
Administration Guide

Standalone, Center and Sensor operating mode

Starting in FortiNDR v7.4.0, FortiNDR supports three operating modes:

  • Standalone: Supports all the features and functionality of FortiNDR. FNR-1000F, VM16/32 and FNR-3500F can all operate in Standalone mode.
  • Center: Supports centralized management of configurations and data collected by sensors. Most, but not all, features and functionality are available.
    • FortiNDR 7.4 supports Center Mode for FNDR-3500F, VMCM (VM, KVM) and AWS.
    • Center Mode is supported in VMs. See Licensing.
  • Sensor: Supports Sensor configuration upon first login. A minimal set of features and functionality is available.
    • FortiNDR 7.4.0 supports Sensor mode in FNR-1000F and VM models (VM, KVM).
    • FortiNDR 7.4.1 supports Sensor mode in FNR-1000F and VM models (VM, KVM, AWS).

A separate image for each mode is available on the customer support website.

The mode you use is determined by the firmware image. A new firmware update package contains three types of firmware image (Standalone image, Center image, and Sensor image). After the Center and Sensor images are installed, the mode is displayed in brackets next to the image name at the top-left side of the GUI. A unit in Standalone mode does not display Center or Sensor next to the image name.

The following table identifies the features available in Standalone, Center, and Sensor modes and how they behave:

Feature

Standalone

Center

Sensor

Notes

Dashboard

In Center mode, the widgets are used to monitor the sensors.

Security Fabric

Security Fabric is configured in the Sensor mode or via the Center mode settings.

Attack Scenario

This feature is incidental in Sensor and Standalone modes.

Center mode collects and presents all Attack Scenarios reported from every Sensor connected to this Center.

Host Story

This feature is incidental in Sensor and Standalone modes.

Center mode consolidates and displays all Host Stories from all Sensors associated with the Center.

Virtual Security Analyst > Express Malware Analysis

Virtual Security Analyst > Static Filter

Static Filters, including the Allow List and Deny List, are employed in Center mode and associated with specific sensors. These filters provide users with the capability to formulate and modify an Allow or Deny list for targeted sensors.

Please note that these Static Filters cannot be set through the Sensor's GUI.

Virtual Security Analyst > NDR Muting

NDR Muting rules can be established in Center and Sensor mode. However, these rules only mask or hide specific NDR attack detections for that specific Center or Sensor. For instance, if you hide an attack on a Center, it does not automatically hide the same attack on the Sensor's user interface.

Virtual Security Analyst > ML Discovery

Neither the ML Discovery dashboard widget nor the ML Discovery module is available in Sensor mode.

Virtual Security Analyst > Device Enrichment

Virtual Security Analyst > ML Configuration

Netflow

Sensor mode maintains the same design and functionality for the Netflow Dashboard and Netflow Log as seen in Standalone mode.

Center mode's Netflow Dashboard and Netflow Log display the data collated from the Sensors.

System > Admin Profiles

In Center mode, users can select which Sensor(s) are linked with the current profile. If a Sensor is selected to be included in this Admin Profile, the profile user will be able to view and manage the corresponding Sensor when they log into the FortiNDR Center.

System > Center Settings

System > High Availability (HA)

Log & Report > Daily Feature Learned

In Center mode, the Log Settings can be configured to send the center's system event log to the syslog servers. Detection logs, including malware logs and NDR logs that record events occurring in the sensors, are sent directly from the sensors themselves. These sensors' syslog configurations can be edited and uploaded via the Center's System > Sensor Settings page using the Restore Configuration button.

FortiNDR Center and Licensing requirement

FortiNDR v7.4.0 and above supports running FNR-3500F in Center mode, managing up to 20 sensors. FNR-3500F has 8 hard disks by default (15TB), which can be expanded to 16 hard disks with 30TB (RAID 10). The more sensors and bandwidth the deployment has, the larger the disk size you should prepare for the Center.

FortiNDR Center VM will be available in Q4 2023 as a subscription service, with two license tiers (up to 10 sensors, or unlimited [up to 20]). Refer to the FortiNDR ordering guide for details.

Licensing

As of v7.4.0, the sensor NDR, ANN, Netflow (optional) and OT/SCADA (optional) security services are all licensed separately and required for all sensors to operate and detect attacks. Users of FNR-3500F can operate in Standalone or Center mode (not Sensor). If FNR-3500F is to be run as standalone, Netflow and OT security service licenses may be required.

In Center Mode, the system requires a Netflow license to access the Netflow module.

You cannot load a VM Center license directly to an existing FortiNDR VM (Sensor or Standalone mode), because they have a different SKU.

Dual Center mode support

Center mode supports both single and dual Center deployments. Data redundancy can be achieved with dual Centers. There is no synchronization between dual Centers, hence there are no geographical limitations. Users can connect to either Center's IP to view and filter sensor data by logging in with a standard browser.

Single NDR center support:

Dual NDR center support:

Sensor data is synchronized periodically between sensors and Center using HTTPS port 443. Connections are initiated by the sensor to the Center. For a complete list of FortiNDR ports required, see Appendix C: FortiNDR ports. If network issues occur, sensors resume synchronization after the network is restored. Last updates can be viewed from both sensors and Center, as follows:

Center’s view of status and last update to center:

Sensor’s view of status and last update to center:

For information about sensor operations, see Sensor Settings (Center Standalone).
