DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
- Hardening
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- OT Devices
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center and Standalone)
- Anomaly tab
- Connection tab
- Session tab
- Malware Attack Scenario
  - Attack scenario navigation and timeline
  - Understanding kill chain and scenario engine
- Malware Observed
Investigations (Center)
- Global query
- Advanced Query Language
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Cloud Storage
- Fabric Connectors
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment (Standalone, Sensor and Center)
- Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
- Netflow ML discovery
- Netflow ML Configuration
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor/Center settings
- Firmware
- Settings
- SNMP
- Artifact Storage (Standalone and Sensor)
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
- Creating remote wildcard administrators
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
- NetFlow logs samples
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported IPS (including OT), Application Control, and protocols
Appendix H: File types and protocols
Appendix I: Center Sensor Deployment
Appendix J: Custom IPS signatures
- Detection Logic and tuning
- Example configuration
Change Log

Home FortiNDR 7.6.3 Administration Guide

7.6.3

Netflow ML Configuration

Configure the Machine Learning (ML) profile of network traffic to identify anomalies.

The ML Configuration page has two tabs:

Default (Standalone mode): Use this tab to view and adjust the machine learning baseline features for traffic anomaly detection and to monitor the status of baseline training.
Source IP: Use this tab to categorize IP ranges. Each group of IP ranges can be individually trained based on the ML configuration. This allows for varying levels of severity to be applied to distinct IP ranges for custom anomaly detection.

Default tab

To configure the ML Configuration profile:

Go to Netflow > Netflow ML Configuration.

Configure the following settings:

Status
Baseline Status	The current baseline training status: Baselining:The current training is still in progress. Baseline ready: The baseline training is done and is ready for anomaly detection.
ML Discovery Detection	Click to Enable or Disable baseline training.
Latest Training Completion	The date and time of the last baseline training.
Feature Enabled for Learning
Default Feature Configuration	Click to enable the default ML configuration settings.
Severity	Select Low, Medium, High or Critical.
Device Info
Source IP Mask	The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Destination IP	The Destination Device IP. Apply netmask if you do not want to treat certain range changes in the IP as an anomaly Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Source Port	Port number such as, 22, 445, none reserved port, etc.
Destination Port	Port number such as, 22, 445, none reserved port, etc.
Source MAC	Source device MAC address.
VLAN IP	The VLAN IP.
Protocol and Application Behavior
Ethernet type	Enable to monitor the Ethernet type.
Protocol	Enable to enter the protocol.
IP Type of Service	Enable to monitor the IP service type.
TCP Flags	Enable to monitor the TCP Flags.
ICMP Type	Enable to monitor the ICMP type.
ICMP Code	Enable to monitor the ICMP code.
Others
Number of Bytes	FortiNDR categorizes Bytes into 3 groups: Small: Less than 100 bytes Medium: 100-9999999 Larger: Equal to and greater than 10000000 bytes
Number of packets	FortiNDR categorizes Packets into 3 groups: Small:Less than 2 Medium: 2-6249 Larger: Equal to and greater than 6250
Operation Mode
Source IP Only Mode	When enabled, ML will only monitor the traffic for IPs in the Source IP tab. Other traffic will be skipped.

Source IP tab

To configure the Source IP:

Go to Netflow > Netflow ML Configuration and click the Source IP tab.
Click Create. The ML Configuration for Source IP pane opens.

Configure the following settings:

Source IP and Severity
Source IP	Enter the source IP address.
Severity	Select Low, Medium, High or Critical.
Device Info
Source IP Mask	The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Destination IP	The Destination Device IP. Apply netmask if you don’t want to treat certain range change in the IP as anomaly Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Source Port	Port number such as, 22, 445, none reserved port, etc.
Destination Port	Port number such as, 22, 445, none reserved port, etc.
Source MAC	Source device MAC address.
VLAN IP	The VLAN IP.
Protocol and Application Behavior
Ethernet type	Enable to monitor the Ethernet type.
Protocol	Enable to enter the protocol.
IP Type of Service	Enable to monitor the IP service type.
TCP Flags	Enable to monitor the TCP Flags.
ICMP Type	Enable to monitor the ICMP type.
ICMP Code	Enable to monitor the ICMP code.
Others
Number of Bytes	FortiNDR categorizes Bytes into 3 groups: Small: Less than 100 bytes Medium: 100-9999999 Larger: Equal to and greater than 10000000 bytes
Number of packets	FortiNDR categorizes Packets into 3 groups: Small:Less than 2 Medium: 2-6249 Larger:Equal to and greater than 6250

Netflow ML Configuration

Configure the Machine Learning (ML) profile of network traffic to identify anomalies.

