Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.2.10 Administration Guide
    7.2.10
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Using FortiNDR inline scanning with antivirus

    Using FortiNDR inline scanning with antivirus

    FortiNDR (formerly FortiAI) can be used with antivirus profiles in FortiProxy. FortiNDR inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiNDR can log, block, ignore, or monitor (allow) the file based on the verdict.

    A licensed FortiNDR appliance with version 1.5.1 or later is required to use this feature.
    To configure FortiNDR inline inspection with an AV profile:

    1. Configure FortiNDR to join a Security Fabric in FortiProxy:

      1. Enable Security Fabric on FortiProxy using the following command:

        config system csf
	set status enable
	set group-name "fabric-ai"
end

      2. Configure the interface to allow other devices to join the FortiProxy Security Fabric:

        config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm fabric
    next
end

      3. In FortiNDR, configure the device to join the Security Fabric:

        config system csf
	set status enable
	set upstream-ip 10.6.30.14
	set managment-ip 10.6.30.251
end

      4. Authorize the FortiNDR in FortiProxy:

        config system csf
	config trusted-list
		edit "FAIVMSTM21000000"
			set authorization-type certificate
			set certificate "*******************"
		next
	end
end
    2. In the FortiProxy CLI, enable inline inspection:
      config system fortindr
    set status enable
end
    3. Configure an AV profile in FortiProxy to use inline inspection and block detected infections (see also Create or edit an antivirus profile):
      config antivirus profile
    edit "av"
        set feature-set proxy
        config http
            set fortindr block
        end
        config ftp
            set fortindr block
        end
        config imap
            set fortindr block
        end
        config pop3
            set fortindr block
        end
        config smtp
            set fortindr block
        end
        config mapi
            set fortindr block
        end
        config nntp
            set fortindr block
        end
        config cifs
            set fortindr block
        end
        config ssh
            set fortindr block
        end
    next
end

    4. To configure the action to take when FortiNDR encounters an error, use the set fortindr-error-action {log-only | block | ignore} option of the config antivirus profile command. The default is log-only.

    5. Add the AV profile to a policy. See Create or edit a policy.

      When potential infections are blocked by FortiNDR inline inspection, a replacement message appears. See Replacement Messages for more information. An infection blocked over HTTP looks similar to the following:

      Sample log

      1: date=2024-03-11 time=18:45:52 eventtime=1710207952440247519 tz="-0700" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="root" policyid=2 poluuid="516c4d58-7d9d-51ee-d4f1-7addc4e7603d" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTPS" sessionid=1460043885 srcip=10.40.1.44 dstip=172.18.20.226 srcport=35726 dstport=443 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 direction="incoming" filename="606C9848.zip" quarskip="File-was-not-quarantined" virus="W32/Industroyer.A!tr" viruscat="Industroyer" dtype="fortindr" ref=" http://www.fortinet.com/ve?vn=W32%2FIndustroyer.A%21tr" virusid=0 url=" https://172.18.20.226/files/606C9848.zip" profile="av" agent="curl/7.76.1" analyticssubmit="false" fndraction="deny" fndrseverity="critical" fndrconfidence="high" fndrfileid=466490 fndrfiletype="ZIP" crscore=50 craction=2 crlevel="critical"

    FortiNDR inline inspection with other AV inspection methods

    The following inspection logic applies when FortiNDR inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

    HTTP, FTP, SSH, and CIFS protocols:
    1. AV engine scan; AV database and FortiSandbox database (if applicable).
      1. FortiNDR inline inspection occurs simultaneously.
    2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
      1. FortiNDR inline inspection occurs simultaneously.
    3. Outbreak prevention and external hash list resources.
      1. FortiNDR inline inspection occurs simultaneously.

    If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted.
    POP3, IMAP, SMTP, NNTP, and MAPI protocols:
    1. AV engine scan; AV database and FortiSandbox database (if applicable).
    2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
      1. FortiNDR inline inspection occurs simultaneously.
    3. Outbreak prevention and external hash list resources.
      1. FortiNDR inline inspection occurs simultaneously.

    In an AV profile, use set fortindr-error-action {log-only | block | ignore} to configure the action to take if FortiNDR encounters an error.

    Accepted file types

    The following file types are sent to FortiNDR for inline inspection:

    7Z

    ARJ

    BZIP

    BZIP2

    CAB

    ELF

    GZIP

    HTML

    JS

    LZH

    LZW

    MS Office documents (XML and non-XML)

    PDF

    RAR

    RTF

    TAR

    VBA

    VBS

    WinPE (EXE)

    XZ

    ZIP
    Previous
    Next

    Using FortiNDR inline scanning with antivirus

    Using FortiNDR inline scanning with antivirus

    FortiNDR (formerly FortiAI) can be used with antivirus profiles in FortiProxy. FortiNDR inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiNDR can log, block, ignore, or monitor (allow) the file based on the verdict.

