FortiGuard
FortiNDR relies on many local DB updates and some cloud lookups for detections to work. By default, the factory configuration of FortiNDR has local DBs such as IPS and botnet loaded. Upon initial install it is important to get the most recent updates for accurate detection. The best way to get and install these updates is with an Internet connection. For offline deployments, please refer to Appendix D - FortiGuard Updates. To view a list of updates, go to System > FortiGuard.
The latest version of the NDR packages can be updated offline using the following CLI command:
execute restore ipsdb/avdb/kdb [disk/tftp/ftp] filename
Please refer to Appendix D - FortiGuard Updates and CLI guide for more detail.
Use System > FortiGuard to view or update the version of the Entitlements of your machine. You can update the version of an entitlement using the GUI or CLI. The ANN (artificial neural network) database used for malware detection is several GB in size, so using the CLI to update the ANN database locally might be faster.
The latest version and updates of ANN are at FortiGuard service update at https://www.fortiguard.com/services/fortindr.
Currently, FortiNDR retrieves ANN updates from US and EMEA FortiGuard servers. FortiNDR selects the update server based on proximity and location. Besides ANN updates, FortiNDR also uses an AV engine for additional file scanning and accuracy, and NDR and IPS engines for detecting network anomalies. Thus, regular updates to the AV/IPS/NDR databases are recommended. Note that AV signatures are used only when the ANN cannot determine if a file is malicious. If a file is determined to be malicious by the ANN, then the AV engine is not triggered.
To update the ANN database for malware detection using the GUI:
- Go to System > FortiGuard and click Check update.
- Click Update FortiGuard Neural Networks Engine.
This triggers an install of the new ANN.
Because the ANN update is several GB in size, this procedure might take several hours. You can log out of the GUI after the update has started.
To update the ANN database using the CLI:
- Go to the Fortinet support website and download the ANN network database files.
There are two ANN network databases: pae_kdb and moat_kdb. pae_kdb is split into about six to eight individual files that you have to download. There is only one moat_kdb.tar.gz because it is small and doesn't have to be split. After downloading the pae_kdb files, unzip them into pae_kdb.tar.gz.
- Unzip the downloaded files to pae_kdb.tar.gz and moat_kdb.tar.gz.
In Windows:
copy /B pae_kdb.zip.* pae_kdb.zip
Right-click the pae_kdb.zip package and click Extract All.
In Linux:
cat pae_kdb.zip.* > pae_kdb.zip
unzip pae_kdb.zip
- Put pae_kdb.tar.gz and moat_kdb.tar.gz on a disk that FortiNDR can access, such as a TFTP or FTP server, or a USB drive. If you use a USB drive, ensure its format is ext3 compatible, it has only one partition, and the file is in the root directory.
- Use the CLI command execute restore kdb to update the kdbs. Run this command once for pae_kdb.tar.gz and once for moat_kdb.tar.gz. For example, if pae_kdb.tar.gz and moat_kdb.tar.gz are in the FTP server (IP 2.2.2.2) home folder as /home/user/pae_kdb.tar.gz and /home/user/moat_kdb.tar.gz, then use these commands:
execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password
execute restore kdb ftp moat_kdb.tar.gz 2.2.2.2 user password
This is an example of the output:
# execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password
This operation will first replace the current scanner db files and then restart the scanner!
Do you want to continue? (y/n)y
Connect to ftp server 2.2.2.2 ...
Please wait...
Get file from ftp server OK.
Get file OK.
MD5 verification succeed!
KDB files restoration completed
Scanner restart completed
- Go to System > FortiGuard to verify the updated versions.
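The reassembly step in the Linux procedure above (cat pae_kdb.zip.* > pae_kdb.zip) depends on the part names sorting in the right order, and a truncated or mis-ordered join is only caught later when the appliance rejects the upload. The script below is an added example, not Fortinet's code or part of this guide: it joins the parts, checks the result against an expected SHA-256 digest, and runs the archive integrity test before the file is copied to the FTP or TFTP server. It assumes the parts are named pae_kdb.zip.<suffix> with suffixes that sort correctly (aa, ab, ... or 001, 002, ...), that sha256sum or shasum is installed, and that the expected digest is a placeholder you take from the download page if one is published there.

```shell
#!/bin/sh
# Added example (not Fortinet's code): reassemble split archive parts,
# verify the result, and only then hand it to the FortiNDR upload step.
# Assumptions: parts are <archive>.<suffix> and sort in the correct order;
# sha256sum or shasum exists; the expected digest comes from the download
# page (placeholder here, not a real FortiGuard value).
set -eu

# join_parts ARCHIVE: concatenate ARCHIVE.* in sorted name order into ARCHIVE.
# Returns 1 when no parts exist, so a missing download is not turned into
# an empty archive.
join_parts() {
    archive="$1"
    count=0
    for part in "$archive".*; do
        [ -f "$part" ] || continue          # unmatched glob stays literal; skip it
        if [ "$count" -eq 0 ]; then
            cat "$part" > "$archive"        # first part starts the output file
        else
            cat "$part" >> "$archive"
        fi
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# sha256_of FILE: print the hex SHA-256 digest with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: 0 if FILE's digest equals EXPECTED (any case).
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# archive_ok ARCHIVE: run unzip's built-in integrity test when unzip exists;
# a short or mis-ordered join fails here rather than on the appliance.
archive_ok() {
    if command -v unzip >/dev/null 2>&1; then
        unzip -tq "$1" >/dev/null 2>&1
    else
        echo "unzip not installed; skipping archive test for $1" >&2
    fi
}

# stage_archive ARCHIVE EXPECTED_SHA256: the complete pre-upload check.
stage_archive() {
    join_parts "$1" || { echo "no parts found for $1" >&2; return 1; }
    verify_sha256 "$1" "$2" || { echo "checksum mismatch for $1" >&2; return 1; }
    archive_ok "$1"
}

# Command-line use: sh stage_kdb.sh pae_kdb.zip <expected-sha256>
if [ "$#" -eq 2 ]; then
    stage_archive "$1" "$2"
fi
```

After stage_archive succeeds, unzip pae_kdb.zip to obtain pae_kdb.tar.gz and place it, with moat_kdb.tar.gz, on the server used by execute restore kdb; the MD5 check shown in the CLI output is then a second verification performed by the appliance itself.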
To schedule FortiGuard updates:
- Go to System > FortiGuard.
- In the FortiGuard Updates area, enable Scheduled Updates.
- From the frequency dropdown, select Daily or Weekly.
- In the Hours field, enter a numeric value for the frequency.
- Click OK.