FortiGuard
FortiNDR relies on many local database updates and some cloud lookups for its detections to work. The factory configuration of FortiNDR ships with local databases such as IPS and botnet signatures already loaded. After the initial installation it is important to get the most recent updates for accurate detection. The easiest way to get and install these updates is over an Internet connection. For offline deployments, refer to Appendix D: FortiGuard updates. To view a list of updates, go to System > FortiGuard.
The latest versions of the NDR packages can be updated offline using the following CLI command:
execute restore {ipsdb | avdb | kdb} {disk | tftp | ftp} <filename>
For ftp, the server address, username and password follow the filename, as in the kdb example later on this page. Refer to Appendix D: FortiGuard updates and the CLI guide for more detail.
Use System > FortiGuard to view or update the version of the entitlements on your machine. You can update them using the GUI or the CLI. The ANN (artificial neural network) database used for malware detection is several GB in size, so updating it locally through the CLI might be faster.
The latest version and updates of the ANN are available from the FortiGuard service page at https://www.fortiguard.com/services/fortindr.
Currently, FortiNDR retrieves ANN updates from US and EMEA FortiGuard servers, selecting the update server based on proximity and location. Besides the ANN, FortiNDR also uses an AV engine for additional file scanning and accuracy, and the NDR and IPS engines for detecting network anomalies, so regular updates to the AV, IPS and NDR databases are recommended. Note that AV signatures are used only when the ANN cannot determine whether a file is malicious; if the ANN determines that a file is malicious, the AV engine is not triggered.
To update the ANN database for malware detection using the GUI:
- Go to System > FortiGuard and click Check update.
- Click Update FortiGuard Neural Networks Engine.
This triggers an install of the new ANN.
Because the ANN update is several GB in size, this procedure might take several hours. You can log out of the GUI after the update has started.
To update the ANN database using the CLI:
- Go to the Fortinet support website and download the ANN database files. There are two ANN databases, pae_kdb and moat_kdb. pae_kdb is large and is split into about six to eight individual files that you have to download. There is only one moat_kdb.tar.gz because it is small and doesn't have to be split.
- Reassemble the downloaded pae_kdb parts into pae_kdb.zip and extract pae_kdb.tar.gz from it. Make sure the parts are joined in numeric order: the shell expands the wildcard in lexical order, which is only the numeric order if the part suffixes are zero-padded.
In Windows:
copy /B pae_kdb.zip.* pae_kdb.zip
Right-click the pae_kdb.zip package and click Extract All.
In Linux:
cat pae_kdb.zip.* > pae_kdb.zip
unzip pae_kdb.zip
- Put pae_kdb.tar.gz and moat_kdb.tar.gz on a disk that FortiNDR can access, such as a TFTP or FTP server, or a USB drive. If you use a USB drive, ensure its format is ext3 compatible, has only one partition, and the files are in the root directory.
- Use the CLI command execute restore kdb to update the kdbs. Run this command once for pae_kdb.tar.gz and once for moat_kdb.tar.gz. For example, if pae_kdb.tar.gz and moat_kdb.tar.gz are in the home folder of user on the FTP server 2.2.2.2 (/home/user/pae_kdb.tar.gz and /home/user/moat_kdb.tar.gz), use these commands:
execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password
execute restore kdb ftp moat_kdb.tar.gz 2.2.2.2 user password
The FTP password is given on the command line and FTP itself is unencrypted, so use a dedicated account on a server reachable only from the management network. The command replaces the current scanner database files and restarts the scanner, so detection is interrupted while the restore runs.
This is an example of the output:
# execute restore kdb ftp pae_kdb.tar.gz 2.2.2.2 user password
This operation will first replace the current scanner db files and then restart the scanner!
Do you want to continue? (y/n)y
Connect to ftp server 2.2.2.2 ...
Please wait...
Get file from ftp server OK.
Get file OK.
MD5 verification succeed!
KDB files restoration completed
Scanner restart completed
- Go to System > FortiGuard to verify the updated versions.
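The Linux step above joins the parts with cat pae_kdb.zip.* > pae_kdb.zip, which relies on the shell's wildcard order and, if one part failed to download, silently produces a truncated pae_kdb.zip that only fails later, when the restore runs on the appliance. The following Python script is an added example (not Fortinet's code) of doing the same reassembly on the admin workstation with the checks a practitioner would want before staging the file: it orders the parts numerically, refuses a sequence with a gap, compares the md5 of the assembled zip against a published value (the page does not say whether one is provided, so that is an assumption), verifies the zip CRCs, rejects member names with directory components, extracts, and confirms that pae_kdb.tar.gz is a readable gzip tar. The part naming pae_kdb.zip.001 and the sample archive built by build_sample_parts are constructed for the demonstration.

```python
"""Reassemble a split FortiGuard download (pae_kdb.zip.001, .002, ...) and check
it before staging pae_kdb.tar.gz for `execute restore kdb`. Added example, not
Fortinet code; the part naming and a vendor-published md5 are assumptions."""
import hashlib, io, os, re, tarfile, tempfile, zipfile

PART_RE = re.compile(r"^(?P<base>.+\.zip)\.(?P<num>\d+)$")  # assumed: pae_kdb.zip.001


def md5_of(path):
    """Stream the file through md5 so a multi-GB archive is never read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_parts(directory, base="pae_kdb.zip"):
    """Parts of `base` in numeric (not wildcard) order; refuse a sequence with gaps."""
    found = {}
    for name in os.listdir(directory):
        m = PART_RE.match(name)
        if m and m.group("base") == base:
            found[int(m.group("num"))] = os.path.join(directory, name)
    if not found:
        raise FileNotFoundError(f"no {base}.NNN parts in {directory}")
    missing = [n for n in range(1, max(found) + 1) if n not in found]
    if missing:
        raise ValueError(f"missing part(s) {missing} of {base}: download is incomplete")
    return [found[n] for n in sorted(found)]


def reassemble(directory, base="pae_kdb.zip"):
    """Concatenate the parts into <directory>/<base>; return (path, md5 hex digest)."""
    out_path = os.path.join(directory, base)
    with open(out_path, "wb") as out:
        for part in list_parts(directory, base):
            with open(part, "rb") as src:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    out.write(chunk)
    return out_path, md5_of(out_path)


def verify_and_extract(zip_path, expected_md5=None):
    """Check the published md5 (if any), the zip CRCs and member names, then extract
    and confirm every .tar.gz inside is a readable gzip tar. Returns the tarball names."""
    if expected_md5 is not None and md5_of(zip_path) != expected_md5.lower():
        raise ValueError("md5 mismatch: corrupt or tampered download")
    dest = os.path.dirname(zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        bad = zf.testzip()  # CRC-checks every member; None when all pass
        if bad is not None:
            raise ValueError(f"CRC error in zip member {bad}")
        names = zf.namelist()
        for n in names:  # plain file names only: no directories, no path traversal
            if not n or os.path.basename(n) != n or n in (".", ".."):
                raise ValueError(f"unexpected member name {n!r}")
        zf.extractall(dest)
    tarballs = [n for n in names if n.endswith(".tar.gz")]
    for n in tarballs:
        with tarfile.open(os.path.join(dest, n), "r:gz") as tf:
            tf.getmembers()  # walks every header; fails on a truncated or corrupt archive
    return tarballs


def build_sample_parts(directory, n_parts=4, drop_part=None):
    """Constructed test data, not a real FortiGuard download: a tiny pae_kdb.tar.gz
    zipped into pae_kdb.zip and split into n_parts files (drop_part omits one to
    simulate an incomplete download). Returns the md5 a vendor would publish."""
    payload = bytes(range(256)) * 64  # 16 KiB of made-up model bytes
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as tf:
        info = tarfile.TarInfo("model.bin")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("pae_kdb.tar.gz", tgz.getvalue())
    blob = buf.getvalue()
    size = -(-len(blob) // n_parts)  # ceiling division
    for i in range(n_parts):
        if i + 1 != drop_part:
            with open(os.path.join(directory, f"pae_kdb.zip.{i + 1:03d}"), "wb") as p:
                p.write(blob[i * size:(i + 1) * size])
    return hashlib.md5(blob).hexdigest()


def demo():
    """Happy path, then the missing-part failure, each in its own temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        published = build_sample_parts(d)
        path, md5 = reassemble(d)
        results["md5_matches"] = md5 == published
        results["extracted"] = verify_and_extract(path, expected_md5=published)
    with tempfile.TemporaryDirectory() as d:
        build_sample_parts(d, drop_part=3)
        try:
            reassemble(d)
            results["missing_part_error"] = None
        except ValueError as err:
            results["missing_part_error"] = str(err)
    return results
```

demo() exercises both the complete and the incomplete download on the constructed data. For a real download, call reassemble on the folder holding the parts and verify_and_extract on the returned path, then copy the extracted pae_kdb.tar.gz together with the separately downloaded moat_kdb.tar.gz to the FTP or TFTP server before running execute restore kdb.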
To schedule FortiGuard updates:
- Go to System > FortiGuard.
- In the FortiGuard Updates area, enable Scheduled Updates.
- From the frequency dropdown, select Daily or Weekly.
- In the Hours field, enter the hour (as a number) at which the scheduled update should run.
- Click OK.
FDS server override
In special cases such as network connection problems, there may be a need to force FDS updates to go to a specific server or set of servers instead of the default ones. By default, the FDS updater talks to fai.fortinet.net and update.fortiguard.net to get a list of nearby FDS servers and then uses the closest ones. The current list of FDS servers retrieved this way can be displayed with the CLI command:
diagnose fds list
If you want to use a specific server, you can specify the override servers to connect to. Note that both override-server-address-main and override-server-address-alt have to be set to get all the updates.
Example 1: Use specific IPs for the FDS servers and do not fall back to default servers if none of the specified override servers can be reached.
config system fortiguard update
set override-server-status enable
set override-include-default-servers disable
set override-server-port 443
set override-server-address-main 208.184.237.78 140.174.22.36
set override-server-address-alt 208.184.237.66
end
This configuration uses the servers 208.184.237.78 and 140.174.22.36 in place of fai.fortinet.net, and 208.184.237.66 in place of update.fortiguard.net, when downloading from FDS servers.
Example 2: The FortiNDR device cannot perform DNS lookups and a proxy is in use.
By default, a FortiNDR device will use the list of IPs returned from the FDS servers after initially talking to fai.fortinet.net and update.fortiguard.net. However, if a proxy server is used to connect to the FDS servers and you would like the DNS resolution to be done by the proxy server, the following configuration can be used:
config system fortiguard update
set override-server-status enable
set override-include-default-servers disable
set override-server-port 443
set override-server-address-main fai.fortinet.net
set override-server-address-alt update.fortiguard.net
set tunneling-status enable
set tunneling-address 192.168.1.50
set tunneling-port 8080
end
This setting defers the DNS resolution to the proxy server 192.168.1.50, and a proxy and/or firewall policy can then be written with FQDNs instead of individual FDS server IPs.