Administration Guide


Introduction

FortiNDR (formerly FortiAI) is Fortinet's first Network Detection and Response product. In addition to the Virtual Security Analyst™, which provides rapid malware detection based on neural networks, FortiNDR is built on FortiAI's high-throughput malware scanning technology, extended with features that detect network anomalies and mitigate them automatically or manually.

FortiNDR is the next generation of Fortinet breach detection technology. It uses both machine learning (ML) and Artificial Neural Networks (ANN) to detect network anomalies and to deliver high-velocity malware detection and verdicts.

The ANN mimics the work of a human analyst through the Virtual Security Analyst (VSA)™, which can do the following:

  • Detect attacks inside encrypted traffic (via JA3 hashes, which fingerprint the TLS ClientHello and therefore do not require decryption), and identify visits to malicious web campaigns, weak ciphers, vulnerable protocols, network intrusions, and botnet-based attacks.
  • Profile traffic with ML and identify anomalies, with a user feedback mechanism to tune the results.
  • Quickly detect malicious files through neural network analysis, including files scanned from NFS shares.
  • Analyze malware scientifically by classifying it based on its detected features, for example, ransomware, downloader, or coinminer.
  • Trace the origin of an attack, for example, a worm infection.
  • Search for outbreaks: the similarity engine can search the network for malware outbreaks by hash and for similar variants.
  • Take advantage of Fortinet's Security Fabric with FortiGate(s) and other Security Fabric solutions, along with 3rd-party API calls, to quarantine infected hosts.
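The JA3 hash mentioned above is a fingerprint of the fields a TLS client sends in the clear in its ClientHello, so a known-bad client (a malware family's TLS stack) can be recognised without decrypting the session. The following is an added example, not FortiNDR's own code, that implements the public JA3 algorithm (version, ciphers, extensions, supported groups, point formats, MD5) over a ClientHello constructed inline for the purpose; the builder, the sample values and the hostname in the SNI are illustrative assumptions. It also shows the caveat a practitioner hits first: GREASE values change per connection and must be stripped, otherwise the same client produces a different hash every time.

```python
"""Compute a JA3 TLS client fingerprint from a raw TLS ClientHello record (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection and are excluded
# from JA3, otherwise the same client would yield a different hash each time.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def build_client_hello(version, ciphers, extensions):
    """Build a minimal TLS record carrying a ClientHello (constructed test input).

    `extensions` is a list of (extension_type, extension_data_bytes) in wire order.
    """
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_from_client_hello(record):
    """Parse a TLS handshake record and return (ja3_string, ja3_md5_hex)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                    # skip handshake type + 3-byte length
    version = struct.unpack_from("!H", hs, p)[0]; p += 2     # JA3 uses client_version, not record version
    p += 32                                                  # client random
    p += 1 + hs[p]                                           # session id
    cs_len = struct.unpack_from("!H", hs, p)[0]; p += 2
    ciphers = [c for c in struct.unpack_from("!%dH" % (cs_len // 2), hs, p) if c not in GREASE]
    p += cs_len
    p += 1 + hs[p]                                           # compression methods
    ext_types, groups, formats = [], [], []
    if p < len(hs):
        ext_len = struct.unpack_from("!H", hs, p)[0]; p += 2
        end = p + ext_len
        while p < end:
            et, el = struct.unpack_from("!HH", hs, p); p += 4
            data = hs[p:p + el]; p += el
            if et in GREASE:
                continue
            ext_types.append(et)
            if et == 10:                                     # supported_groups
                n = struct.unpack_from("!H", data, 0)[0] // 2
                groups = [g for g in struct.unpack_from("!%dH" % n, data, 2) if g not in GREASE]
            elif et == 11:                                   # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join(["%d" % version,
                    "-".join("%d" % c for c in ciphers),
                    "-".join("%d" % e for e in ext_types),
                    "-".join("%d" % g for g in groups),
                    "-".join("%d" % f for f in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sample_client_hello(grease=0x1A1A):
    """Constructed ClientHello: TLS 1.2 client_version, three ciphers, five real extensions,
    plus one GREASE cipher, one GREASE extension and one GREASE group."""
    sni = struct.pack("!H", 14) + b"\x00" + struct.pack("!H", 11) + b"example.com"   # assumed name
    groups = struct.pack("!5H", 8, grease, 0x001D, 0x0017, 0x0018)                    # x25519, P-256, P-384
    return build_client_hello(
        0x0303,
        [grease, 0x1301, 0x1302, 0xC02B],
        [(grease, b""), (0, sni), (23, b""), (10, groups), (11, b"\x01\x00"), (13, b"\x00\x02\x04\x03")],
    )


if __name__ == "__main__":
    s, h = ja3_from_client_hello(sample_client_hello())
    print(s)
    print(h)
```

Two captures of the same client with different GREASE values collapse to the same JA3 string and hash; a detection keyed on the hash without GREASE filtering would miss every second connection.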

FortiNDR's neural networks run on a 2U appliance with GPU-accelerated hardware, such as the FortiNDR-3500F, or on a VM with 16 or 32 vCPUs.

FortiNDR can operate in several modes: sniffer mode, where it captures traffic from a SPAN port (or a mirrored port when deployed as a VM); integrated mode with FortiGate devices and input from other Fortinet devices (see the release notes for supported devices), which allows inline blocking through FortiOS AV profiles (7.0.1 and higher); and ICAP server mode, serving ICAP clients such as FortiProxy and Squid. All modes can operate simultaneously. Note that in sniffer mode FortiNDR only sees a copy of the traffic and cannot block it by itself; blocking in that mode relies on Security Fabric devices or 3rd-party API calls.
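In ICAP server mode the proxy does the heavy lifting on the wire: it forwards the origin's HTTP response to the scanner as an ICAP RESPMOD request and acts on the ICAP status it gets back. The following is an added example, not FortiNDR's or Squid's code, that builds and parses that exchange as specified in RFC 3507: the client side computes the Encapsulated offsets and chunk-encodes the body, and the server side recovers the pieces from those offsets. The ICAP hostname, the service path, the HTTP exchange and the body bytes are constructed assumptions; which status a particular scanner returns for a blocked object is server-specific and is not asserted here.

```python
"""Build and parse ICAP RESPMOD messages (RFC 3507), as exchanged between an ICAP client
such as Squid or FortiProxy and a scanning server (added example)."""

# Constructed sample HTTP exchange that the ICAP client would forward for scanning.
SAMPLE_REQ_HDR = b"GET /update.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RES_HDR = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: application/octet-stream\r\n"
                  b"Content-Length: 4\r\n\r\n")
SAMPLE_BODY = b"MZ\x90\x00"   # constructed: first bytes of a PE header, not real malware


def chunk_body(body: bytes) -> bytes:
    """ICAP requires the encapsulated body in HTTP/1.1 chunked encoding."""
    if not body:
        return b"0\r\n\r\n"
    return f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"


def build_respmod(icap_host: str, service: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Client side: wrap an HTTP request header, response header and body in a RESPMOD request.

    req_hdr and res_hdr must each be a complete header block ending in a blank line.
    """
    res_body = chunk_body(body)
    # Offsets in the Encapsulated header are byte positions inside the encapsulated
    # section, counted from the start of req-hdr (the section follows the ICAP headers).
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
                f"Host: {icap_host}\r\n"
                f"Allow: 204\r\n"                       # client accepts "204 No Content" = unmodified
                f"Encapsulated: {enc}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + res_body


def parse_encapsulated(request: bytes) -> dict:
    """Server side: split the encapsulated section using the Encapsulated offsets.

    Returns a dict mapping entity name (req-hdr, res-hdr, res-body, ...) to its bytes.
    """
    head, _, section = request.partition(b"\r\n\r\n")
    enc_line = next(line for line in head.decode("ascii").split("\r\n")
                    if line.lower().startswith("encapsulated:"))
    entries = []
    for item in enc_line.split(":", 1)[1].split(","):
        name, _, offset = item.strip().partition("=")
        entries.append((name, int(offset)))
    parts = {}
    for i, (name, offset) in enumerate(entries):
        end = entries[i + 1][1] if i + 1 < len(entries) else len(section)
        parts[name] = section[offset:end]
    return parts


def parse_icap_status(response: bytes):
    """Client side: return (status_code, headers) from an ICAP response.

    204 means the server left the object unmodified; a server that wants to block
    instead returns 200 with a modified (replacement) response in its own encapsulated body.
    """
    head, _, _ = response.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    _version, code, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return int(code), headers


if __name__ == "__main__":
    # "fortindr.example.internal" and the "respmod" service path are assumed, not documented values.
    req = build_respmod("fortindr.example.internal", "respmod", SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_BODY)
    print(req.decode("latin-1"))
    print(parse_encapsulated(req).keys())
```

A wrong Encapsulated offset is the classic ICAP interoperability bug: the server then reads header bytes as body (or vice versa) and the scan silently covers the wrong data, so round-tripping the builder through the parser as above is a cheap check before pointing a production proxy at a scanner.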

Key advantages of FortiNDR include the following:

  • Detect network anomalies with different techniques where traditional security solutions might fail.
  • Provide more context for attacks, such as the malware campaign name, the web campaigns that devices and users participated in, intrusions, and botnet attacks.
  • Trace and correlate the source of malware events, such as worm-based detections.
  • Mitigate manually or automatically (also called Response) with Fortinet Security Fabric devices (such as FortiGate, FortiSwitch, and FortiNAC), as well as 3rd-party solutions (via API calls).