ML Configuration
Use the ML Configuration page to view and edit the machine learning baseline features for the traffic anomaly detection, as well as the status of the baseline training.
Key concepts
- Baseline Status: Baselining means the current baseline training is still in progress.
- Baseline ready: the baseline training is done and the baseline is ready for anomaly detection.
The following features are enabled by default: Source Device IP, Destination Device IP, Destination Device Geolocation, Transport Layer Protocol, Application Layer Protocol, Protocol/Application Behaviors/Action, Destination Port. We do not recommend editing these features unless you have a strong understanding of what they do.
ML Configuration contains the following settings:

Device Info | Description
---|---
Source Device IP | The source device IP. Apply a netmask if you do not want address changes within a certain range to be treated as an anomaly.
Destination Device IP | The destination device IP. Apply a netmask if you do not want address changes within a certain range to be treated as an anomaly.
Destination MAC Address | Destination device MAC address.
Destination Device Model | Device model, such as FortiGate, Workstation, iDRAC, etc.
Destination Device Geolocation | Device geographical country, such as United States.
Destination Device Category | Device category, such as NAS, Virtual Machine, Firewall, etc.
Destination Device Vendor | Device vendor, such as VMware, Dell, Synology, etc.
Destination Device OS | Device operating system, such as Windows, Linux, etc.

Protocol and Application behavior | Description
---|---
Transport Layer Protocol | UDP, ICMP, TCP, etc.
Application Layer Protocol | TLS, HTTP, SMB, etc.
Protocol/Application Behaviors/Action | Specific application actions, such as Adobe Reader form creation, WebDAV reload, Wasabi file upload, etc.

Others | Description
---|---
Session Packet Size | FortiNDR categorizes the packet size into 3 groups:
Destination Port | Port number, such as 22, 445, non-reserved port, etc.
TLS Version | The TLS version, if TLS is being used.
Typically, it takes 7 days to baseline traffic. Choosing different features to train a new baseline causes the ML system to start another 7-day training period. The old baseline is discarded during retraining, so ML detection is not available during that time.
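The effect of the Source Device IP netmask on the baseline, shown as an added illustration that is not FortiNDR's code and makes no claim about its actual model: flows are projected onto the default-enabled features (geolocation and behaviour are omitted because the constructed records carry neither), a baseline is learned from constructed training traffic, and a previously unseen host in an already-baselined subnet is then treated as normal only when a /24 netmask is applied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    transport: str   # Transport Layer Protocol, e.g. TCP
    app_proto: str   # Application Layer Protocol, e.g. SMB


def normalise_ip(ip: str, prefix_len: int) -> str:
    """Collapse an address to its network under the given netmask.
    prefix_len=32 keeps every host distinct (no netmask applied)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def feature_key(flow: Flow, src_prefix: int = 32, dst_prefix: int = 32) -> tuple:
    """Project a flow onto a subset of the default feature set (assumed model)."""
    return (normalise_ip(flow.src_ip, src_prefix),
            normalise_ip(flow.dst_ip, dst_prefix),
            flow.transport, flow.app_proto, flow.dst_port)


def train_baseline(flows, **prefixes) -> frozenset:
    """Baseline = set of feature combinations observed during training."""
    return frozenset(feature_key(f, **prefixes) for f in flows)


def is_anomalous(baseline: frozenset, flow: Flow, **prefixes) -> bool:
    """A flow is anomalous when its feature combination was never baselined."""
    return feature_key(flow, **prefixes) not in baseline


# Constructed training traffic: two workstations in 10.1.1.0/24 use SMB to a NAS.
TRAINING = [Flow("10.1.1.10", "10.1.2.5", 445, "TCP", "SMB"),
            Flow("10.1.1.11", "10.1.2.5", 445, "TCP", "SMB")]
# Constructed test flows: a third workstation from the same subnet (never seen
# in training), and the same host opening SSH to the NAS instead of SMB.
NEW_HOST = Flow("10.1.1.12", "10.1.2.5", 445, "TCP", "SMB")
NEW_SERVICE = Flow("10.1.1.12", "10.1.2.5", 22, "TCP", "SSH")


def demo() -> dict:
    exact = train_baseline(TRAINING)                   # no netmask
    masked = train_baseline(TRAINING, src_prefix=24)   # /24 netmask on source IP
    return {"new_host_exact": is_anomalous(exact, NEW_HOST),
            "new_host_masked": is_anomalous(masked, NEW_HOST, src_prefix=24),
            "new_service_masked": is_anomalous(masked, NEW_SERVICE, src_prefix=24)}
```

Without the netmask the new workstation is flagged purely for having a new address; with it, only the change of port and application protocol remains anomalous.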
The CLI command