Administration Guide

FortiNDR traffic and files input types

FortiNDR can operate both as a network anomaly detector (NDR) and as a malware analysis engine using its Artificial Neural Network (ANN). If network anomaly detection is not needed and you prefer to use FortiNDR purely for file and malware detection and analysis, the NDR functionality can be switched off from the CLI with the command "execute ndrd {on|off}" ("execute ndrd off" disables it; "execute ndrd on" re-enables it).

For more information, see the FortiNDR CLI Reference Guide.

| Traffic input type | Supported devices * | Communication protocol | File/malware analysis protocols supported | NDR network anomaly protocols supported | Notes |
|---|---|---|---|---|---|
| Sniffer | Using SPAN port or network TAP | - | HTTP, SMBv2, IMAP, POP3, SMTP, FTP | TCP, UDP, ICMP, ICMP6, TLS, HTTP, SMB, SMTP, SSH, FTP, POP3, DNS, IRC, IMAP, RTSP, RPC, SIP, RDP, SNMP, MYSQL, MSSQL, PGSQL, and their behaviors | Use a SPAN port, network TAP or packet broker to mirror traffic to FortiNDR. |
| Fabric devices | FortiGate | HTTP2 (FortiOS 7.0); OFTP (FortiOS 5.6-6.0, legacy support) | HTTP, HTTPS (with SSL decryption), SMTP, POP3, IMAP | - | FortiGate v7.0.1 supports inline blocking with an AV profile. |
| Fabric devices | FortiMail | HTTP2 | SMTP | - | Configure under the AV profile on FortiMail. |
| Fabric devices | FortiSandbox | HTTP2 | MAPI, FTP, CIFS | - | - |
| Fabric devices | FortiProxy | HTTP2 | HTTP, HTTPS | - | Supports FortiProxy 7.0.0 and higher. |
| ICAP | FortiWeb | ICAP | HTTP, HTTPS | - | FortiNDR is used as the ICAP server. |
| ICAP | FortiProxy | ICAP | HTTP, HTTPS | - | The ICAP client can be a FortiGate, FortiWeb, FortiProxy or a third-party ICAP client such as Squid. |
| Other / API | FortiSOAR | HTTPS API upload | HTTPS | - | Uses the file-upload API available on FortiNDR. |
| Other / API | Scripts (refer to the Appendix for sample scripts) | HTTPS API upload | - | - | - |
| Other / API | NFS and SMB file shares | SMB/NFS | - | - | Direct map and scan. |

For a complete list of supported file types, see Appendix H: File types and protocols.
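The ICAP rows above only name the clients; what actually crosses the wire is an RFC 3507 RESPMOD exchange in which the client wraps the origin server's HTTP response and FortiNDR answers 204 (pass unmodified) or 200 (replacement response, typically a block page). The following client is an added example and not FortiNDR's or Fortinet's code: the ICAP service path ("respmod"), the server name and the sample HTTP exchange are assumptions, so check which service URL your FortiNDR ICAP server expects. The point to get right is the Encapsulated header, whose byte offsets must match the sections that follow.

```python
"""Minimal ICAP/1.0 RESPMOD client (RFC 3507). Added example, not FortiNDR code.
Assumed: service path "respmod", host names, and the sample HTTP messages."""
import socket
from typing import Dict, Tuple

ICAP_PORT = 1344  # default ICAP port


def chunked(body: bytes) -> bytes:
    """Encode the body as one HTTP chunk followed by the zero-length terminator."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_respmod_request(icap_host: str, service: str, http_request: bytes,
                          http_response_headers: bytes, body: bytes,
                          allow_204: bool = True) -> bytes:
    """Assemble a RESPMOD request.

    Encapsulated lists the byte offset of each section (client request headers,
    origin response headers, chunked response body) from the start of the
    encapsulated data. Wrong offsets are the usual cause of a 400 from the server.
    """
    for hdr in (http_request, http_response_headers):
        if not hdr.endswith(b"\r\n\r\n"):
            raise ValueError("encapsulated HTTP headers must end with CRLF CRLF")
    res_hdr_off = len(http_request)
    res_body_off = res_hdr_off + len(http_response_headers)
    icap_headers = [
        b"RESPMOD icap://%s:%d/%s ICAP/1.0" % (icap_host.encode(), ICAP_PORT, service.encode()),
        b"Host: " + icap_host.encode(),
        b"Connection: close",  # server closes after replying, so we can read to EOF
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d" % (res_hdr_off, res_body_off),
    ]
    if allow_204:
        icap_headers.append(b"Allow: 204")  # server may say "unmodified" without echoing the body
    return (b"\r\n".join(icap_headers) + b"\r\n\r\n"
            + http_request + http_response_headers + chunked(body))


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an ICAP response into (status code, lower-cased header dict, bytes after the head)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip().decode("ascii", "replace")
    return int(parts[1]), headers, rest


def verdict(status: int, headers: Dict[str, str]) -> str:
    """Map the ICAP status to a scan outcome.

    204: content passes unmodified (clean). 200: the server returned a replacement
    response, normally a block page; X-Infection-Found / X-Violations-Found, when
    present, carry the detection details. Anything else is a protocol or server
    error, which a fail-closed deployment should treat as a block, not as clean.
    """
    if status == 204:
        return "clean"
    if status == 200:
        if "x-infection-found" in headers or "x-violations-found" in headers:
            return "infected"
        return "modified"
    return "error"


def scan_via_icap(icap_host: str, service: str, http_request: bytes,
                  http_response_headers: bytes, body: bytes,
                  timeout: float = 10.0) -> Tuple[str, Dict[str, str]]:
    """Send the exchange to a live ICAP server and return (verdict, ICAP headers)."""
    request = build_respmod_request(icap_host, service, http_request, http_response_headers, body)
    received = []
    with socket.create_connection((icap_host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        while True:  # read until the server closes; the socket timeout bounds a stalled server
            data = sock.recv(65536)
            if not data:
                break
            received.append(data)
    status, headers, _ = parse_icap_response(b"".join(received))
    return verdict(status, headers), headers


if __name__ == "__main__":
    # Constructed sample exchange (not a real download); host name is an assumption.
    req = b"GET /file.exe HTTP/1.1\r\nHost: dl.example.com\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    print(build_respmod_request("ndr.example.internal", "respmod", req, res, b"MZ\x90\x00").decode())
```

When wiring a third-party client such as Squid to FortiNDR, watch the timeout and error path: an ICAP status other than 204 or 200, or a closed connection, should block the transfer rather than let it through, otherwise an overloaded scanner silently becomes a bypass.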

FortiNDR supports quarantine through a FortiOS incoming webhook on FortiOS 6.4 and higher. For details, see the Release Notes. For FortiNDR to quarantine a host via FortiGate, you must provide the VDOM information for that FortiGate. For details, see Automation Framework.
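To see what the quarantine call looks like on the wire, the following is an added example of a caller posting to a FortiGate incoming-webhook automation stitch; it is not FortiNDR's own code. It assumes the FortiOS 6.4+ REST endpoint POST /api/v2/monitor/system/automation-stitch/webhook/<stitch-name>, a REST API admin token as the bearer credential, the ?vdom= query parameter to select the VDOM, and that the stitch's quarantine action reads the source IP from the JSON body (as %%log.srcip%%); the host names, stitch name and token are placeholders. Verify each of these against the FortiOS version you run.

```python
"""Post a quarantine request to a FortiGate incoming-webhook stitch.
Added example, not FortiNDR code. Assumed: the FortiOS endpoint path, the
?vdom= parameter, the bearer-token header and the "srcip" body field."""
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

WEBHOOK_PATH = "/api/v2/monitor/system/automation-stitch/webhook/"  # assumed FortiOS path


def build_quarantine_webhook(fortigate: str, stitch: str, vdom: str, api_token: str,
                             src_ip: str, reason: str = "FortiNDR malware verdict"
                             ) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, json body) for the quarantine call, validating inputs first."""
    addr = ipaddress.ip_address(src_ip)  # raises ValueError on anything that is not an IP
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        raise ValueError(f"refusing to quarantine {src_ip}")
    if not vdom:
        # Without the VDOM the stitch is looked up in the wrong (or no) VDOM and nothing happens.
        raise ValueError("VDOM is required")
    query = urllib.parse.urlencode({"vdom": vdom})
    url = f"https://{fortigate}{WEBHOOK_PATH}{urllib.parse.quote(stitch, safe='')}?{query}"
    headers = {"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"}
    body = json.dumps({"srcip": str(addr), "reason": reason}).encode()
    return url, headers, body


def send_quarantine_webhook(url: str, headers: Dict[str, str], body: bytes,
                            cafile: Optional[str] = None, timeout: float = 10.0) -> int:
    """POST the request and return the HTTP status. The FortiGate certificate is
    verified (optionally against a private CA); do not disable verification, the
    token in the Authorization header is an admin credential."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values; nothing is sent unless send_quarantine_webhook is called.
    u, h, b = build_quarantine_webhook("fgt.example.internal", "ndr-quarantine", "root",
                                       "REPLACE-WITH-API-TOKEN", "10.1.2.3")
    print(u)
    print(b.decode())
```

The API token should belong to a REST API admin whose profile is limited to the automation-stitch monitor endpoint and whose trusted hosts are restricted to the FortiNDR address, so that a compromised FortiNDR cannot be used to reconfigure the FortiGate.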