Document
Library

Administration Guide

Introduction
- Getting started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G : Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.2 Administration Guide

7.4.2

Automation Framework

Automation Framework

Go to Security Fabric > Automation Framework to create single enforcement profile that can be selected with different automation profiles. This provides you with more flexibility in the response action. The following diagram illustrates the relationship between Enforcement and Automation profiles.

To create an automation profile:

Go to Security Fabric > Automation Framework.
In the toolbar, click Create New.

Configure the Automation Framework settings:

Automation Framework
Profile Name	Enter a name for the profile.
Enable	Click to enable or disable the framework.
Enforcement Profile	Click to select an Enforcement Settings profiles.
Action	Select one of the following actions: FortiGate Quarantine FortiNAC Quarantine FortiSwitch Quarantine via FortiLink Generic Webhook

Configure the quarantine settings. These settings will vary depending on the Action setting.

Manage FortiGate Settings and FortiSwitch Quarantine via FortiLink.

Manage FortiGate Settings and FortiSwitch Quarantine Settings
Source	Fabric Device: If the source of detection came from OFTP, the enforcement is only executed to a matching automation profile with a matching IP address and VDOM. Sniffer: If the source of detection came from a sniffer, the enforcement is adapted by all profiles where Trigger Source is Sniffer. Since detection sourced from sniffer does not contain information about which fabric device monitors the infected IP address, it is your responsibility to specify the correct device IP address and VDOM.
API Key	Enter the device API key
IP	Enter the device IP address.
Port	Enter the device port number.
VDOM	Enter the VDOM name.
WebHook Name for Execution	Select the FortiGate webhook for execution action, such as `ip_blocker`.
WebHook Name for Undo	Select the FortiGate webhook for undo action, such as `ip_unblocker`.

FortiNac Quarantine

FortiNac Quarantine Settings
API Key	Click Change to update the API key.
IP	Enter the FortiNac IP address.
Port	Enter the FortiNac port number.

Generic Webhook

Webhook Execution Settings
URL	Enter the webhook URL.
Method	Select POST, PUT, GET, PATCH or DELETE.
Header	Click the plus sign (+) and enter a value of the authorization key.
HTTP Body Template	Enter the HTTP Body Template.
Webhook Undo Settings
URL	Enter the webhook URL.
Method	Select POST, PUT, GET, PATCH or DELETE.
Header	Click the plus sign (+) and enter a value of the authorization key.
HTTP Body Template	Enter the HTTP Body Template.

Click Test Current Configuration to validate the settings. This option is displayed when FortiGate Quarantine and FortiSwitch Quarantine via FortiLink are selected.
Click OK.

Previous

Next

Automation Framework

Go to Security Fabric > Automation Framework to create single enforcement profile that can be selected with different automation profiles. This provides you with more flexibility in the response action. The following diagram illustrates the relationship between Enforcement and Automation profiles.

To create an automation profile:

Go to Security Fabric > Automation Framework.
In the toolbar, click Create New.

Configure the Automation Framework settings:

Automation Framework
Profile Name	Enter a name for the profile.
Enable	Click to enable or disable the framework.
Enforcement Profile	Click to select an Enforcement Settings profiles.
Action	Select one of the following actions: FortiGate Quarantine FortiNAC Quarantine FortiSwitch Quarantine via FortiLink Generic Webhook

Configure the quarantine settings. These settings will vary depending on the Action setting.

Manage FortiGate Settings and FortiSwitch Quarantine via FortiLink.

Manage FortiGate Settings and FortiSwitch Quarantine Settings
Source	Fabric Device: If the source of detection came from OFTP, the enforcement is only executed to a matching automation profile with a matching IP address and VDOM. Sniffer: If the source of detection came from a sniffer, the enforcement is adapted by all profiles where Trigger Source is Sniffer. Since detection sourced from sniffer does not contain information about which fabric device monitors the infected IP address, it is your responsibility to specify the correct device IP address and VDOM.
API Key	Enter the device API key
IP	Enter the device IP address.
Port	Enter the device port number.
VDOM	Enter the VDOM name.
WebHook Name for Execution	Select the FortiGate webhook for execution action, such as `ip_blocker`.
WebHook Name for Undo	Select the FortiGate webhook for undo action, such as `ip_unblocker`.

FortiNac Quarantine

FortiNac Quarantine Settings
API Key	Click Change to update the API key.
IP	Enter the FortiNac IP address.
Port	Enter the FortiNac port number.

Generic Webhook

Webhook Execution Settings
URL	Enter the webhook URL.
Method	Select POST, PUT, GET, PATCH or DELETE.
Header	Click the plus sign (+) and enter a value of the authorization key.
HTTP Body Template	Enter the HTTP Body Template.
Webhook Undo Settings
URL	Enter the webhook URL.
Method	Select POST, PUT, GET, PATCH or DELETE.
Header	Click the plus sign (+) and enter a value of the authorization key.
HTTP Body Template	Enter the HTTP Body Template.

Click Test Current Configuration to validate the settings. This option is displayed when FortiGate Quarantine and FortiSwitch Quarantine via FortiLink are selected.
Click OK.

Previous

Next