Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.6.4
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiNDR 7.6.4 Administration Guide
    7.6.4
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.0
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0

    Weak/Vulnerable Communication

    Weak/Vulnerable Communication

    The Weak/Vulnerable Communication monitor displays the list of weak or vulnerable communications detected on sniffer port(s) on NDR interfaces. Detection of weak and vulnerable communications in the network can be signs of weak or compromised network security that administrators should pay attention to.

    FortiNDR supports detection of weak cipher with the following protocols:

    • TLS
    • FTP
    • HTTP
    • IRC
    • POP3
    • RTSP
    • SMB
    • SMTP
    • IMAP
    • SSH
    • RDP
    • DNS
    • SNMP
    • MySQL
    • MSSQL
    • PostgreSQL
    • SIP

    The Weak/Vulnerable Communication displays the following information:

    Sensor (Center mode) The network sensor. Hover over the sensors ID to view the IP Address, Serial number (S/N), Last Sync Time and Status.
    Latest Timestamp The date record was updated.
    Type
    Communication type Description
    Weak record version Weak TLS record layer version.
    Weak version Weak TLS handshake version.
    Weak support version Weak TLS handshake extension supported version.
    Weak cipher Weak TLS handshake cipher suite.
    Weak security mode SMB protocol uses level security mode.
    Weak extended security SMB protocol uses outdated extended security negotiation option.
    Weak dialect SMB uses outdated dialect version.
    Weak encryption SMB or SSH uses risky encryption algorithm. For example, SMB protocol with encryption disabled.
    Weak authentication Email protocols are using risky authentication methods. For example, POP3 uses authentication cram-md5, Postgres uses MD5 password as authentication type.
    Weak server HTTP or RTSP server version is outdated.
    Weak method HTTP, SIP or RTSP protocol uses weak request method. For example, HTTP protocol uses DELETE as request method.
    Weak banner Weak or outdated email server version. For example, Outdated Cyrus IMAP server
    Weak encrypt algo server client Weak encryption option is used in SSH, such as rc4, rc3, rc2.
    Weak capability IMAP or POP3 capability command uses option AUTH=PLAIN.
    Weak security SMB protocol uses low level security mode.
    Weak encrypt method RDP protocol uses low level encryption methods such as ENCRYPTION_METHOD_40BIT.
    Weak encrypt level RDP protocol uses low encryption level such as ENCRYPTION_LEVEL_NONE
    Weak msg flags SNMP protocol uses risky flags such as 0x00-02, 0x04-06 and 0x08-ff.
    Weak server version MYSQL, TDS, Posgres or SIP server version is outdated.
    Weak auth algo POP3, SMTP or IMAP authentication method option is too risky. For example, POP3 uses PLAIN authentication option.
    Weak protocol version MYSQL protocol version outdated.
    Weak encrypt TDS encryption option is disabled.
    Weak fedauth TDS protocol disables FedAuthRequired option.
    Protocol The communication protocol.
    Severity The event severity ( Low, Medium, High or Critical).
    Count (Historic) The total number of times the event was observed.
    Count (Past week) The total number of times the event was observed during the past week .
    First Timestamp The date the record was created.

    General tab

    The General tab displays the following information:

    General
    • Event Type
    • Severity
    • Reason
    Additional Information
    • HTTP Version
    • HTTP Response Code
    • HTTP Server Name
    • HTTP URL
    • Malicious Behavior
    Last Occurrence
    • Latest Occurrence
    • Count( Past Week)
    • Count( Historic)
    • Latest Source IP
    • Latest Source Port
    • Latest Source MAC
    • Latest Source Packet Size
    • Latest Source Country
    • Latest Source Device Model
    • Latest Source OS
    • Latest Source Device Category
    • Latest Source Device Sub Category
    • Latest Destination IP
    • Latest Destination Port
    • Latest Destination MAC
    • Latest Destination Packet Size
    • Latest Destination Country
    • Latest Destination Device Model
    • Latest Destination OS
    • Latest Destination Device Category
    • Latest Destination Device Sub Category

    Analytic tab

    The Analytic tab displays the following information about he the connection pair:

    Src IP The source IP. Hover over the record to view the view the IP Address, Country and Related Service.
    Source Network

    The source network.

    You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

    Dst Ip The destination IP. Hover over the record to view the view the IP Address, Country and Related Service.
    Destination Network

    The destination network.

    You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

    Count (Historic) The total number of times the event was observed.
    Count (Past week) The total number of times the event was observed during the past week .
    To view the source and destination devices:
    • Select a record in the table and click View Device > View Source Device, or View Destination Device.
    To view the session logs for a condition:
    • Double-click a record in the Information pane. The Sessions Log for selected condition pane opens.

