|off}".

For more information, see the FortiNDR CLI Reference Guide.

The table below lists, for each operating mode: the supported devices *, the communication protocol between the device and FortiNDR, the protocols supported for file/malware analysis, the protocols supported for NDR network anomaly detection, and notes.

Operating mode: Sniffer
  Supported devices *: N/A
  Communication protocol: N/A
  File/malware analysis protocols supported: HTTP, SMBv2, IMAP, POP3, SMTP, FTP
  NDR network anomaly protocols supported: TCP, UDP, ICMP, ICMP6, TLS, HTTP, SMB, SMTP, SSH, FTP, POP3, DNS, IRC, IMAP, RTSP, RPC, SIP, RDP, SNMP, MYSQL, MSSQL, PGSQL, and their behaviors
  Notes: Using a SPAN port or network TAP

Operating mode: Integrated
  Supported device *: FortiGate
    Communication protocol: OFTP (v5.6-v6.x), HTTP2 (v7.0 FOS)
    File/malware analysis protocols supported: HTTP, HTTPS (with SSL decryption), SMTP, POP3, IMAP
    NDR network anomaly protocols supported: N/A
    Notes: FortiGate v7.0.1 supports INLINE blocking with an AV profile
  Supported device *: FortiMail
    Communication protocol: HTTP2
    File/malware analysis protocols supported: SMTP
    NDR network anomaly protocols supported: N/A
    Notes: Configure under the AV profile on FortiMail.
  Supported device *: FortiSandbox
    Communication protocol: HTTP2
    File/malware analysis protocols supported: MAPI, FTP, CIFS
    NDR network anomaly protocols supported: N/A

Operating mode: ICAP
  Supported devices *: FortiWeb, FortiProxy
    Communication protocol: ICAP
    File/malware analysis protocols supported: HTTP, HTTPS
    NDR network anomaly protocols supported: N/A
    Notes: Supports using FortiNDR as an ICAP server for multiple FortiGates, FortiWeb and FortiProxy, or for a third-party ICAP client such as Squid.

Operating mode: Other / API
  Supported devices *: FortiSOAR; scripts (refer to the Appendix for sample scripts)
    Communication protocol: HTTPS API upload
    File/malware analysis protocols supported: HTTPS
    NDR network anomaly protocols supported: N/A
    Notes: Using the API available from FortiNDR for file upload
  Supported devices *: NFS and SMB file shares
    Communication protocol: SMB/NFS
    File/malware analysis protocols supported: N/A
    NDR network anomaly protocols supported: N/A
    Notes: Direct map and scan

Supported file types for all operating modes:

32-bit and 64-bit PE files, as well as web-based, text, and archive files, including: EXE, PDF, MSOFFICE, DEX, HTML, ELF, ZIP, VBS, VBA, JS, HWP Hangul_Office, TAR, XZ, GZIP, BZIP, BZIP2, RAR, LZH, LZW, ARJ, CAB, _7Z, PHP, XML, POWERSHELL, BAT, HTA, UPX, ACTIVEMIME, MIME, HLP, BASE64, BINHEX, UUE, FSG, ASPACK, GENSCRIPT, SHELLSCRIPT, PERLSCRIPT, MSC, PETITE, ACCESS, SIS, HOSTS, NSIS, SISX, INF, E32IMAGE, FATMACH, CPIO, AUTOIT, MSOFFICEX, OPENOFFICE, TNEF, SWF, UNICODE, PYARCH, EGG, RTF, DLL, DOC, XLS, PPT, DOCX, XLSX, PPTX, LNK, KGB, Z, ACE, JAR, APK, MSI, MACH_O, DMG, DOTNET, XAR, CHM, ISO, CRX, INNO, THMX, FLAC, XXE, WORDML, WORDBASIC, OTF, WOFF, VSDX, EMF, DAA, GPG, PYTHON, CSS, AUTOITSCRIPT, RPM, EML, REGISTRY, PFILE, CEF, PRC, CLASS, JAD, COD, JPEG, GIF, TIFF, PNG, BMP, MPEG, MOV, MP3, WMA, WAV, AVI, RM, TOR, HIBUN

FortiNDR supports quarantine through an incoming webhook from FortiOS 6.4 and later. For details, see the Release Notes. For FortiNDR to quarantine via FortiGate, you must provide the VDOM information to FortiGate. For details, see Automation Framework.

Supported file types for ANN:

For ANN-supported file types, the ANN processes the file and provides a feature breakdown across different attack scenarios (such as ransomware, banking trojan, etc.). The supported types are:

32-bit and 64-bit PE, PDF, MSOFFICE, HTML, ELF, VBS, VBA, JS, PHP, HWP Hangul_Office, XML, POWERSHELL, UPX, ASPACK, NSIS, AUTOIT, MSOFFICEX, RTF, DLL, DOC, XLS, PPT, DOCX, XLSX, PPTX, DOTNET, INNO, IFRAME

Note

File types supported by the ANN are scanned by both the ANN and AV engines. Other supported file types are scanned by the AV engine only.