    A licensed FortiNDR appliance with version 1.5.1 or later is required to use this feature.
    To configure FortiNDR inline inspection with an AV profile:

    1. Configure FortiNDR to join a Security Fabric in FortiProxy:

      1. Enable Security Fabric on FortiProxy using the following command:

        config system csf
	set status enable
	set group-name "fabric-ai"
end

      2. Configure the interface to allow other devices to join the FortiProxy Security Fabric:

        config system interface
    edit "port1"
        set allowaccess ping https ssh http fgfm fabric
    next
end

      3. In FortiNDR, configure the device to join the Security Fabric:

        config system csf
	set status enable
	set upstream-ip 10.6.30.14
	set managment-ip 10.6.30.251
end

      4. Authorize the FortiNDR in FortiProxy:

        config system csf
	config trusted-list
		edit "FAIVMSTM21000000"
			set authorization-type certificate
			set certificate "*******************"
		next
	end
end
    2. In the FortiProxy CLI, enable inline inspection:
      config system fortindr
    set status enable
end
    3. Configure an AV profile in FortiProxy to use inline inspection and block detected infections (see also Create or edit an antivirus profile):
      config antivirus profile
    edit "av"
        set feature-set proxy
        config http
            set fortindr block
        end
        config ftp
            set fortindr block
        end
        config imap
            set fortindr block
        end
        config pop3
            set fortindr block
        end
        config smtp
            set fortindr block
        end
        config mapi
            set fortindr block
        end
        config nntp
            set fortindr block
        end
        config cifs
            set fortindr block
        end
        config ssh
            set fortindr block
        end
    next
end

    4. To configure the action to take when FortiNDR encounters an error, use the set fortindr-error-action {log-only | block | ignore} option of the config antivirus profile command. The default is log-only.

    5. Add the AV profile to a policy. See Create or edit a policy.

      When potential infections are blocked by FortiNDR inline inspection, a replacement message appears. See Replacement Messages for more information. An infection blocked over HTTP looks similar to the following:

      Sample log

      1: date=2024-03-11 time=18:45:52 eventtime=1710207952440247519 tz="-0700" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="root" policyid=2 poluuid="516c4d58-7d9d-51ee-d4f1-7addc4e7603d" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTPS" sessionid=1460043885 srcip=10.40.1.44 dstip=172.18.20.226 srcport=35726 dstport=443 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 direction="incoming" filename="606C9848.zip" quarskip="File-was-not-quarantined" virus="W32/Industroyer.A!tr" viruscat="Industroyer" dtype="fortindr" ref=" http://www.fortinet.com/ve?vn=W32%2FIndustroyer.A%21tr" virusid=0 url=" https://172.18.20.226/files/606C9848.zip" profile="av" agent="curl/7.76.1" analyticssubmit="false" fndraction="deny" fndrseverity="critical" fndrconfidence="high" fndrfileid=466490 fndrfiletype="ZIP" crscore=50 craction=2 crlevel="critical"

    FortiNDR inline inspection with other AV inspection methods

    The following inspection logic applies when FortiNDR inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

    HTTP, FTP, SSH, and CIFS protocols:
    1. AV engine scan; AV database and FortiSandbox database (if applicable).
      1. FortiNDR inline inspection occurs simultaneously.
    2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
      1. FortiNDR inline inspection occurs simultaneously.
    3. Outbreak prevention and external hash list resources.
      1. FortiNDR inline inspection occurs simultaneously.

    If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted.
    POP3, IMAP, SMTP, NNTP, and MAPI protocols:
    1. AV engine scan; AV database and FortiSandbox database (if applicable).
    2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
      1. FortiNDR inline inspection occurs simultaneously.
    3. Outbreak prevention and external hash list resources.
      1. FortiNDR inline inspection occurs simultaneously.

    In an AV profile, use set fortindr-error-action {log-only | block | ignore} to configure the action to take if FortiNDR encounters an error.

    Accepted file types

    The following file types are sent to FortiNDR for inline inspection:

    7Z

    ARJ

    BZIP

    BZIP2

    CAB

    ELF

    GZIP

    HTML

    JS

    LZH

    LZW

    MS Office documents (XML and non-XML)

    PDF

    RAR

    RTF

    TAR

    VBA

    VBS

    WinPE (EXE)

    XZ

    ZIP
    Previous
    Next