    Examples

    Wireshark pcap

    Weak security mode

    Weak extended security

    Weak dialect

    Weak authentication

    Previous
    Next

    Weak/Vulnerable Communication

    Weak/Vulnerable Communication

    The Weak/Vulnerable Communication monitor displays the list of weak or vulnerable communications detected on sniffer port(s) on NDR interfaces. Detection of weak and vulnerable communications in the network can be signs of weak or compromised network security that administrators should pay attention to.

    FortiNDR supports detection of weak cipher with the following protocols:

    • TLS
    • FTP
    • HTTP
    • IRC
    • POP3
    • RTSP
    • SMB
    • SMTP
    • IMAP
    • SSH
    • RDP
    • DNS
    • SNMP
    • MySQL
    • MSSQL
    • PostgreSQL
    • SIP

    The Weak/Vulnerable Communication displays the following information:

    Sensor (Center mode) The network sensor. Hover over the sensors ID to view the IP Address, Serial number (S/N), Last Sync Time and Status.
    Latest Timestamp The date record was updated.
    Type
    Communication type Description
    Weak record version Weak TLS record layer version.
    Weak version Weak TLS handshake version.
    Weak support version Weak TLS handshake extension supported version.
    Weak cipher Weak TLS handshake cipher suite.
    Weak security mode SMB protocol uses level security mode.
    Weak extended security SMB protocol uses outdated extended security negotiation option.
    Weak dialect SMB uses outdated dialect version.
    Weak encryption SMB or SSH uses risky encryption algorithm. For example, SMB protocol with encryption disabled.
    Weak authentication Email protocols are using risky authentication methods. For example, POP3 uses authentication cram-md5, Postgres uses MD5 password as authentication type.
    Weak server HTTP or RTSP server version is outdated.
    Weak method HTTP, SIP or RTSP protocol uses weak request method. For example, HTTP protocol uses DELETE as request method.
    Weak banner Weak or outdated email server version. For example, Outdated Cyrus IMAP server
    Weak encrypt algo server client Weak encryption option is used in SSH, such as rc4, rc3, rc2.
    Weak capability IMAP or POP3 capability command uses option AUTH=PLAIN.
    Weak security SMB protocol uses low level security mode.
    Weak encrypt method RDP protocol uses low level encryption methods such as ENCRYPTION_METHOD_40BIT.
    Weak encrypt level RDP protocol uses low encryption level such as ENCRYPTION_LEVEL_NONE
    Weak msg flags SNMP protocol uses risky flags such as 0x00-02, 0x04-06 and 0x08-ff.
    Weak server version MYSQL, TDS, Posgres or SIP server version is outdated.
    Weak auth algo POP3, SMTP or IMAP authentication method option is too risky. For example, POP3 uses PLAIN authentication option.
    Weak protocol version MYSQL protocol version outdated.
    Weak encrypt TDS encryption option is disabled.
    Weak fedauth TDS protocol disables FedAuthRequired option.
    Protocol The communication protocol.
    Severity The event severity ( Low, Medium, High or Critical).
    Count (Historic) The total number of times the event was observed.
    Count (Past week) The total number of times the event was observed during the past week .
    First Timestamp The date the record was created.

    General tab

    The General tab displays the following information:

    General
    • Event Type
    • Severity
    • Reason
    Additional Information
    • HTTP Version
    • HTTP Response Code
    • HTTP Server Name
    • HTTP URL
    • Malicious Behavior
    Last Occurrence
    • Latest Occurrence
    • Count( Past Week)
    • Count( Historic)
    • Latest Source IP
    • Latest Source Port
    • Latest Source MAC
    • Latest Source Packet Size
    • Latest Source Country
    • Latest Source Device Model
    • Latest Source OS
    • Latest Source Device Category
    • Latest Source Device Sub Category
    • Latest Destination IP
    • Latest Destination Port
    • Latest Destination MAC
    • Latest Destination Packet Size
    • Latest Destination Country
    • Latest Destination Device Model
    • Latest Destination OS
    • Latest Destination Device Category
    • Latest Destination Device Sub Category

    Analytic tab

    The Analytic tab displays the following information about he the connection pair:

    Src IP The source IP. Hover over the record to view the view the IP Address, Country and Related Service.
    Source Network

    The source network.

    You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

    Dst Ip The destination IP. Hover over the record to view the view the IP Address, Country and Related Service.
    Destination Network

    The destination network.

    You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.

    Count (Historic) The total number of times the event was observed.
    Count (Past week) The total number of times the event was observed during the past week .
    To view the source and destination devices:
    • Select a record in the table and click View Device > View Source Device, or View Destination Device.
    To view the session logs for a condition:
    • Double-click a record in the Information pane. The Sessions Log for selected condition pane opens.

    Examples

    Wireshark pcap

    Weak security mode

    Weak extended security

    Weak dialect

    Weak authentication

    Previous
    Next