Fortinet Document Library

Version: 1.1.0
Introduction

FortiAI is the next generation of Fortinet's malware detection technology.

FortiAI uses Artificial Neural Networks (ANN) to deliver a malware detection verdict in under a second.

The ANN emulates the work of a human malware analyst; this capability is called the Virtual Analyst (VA). In version 1.1, the VA can do the following:

  • Scientifically analyze malware by classifying malware based on features, for example, ransomware, downloader, coinminer, and so on.
  • Trace the origins of the attack, for example, worm infection.

Unlike traditional defenses, where malware detection relies on antivirus engines and signature updates, FortiAI is "pretrained" on over 20 million clean and malicious files, so it can make use of millions of features right out of the box. FortiAI's neural networks run on accelerated hardware in a 2U form factor. FortiAI-3500F can operate in two modes: sniffer mode and integrated mode (with FortiGate).

Key advantages of FortiAI include the following:

  • Reduce malware identification time from minutes to seconds. Traditional technology such as sandboxing extracts behaviors by executing the file in a VM inside the sandbox; FortiAI does not need to run or execute a file to obtain a verdict.
  • Provide extensive information about the malware attack by identifying the features used in the malware. This helps SOC analysts determine the intention of the malware or attack.
  • Correlate and link the source of the attack, for example, finding the source of a worm infection over SMB, so that SOC analysts can act on and fix the original problem: the patient zero on the network.
  • Show the big picture by presenting the forensic data of a malware attack to support threat investigation and incident analysis.

Using FortiAI

To use FortiGate to submit files to FortiAI, FortiGate must be running FortiOS 5.6.0 or later.

You must use CLI commands for initial device configuration. Some troubleshooting steps also use the CLI.

You can enable SSH access on the port1 administration interface or on any other administrative port set through the CLI, including RAID. You can also connect to the CLI using the console port.

Use the GUI to configure and manage FortiAI from a web browser on a management computer. We recommend using Google Chrome.

To connect to the FortiAI GUI:
  1. Assign an IP address to the port1 management interface using the following CLI commands (replace x.x.x.x with the management address for your network):
     config sys interface
         edit port1
             set ip x.x.x.x/24
         next
     end
  2. In a web browser (Chrome recommended), browse to https://192.168.1.88.

     Do not use TCP ports 443 or 9001 for other services, as they are needed by the GUI.

  3. Use admin as the name and leave the password blank. Click Login.

Operating mode and deployment options

FortiAI can operate in two modes. Each mode supports different protocols.

Operating mode                    | Supported protocols                 | Notes
----------------------------------|-------------------------------------|------------------------------------------------------------------
Sniffer mode                      | SMBv2 and HTTP                      | Ideal for DMZ, internal networks, and areas with heavy browsing traffic.
Integrated mode (with FortiGate)  | HTTP, SMTP, POP3, IMAP, MAPI, FTP   | Encrypted OFTP over SSL upload from FortiGate to FortiAI.

Similar to FortiSandbox, FortiAI supports sniffer and integrated modes either independently or simultaneously. For example, port2 can sniff multiple VLANs spanned across networks.

Note

For integrated mode, FortiOS 6.4 officially supports FortiGate and FortiAI integration; however, FortiOS 5.6 and later were tested. For details, see the release notes.
