FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
- Hardening
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- OT Devices
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center and Standalone)
- NDR Detection tab
- Observation tab
- Connection tab
- Session tab
- Malware Attack Scenario
  - Attack scenario navigation and timeline
  - Understanding kill chain and scenario engine
- Malware Detection
Investigations (Center)
- Global query
- Advanced Query Language
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Cloud Storage
- Fabric Connectors
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integrations
  - Sending files to FortiSandbox
  - FortiNDR as prescan (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment (Standalone, Sensor and Center)
- Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
- Netflow ML discovery
- Netflow ML Configuration
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor/Center settings
- Firmware
- Settings
- SNMP
- Artifact Storage (Standalone and Sensor)
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
- Creating remote wildcard administrators
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
- NetFlow logs samples
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported IPS (including OT), Application Control, and protocols
Appendix H: File types and protocols
Appendix I: Center Sensor Deployment
Appendix J: Custom IPS signatures
- Detection Logic and tuning
- Example configuration
Change Log

Home FortiNDR 7.6.4 Administration Guide

7.6.4

Cloud Storage

Go to Security Fabric > Cloud Storage to scan remote cloud storage platforms.

Create a Cloud Storage profile to configure a Cloud Storage location for inspection. After the profile is configured, FortiNDR will scan the registered cloud storage’s contents.

Name	The cloud storage profile name.
Scan Scheduled	Indicates scheduled scan is enabled/disabled.
Type	The cloud storage platform.
Storage Path	The URL of the cloud storage.
Enabled	Indicates the cloud storage profile is enabled/disabled.
Status	The cloud storage configuration status. See Testing connectivity.

Creating a Cloud Storage profile

To create a Cloud Storage profile, go to Security Fabric > Cloud Storage. Register a new Cloud Storage by providing access information. You can also use the profile to schedule a scan cycle of the cloud storage.

To create a Cloud Storage profile:

Go to Security Fabric > Cloud Storage.
In the toolbar, click Create New. The New Cloud Storage page opens.

Enter the Cloud Storage access information.

Status	Enable or Disable. Enable is the default.
Cloud Type	Select a cloud storage platform from the list. The following platforms are supported: Amazon Web Service S3 Bucket
Cloud Storage Name	Enter a name for the Cloud Storage.
Bucket Name	(AWS S3 Only) Enter the name of the Cloud Storage container.
S3 Prefix	(AWS S3 Only) Enter the common prefix of the keys to scan. Leave empty to scan the entire bucket.
Access Key	Enter the access key for the cloud storage.
Secret Key	Enter the secret key for the cloud storage.
Enable Force Rescan	When enabled, FortiNDR will not use cache detection even if the files are previously scanned.

Click OK.

Testing connectivity

To validate the Cloud Storage configuration

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Test Connection to validate the Cloud Storage configuration.

A green check mark appears in the Status column next to a valid connection.

Scanning a cloud storage

To trigger a scan:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Scan Now.

The Scan Now button will not create a new task when the Cloud Storage is:

Currently mounting
Scanning another task
Disabled
Not connected (Status is Down)

You can use a REST API call to start a scan.

Scheduling a scan

You can schedule routine scanning for a cloud storage on an hourly, daily, or monthly basis. The minimum time interval for each scan is 15 minutes.

To schedule a scan:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Edit. The New Cloud Storage window opens.
Select Enable Scheduled Scan.
Configure the Schedule Type and the corresponding time interval.
Click OK.

Viewing scan results

View the scan history of the Cloud Storage directories.

To view the scan results:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Scan Details. The scan history is displayed.

Total	The total number of files scanned.
Start Time	The date and time the scan started.
End Time	The date and time the scan completed.
Scan Finished	The scan progress as a percentage.
Critical Risk	The number of detected critical risk files.
High Risk	The number of detected critical high files.
Medium Risk	The number of detected medium risk files.
Low Risk	The number of detected critical low files.
Clean	The number of clean files.
Others	The number of detected other files.
Scan Status	The scan status as a string.

