Administration Guide

Operating mode, protocols, and file type support

FortiNDR can perform both network anomaly detection and malware analysis using its Artificial Neural Network (ANN). If network anomaly detection is not needed and you prefer pure file analysis, the NDR functionality can be switched off with the CLI command "execute ndrd {on|off}".

For more information, see the FortiNDR CLI Reference Guide.

| Operating Mode | Supported Devices * | Communication Protocol | File/Malware Analysis Protocols Supported | NDR Network Anomalies Protocols Supported | Notes |
|---|---|---|---|---|---|
| Sniffer | | | HTTP, SMBv2, IMAP, POP3, SMTP, FTP | TCP, UDP, ICMP, ICMP6, TLS, HTTP, SMB, SMTP, SSH, FTP, POP3, DNS, IRC, IMAP, RTSP, RPC, SIP, RDP, SNMP, MYSQL, MSSQL, PGSQL, and their behaviors | Using a SPAN port or network TAP |
| Integrated | FortiGate | OFTP (v5.6-v6.x), HTTP2 (v7.0.1 FOS) | HTTP, HTTPS (with SSL decryption), SMTP, POP3, IMAP | | FortiGate v7.0.1 and later supports INLINE blocking with an AV profile |
| Integrated | FortiProxy | HTTP2 | HTTP, HTTPS (with SSL decryption), SMTP, POP3, IMAP | | |
| ICAP | FortiWeb | ICAP | HTTP, HTTPS | | Supports using FortiNDR as an ICAP server for multiple FortiGates, FortiWeb and FortiProxy devices, or for a third-party ICAP client such as Squid |
| ICAP | FortiProxy | ICAP | HTTP, HTTPS | | Supports using FortiNDR as an ICAP server for multiple FortiGates, FortiWeb and FortiProxy devices, or for a third-party ICAP client such as Squid |
| Other / API | FortiSOAR | HTTPS API upload | HTTPS | | Uses the API available from FortiNDR for file upload |
| Other / API | FortiMail | HTTPS API upload | HTTPS | | Uses the API available from FortiNDR for file upload |
| Other / API | FortiSandbox | HTTPS API upload | HTTPS | | Uses the API available from FortiNDR for file upload |
| Other / API | Scripts (refer to the Appendix for sample scripts) | HTTPS API upload | | | |
| Other / API | NFS and SMB file shares | SMB/NFS | | | Direct map and scan |

Supported file types for all operating modes:

32-bit and 64-bit PE, web-based, and text files, such as: EXE, PDF, MSOFFICE, DEX, HTML, ELF, ZIP, VBS, VBA, JS, HWP Hangul_Office, TAR, XZ, GZIP, BZIP, BZIP2, RAR, LZH, LZW, ARJ, CAB, _7Z, PHP, XML, POWERSHELL, BAT, HTA, UPX, ACTIVEMIME, MIME, HLP, BASE64, BINHEX, UUE, FSG, ASPACK, GENSCRIPT, SHELLSCRIPT, PERLSCRIPT, MSC, PETITE, ACCESS, SIS, HOSTS, NSIS, SISX, INF, E32IMAGE, FATMACH, CPIO, AUTOIT, MSOFFICEX, OPENOFFICE, TNEF, SWF, UNICODE, PYARCH, EGG, RTF, DLL, DOC, XLS, PPT, DOCX, XLSX, PPTX, LNK, KGB, Z, ACE, JAR, APK, MSI, MACH_O, DMG, DOTNET, XAR, CHM, ISO, CRX, INNO, THMX, FLAC, XXE, WORDML, WORDBASIC, OTF, WOFF, VSDX, EMF, DAA, GPG, PYTHON, CSS, AUTOITSCRIPT, RPM, EML, REGISTRY, PFILE, CEF, PRC, CLASS, JAD, COD, JPEG, GIF, TIFF, PNG, BMP, MPEG, MOV, MP3, WMA, WAV, AVI, RM, TOR, HIBUN

Note
  • A sample that cannot be parsed as one of the types above is categorized as Other. Detection of these types is not supported by the Artificial Neural Network (ANN).
  • The sniffer does not save unsupported file types, or supported file types that are corrupted. For example, if the traffic contains a corrupted ZIP file that cannot be unzipped, the sniffer does not save it to Log & Report > Malware Log.

FortiNDR supports quarantine via an incoming webhook from FortiOS 6.4 and later. For details, see the Release Notes. For FortiNDR to quarantine through FortiGate, you must provide the VDOM information to FortiGate. For details, see Automation Framework.

Supported file types for ANN:

For ANN-supported file types, the ANN processes the sample and provides a feature breakdown across different attack scenarios (such as ransomware, banking trojan, and so on). The supported types are: 32-bit and 64-bit PE, PDF, MSOFFICE, HTML, ELF, VBS, VBA, JS, PHP, HWP Hangul_Office, XML, POWERSHELL, UPX, ASPACK, NSIS, AUTOIT, MSOFFICEX, RTF, DLL, DOC, XLS, PPT, DOCX, XLSX, PPTX, DOTNET, INNO, IFRAME

Note

File types supported by the ANN are scanned by both the ANN and AV engines. All other supported file types are scanned by the AV engine only.
