Administration Guide

FortiGuard

FortiNDR relies on many local database updates and some cloud lookups for its detections to work. By default, the factory configuration of FortiNDR ships with local databases such as IPS and botnet loaded. Upon initial install, it is important to get the most recent updates for accurate detection. The easiest way to get and install these updates is with an Internet connection. For offline deployments, please refer to Appendix D - FortiGuard Updates. To view a list of updates, go to System > FortiGuard.

The latest versions of the NDR packages can also be updated offline using the following CLI command:

execute restore ipsdb/avdb/kdb [disk/tftp/ftp] filename

Please refer to Appendix D - FortiGuard Updates and the CLI guide for more detail.

Use System > FortiGuard to view or update the version of the entitlements on your machine. You can update the entitlement version using the GUI or CLI. Because the ANN (artificial neural network) database used for malware detection is several GB in size, updating it locally through the CLI might be faster.

The latest ANN versions and updates are published on the FortiGuard service update page at https://www.fortiguard.com/services/fortindr.

Note

Currently, FortiNDR retrieves ANN updates from US and EMEA FortiGuard servers.

FortiNDR selects the update server based on proximity and location.

Besides the ANN, FortiNDR also uses an AV engine for additional file scanning and accuracy, and NDR and IPS engines for detecting network anomalies. Regular updates to the AV, IPS and NDR databases are therefore recommended. Note that AV signatures are used only when the ANN cannot determine whether a file is malicious; if the ANN determines that a file is malicious, the AV engine is not triggered.

To update the ANN database for malware detection using the GUI:
  1. Go to System > FortiGuard and click Check update.

  2. Click Update FortiGuard Neural Networks Engine.

    This triggers an install of the new ANN.

    Because the ANN update is several GB in size, this procedure might take several hours. You can log out of the GUI after the update has started.

To update the ANN database using the CLI:
  1. Go to the Fortinet support website and download the ANN network database files.

    There are two ANN network databases: pae_kdb and moat_kdb. Because pae_kdb is large, it is distributed as a split zip archive of about six to eight parts (pae_kdb.zip.*), all of which you have to download. moat_kdb is small and is distributed as a single moat_kdb.tar.gz that does not have to be reassembled.

  2. Join the downloaded pae_kdb parts into pae_kdb.zip and extract it to obtain pae_kdb.tar.gz.

    In Windows:

    1. copy /B pae_kdb.zip.* pae_kdb.zip
    2. Right-click the pae_kdb.zip package and click Extract All.

    In Linux:

    1. cat pae_kdb.zip.* > pae_kdb.zip
    2. unzip pae_kdb.zip
  3. Put pae_kdb.tar.gz and moat_kdb.tar.gz on a disk that FortiNDR can access, such as a TFTP or FTP server, or a USB drive.

    If you use a USB drive, ensure it is formatted as ext3, has only one partition, and that the files are in the root directory.

  4. Use the CLI command execute restore kdb to update the kdbs. Run this command once for pae_kdb.tar.gz and once for moat_kdb.tar.gz.

    For example, if pae_kdb.tar.gz and moat_kdb.tar.gz are in the home folder of the account user on the FTP server 2.2.2.2 (/home/user/pae_kdb.tar.gz and /home/user/moat_kdb.tar.gz), use these commands:

    execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password

    execute restore kdb ftp moat_kdb.tar.gz 2.2.2.2 user password

    This is an example of the output:

    # execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password
    This operation will first replace the current scanner db files and then restart the scanner!
    Do you want to continue? (y/n)y
    Connect to ftp server 2.2.2.2 ...
    Please wait...
    Get file from ftp server OK.
    Get file OK.
    MD5 verification succeed!
    KDB files restoration completed
    Scanner restart completed
  5. Go to System > FortiGuard to verify the updated versions.
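The reassembly in step 2 has one pitfall worth guarding against: a plain cat or copy over the pae_kdb.zip.* glob joins the parts in lexical order, so with ten or more parts pae_kdb.zip.10 lands before pae_kdb.zip.2 and the archive is silently corrupted. The following script is an added example for a Linux staging host, not code from the FortiNDR guide or from Fortinet: it joins the parts in numeric order, confirms the result carries the zip "PK" signature, checks an MD5 sum if one is published, and extracts pae_kdb.tar.gz for upload to the FTP or TFTP server. The part naming pae_kdb.zip.<N>, the sidecar file name and the md5sum format are assumptions; adjust them to what the support site actually delivers.

```shell
#!/bin/sh
# Added example (not from the FortiNDR guide): reassemble the split pae_kdb
# download on a Linux staging host and sanity-check it before copying the
# extracted pae_kdb.tar.gz to the FTP/TFTP server used by "execute restore kdb".
# Assumptions: parts are named <base>.<N> (pae_kdb.zip.1, pae_kdb.zip.2, ...),
# and an optional md5sum-style sidecar holds the sum of the complete archive.

# join_parts BASE: concatenate BASE.<N> in numeric order into BASE.
# "cat BASE.*" relies on the shell's glob order, which is lexical, so with ten
# or more parts BASE.10 is read before BASE.2. Sorting on the numeric suffix
# restores the correct byte order.
join_parts() {
    base=$1
    rm -f "$base"                      # start from a clean output file
    ls "$base".* 2>/dev/null \
        | awk -F. '$NF ~ /^[0-9]+$/ { print $NF, $0 }' \
        | sort -n \
        | cut -d' ' -f2- \
        | while IFS= read -r part; do
              cat "$part" >> "$base"
          done
    [ -s "$base" ]                     # fail if no numbered parts were found
}

# is_zip FILE: every zip record (local header, central directory, end record,
# spanned-archive marker) begins with the signature bytes 0x50 0x4b ("PK").
# A join that started with the wrong part normally puts other bytes there.
is_zip() {
    [ "$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')" = "504b" ]
}

# verify_md5 FILE SUMFILE: compare FILE against the first field of SUMFILE,
# i.e. the "<md5>  <name>" line format written by md5sum.
verify_md5() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage: sh prepare_kdb.sh pae_kdb.zip [pae_kdb.zip.md5]
# Produces pae_kdb.tar.gz in the current directory, ready to upload.
if [ $# -ge 1 ]; then
    join_parts "$1" || { echo "no parts found for $1" >&2; exit 1; }
    is_zip "$1"     || { echo "$1 does not look like a zip archive" >&2; exit 1; }
    if [ $# -ge 2 ]; then
        verify_md5 "$1" "$2" || { echo "MD5 mismatch for $1" >&2; exit 1; }
    fi
    unzip -o "$1"
fi
```

Run it in the directory holding the downloaded parts; a non-zero exit means the archive should not be staged for execute restore kdb. The device performs its own MD5 check after the transfer, as the sample output above shows, but catching a mis-ordered join on the staging host avoids a multi-GB upload that only fails at that point.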

To schedule FortiGuard updates:
  1. Go to System > FortiGuard.
  2. In the FortiGuard Updates area, enable Scheduled Updates.

  3. From the frequency dropdown, select Daily or Weekly.
  4. In the Hours field, enter a numeric value for the frequency.
  5. Click OK.