Click the numbers to view the detection information for the samples that belong to the category.
Click the link in the column to view the detected and quarantined files.
- Select a sample in the list then click View Sample Detail.
- Click Back to return to the Scan Details.
Click Back to return to the Cloud Storage pane.

Scanning Zip files

FortiNDR can extract and process Zip files up to 10 levels. When any of the files inside the Zip file is detected, the whole zip file will be marked as malicious.

FortiNDR does not process password-protected zip files.

Cloud Storage

Go to Security Fabric > Cloud Storage to scan remote cloud storage platforms.

Create a Cloud Storage profile to configure a Cloud Storage location for inspection. After the profile is configured, FortiNDR will scan the registered cloud storage’s contents.

Name	The cloud storage profile name.
Scan Scheduled	Indicates scheduled scan is enabled/disabled.
Type	The cloud storage platform.
Storage Path	The URL of the cloud storage.
Enabled	Indicates the cloud storage profile is enabled/disabled.
Status	The cloud storage configuration status. See Testing connectivity.

Creating a Cloud Storage profile

To create a Cloud Storage profile:

Go to Security Fabric > Cloud Storage.
In the toolbar, click Create New. The New Cloud Storage page opens.

Enter the Cloud Storage access information.

Status	Enable or Disable. Enable is the default.
Cloud Type	Select a cloud storage platform from the list. The following platforms are supported: Amazon Web Service S3 Bucket
Cloud Storage Name	Enter a name for the Cloud Storage.
Bucket Name	(AWS S3 Only) Enter the name of the Cloud Storage container.
S3 Prefix	(AWS S3 Only) Enter the common prefix of the keys to scan. Leave empty to scan the entire bucket.
Access Key	Enter the access key for the cloud storage.
Secret Key	Enter the secret key for the cloud storage.
Enable Force Rescan	When enabled, FortiNDR will not use cache detection even if the files are previously scanned.

Click OK.

Testing connectivity

To validate the Cloud Storage configuration

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Test Connection to validate the Cloud Storage configuration.

A green check mark appears in the Status column next to a valid connection.

Scanning a cloud storage

To trigger a scan:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Scan Now.

The Scan Now button will not create a new task when the Cloud Storage is:

Currently mounting
Scanning another task
Disabled
Not connected (Status is Down)

You can use a REST API call to start a scan.

Scheduling a scan

You can schedule routine scanning for a cloud storage on an hourly, daily, or monthly basis. The minimum time interval for each scan is 15 minutes.

To schedule a scan:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Edit. The New Cloud Storage window opens.
Select Enable Scheduled Scan.
Configure the Schedule Type and the corresponding time interval.
Click OK.

Viewing scan results

View the scan history of the Cloud Storage directories.

To view the scan results:

Go to Security Fabric > Cloud Storage and select a profile.
In the toolbar, click Scan Details. The scan history is displayed.

Total	The total number of files scanned.
Start Time	The date and time the scan started.
End Time	The date and time the scan completed.
Scan Finished	The scan progress as a percentage.
Critical Risk	The number of detected critical risk files.
High Risk	The number of detected critical high files.
Medium Risk	The number of detected medium risk files.
Low Risk	The number of detected critical low files.
Clean	The number of clean files.
Others	The number of detected other files.
Scan Status	The scan status as a string.

Click the numbers to view the detection information for the samples that belong to the category.
Click the link in the column to view the detected and quarantined files.
- Select a sample in the list then click View Sample Detail.
- Click Back to return to the Scan Details.
Click Back to return to the Cloud Storage pane.

Scanning Zip files

FortiNDR can extract and process Zip files up to 10 levels. When any of the files inside the Zip file is detected, the whole zip file will be marked as malicious.

FortiNDR does not process password-protected zip files.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Cloud Storage

Cloud Storage

Creating a Cloud Storage profile

To create a Cloud Storage profile:

Testing connectivity

To validate the Cloud Storage configuration

Scanning a cloud storage

To trigger a scan:

Scheduling a scan

To schedule a scan:

Viewing scan results