AI Threat Analytics

Through the FortiADC integration with Fortinet AI Threat Analytics, you can forward FortiADC security logs to FortiWeb Cloud, where the AI-based Threat Analytics engine identifies unknown attack patterns by parsing all FortiADC security logs and then aggregating similar or related security logs into meaningful security incidents. You can then use these identified attack patterns to protect your application against the identified threats.

AI Threat Analytics is not supported in AWS, AWS On-Demand, GCP On-Demand, and Azure On-Demand platforms.

Prerequisites for using AI Threat Analytics for FortiADC security logs:
  • You must have a valid AI Threat Analytics service license.
  • You must have the AI Threat Analytics service enabled in FortiADC.

14-day Evaluation license

A 14-day Evaluation license is offered to customers who would want to evaluate the AI Threat Analytics service. This 14-day Evaluation license can only be used once. To activate the 14-day Evaluation license, enable the Threat Analytics connector from Security Fabric > Fabric Connectors. During this 14-day trial period, you can disable and re-enable AI Threat Analytics anytime. The 14-day trial period starts from the first time Threat Analytics is enabled.

When you are ready to purchase the full license with the Threat Analytics service, contact the Fortinet Sales team.

Overview

Fortinet AI Threat Analytics leverages machine learning algorithms to identify attack patterns across your entire application attack surface and aggregate them into comprehensible security incidents. The solution separates significant threats from informational alerts and false positives by identifying patterns and assigning a severity to help your security team focus on the threats that matter.

AI Threat Analytics parses through all FortiADC attack logs and aggregates the attack events, grouping them into incidents by common characteristics. These groupings can allow you to identify attack patterns such as which attack types occur the most frequently, or which source IP is the most malicious.

You can drill down to view incident details by clicking the incident number. Incident Details include information such as the attack type, the target application, and source IPs.

You can use predefined tags for AI Threat Analytics incidents. You can edit the tag name according to your needs to help in labeling the incidents for future usage, such as sorting, filtering, and acknowledging incidents.

To enable AI Threat Analytics:
  1. Contact the Fortinet Sales team to purchase a license with the Fortinet AI Threat Analytics service, then register the license on the Fortinet Support site: https://support.fortinet.com/.
  2. Log in to FortiADC.
  3. Go to System > FortiGuard and log in to your Fortinet Support Contract.
    You must be logged in to your Fortinet Support Contract to connect FortiADC with the AI Threat Analytics service, because FortiWeb Cloud requires your Email ID to connect.
  4. In the Dashboard > Status License widget, check the status of AI Threat Analytics. The status should be displayed as Valid.
  5. Go to Security Fabric > Fabric Connectors. Under Other Fortinet Products section, locate the Threat Analytics connector.
  6. Enable the Threat Analytics connector.

    Note: When enabling the Threat Analytics connector for the first time, it may take 5-10 minutes to connect.
  7. Once the Threat Analytics connector successfully connects FortiADC to the Fortinet AI Threat Analytics service, a new local certificate and CA will be created. Check the certificates and CA to ensure they are present.
    1. Go to System > Manage Certificates to locate the new local certificate with the name Threat_analytics_cert_<date_of_today>.
    2. Go to System > Verify to locate the new CA with the name Threat_analytics_CA_<date_of_today>.
    3. A new syslog global_remote server will be created with the FQDN address type and with the comment "fweb_cloud".
      The remote syslog server capacity is three. Before enabling AI Threat Analytics, ensure that at least one of the three syslog server entries is free, because enabling AI Threat Analytics creates a new remote syslog server entry.
  8. Wait to allow FortiADC to generate attack logs and forward them to FortiWeb Cloud.
  9. Log in to FortiWeb Cloud with the account you used when registering your license on the Fortinet Support site.

Do not delete or modify the syslog remote and certificate/CA entry. AI Threat Analytics cannot be functional without these configurations.
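The pre-enable capacity check (step 7.3) and the post-enable verification of the certificate, CA and "fweb_cloud" syslog entries (step 7) can be scripted against an exported configuration inventory. The following is an added example, not code from the FortiADC handbook or product; the snapshot structure and field names are assumptions standing in for whatever inventory you collect from the device, and the requirement that the certificate and CA carry the same date suffix follows from the naming described above.

```python
import re

# Constructed FortiADC configuration snapshot for illustration; the field
# names are assumptions, not FortiADC's CLI or REST output.
SNAPSHOT = {
    "local_certs": ["Factory", "Threat_analytics_cert_2024-05-14"],
    "ca_certs": ["Fortinet_CA", "Threat_analytics_CA_2024-05-14"],
    "syslog_remote": [
        {"name": "siem1", "address_type": "ip", "comment": "corporate SIEM"},
        {"name": "fweb_cloud_1", "address_type": "fqdn", "comment": "fweb_cloud"},
    ],
}
SYSLOG_CAPACITY = 3  # handbook: the remote syslog server capacity is three

CERT_RE = re.compile(r"^Threat_analytics_cert_(\S+)$")
CA_RE = re.compile(r"^Threat_analytics_CA_(\S+)$")


def syslog_slot_available(snapshot):
    """Pre-enable check: enabling creates one more remote syslog entry,
    so at least one of the three slots must still be free."""
    return len(snapshot["syslog_remote"]) < SYSLOG_CAPACITY


def _first_match(names, pattern):
    """Return (name, date_suffix) of the first name matching pattern."""
    for name in names:
        m = pattern.match(name)
        if m:
            return name, m.group(1)
    return None, None


def check_threat_analytics_artifacts(snapshot):
    """Post-enable check for step 7: the connector-created local certificate,
    CA and 'fweb_cloud' FQDN syslog server must all be present and consistent."""
    cert, cert_date = _first_match(snapshot["local_certs"], CERT_RE)
    ca, ca_date = _first_match(snapshot["ca_certs"], CA_RE)
    syslog = next((s for s in snapshot["syslog_remote"]
                   if s.get("comment") == "fweb_cloud"), None)
    problems = []
    if cert is None:
        problems.append("local certificate Threat_analytics_cert_<date> missing")
    if ca is None:
        problems.append("CA Threat_analytics_CA_<date> missing")
    if cert and ca and cert_date != ca_date:
        problems.append("certificate and CA dates differ: %s vs %s" % (cert_date, ca_date))
    if syslog is None:
        problems.append("remote syslog server with comment 'fweb_cloud' missing")
    elif syslog.get("address_type") != "fqdn":
        problems.append("fweb_cloud syslog server is not of FQDN address type")
    return {"ok": not problems, "cert": cert, "ca": ca,
            "syslog": syslog["name"] if syslog else None, "problems": problems}
```

Running the post-enable check on a schedule also catches the accidental deletion or modification of these entries that the note above warns against.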

AI Threat Analytics in VDOM

When AI Threat Analytics is enabled in a VDOM, Override in the Syslog Server configuration is disabled so that the global syslog server is used. If you had previously enabled Override in the Syslog Server configuration, the default global syslog server list is removed, and you can use a new syslog server list defined specifically in the VDOM. By default, the new syslog remote server is also created in all VDOMs that have AI Threat Analytics enabled, which disables Override so that the global syslog server is used.

When AI Threat Analytics is enabled, it will always use the global or root DNS, and not the VDOM's DNS.

AI Threat Analytics in HA

In HA mode, only the primary node connects to the FortiWeb Cloud server for the Fortinet AI Threat Analytics service. The certificate and syslog configurations from the primary unit are then synchronized to the secondary unit. This workflow prevents the HA synchronization issues that can arise when both the primary and secondary nodes connect to FortiWeb Cloud at the same time. Once the primary node is connected to the AI Threat Analytics service, the secondary node synchronizes the connection status and shows as "Connected".