New Features

Rename FortiAI to FortiNDR

FortiAI has been renamed FortiNDR in the GUI and CLI to align with the FortiNDR rebranding. The settings for sending files to FortiNDR for inspection, which were previously CLI-only, can now also be configured from the AntiVirus profile page in the GUI.

Note

FortiNDR is still referred to as fai or FAI in debug traces from diagnose sys scanunit debug all.

Summary of GUI changes

The Fabric connector Type has been updated to FortiNDR, which is visible in the connector tooltip. In this example, the connector is running version 1.5.3, so the connector name still begins with FAI.

In this example, the connector is running version 7.0.0, so the connector name has changed to FortiNDR-VM.

When creating or editing an antivirus profile, there is an option in the ATP Protection Options section to Send files to FortiNDR for inspection. FortiNDR must be configured and inspecting at least one protocol to enable this option.

The replacement message for blocked files by FortiNDR follows the Virus Block Page format (antivirus scan).

Summary of CLI changes

To enable FortiNDR:

config system fortindr
    set status {enable | disable}
end

To configure FortiNDR settings in an antivirus profile:

config antivirus profile
    edit <name>
        set feature-set proxy
        config {http | ftp | imap | pop3 | smtp | mapi | nntp | cifs | ssh}
            set fortindr {disable | block | monitor}
        end
        set fortindr-error-action {ignore | log-only | block}
        set fortindr-timeout-action {ignore | log-only | block}
    next
end

Summary of log changes

The eventtype, msg, and dtype values now reference FortiNDR, and the faiaction, faiseverity, faiconfidence, faifileid, and faifiletype fields have been renamed fndraction, fndrseverity, fndrconfidence, fndrfileid, and fndrfiletype, as shown in the sample log below.

Sample log
1: date=2022-03-14 time=11:22:43 eventtime=1647282163586828798 tz="-0700" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="vdom1" policyid=1 poluuid="d2dc90d4-a011-51ec-2248-f6a8174bc745" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTP" sessionid=115020 srcip=10.1.100.221 dstip=172.16.200.224 srcport=57396 dstport=80 srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" srcuuid="9a84ed44-a011-51ec-2550-75ae29f786ce" dstuuid="9a84ed44-a011-51ec-2550-75ae29f786ce" proto=6 direction="incoming" filename="detected_samples.zip" quarskip="Quarantine-disabled" virus="MSIL/Kryptik.KVH!tr" viruscat="Trojan" dtype="fortindr" ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fndraction="deny" fndrseverity="high" fndrconfidence="high" fndrfileid=155804 fndrfiletype="ZIP" crscore=50 craction=2 crlevel="critical"
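
Because the field rename above changes the keys a SIEM sees, log pipelines that matched on the fai* names stop producing FortiNDR alerts after the upgrade. The following Python is an added example, not part of this release note or of FortiOS: it parses the FortiOS key=value log format (quoted values may contain spaces), maps the old fai* field names onto the new fndr* names so old and new firmware produce the same record, and summarizes the verdict for triage. The sample line is the one shown above; the legacy line is constructed for the example (its eventtype, msg, dtype and action values are assumptions, since the note does not show the pre-rename values), and the escalation rule (a high-confidence deny verdict in monitor mode means the file was delivered) is an example policy, not Fortinet guidance.

```python
"""Parse FortiOS UTM/virus logs and normalize the FortiAI -> FortiNDR field rename."""
import re
from typing import Dict, Optional

# Sample log line taken from the release note (FortiOS 7.0 format, fndr* field names).
SAMPLE_FORTINDR_LOG = (
    '1: date=2022-03-14 time=11:22:43 eventtime=1647282163586828798 tz="-0700" '
    'logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" '
    'vd="vdom1" policyid=1 poluuid="d2dc90d4-a011-51ec-2248-f6a8174bc745" '
    'policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTP" '
    'sessionid=115020 srcip=10.1.100.221 dstip=172.16.200.224 srcport=57396 dstport=80 '
    'srccountry="Reserved" dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" '
    'dstintf="port1" dstintfrole="undefined" '
    'srcuuid="9a84ed44-a011-51ec-2550-75ae29f786ce" '
    'dstuuid="9a84ed44-a011-51ec-2550-75ae29f786ce" proto=6 direction="incoming" '
    'filename="detected_samples.zip" quarskip="Quarantine-disabled" '
    'virus="MSIL/Kryptik.KVH!tr" viruscat="Trojan" dtype="fortindr" '
    'ref="http://www.fortinet.com/ve?vn=MSIL%2FKryptik.KVH%21tr" virusid=0 '
    'url="http://172.16.200.224/avengine_ai/detected_samples.zip" profile="av" '
    'agent="curl/7.68.0" httpmethod="GET" analyticssubmit="false" fndraction="deny" '
    'fndrseverity="high" fndrconfidence="high" fndrfileid=155804 fndrfiletype="ZIP" '
    'crscore=50 craction=2 crlevel="critical"'
)

# Constructed example (not from the page): a verdict as an older firmware would log it
# with the pre-rename fai* field names, from a profile in monitor mode. The values of
# eventtype, msg, dtype and action="monitored" are assumptions; the release note does
# not show the pre-rename values for those fields.
LEGACY_FAI_MONITOR_LOG = (
    'date=2022-03-14 time=11:20:01 type="utm" subtype="virus" eventtype="fortindr" '
    'level="warning" vd="vdom1" policyid=1 msg="Detected by FortiNDR." action="monitored" '
    'service="HTTP" srcip=10.1.100.221 dstip=172.16.200.224 direction="incoming" '
    'filename="detected_samples.zip" virus="MSIL/Kryptik.KVH!tr" dtype="fortindr" '
    'faiaction="deny" faiseverity="high" faiconfidence="high" faifileid=155803 '
    'faifiletype="ZIP"'
)

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Field-name rename documented in the release note (old fai* -> new fndr*).
FAI_TO_FNDR = {
    "faiaction": "fndraction",
    "faiseverity": "fndrseverity",
    "faiconfidence": "fndrconfidence",
    "faifileid": "fndrfileid",
    "faifiletype": "fndrfiletype",
}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict of string values."""
    line = re.sub(r"^\d+:\s*", "", line.strip())  # drop the "1: " prefix of CLI output
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def normalize_fields(rec: Dict[str, str]) -> Dict[str, str]:
    """Rename legacy fai* keys to fndr* so old and new firmware yield one schema."""
    return {FAI_TO_FNDR.get(key, key): value for key, value in rec.items()}


def fortindr_verdict(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Summarize a FortiNDR verdict for triage; None if the record carries none."""
    rec = normalize_fields(rec)
    if "fndraction" not in rec:
        return None
    blocked = rec.get("action") == "blocked"
    high_conf_deny = (
        rec["fndraction"] == "deny"
        and rec.get("fndrseverity") == "high"
        and rec.get("fndrconfidence") == "high"
    )
    return {
        "client": rec.get("srcip"),
        "server": rec.get("dstip"),
        "filename": rec.get("filename"),
        "virus": rec.get("virus"),
        "verdict": rec["fndraction"],
        "blocked": blocked,
        # Example escalation policy (an assumption, not from the page): a high-confidence
        # deny verdict that was only monitored means the file reached the client.
        "escalate": high_conf_deny and not blocked,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_FORTINDR_LOG, LEGACY_FAI_MONITOR_LOG):
        print(fortindr_verdict(parse_fortigate_log(raw)))
```

Keying the verdict on the normalized fndraction field, rather than on the eventtype or dtype value, keeps the rule working across the rename and across profiles running in block or monitor mode.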
