FortiNDR health checks
When FortiNDR is set up, use the CLI command diag sys top to check that the key FortiNDR processes are running. For NDR to function correctly, the following processes must be running: ndrd and isniff4ndr.

The FortiNDR processes and their roles are:
Sniffer daemon.
NDR daemon.
Second sniffer daemon.
Upload file daemon.
OFTP daemon that receives files from FortiGate.
Portable executable AI engine.
Portable executable AI learner. If no features have been learned, this process does not appear.
Script AI engine.
Script AI learner.
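A small health check that automates the process verification described above, as an added example that is not part of the Fortinet documentation or product. It parses output captured from diag sys top (for instance over SSH from a management host) and reports which required daemons are absent. The only process names taken from this page are ndrd and isniff4ndr; the other names in the sample, and the column layout of the sample output, are constructed for illustration and should be adjusted to what your appliance actually prints.

```python
"""Check captured `diag sys top` output for required FortiNDR daemons.

Added example, not Fortinet code. The sample captures below are constructed
in a top-like layout (name, pid, state, cpu%, mem%); the real layout may
differ, so adjust PROCESS_LINE to match your appliance's output.
"""
import re
from typing import Dict, List

# Daemons the page names as required for NDR to function.
REQUIRED = ("ndrd", "isniff4ndr")

# Constructed sample: a healthy appliance. "otherd1"/"otherd2" are
# placeholder names, not real FortiNDR process names.
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 12 minutes
0U, 0N, 1S, 99I, 0WA, 0HI, 0SI, 0ST; 16064T, 9876F
             ndrd      1532      S       0.3     2.1
       isniff4ndr      1540      S       1.2     3.4
          otherd1      1551      S       0.0     0.4
          otherd2      1560      S       0.0     0.3
"""

# Constructed sample: the sniffer daemon has died.
DEGRADED_TOP = """\
Run Time:  0 days, 0 hours and 2 minutes
0U, 0N, 1S, 99I, 0WA, 0HI, 0SI, 0ST; 16064T, 9876F
             ndrd      1532      S       0.3     2.1
          otherd1      1551      S       0.0     0.4
"""

# One process row: name, numeric pid, scheduler state, cpu%, mem%.
# The uptime and CPU/memory summary lines do not match and are skipped.
PROCESS_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z<]+)"
    r"\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s*$"
)


def parse_top(text: str) -> Dict[str, int]:
    """Return {process_name: pid} for every process row in the capture."""
    procs: Dict[str, int] = {}
    for line in text.splitlines():
        m = PROCESS_LINE.match(line)
        if m:
            procs[m.group("name")] = int(m.group("pid"))
    return procs


def check_processes(text: str, required=REQUIRED) -> Dict[str, List[str]]:
    """Split the required daemons into those seen running and those missing."""
    running = parse_top(text)
    return {
        "running": sorted(n for n in required if n in running),
        "missing": sorted(n for n in required if n not in running),
    }


def is_healthy(text: str, required=REQUIRED) -> bool:
    """True when every required daemon appears in the capture."""
    return not check_processes(text, required)["missing"]


if __name__ == "__main__":
    for label, capture in (("sample", SAMPLE_TOP), ("degraded", DEGRADED_TOP)):
        result = check_processes(capture)
        print(f"{label}: running={result['running']} missing={result['missing']}")
```

The learner processes are deliberately left out of REQUIRED: as the page notes, the portable executable AI learner does not appear until features have been learned, so treating its absence as a failure would produce false alarms on a freshly deployed appliance.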
To turn network traffic detection on and off:
Run the following command:
exec ndrd <on/off>
To turn sniffer malware detection on and off for troubleshooting:
Run the following command:
exec snifferd <on/off>
The current version of the malware sniffer only sniffs traffic on port2.
When the FortiNDR sniffer malware detection feature is operating normally, Log & Report > Malware Log > Accepted shows the accepted traffic, and Log & Report > NDR Log > Session shows the incoming sessions.
Sniffer diagnosis
Use the CLI command diag sniffer file ? to show sniffer output for port2. A TFTP server is required to store the sniffer output.
The sniffer does not save unsupported file types, or supported file types that are corrupted. For example, if the traffic contains a corrupted zip file that cannot be unzipped, the sniffer does not save it to Log & Report > Malware Log.