Administration Guide

Introduction

FortiNDR (On-premise) is Fortinet’s Network Detection and Response product, targeted for on-premises installation where no network metadata leaves the network, supporting OT and air-gapped infrastructure. FortiNDR form factors include appliances, VM/KVM and public cloud (BYOL), with distributed sensor and center support. FortiNDR can classify both network-based and file-based (malware) threats and provides network visibility, including East-West traffic in datacenter/cloud environments. The solution is equipped with artificial neural networks (ANN) to classify malware into attack scenarios, surface outbreak alerts and trace the source of malware infections. Network-based attacks such as intrusions, botnets, compromised IOCs, weak ciphers and vulnerable protocols can also be detected. Supervised and unsupervised machine learning (ML) continuously analyze metadata across networks to identify threats; remediation can be carried out via the Fortinet Security Fabric.

FortiNDR is a product family with both an on-premises option and FortiNDR Cloud, a SaaS-based offering. This administration guide covers the FortiNDR on-premises deployment.

FortiNDR is the next generation of Fortinet breach detection technology, using both ML and Artificial Neural Networks (ANN) to detect network anomalies and to deliver high-velocity malware detection and verdicts using patented Artificial Neural Networks (abbreviated ANN in this document; US patent US11574051B2).

FortiNDR combines Network Detection Anomaly features with ANN that scans and classifies malware in file-based attacks. These functions are usually performed by a security operations analyst, hence FortiNDR's concept of the Virtual Security Analyst TM, which is capable of the following:

  • Detect encrypted attacks (via JA3 hashes), and look for visits to malicious web campaigns, weak ciphers, vulnerable protocols, network intrusions and botnet-based attacks.
  • Profile traffic with ML and identify anomalies, with a user feedback mechanism.
  • Quickly detect malicious files through neural network analysis, including scanning of NFS file shares.
  • Analyze malware scientifically by classifying it based on its detected features, for example, ransomware, downloader, coinminer, and so on.
  • Trace the origins of an attack, for example, a worm infection.
  • Search for malware outbreaks using the similarity engine, by hash and by similar variants, across the network.
  • Take advantage of Fortinet's Security Fabric with FortiGate(s) and other Fortinet Security Fabric solutions, along with 3rd party API calls, to quarantine infected hosts.

The FortiNDR on-premises solution can run in both appliance and Virtual Machine formats. Please refer to the datasheet for hardware models and specifications. The VM comes with a VM16 or VM32 subscription license. For both form factors, Netflow and Operational Technology (OT)/SCADA are licensed separately. The Netflow license allows intake of Netflow data and its inspection for security detections, while the OT/SCADA license enables FortiNDR to detect and update industrial IPS and OT (Industroyer) malware classification, as well as identify OT applications for machine learning purposes. (See Appendix I for the list of supported OT applications.)

FortiNDR can receive network traffic and inspect files with its neural networks in several ways: sniffer mode, where it captures traffic from a network SPAN port (or a mirrored port when deployed as a VM); and integrated mode with FortiGate devices and input from other Fortinet devices (see the release notes for supported devices), with inline blocking through FortiOS AV profiles (7.0.1 and higher). You can also configure FortiNDR as an ICAP server to serve ICAP clients such as FortiProxy and Squid. All modes can operate simultaneously.

Key advantages of FortiNDR include the following:

  • Detect network anomalies with different techniques where traditional security solutions might fail. The NDR solution is passive: it analyzes network metadata and uses it to determine whether an attack is occurring. FortiNDR can:
  • Provide more context for attacks, such as the malware campaign name, the devices and users participating in a web campaign, intrusions and botnet attacks.
  • Trace and correlate the source of malware events, such as worm-based detections.
  • Upon detecting attacks or anomalies, perform manual and automatic mitigation (also known as Response) with Fortinet Security Fabric devices (such as FortiGate, FortiSwitch, FortiNAC), as well as with 3rd party solutions (via API calls).

FortiNDR software and licensing are not limited by the number of devices/IPs supported. Without this limit, the FortiNDR-1000F, for example, can easily support more than 10K IPs, which should be sufficient for most network deployments. For performance/sizing of other platforms, please consult your local Fortinet systems engineering team.