Administration Guide

ML Configuration

Go to the Virtual Security Analyst > ML Configuration page to view and edit the machine learning baseline features for traffic anomaly detection, as well as the status of the baseline training. You can also use the page to create IP range groups. ML Configuration is not available in Sensor mode.

The ML Configuration page has two tabs; the Source IP tab is always present, and the second tab depends on the operating mode:

  • Source IP: Use this tab to categorize IP ranges. Each group of IP ranges can be individually trained based on the ML configuration. This allows varying levels of severity to be applied to distinct IP ranges for custom anomaly detection.
  • Default (Standalone mode): Use this tab to view and adjust the machine learning baseline features for traffic anomaly detection and to monitor the status of baseline training.
  • Sensor Group ID (Center mode): Use this tab to set up IP ranges, each with its desired Severity and the features to be incorporated in the baseline. There is an additional option to specify the Sensor Group that this specific Source IP corresponds to. After changes are applied to a Source IP range in this tab, the associated Sensor Group automatically initiates baseline retraining.

The ML Configuration page displays the following information:

Source IP

The source IP address of the IP range.

Severity

The severity level assigned to the IP (Low, Medium, High or Critical).

Number of Features

The number of features enabled in the Default tab.

Last Modified Time

The date and time the ML configuration was modified.

Start Training Time

The date and time baseline training started.

End Training Time

The date and time baseline training was completed.

To customize the ML Configuration page:
  • In the table header, click the gear icon and select Best Fit Columns, Reset Table, or show or hide columns.
  • In a column header, click the ellipsis and select Resize to Contents or Group By This Column.

Source IP tab

When creating an IP range group, careful attention needs to be paid to the groupings and the number of features in the Source IP tab. Proper organization ensures that each IP range group functions correctly for effective anomaly detection.

Example:

The organization and categorization of IP ranges can have a significant effect on the ML baseline's functionality. In the image below, the second Source IP group consists of the IP range 172.19.122.0 with a Class C Netmask applied. This masks all IPs within the range 172.19.122.0/24.

However, the broad masking of the second group interferes with the functioning of the third Source IP group, which is set up exclusively for the IP 172.19.122.220. This is because the broader second group supersedes the more specific settings of the third group.
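The shadowing described above can be checked before a configuration is applied. The following is an added example, not FortiNDR code: it maps each Source IP Mask option to the prefix length the page gives (/24, /16, or the single host), and reports any group whose range lies entirely inside a group with a broader mask. The group names and the list of groups are constructed to mirror the page's example.

```python
# Added example (not FortiNDR code): check ML Configuration Source IP groups
# for the shadowing problem described on this page, where a group with a broad
# netmask (Class C = /24, Class B = /16) supersedes a group that names a
# single IP inside that range. Group names below are assumptions.
import ipaddress

# Netmask options as offered in the Source IP Mask setting, with the prefix
# length each one applies (no mask = the single host, /32).
NETMASK_OPTIONS = {
    "Do Not Apply Netmask": 32,
    "Apply Class C Netmask": 24,
    "Apply Class B Netmask": 16,
}


def mask_ip(ip: str, option: str) -> ipaddress.IPv4Network:
    """Return the range one Source IP group covers after its mask is applied.

    With no mask the group covers exactly one host; a Class C or Class B mask
    collapses every address in the /24 or /16 onto the same network, which is
    why changes inside that range are no longer treated as anomalous.
    """
    prefix = NETMASK_OPTIONS[option]
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_shadowed(groups):
    """Return (broad_group, shadowed_group) name pairs.

    A group is shadowed when another group with a shorter prefix (broader
    netmask) covers its whole range, because the broader group's settings
    supersede the more specific ones.
    """
    ranges = [(g["name"], mask_ip(g["source_ip"], g["mask"])) for g in groups]
    shadowed = []
    for broad_name, broad_net in ranges:
        for narrow_name, narrow_net in ranges:
            if broad_name == narrow_name:
                continue
            if (narrow_net.prefixlen > broad_net.prefixlen
                    and narrow_net.subnet_of(broad_net)):
                shadowed.append((broad_name, narrow_name))
    return shadowed


# Constructed configuration mirroring the page's example: the second group
# masks all of 172.19.122.0/24, the third names only the host 172.19.122.220.
EXAMPLE_GROUPS = [
    {"name": "group-1", "source_ip": "10.20.0.0", "mask": "Apply Class B Netmask"},
    {"name": "group-2", "source_ip": "172.19.122.0", "mask": "Apply Class C Netmask"},
    {"name": "group-3", "source_ip": "172.19.122.220", "mask": "Do Not Apply Netmask"},
]

if __name__ == "__main__":
    for broad, narrow in find_shadowed(EXAMPLE_GROUPS):
        print(f"{narrow} is shadowed by {broad}: the broader netmask supersedes it")
```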

To create an IP range group:
  1. Go to Virtual Security Analyst > ML Configuration.
  2. In the Source IP tab, click Create. The ML Configuration for Source IP pane opens.

    You cannot create an IP group if the baseline is training.

  3. Configure the source IP settings.

    Source IP and Severity

    Source IP

    Enter the source IP.

    Severity

    Select Low, Medium, High or Critical.

    Device Info

    Source IP Mask

    The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

    Select one of the following options:

    • Do Not Apply Netmask: This is the default.
    • Apply Class C Netmask: /24
    • Apply Class B Netmask: /16

    Destination IP Mask

    The Destination Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

    Select one of the following options:

    • Do Not Apply Netmask: This is the default.
    • Apply Class C Netmask: /24
    • Apply Class B Netmask: /16

    Source Device MAC Address

    Source device MAC address.

    Destination Device Model

    Device model such as: FortiGate, Workstation, IDRAC, etc.

    Destination Device Geolocation

    Device geographical country such as United States.

    Destination Device Category

    Device category such as: NAS, Virtual Machine, Firewall, etc.

    Destination Device Vendor

    Device vendor such as VMware, Dell, Synology, etc.

    Destination MAC Address

    Destination device MAC address.

    Destination Device OS

    Device operating system such as Windows, Linux, etc.

    Protocol and Application Behavior

    Transport Layer Protocol

    UDP, ICMP, TCP, etc.

    Application Layer Protocol

    TLS, HTTP, SMB, etc.

    Protocol/Application Behaviors/Action

    Specific application actions such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.

    Others

    Session Packet Size

    FortiNDR categorizes the packet size into 3 groups:

    • Small: Less than 100 bytes
    • Medium: 101 to 99999 bytes
    • Larger: Equal to and greater than 100000 bytes

    Destination Port

    Port number, such as 22, 445, a non-reserved port, etc.

    Source Port

    Port number, such as 22, 445, a non-reserved port, etc.

  4. Click Apply.

Default Tab

View and adjust the machine learning baseline features for traffic anomaly detection and monitor the status of baseline training. Typically, baselining traffic takes 7 days. Choosing different features to train a new baseline causes the ML system to start another 7-day training period. The old baseline is discarded during re-training, and ML detection is not available during that time.

Tooltip

The CLI command execute reset-ml-baseline-time can be used to shorten the baselining time and commit training. For details, see the FortiNDR CLI reference guide.

Note

The following features are enabled by default: Source Device IP, Destination Device IP, Destination Device Geolocation, Transport Layer Protocol, Application Layer Protocol, Protocol/Application Behaviors/Action, Destination Port.

We do not recommend editing these features unless you have a strong understanding of what they do.

The Default tab displays the following information and features:

Status

Baseline Status

The current baseline training status:

  • Baselining: The current training is still in progress.
  • Baseline ready: The baseline training is done and is ready for anomaly detection.

ML Discovery Detection

Click to Enable or Disable baseline training.

Latest Training Completion

The date and time of the last baseline training.

Feature Enabled for Learning

Default Feature Configuration

Click to enable the default ML configuration settings.

Severity

Select Low, Medium, High or Critical.

Device Info

Source IP Mask

The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

Select one of the following options:

  • Do Not Apply Netmask: This is the default.
  • Apply Class C Netmask: /24
  • Apply Class B Netmask: /16

Destination IP Mask

The Destination Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

Select one of the following options:

  • Do Not Apply Netmask: This is the default.
  • Apply Class C Netmask: /24
  • Apply Class B Netmask: /16

Source Device MAC Address

Source device MAC address.

Destination Device Model

Device model such as: FortiGate, Workstation, IDRAC, etc.

Destination Device Geolocation

Device geographical country such as United States.

Destination Device Category

Device category such as: NAS, Virtual Machine, Firewall, etc.

Destination Device Vendor

Device vendor such as VMware, Dell, Synology, etc.

Destination MAC Address

Destination device MAC address.

Destination Device OS

Device operating system such as Windows, Linux, etc.

Protocol and Application Behavior

Transport Layer Protocol

UDP, ICMP, TCP, etc.

Application Layer Protocol

TLS, HTTP, SMB, etc.

Protocol/Application Behaviors/Action

Specific application actions such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.

Others

Session Packet Size

FortiNDR categorizes the packet size into 3 groups:

  • Small: Less than 100 bytes
  • Medium: 101 to 99999 bytes
  • Larger: Equal to and greater than 100000 bytes

Destination Port

Port number, such as 22, 445, a non-reserved port, etc.

Source Port

Port number, such as 22, 445, a non-reserved port, etc.

Sensor Group ID Tab (Center mode)

To create a Sensor Group in Center mode:

  1. Go to Virtual Security Analyst > ML Configuration.
  2. Click the Sensor Group ID tab.
  3. Click Create. The Sensor Group ID pane opens.
  4. Configure the group settings and click OK.

    Sensor Group

    Sensor Group

    This value is populated by the system.

    Sensor Selection

    Click the plus (+) sign to select the sensor and then click Close.

    Feature Enabled for Learning

    Default Feature Configuration

    Click to enable the default ML configuration settings.

    Severity

    Select Low, Medium, High or Critical.

    Device Info

    Source IP Mask

    The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

    Select one of the following options:

    • Do Not Apply Netmask: This is the default.
    • Apply Class C Netmask: /24
    • Apply Class B Netmask: /16

    Destination IP Mask

    The Destination Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly.

    Select one of the following options:

    • Do Not Apply Netmask: This is the default.
    • Apply Class C Netmask: /24
    • Apply Class B Netmask: /16

    Source Device MAC Address

    Source device MAC address.

    Destination Device Model

    Device model such as: FortiGate, Workstation, IDRAC, etc.

    Destination Device Geolocation

    Device geographical country such as United States.

    Destination Device Category

    Device category such as: NAS, Virtual Machine, Firewall, etc.

    Destination Device Vendor

    Device vendor such as VMware, Dell, Synology, etc.

    Destination MAC Address

    Destination device MAC address.

    Destination Device OS

    Device operating system such as Windows, Linux, etc.

    Protocol and Application Behavior

    Transport Layer Protocol

    UDP, ICMP, TCP, etc.

    Application Layer Protocol

    TLS, HTTP, SMB, etc.

    Protocol/Application Behaviors/Action

    Specific application actions such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.

    Others

    Session Packet Size

    FortiNDR categorizes the packet size into 3 groups:

    • Small: Less than 100 bytes
    • Medium: 101 to 99999 bytes
    • Larger: Equal to and greater than 100000 bytes

    Destination Port

    Port number, such as 22, 445, a non-reserved port, etc.

    Source Port

    Port number, such as 22, 445, a non-reserved port, etc.

    Status

    Baseline Status

    The current baseline training status:

    • Baselining: The current training is still in progress.
    • Baseline ready: The baseline training is done and is ready for anomaly detection.

    ML Discovery Detection

    Click to Enable or Disable baseline training.

    Latest Training Completion

    The date and time of the last baseline training.
