Hardening
System hardening reduces security risk by eliminating potential attack vectors and shrinking the system's attack surface.
Physical security
Install the FortiNDR in a physically secure location. Physical access to the FortiNDR can allow it to be bypassed, or other firmware could be loaded after a manual reboot.
Vulnerability - monitoring PSIRT
Product Security Incident Response Team (PSIRT) continually tests and gathers information about Fortinet hardware and software products, looking for vulnerabilities and weaknesses. The findings are sent to the Fortinet development teams, and serious issues are described, along with protective solutions, in advisories listed at https://www.fortiguard.com/psirt.
Firmware
Keep the FortiNDR firmware up to date. The latest patch release has the most fixed bugs and vulnerabilities, and should be the most stable. Firmware is periodically updated to add new features and resolve important issues.
- Read the release notes. The known issues may include issues that affect your business.
- Do not use out-of-support firmware. Review the Product Life Cycle > Software page and plan to upgrade before the FortiNDR End of Support (EOS) date, which is when Fortinet Support services for the firmware version expire.
- Enable Restrict login to trusted hosts in the Administrator settings so that administrators can only log in from a trusted host. For information, see Administrators.
Encrypted protocols
Use encrypted protocols whenever possible, for example:
- LDAPS instead of LDAP
- SNMPv3 instead of early SNMP versions
- SSH instead of telnet
- SCP instead of FTP or TFTP
When configuring an LDAP connection to an Active Directory server, an administrator must provide Active Directory user credentials.
- To secure this connection, use LDAPS on both the Active Directory server and FortiGate. See Configuring an LDAP server and Configuring client certificate authentication on the LDAP server.
- Apply the principle of least privilege. For the LDAP regular bind operation, do not use credentials that provide full administrative access to the Windows server. See Configuring least privileges for LDAP admin account authentication in Active Directory.
To secure RADIUS connections, consider using RADSEC over TLS instead. See Configuring a RADSEC client.
FortiGuard databases
Ensure that FortiGuard databases, such as IPS, AV, ANN and other NDR-related databases, are updated promptly when new versions are released.
Penetration testing
Test your FortiNDR by attempting to gain unauthorized access to it, using internal tools, third-party tools, or third-party companies to verify FortiNDR access controls and configuration.
Password policies
Create a secure password policy to ensure that user passwords meet the minimum number of characters, numbers, symbols and letters. For information, see config system password-policy.
Disable unnecessary services
To protect FortiNDR from unnecessary exposure, consider disabling the following features when not in use:
- Interface connectivity (ping, SNMP, telnet, and so on)
- Netflow. Run CLI:
execute netflow <on/off>
- For a pure malware scanning deployment, the NDR daemon can be disabled. Run CLI:
execute ndrd <on|off>
- If the deployment does not require malware scanning by AV/ANN, you can disable sniffer malware detection. Manual submission, HTTP2 and OFTP will still work as file input sources. Run CLI:
execute snifferd <on|off>
- Disable the ICAP server configuration if not required. This feature is disabled by default. See ICAP Connectors.
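The following is an added example, not Fortinet's code: a small audit routine that checks a settings snapshot against the encrypted-protocol, trusted-host and unnecessary-service recommendations above. The dict layout is a constructed stand-in for an appliance settings export, not FortiNDR's real configuration format, and the privileged-bind check is only a name heuristic.

```python
# Added example, not Fortinet's code. The dict layout is a constructed stand-in
# for an appliance settings export; FortiNDR's real config format differs.
def audit(s):
    """Return (check, advice) pairs for settings that violate the guide."""
    admin_protocols = {p for plist in s["interfaces"].values() for p in plist}
    checks = [
        ("ldap-cleartext", s["ldap"]["scheme"] != "ldaps",
         "Use LDAPS on both FortiNDR and the Active Directory server"),
        ("ldap-bind-privileged", s["ldap"]["bind_user"].lower().endswith("administrator"),
         "Bind with a least-privilege account, not a full admin (name heuristic only)"),
        ("radius-cleartext", not s["radius"]["radsec"],
         "Use RADSEC over TLS instead of plain RADIUS"),
        ("snmp-legacy", s["snmp"]["enabled"] and s["snmp"]["version"] != "v3",
         "Use SNMPv3, or disable SNMP on interfaces where it is unused"),
        ("telnet-enabled", "telnet" in admin_protocols,
         "Use SSH instead of telnet for CLI access"),
        ("no-trusted-hosts", not s["admin"]["trusted_hosts"],
         "Enable 'Restrict login to trusted hosts' for administrators"),
        ("file-transfer-cleartext", s["file_transfer"] in ("ftp", "tftp"),
         "Use SCP instead of FTP or TFTP"),
        ("netflow-on", s["services"]["netflow"],
         "Disable Netflow when not in use (execute netflow off)"),
        ("icap-on", s["services"]["icap"],
         "Disable the ICAP server if not required (disabled by default)"),
    ]
    return [(name, advice) for name, failed, advice in checks if failed]

# Constructed "before" snapshot: several of the guide's recommendations are unmet.
BEFORE = {
    "ldap": {"scheme": "ldap", "bind_user": "CORP\\Administrator"},
    "radius": {"radsec": False},
    "snmp": {"enabled": True, "version": "v2c"},
    "interfaces": {"port1": ["https", "ssh", "ping", "telnet", "snmp"], "port2": ["https"]},
    "admin": {"trusted_hosts": []},
    "services": {"netflow": True, "icap": True},
    "file_transfer": "ftp",
}
# Constructed "after" snapshot that follows the guide.
AFTER = {
    "ldap": {"scheme": "ldaps", "bind_user": "CORP\\svc-ndr-ldap"},
    "radius": {"radsec": True},
    "snmp": {"enabled": True, "version": "v3"},
    "interfaces": {"port1": ["https", "ssh"], "port2": ["https"]},
    "admin": {"trusted_hosts": ["10.10.0.0/24"]},
    "services": {"netflow": False, "icap": False},
    "file_transfer": "scp",
}

if __name__ == "__main__":
    for name, advice in audit(BEFORE):
        print(f"[FAIL] {name}: {advice}")
```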
Configuration backup
The FortiNDR configuration file has important information that should always be kept secured, including details about your network, users, credentials, etc. There are many reasons to back up your configuration, such as disaster recovery, preparing for migrating to another device, and troubleshooting. Evaluate the risk involved if your configurations were exposed, and manage your risk accordingly. Store the configuration file in a secure location. Delete old configuration files that are no longer needed.
Logging
Logging generates system event, traffic, user login, and many other types of records that can be used for alerts, analysis, and troubleshooting. The records can be stored locally (data at rest) or remotely (data in motion). Due to the sensitivity of the log data, it is important to encrypt data in motion through the logging transmission channel. When logging to third-party devices, make sure that the channel is secure. If it is not secure, it is recommended that you form a VPN to the remote logging device before transmitting logs to it.
Logging options include FortiAnalyzer, Syslog, and a local disk. Logging with Syslog only stores the log messages. Logging to FortiAnalyzer stores the logs and provides log analysis. If a Security Fabric is established, you can create rules to trigger actions based on the logs. For example, sending an email if the FortiNDR configuration is changed, or running a CLI script if a host is compromised.
FortiSIEM (Security Information and Event Management) and FortiSOAR (Security Orchestration, Automation, and Response) both aggregate security data from various sources into alerts and support logging from FortiNDR.