FortiNDR traffic and files input types
FortiNDR can operate both as a network anomaly detector and as a file and malware analysis engine using ANN. If the Network Detection Anomalies functionalities are not needed and you prefer to use FortiNDR purely for file and malware detection and analysis, the NDR functionalities can be switched off with the command "execute ndrd {on|off}".
For more information, see the FortiNDR CLI Reference Guide.
Traffic input type | Supported Devices * | Communication Protocol | File/Malware Analysis Protocols supported | NDR Network Anomalies Protocols Supported | Notes
---|---|---|---|---|---
Sniffer | | Using SPAN port or network TAP | HTTP, SMBv2, IMAP, POP3, SMTP, FTP | TCP, UDP, ICMP, ICMP6, TLS, HTTP, SMB, SMTP, SSH, FTP, POP3, DNS, IRC, IMAP, RTSP, RPC, SIP, RDP, SNMP, MYSQL, MSSQL, PGSQL, and their behaviors | Using SPAN port, network tap or packet brokers to mirror traffic.
Fabric devices | FortiGate | HTTP2 (v7.0 FOS), OFTP (v5.6-6.0 FOS, legacy support) | HTTP, HTTPS (with SSL decryption), SMTP, POP3, IMAP | | FortiGate v7.0.1 supports INLINE blocking with AV profile
Fabric devices | FortiMail | HTTP2 | SMTP | | Configure under AV profile under FortiMail.
Fabric devices | FortiSandbox | HTTP2 | MAPI, FTP, CIFS | |
Fabric devices | FortiProxy | HTTP2 | HTTP, HTTPS | | Supports FortiProxy 7.0.0 and higher
ICAP | FortiWeb | ICAP | HTTP, HTTPS | | Supports using FortiNDR as ICAP server.
ICAP | FortiProxy | ICAP | HTTP, HTTPS | | FortiGates, FortiWeb and FortiProxy or third-party ICAP client such as Squid.
Other / API | FortiSOAR | HTTPS API upload | HTTPS | | Using API available from FortiNDR for file upload
Other / API | Scripts (refer to Appendix for sample scripts) | HTTPS API upload | | |
Other / API | NFS and SMB file shares | SMB/NFS | | | Direct map and scan
For a complete list of supported file types, see Appendix H: File types and protocols.
FortiNDR supports quarantine with an incoming webhook from FortiOS 6.4 and higher. For details, see the Release Notes. For FortiNDR to quarantine via FortiGate, you must provide the VDOM information to FortiGate. For details, see Automation Framework.