Administration Guide

Appendix D: FortiGuard updates

For deployments with an Internet connection, FortiNDR by default gets its updates over the Internet from the FortiGuard Distribution Network (FDN). When FortiNDR cannot reach the Internet, you have the following options:

Malware artificial neural network (ANN) updates: You can update the ANN manually. These updates (several GB in size) can be obtained from the Fortinet support website (https://support.fortinet.com) with a registered support contract. The latest ANN version can be viewed at https://www.fortiguard.com/services/fortindr

Note

For v7.0.1 and later, the offline package files contain more data than the v1.0 and v7.0 packages, and the number of packages has increased as well.

Because the v7.0.1 packages carry additional data, they fail to load on earlier firmware versions. The v1.0/v7.0 ANN packages, however, can be loaded on v7.0.1 and later firmware. Download the packages that correspond to your firmware version from the support website.

For more information about loading offline packages, see the exec restore kdb, exec restore avdb, and exec restore ipsdb commands in the CLI Reference Guide. The IPSDB offline package includes three databases (network attacks, botnet, and JA3 encrypted attacks).

Other detection techniques:

The following table summarizes whether each detection technique works offline (without Internet access) and whether it can be updated manually. All of the detection techniques below can be updated via the FortiGuard Distribution Network when the Internet is reachable.

Detection technique                        | Supports offline manual update | Comments
-------------------------------------------|--------------------------------|------------------------------------------------------------------------------
Malware via ANN                            | Yes                            | Can be updated manually via GUI or with an offline package via CLI.
AV engine                                  | Yes                            | Shipped by default. Can be updated with Internet via GUI or with an offline package via CLI.
Botnet detection                           | Yes                            | Has DB by default. Can be updated with Internet via GUI or with an offline package via CLI.
Network attacks / Application control      | Yes                            | Has DB by default. Can be updated with Internet via GUI or with an offline package via CLI.
Encrypted attacks (via JA3)                | Yes                            | Has DB by default. Can be updated with Internet via GUI or with an offline package via CLI.
Weak cipher/vulnerable protocol detection  | NA                             | Comes with firmware; no updates required.
Device inventory                           | No                             | Looks up IoT services to determine device role/type/OS.
FortiGuard IOC                             | No                             | Requires Internet to look up URLs and IPs for associated web campaigns.
ML Discovery                               | NA                             | Local ML algorithm; updated via firmware.
Geo DB                                     | No                             | Comes with firmware and does not update often; supports FortiGuard update via Internet.

Updating the ANN database from FDS for malware detection (GUI)

To update the ANN database from FDS:
  1. Go to System > FortiGuard.
  2. Check the License Status to ensure there is a valid license.

    If the license is not valid:

    • The unit cannot update from FDS.
    • Ensure the unit is not on internal FDS and the unit has a subscription for FortiGuard Neural Networks engine updates & baseline.

  3. Click Check Update.

    If there are updates, an Update Now button appears and the Status column shows the components with updates.

  4. Click Update Now.

    Due to the size of databases, the update might take several hours depending on your Internet speed. During the update, check the Status column.

Updating ANN for malware detection (CLI)

FortiNDR uses both FortiGuard updates to its local databases and FortiGuard lookups to detect network anomalies. FortiNDR ships with a trained ANN, but you can update it before placing the solution live on the network. The current ANN version can be checked on the FortiGuard web page: https://www.fortiguard.com/services/fortindr. For the full list of updates, refer to Appendix D: FortiGuard updates. The section below discusses one of these updates: the ANN for malware detection.

The ANN (Artificial Neural Network) database enables malware scanning using the accelerated ANN. Unlike AV signatures, the ANN DB does not require daily updates; it is updated only once or twice a week to enable detection of the latest malware.

There are two ways to update the ANN: over the FDN (FortiGuard Distribution Network) if the Internet is available, or by downloading the package from the Fortinet support website after the product is registered.

FortiGuard update servers are currently available in the US, EMEA, and Japan. Depending on your location, a manual update might be faster. The average ANN update over the Internet takes about 1–2 hours; using the local CLI takes about 10 minutes.

To update the ANN database using CLI:

execute restore kdb {disk <filename> | ftp <filename> <server_ipv4> | scp <filename> <server_ipv4> | tftp <filename> <server_ipv4>}

To update the ANN database by downloading from FDN to the FortiNDR device:
  1. Format a USB drive in another Linux machine using the command fdisk /dev/sdc.

    Ensure the USB drive has enough capacity and create one partition using EXT4 or EXT3 format.

  2. Format sdc1 using the mkfs.ext4 /dev/sdc1 command.

    Note

    FortiTester is a good companion for FortiNDR because it can send a malware strike pack over protocols such as HTTP, SMB, and SMTP to simulate malware on the network. You can use FortiTester to generate malware traffic and test whether FortiNDR detects it.

  3. Copy moat_kdb_all.tar.gz and pae_kdb_all.tar.gz to the root directory of the USB drive (in this example, /AI_DB).

  4. Copy the files onto FortiNDR by mounting the USB drive on the FortiNDR device and running the execute restore kdb disk pae_kdb_all.tar.gz and execute restore kdb disk moat_kdb_all.tar.gz commands.

  5. To verify the ANN database in the GUI, go to System > FortiGuard. The latest version of ANN can be found on FortiGuard website: https://www.fortiguard.com/services/fortindr

  6. To verify the ANN database in the CLI, use the diagnose kdb command and check that there are four KDB Test Passed status lines.

Note

When you have finished using the USB or SSD drive, remove the drive from FortiNDR. Some disk-related CLI commands such as execute factoryreset, execute partitiondisk, or diagnose hardware sysinfo might treat the additional disk as the primary data partition.
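The USB preparation (steps 1 to 3) and the four-pass verification (step 6) of the procedure above, as an added example that is not part of the Fortinet guide: the block device path, the package directory, and the sample diagnose kdb lines are assumptions, and the exact diagnose kdb output format is not shown on this page.

```shell
#!/bin/sh
# Added example, not Fortinet's own tooling: prepare the offline ANN USB drive
# on a Linux host and check captured "diagnose kdb" output for the four
# "KDB Test Passed" lines the guide expects after both packages are restored.
# Assumptions: block device and package directory are passed as arguments;
# /dev/sdc and /AI_DB in the guide are only example values. The "${dev}1"
# partition name assumes a /dev/sdX style device, not /dev/nvme0n1 style.

# Count "KDB Test Passed" lines in text captured from "diagnose kdb".
# "|| true" keeps the count printed even when grep matches nothing (exit 1).
count_kdb_passed() {
    printf '%s\n' "$1" | grep -c 'KDB Test Passed' || true
}

# Succeed only when the captured output shows the expected four passes.
kdb_verify() {
    [ "$(count_kdb_passed "$1")" -eq 4 ]
}

# Refuse to repartition a disk that carries the host's root filesystem.
is_root_disk() {
    lsblk -no MOUNTPOINT "$1" 2>/dev/null | grep -qx '/'
}

# Create one EXT4 partition spanning the drive and copy both ANN packages to
# its root. Destructive: this wipes the partition table on "$dev".
prepare_usb() {
    dev="$1"; pkgdir="$2"
    is_root_disk "$dev" && { echo "refusing to wipe root disk $dev" >&2; return 1; }
    for f in moat_kdb_all.tar.gz pae_kdb_all.tar.gz; do
        [ -f "$pkgdir/$f" ] || { echo "missing package $pkgdir/$f" >&2; return 1; }
    done
    # fdisk script: new DOS label, one primary partition with default bounds, write.
    printf 'o\nn\np\n1\n\n\nw\n' | fdisk "$dev" >/dev/null || return 1
    mkfs.ext4 -q "${dev}1" || return 1
    mnt=$(mktemp -d) || return 1
    mount "${dev}1" "$mnt" || return 1
    cp "$pkgdir"/moat_kdb_all.tar.gz "$pkgdir"/pae_kdb_all.tar.gz "$mnt"/ || return 1
    sync
    umount "$mnt" && rmdir "$mnt"
    echo "packages copied; on FortiNDR run: execute restore kdb disk <package>" >&2
}

# Usage (as root): prepare_usb /dev/sdX /path/to/packages
# After both "execute restore kdb disk" commands, paste the "diagnose kdb"
# output into kdb_verify to confirm the four KDB Test Passed lines.
```

Remove the USB drive from FortiNDR once the restore has completed, as the Note above explains, so that disk-related CLI commands do not treat it as the primary data partition.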