
User Guide

Sensor specifications

Sensor Types

The following table lists the available sensor types and the maximum sustained throughput each type can consume.

Sensor Type   Form         Max Sustained Bandwidth*
Small         1U Server    2Gbps
Large         1U Server    10Gbps
Virtual       OVF File     1.5Gbps

*Under optimal conditions.

Network interfaces for physical sensors

  • 1 x 1Gbps Ethernet interface for management

  • 1 x 1Gbps Ethernet interface for monitoring

  • 2 x 10Gbps Ethernet interfaces for monitoring

  • 2 x 10Gbps SFP (fiber) interfaces for monitoring

Minimum virtual sensor (ESX) host requirement

For details, see the ESXi Sensor Installation Guide.

Network data sources

A network data source must be configured for the sensor. Sensors collect and process network data using standard network packet capture sources such as a network switch Switched Port Analyzer (SPAN) port or Test Access Port (TAP) device connected to a monitoring interface on the sensor. Virtual sensors do not currently support ERSPAN data sources.

SPAN (mirror) port

A SPAN port (sometimes called a mirror port) is a software feature built into a switch that creates a copy of selected packets passing through the device and sends them to a designated SPAN port. Using software on the network switch, an administrator can easily configure what data is monitored by a FortiNDR Cloud sensor connected to the SPAN port.

If the switch CPU is already heavily utilized prior to configuring a SPAN, SPAN data will likely be given a lower priority on the switch. The SPAN also uses a single egress port to aggregate multiple links, so it may become oversubscribed.

When to consider a SPAN port

  • Limited ad hoc monitoring in locations with SPAN capabilities where a network TAP does not currently exist.

  • Production emergencies where there is no maintenance window in which to install a TAP.

  • Remote locations with modest traffic that cannot justify a full-time TAP on the link.

  • Access to traffic that either stays within a switch or never reaches a physical link where the traffic can be TAPed.

  • Locations with limited light budgets where the split ratio of a TAP may consume too much light.

Network TAP

A network TAP (Test Access Point) is a device that connects directly to the cabling infrastructure. Instead of two switches or routers connecting directly to each other, the network TAP sits between the two devices and all data flows through the TAP. Using an internal splitter, the TAP creates a copy of the data for monitoring while the original data continues unimpeded through the network.

This ensures that every packet, regardless of size, is copied. Because the TAP copies a single link rather than aggregating several onto one egress port, it also eliminates any chance of oversubscription. Once the data is TAPed, the duplicate copy can be sent to a FortiNDR Cloud sensor.

Note

Inserting a TAP into an existing network link requires a brief cable disconnect. TAPs are typically installed during a maintenance window.

When to consider a network TAP

  • Switch CPU already highly utilized and may drop packets.

  • When additional load on the switch could impact network performance.

  • No ports available on the switch.

  • Hardware does not support SPAN functionality.

  • When legal regulations or corporate compliance mandate that all traffic for a particular segment be monitored.

Not sure which data source(s) to use? Ask your FortiNDR Cloud representative.

Network aggregator

For many organizations, a network aggregator is configured to monitor traffic at several key locations within the network. FortiNDR Cloud sensors can deploy off a network aggregator if one is available within the network. Some network aggregation appliances also have the ability to decrypt network traffic, which can greatly increase the fidelity and visibility of the FortiNDR Cloud sensor.

Network aggregators are also commonly used to monitor traffic from networks with 40Gbps links. In this case, an aggregator is utilized to split traffic from a 40Gbps line to four separate FortiNDR Cloud appliances monitoring up to 10Gbps per sensor.
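As an added planning example (not Fortinet's code or a vendor tool), the following Python check uses the bandwidth figures from the Sensor Types table above to test whether a SPAN egress port would be oversubscribed for a set of mirrored links, which sensor type covers the resulting load, and how many Large sensors an aggregator would need to fan a line out to. The doubling applied for mirroring both directions of a full-duplex link is an assumption of the example, not a figure from the guide.

```python
"""Sizing check for a FortiNDR Cloud sensor fed by a SPAN port or aggregator.
Added example, not Fortinet code. Sensor capacities come from this page's
Sensor Types table; the 2x full-duplex factor is a planning assumption."""
import math

# Max sustained bandwidth per sensor type, Gbps ("under optimal conditions").
SENSOR_MAX_GBPS = {"Virtual": 1.5, "Small": 2.0, "Large": 10.0}


def span_mirror_load_gbps(links):
    """Traffic a SPAN session pushes out its single egress port.
    `links` holds (link_speed_gbps, peak_utilisation) pairs. Mirroring both
    directions of a full-duplex link can deliver up to 2x its speed, so the
    utilisation is assumed to apply to each direction (planning assumption)."""
    return sum(2 * speed * util for speed, util in links)


def span_egress_fits(load_gbps, egress_port_gbps):
    """False means the SPAN egress port is oversubscribed: the switch drops
    mirrored frames and the sensor sees an incomplete picture."""
    return load_gbps <= egress_port_gbps


def choose_sensor(load_gbps):
    """Smallest sensor type whose max sustained bandwidth covers the load,
    or None when no single sensor does (fan out via an aggregator instead)."""
    for name, cap in SENSOR_MAX_GBPS.items():  # dict is ordered small->large
        if load_gbps <= cap:
            return name
    return None


def sensors_behind_aggregator(load_gbps, sensor="Large"):
    """Sensors an aggregator must split the load across, e.g. a 40Gbps line
    fanned out to four 10Gbps Large sensors as the page describes."""
    return math.ceil(load_gbps / SENSOR_MAX_GBPS[sensor])


def plan(links, egress_port_gbps):
    """Summarise a candidate SPAN deployment for a set of monitored links."""
    load = span_mirror_load_gbps(links)
    return {"mirrored_load_gbps": load,
            "span_egress_fits": span_egress_fits(load, egress_port_gbps),
            "single_sensor": choose_sensor(load),
            "large_sensors_via_aggregator": sensors_behind_aggregator(load)}


# Constructed scenario: two 1Gbps access links at 60% peak mirrored to a
# 1Gbps SPAN port; the mirrored 2.4Gbps oversubscribes that port.
EXAMPLE = plan([(1.0, 0.6), (1.0, 0.6)], egress_port_gbps=1.0)
```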

Complex or combination deployments

Multiple FortiNDR Cloud sensors can be deployed to obtain full visibility across the environment. Each sensor reports back to the FortiNDR Cloud, providing cross-enterprise visibility through a single, unified platform. Queries can be executed against data from all sensors, or a subset as specified by an analyst.