The ML Configuration page has two tabs:

Default (Standalone mode): Use this tab to view and adjust the machine learning baseline features for traffic anomaly detection and to monitor the status of baseline training.
Source IP: Use this tab to categorize IP ranges. Each group of IP ranges can be individually trained based on the ML configuration. This allows for varying levels of severity to be applied to distinct IP ranges for custom anomaly detection.

Default tab

To configure the ML Configuration profile:

Go to Netflow > Netflow ML Configuration.

Configure the following settings:

Status
Baseline Status	The current baseline training status: Baselining:The current training is still in progress. Baseline ready: The baseline training is done and is ready for anomaly detection.
ML Discovery Detection	Click to Enable or Disable baseline training.
Latest Training Completion	The date and time of the last baseline training.
Feature Enabled for Learning
Default Feature Configuration	Click to enable the default ML configuration settings.
Severity	Select Low, Medium, High or Critical.
Device Info
Source IP Mask	The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Destination IP	The Destination Device IP. Apply netmask if you do not want to treat certain range changes in the IP as an anomaly Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Source Port	Port number such as, 22, 445, none reserved port, etc.
Destination Port	Port number such as, 22, 445, none reserved port, etc.
Source MAC	Source device MAC address.
VLAN IP	The VLAN IP.
Protocol and Application Behavior
Ethernet type	Enable to monitor the Ethernet type.
Protocol	Enable to enter the protocol.
IP Type of Service	Enable to monitor the IP service type.
TCP Flags	Enable to monitor the TCP Flags.
ICMP Type	Enable to monitor the ICMP type.
ICMP Code	Enable to monitor the ICMP code.
Others
Number of Bytes	FortiNDR categorizes Bytes into 3 groups: Small: Less than 100 bytes Medium: 100-9999999 Larger: Equal to and greater than 10000000 bytes
Number of packets	FortiNDR categorizes Packets into 3 groups: Small:Less than 2 Medium: 2-6249 Larger: Equal to and greater than 6250
Operation Mode
Source IP Only Mode	When enabled, ML will only monitor the traffic for IPs in the Source IP tab. Other traffic will be skipped.

Source IP tab

To configure the Source IP:

Go to Netflow > Netflow ML Configuration and click the Source IP tab.
Click Create. The ML Configuration for Source IP pane opens.

Configure the following settings:

Source IP and Severity
Source IP	Enter the source IP address.
Severity	Select Low, Medium, High or Critical.
Device Info
Source IP Mask	The Source Device IP. Apply a netmask if you do not want to treat certain range changes in the IP as an anomaly. Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Destination IP	The Destination Device IP. Apply netmask if you don’t want to treat certain range change in the IP as anomaly Select one of the following options: Do Not Apply Netmask: This is the default. Apply Class C Netmask: /24 Apply Class B Netmask: /16
Source Port	Port number such as, 22, 445, none reserved port, etc.
Destination Port	Port number such as, 22, 445, none reserved port, etc.
Source MAC	Source device MAC address.
VLAN IP	The VLAN IP.
Protocol and Application Behavior
Ethernet type	Enable to monitor the Ethernet type.
Protocol	Enable to enter the protocol.
IP Type of Service	Enable to monitor the IP service type.
TCP Flags	Enable to monitor the TCP Flags.
ICMP Type	Enable to monitor the ICMP type.
ICMP Code	Enable to monitor the ICMP code.
Others
Number of Bytes	FortiNDR categorizes Bytes into 3 groups: Small: Less than 100 bytes Medium: 100-9999999 Larger: Equal to and greater than 10000000 bytes
Number of packets	FortiNDR categorizes Packets into 3 groups: Small:Less than 2 Medium: 2-6249 Larger:Equal to and greater than 6250

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Netflow ML Configuration

Netflow ML Configuration

Default tab

To configure the ML Configuration profile:

Source IP tab

To configure the Source IP:

Netflow ML Configuration

Netflow ML Configuration

Default tab

To configure the ML Configuration profile:

Source IP tab