New features and enhancements
The following is a summary of new features and enhancements in version 7.6.0. For details, see the FortiNDR 7.6.0 Administration Guide in the Document Library.
Security Enhancements
Netflow and ML Detections
- Introduced Netflow ML Discovery and Netflow ML Configuration to the Netflow module.
- Netflow ML Discovery: The Netflow ML Discovery monitor displays a list of anomalies detected by Netflow ML Configuration.
- Netflow ML Configuration: Configure the Machine Learning (ML) profile of network traffic to identify anomalies.
- The Netflow ML Discovery widget was added to the Netflow dashboard. This widget provides a brief summary of the current Netflow ML baselining status and the number of anomalies detected in the selected time period.
- Suspicious Netflow traffic (matching the botnet, proxy, spam, TOR IP or phishing databases) is now treated as a detection, for which FortiNDR sends syslog and CEF logs. Enforcement profiles and automation are not supported for these detections at this stage.
Global Internal Query Language and tagging for Investigation
- Users can copy and paste system defined queries, as well as customized queries to query the database of network metadata collected. This feature is supported on FortiNDR-3600G only (available Oct 2024).
Malware Observed and Attack Scenario
- Host Story has been renamed Malware Observed and relocated to the Network Insights module. Attack Scenario has been moved under Network Insights and renamed Malware Attack Scenario.
MITRE ATT&CK
- Expanded the MITRE ATT&CK matrix to include ICS techniques. These techniques are also displayed as a widget in the NDR Overview dashboard.
File type pre-filter
- FortiNDR can now apply a pre-scan profile to include or exclude certain file types (for example, MS Office, PDF, and text documents). This is a CLI feature; refer to execute filetype-prefilter for details.
S3 bucket scan
- FortiNDR can now map to an S3 bucket for malware scanning.
OT Enhancements
IOT device identification
- IOT device identification queries, previously sent to FortiGuard servers, are now answered locally inside FortiNDR once its databases have been updated from the FortiGuard servers. The databases in use can be found under System > FortiGuard: IOT Single and IOT Range.
New IOT column fields under the OT Devices tab
- FortiNDR now supports detecting OT devices, firmware, versions and product information by inspecting OT traffic using OTAPPDB.
Purdue model View
- FortiNDR now supports displaying OT devices in the Purdue model under Network Insights > Device Inventory. The Purdue level of each device is configurable in the GUI, and device traffic and Purdue level are plotted in the topology view.
System Enhancements
Log & Report
- Introduced a Forensics tab under Log & Report > NDR Log to allow users to view and download packet capture information. This tab is used when Conditional Attack PCAP is configured and enabled with the CLI.
API to retrieve malware files
- A new API was introduced to support downloading infected files.
Email alert settings
Two new triggers were added to the email alert settings:
- Netflow: Netflow Suspicious Activity
- Netflow: Netflow Machine Learning Detection
Artifact storage
- Introduced Artifact Storage under the System module to manage storage profiles and PCAP configuration. This external storage is used for attack PCAP storage.
FortiGuard Anycast servers support
- By default, FortiNDR now uses the Anycast FortiGuard server globalupdate.fortinet.net instead of the unicast server update.fortiguard.net to download the latest IOT DB for device classification.
System integration and support
FortiManager support
- FortiGuard database updates can be downloaded directly from FortiManager (starting in FortiManager v7.6.2).
ML baseline
The ability to back up and restore the ML baseline has been added. This is useful when the device is replaced or undergoes the RMA process. This is a CLI-based feature; see execute backup system-db ml-baseline.
New hardware model support
FortiNDR-3600G is released as a center-only appliance with global investigation query and tagging features (not supported on CM-VM).
Common Event Format (CEF) support
FortiNDR can now send out CEF formatted logs. This is a CLI-only feature; refer to config system syslog settings, set format {default|cef}.
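Switching a syslog destination to set format cef means the receiving SIEM must split the seven pipe-delimited header fields and the key=value extension correctly, including the CEF escapes for pipe, equals and backslash. The parser below is an added example, not Fortinet's code. The sample records are constructed for illustration: the signature IDs and extension keys in them are assumptions, not FortiNDR's documented CEF schema, so take the real field names from the Administration Guide.

```python
"""Parse CEF (Common Event Format) syslog records and pull out the fields a
SIEM rule would key on.  Added example, not Fortinet's code.  SAMPLE_LINES are
constructed; their signature IDs and extension keys are hypothetical."""
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# A key starts at the beginning of the extension or after whitespace and is
# followed by '='.  An escaped '\=' inside a value never matches because the
# key character class excludes the backslash.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")

# Constructed sample records (hypothetical IDs and keys, see module docstring).
# The third line is a non-CEF record to show that it is skipped, not mis-parsed.
SAMPLE_LINES = [
    r"<134>Oct 10 12:00:01 ndr-sensor CEF:0|Fortinet|FortiNDR|7.6.0|netflow_ml|"
    r"Netflow Machine Learning Detection|8|src=10.0.0.5 dst=198.51.100.9 dpt=443 "
    r"msg=anomaly score\=0.93 on sensor\=1 cs1Label=Profile cs1=Default Profile",
    r"<134>Oct 10 12:00:02 ndr-sensor CEF:0|Fortinet|FortiNDR|7.6.0|netflow_suspicious|"
    r"Suspicious Netflow \| TOR exit|5|src=10.0.0.7 dst=203.0.113.4 dpt=9001 act=log",
    "<134>Oct 10 12:00:03 ndr-sensor date=2024-10-10 time=12:00:03 msg=not cef",
]


def _unescape(value: str) -> str:
    """Resolve CEF escapes: '\\|', '\\=', '\\\\', and '\\n' / '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        c = body[i]
        if c == "\\" and i + 1 < len(body):       # keep escaped char literally
            buf.append(body[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < len(HEADER_FIELDS):           # ran out of pipes: malformed
        fields.append("".join(buf))
        return fields, ""
    return fields, body[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its '=' to the start of the next key (or the end)."""
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line; raises ValueError if it carries no valid CEF record."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    header, ext = _split_header(line[idx + len("CEF:"):])
    if len(header) != len(HEADER_FIELDS):
        raise ValueError("CEF header needs %d fields, got %d" % (len(HEADER_FIELDS), len(header)))
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    sev = str(rec["severity"])
    rec["severity"] = int(sev) if sev.isdigit() else sev  # CEF allows 0-10 or a word
    rec["extension"] = _parse_extension(ext)
    return rec


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every CEF line, silently skipping records that are not CEF."""
    records = []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            continue
    return records


def high_severity(records: List[Dict[str, object]], threshold: int) -> List[Dict[str, object]]:
    """Records whose numeric severity is at or above the threshold."""
    return [r for r in records if isinstance(r["severity"], int) and r["severity"] >= threshold]


if __name__ == "__main__":
    for rec in high_severity(parse_all(SAMPLE_LINES), 7):
        ext = rec["extension"]
        print(rec["signature_id"], rec["name"], ext.get("src"), "->", ext.get("dst"))
```

The header splitter stops after the seventh pipe so that unescaped pipes in the extension (which the spec permits) are not treated as header delimiters, and values are unescaped only after the key boundaries have been found.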
Endace support
A new Security Fabric connector for Endace is supported. Once configured, users can pivot from the Forensics tab under NDR Log to Endace for PCAP analysis. This can be used instead of the FortiNDR Conditional Attack PCAP feature so that users do not experience performance degradation.
CLI
New CLI commands:
- execute filetype-prefilter sniffer [file-type-groups]: Set the file types to be processed in sniffer mode.
- execute backup system-db ml-baseline: Back up FortiNDR ML baseline information in Standalone or Center mode.
- execute restore system-db ml-baseline: Restore FortiNDR ML baseline information in Standalone or Center mode.
- execute export top-queries: Export the FortiNDR top queries as a password-protected zip file.
- config system ndr settings: A new otapp option was added to the ips-dbs setting. New settings were introduced to manage PCAP capturing, with support for local and remote storage.
- config system syslog fortianalyzer settings: Added support for the new Netflow anomaly and ML detection logs.
- config system syslog1 settings: Added support for the new Netflow anomaly and ML detection logs, and for the CEF log format.
- config system syslog2 settings: Added support for the new Netflow anomaly and ML detection logs, and for the CEF log format.
- execute filetype-prefilter: Enhanced to include file type groups, so users can choose which file types to process.
Updated CLI commands:
- exec reset-ml-baseline-time netflow: Enhanced to include a sensor group ID.
- diagnose hardware sensorinfo: Now supported on FortiNDR 3500F, 1000F and 3600G.
- config system interface: The set sniffer {off | ndrd | snifferd} option was added. Use this option to change the sniffer mode of the network interface.
- execute cleanup netflow_ml: Added support to clean up all Netflow ML Discovery logs.
- execute raidlevel: Added support for disk encryption on the FortiNDR 1000F and 3600G platforms.
- diagnose debug: Added debugging for the ctrl/sync daemon in Center and Sensor mode.