Fortinet Document Library

Introduction

FortiAI is the next generation of Fortinet's malware detection technology. It uses Artificial Neural Networks (ANN) to deliver sub-second malware detection and verdicts.

The ANN mimics the work of a human analyst through the Virtual Security Analyst (VSA). In this version, the VSA can do the following:

  • Analyze malware scientifically by classifying malware based on its detected features, for example, ransomware, downloader, coinminer, and so on.
  • Trace the origins of the attack, for example, worm infection.
  • Run outbreak searches: the similarity engine searches the network for malware outbreaks by hash and for similar variants.
  • Take advantage of Fortinet's Security Fabric with FortiGate(s) to quarantine infected hosts.

Unlike traditional defenses, where malware detection relies on antivirus engines and signature updates, FortiAI is pretrained with over 20 million clean and malicious files, so it can extract millions of features out of the box. FortiAI's neural networks run in a 2U form factor on accelerated hardware with a custom GPU, such as the FortiAI-3500F, or as a VM with 16 or 32 vCPU support.

FortiAI can operate in one or both modes: sniffer mode and integrated mode with FortiGate devices.

Key advantages of FortiAI include the following:

  • Reduce malware identification time from minutes to seconds. Traditional technology such as sandboxing extracts behaviors by executing the file in a VM inside the sandbox; FortiAI does not need to run or execute a file to reach a verdict.
  • Provide extensive information about the malware attack by identifying the features used in the malware. This helps SOC analysts to determine the intention of the malware or attack.
  • Correlate and link the source of attack, for example, finding the source of the worm infection over SMB, so that SOC analysts can act and fix the original problem—the patient-zero on the network.
  • Show the big picture of a malware attack's forensic data to assist threat investigation and incident analysis.
  • Participate in Fortinet Security Fabric with FortiGate NGFW for quarantine.

Using FortiAI

To use FortiGate to submit files to FortiAI, FortiGate must be running FortiOS 5.6.0 or later. For quarantine, FortiOS 6.4.0 and later supports a FortiOS automation stitch triggered by an incoming webhook.

Use the CLI for initial device configuration, including RAID. You can enable SSH access on the port1 administration interface or on any other administrative port set through the CLI. You can also connect to the CLI using the console port. Some troubleshooting steps also use the CLI.

Use the GUI to configure and manage FortiAI from a web browser on a management computer. We recommend using Google Chrome.

To connect to the FortiAI GUI:
  1. Configure the IP address of the port1 management interface using the following CLI commands:
     config sys interface
         edit port1
             set ip x.x.x.x/24
         end
  2. In a web browser (Chrome recommended), browse to https://192.168.1.88.
     The GUI requires TCP port 443.
  3. Use admin as the name and leave the password blank. Click Login.

Operating mode and deployment options

FortiAI can operate in two modes. Each mode supports different protocols.

Operating mode: Sniffer mode
  Supported protocols: SMBv2, HTTP, SMTP, POP3, IMAP
  Notes:
    • Ideal for DMZ, internal networks, and areas with heavy browsing traffic.
    • Supports 32-bit and 64-bit portable executable (PE) files, including DLLs and self-extracting zip files.
    • Supports web-based and text traffic such as HTML, JavaScript, VBS, VBA, Office documents, and PDFs.

Operating mode: Integrated mode (with FortiGate)
  Supported protocols: HTTP, SMTP, POP3, IMAP, MAPI, FTP
  Notes:
    • Encrypted OFTP over SSL upload from FortiGate to FortiAI.
    • Supports PE, PDF, HTML, JavaScript, VBS, VBA, Microsoft Office, Excel, and PowerPoint.
    • Supports file submission from FortiOS 6.2 and higher (compatible with version 5.6 and higher). Supports quarantine with incoming webhook from FortiOS 6.4 and higher. For details, see the Release Notes.

Manual and REST API uploads support .tar, .gz, .tar.gz, .tgz, .zip, .bz2, and .rar.

Similar to FortiSandbox, FortiAI supports sniffer and integrated modes either independently or simultaneously; for example, you can use port2 to sniff multiple VLANs spanned across networks.

Planning deployment—estimating data storage

FAI-3500F uses 2 x 3.8 TB SSD in RAID1. FAI-VM comes with four disk image sizes.

Model       Default data storage (GB)   Max. process rate* (files/hour)   Storage retention (approx. days / months / years)
FAI-3500F   3517                        100000                            540 days / 18 months / 1.5 years
FAI-VM      1024                        25000                             530 days / 17 months / 1.5 years
FAI-VM      2048                        25000                             1250 days / 41 months / 3.4 years
FAI-VM      4096                        25000                             2690 days / 89 months / 7.4 years
FAI-VM      8192                        25000                             5400 days / 180 months / 14.8 years

* The max. process rate depends on the average size and composition of file types.
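The table gives retention figures only at the maximum process rate, and the footnote says the rate itself depends on file composition. The following capacity-planning helper is an added example, not code from Fortinet or from this page. It assumes a simple linear model (stored bytes per day = files per hour x 24 x average stored size per file), which is an assumption rather than Fortinet's method; the storage and rate numbers are copied from the table, while the traffic mix, the average sizes per file type, and the 10,000 files/hour submission rate are constructed values for illustration. It also inverts the model to show which average stored size would reproduce a table row, which is a useful sanity check before trusting the estimate for your own traffic.

```python
# Added example (not from the Fortinet page): a capacity-planning helper for
# the storage-retention table. Linear model assumed: stored bytes per day =
# files/hour * 24 * average stored KB per file. Traffic mix and per-type
# sizes below are constructed values, not Fortinet figures.
from dataclasses import dataclass

KB_PER_GB = 1024 * 1024


@dataclass(frozen=True)
class Model:
    name: str
    storage_gb: int           # "Default data storage (GB)" column
    max_files_per_hour: int   # "Max. process rate" column


# Storage and rate values copied from the table above.
MODELS = {
    "FAI-3500F": Model("FAI-3500F", 3517, 100_000),
    "FAI-VM-1024": Model("FAI-VM", 1024, 25_000),
    "FAI-VM-2048": Model("FAI-VM", 2048, 25_000),
    "FAI-VM-4096": Model("FAI-VM", 4096, 25_000),
    "FAI-VM-8192": Model("FAI-VM", 8192, 25_000),
}


def weighted_avg_file_kb(mix):
    """Average stored KB per file for a mix of {file_type: (share, avg_kb)}.

    Shares must sum to 1. This is where the footnote's "composition of file
    types" enters the estimate.
    """
    total_share = sum(share for share, _ in mix.values())
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError(f"shares sum to {total_share}, expected 1.0")
    return sum(share * avg_kb for share, avg_kb in mix.values())


def retention_days(model, avg_file_kb, files_per_hour=None):
    """Days until the default data storage fills at a sustained rate.

    The submission rate is capped at the model's maximum, because the
    appliance cannot store files faster than it can process them.
    """
    if files_per_hour is None:
        rate = model.max_files_per_hour
    else:
        rate = min(files_per_hour, model.max_files_per_hour)
    if rate <= 0 or avg_file_kb <= 0:
        raise ValueError("rate and average file size must be positive")
    gb_per_day = rate * 24 * avg_file_kb / KB_PER_GB
    return model.storage_gb / gb_per_day


def implied_avg_file_kb(model, table_days):
    """Invert the model: the average stored KB per file that reproduces a
    table row at the maximum process rate. A sanity check of the linear
    assumption against the vendor's own retention figures."""
    files = model.max_files_per_hour * 24 * table_days
    return model.storage_gb * KB_PER_GB / files


if __name__ == "__main__":
    # Constructed mix: 60% PE averaging 3 KB stored, 30% Office at 2 KB,
    # 10% scripts at 1 KB -> 2.5 KB average (illustrative values only).
    mix = {"pe": (0.6, 3.0), "office": (0.3, 2.0), "script": (0.1, 1.0)}
    avg_kb = weighted_avg_file_kb(mix)
    for key, m in MODELS.items():
        at_max = retention_days(m, avg_kb)
        at_10k = retention_days(m, avg_kb, 10_000)
        print(f"{key}: {at_max:.0f} days at max rate, "
              f"{at_10k:.0f} days at 10,000 files/hour")
    implied = implied_avg_file_kb(MODELS["FAI-3500F"], 540)
    print(f"FAI-3500F table row implies ~{implied:.2f} KB stored per file")
```

Feed weighted_avg_file_kb with the shares and sizes you actually observe on the monitored segment; if the result differs substantially from the implied per-file figure for your model, the table's retention numbers should not be relied on for your deployment.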
