FortiAI is the next generation of Fortinet's malware detection technology, using Artificial Neural Networks (ANN) which can deliver sub-second malware detection and verdict.
ANN is able to mimic human behavior using the Virtual Security Analyst (VSA). In this version, the VSA can do the following:
- Analyze malware scientifically by classifying malware based on its detected features, for example, ransomware, downloader, coinminer, and so on.
- Trace the origins of the attack, for example, worm infection.
- OutBreak search can use the similarity engine to search for malware outbreaks with hashes and similar variants in the network.
- Take advantage of Fortinet's Security Fabric with FortiGate(s) to quarantine infected hosts.
Unlike traditional defenses where malware detection relies on antivirus engines and signatures updates, FortiAI is pretrained with over 20 million clean and malicious files, so that FortiAI can extract millions of features that are available in the box. FortiAI's neural networks run in a 2U form factor using accelerated hardware with a custom GPU such as FortiAI-3500F, as well as using VMs with 16 or 32 vCPU support.
FortiAI can operate in one or both modes: sniffer mode and integrated mode with FortiGate devices.
Key advantages of FortiAI include the following:
- Reduce malware identification time from minutes to seconds, unlike traditional technology like sandboxing where behaviors are extracted from file execution when the file is run in a VM within the sandbox. FortiAI does not need to run or execute a file to get a verdict.
- Provide extensive information about the malware attack by identifying the features used in the malware. This helps SOC analysts to determine the intention of the malware or attack.
- Correlate and link the source of attack, for example, finding the source of the worm infection over SMB, so that SOC analysts can act and fix the original problem—the patient-zero on the network.
- Show the big picture to assist in the threat investigation of malware attack forensic data for incident analysis.
- Participate in Fortinet Security Fabric with FortiGate NGFW for quarantine.
To use FortiGate to submit files to FortiAI, FortiGate must be running FortiOS 5.6.0 or later. For quarantine, FortiOS 6.4.0 and higher supports using a FortiOS automation stitch with an incoming webhook.
Use the CLI for initial device configuration. You can enable SSH access on the port1 administration interface or any other administrative port set through the CLI command including RAID. You can also connect to the CLI using the console port. Some troubleshooting steps also use the CLI.
Use the GUI to configure and manage FortiAI from a web browser on a management computer. We recommend using Google Chrome.
To connect to the FortiAI GUI:
- Connect to the port1 management interface using the following CLI commands:
    config sys interface
        edit port1
            set ip x.x.x.x/24
    end
- In a web browser (Chrome recommended), browse to
The GUI requires TCP port 443.
- Use admin as the name and leave the password blank. Click Login.
FortiAI can operate in two modes. Each mode supports different protocols.
|Operating mode||Supported protocols||Notes|
|Sniffer mode||SMBv2, HTTP, SMTP, POP3, IMAP||Ideal for DMZ, internal networks, and areas with heavy browsing traffic. Supports 32-bit and 64-bit portable executable (PE) files including DLLs and self-extracting zip files.|
|Integrated mode (with FortiGate)||HTTP, SMTP, POP3, IMAP, MAPI, FTP||Encrypted OFTP over SSL upload from FortiGate to FortiAI. Supports file submission from FortiOS 6.2 and higher (compatible with version 5.6 and higher). Supports quarantine with incoming webhook from FortiOS 6.4 and higher. For details, see the Release Notes.|

Manual and REST API uploads support .tar, .gz, .tar.gz, .tgz, .zip, .bz2, and .rar.
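
The notes above name the supported file types: 32-bit and 64-bit PE files including DLLs, and the archive extensions accepted for manual and REST API upload. The following added example (not Fortinet code) shows how to check a file against those types before submitting it, reading the PE headers rather than trusting the file name. The function names, labels, and sample bytes are constructed for illustration.

```python
import struct

# Archive extensions the page lists for manual and REST API uploads.
ARCHIVE_EXTS = (".tar", ".gz", ".tar.gz", ".tgz", ".zip", ".bz2", ".rar")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs
BITNESS = {0x10B: "32-bit PE", 0x20B: "64-bit PE"}  # optional-header magic


def classify_pe(data: bytes):
    """Return '32-bit PE' or '64-bit PE' (plus ' DLL'), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need PE signature (4) + COFF header (20) + optional-header magic (2).
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    characteristics, magic = struct.unpack_from("<HH", data, e_lfanew + 22)
    kind = BITNESS.get(magic)
    if kind is None:
        return None
    return kind + (" DLL" if characteristics & IMAGE_FILE_DLL else "")


def triage(name: str, data: bytes) -> str:
    """Label a file by content first (PE), then by listed archive extension."""
    pe = classify_pe(data)
    if pe:
        return pe
    return "archive" if name.lower().endswith(ARCHIVE_EXTS) else "other"


def sample_pe(magic: int, characteristics: int) -> bytes:
    """Constructed sample: DOS header, PE signature, COFF header, magic only."""
    machine = 0x8664 if magic == 0x20B else 0x014C
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    print(triage("lib.dll", sample_pe(0x20B, 0x2022)))
    print(triage("tool.exe", sample_pe(0x10B, 0x0102)))
    print(triage("cut.exe", sample_pe(0x20B, 0x0022)[:70]))  # truncated header
    print(triage("batch.tar.gz", b"\x1f\x8b\x08"))
```

Because the content check runs first, a PE file renamed with an archive extension is still reported as a PE.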
Similar to FortiSandbox, FortiAI can support both sniffer and integrated modes either independently or simultaneously, that is, you can use port2 to sniff multiple VLANs spanned across networks.
Planning deployment—estimating data storage
FAI-3500F uses 2 x 3.8 TB SSDs in RAID 1. FAI-VM comes with 4 disk images of different sizes.
|Model||Default data storage (GB)||Max. process rate* (files/hour)||Storage retention (approx. days / months / year)|
|FAI-3500F||3517||100000||540 days / 18 months / 1.5 years|
|FAI-VM||1024||25000||530 days / 17 months / 1.5 years|
|FAI-VM||2048||25000||1250 days / 41 months / 3.4 years|
|FAI-VM||4096||25000||2690 days / 89 months / 7.4 years|
|FAI-VM||8192||25000||5400 days / 180 months / 14.8 years|
* The max. process rate depends on the average size and composition of file types.