Fortinet white logo
Fortinet white logo

Administration Guide

Using FortiNDR inline scanning with antivirus

Using FortiNDR inline scanning with antivirus

FortiNDR (formerly FortiAI) can be used with antivirus profiles in FortiProxy. FortiNDR inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiNDR can log, block, ignore, or monitor (allow) the file based on the verdict.

A licensed FortiNDR appliance with version 1.5.1 or later is required to use this feature.

To configure FortiNDR inline inspection with an AV profile:
  1. Configure FortiNDR to join a Security Fabric in FortiProxy:

    1. Enable Security Fabric on FortiProxy using the following command:

      config system csf
      	set status enable
      	set group-name "fabric-ai"
      end
    2. Configure the interface to allow other devices to join the FortiProxy Security Fabric:

      config system interface
          edit "port1"
              set allowaccess ping https ssh http fgfm fabric
          next
      end
    3. In FortiNDR, configure the device to join the Security Fabric:

      config system csf
      	set status enable
      	set upstream-ip 10.6.30.14
      	set managment-ip 10.6.30.251
      end
    4. Authorize the FortiNDR in FortiProxy:

      config system csf
      	config trusted-list
      		edit "FAIVMSTM21000000"
      			set authorization-type certificate
      			set certificate "*******************"
      		next
      	end
      end
  2. In the FortiProxy CLI, enable inline inspection:
    config system fortindr
        set status enable
    end
  3. Configure an AV profile in FortiProxy to use inline inspection and block detected infections (see also Create or edit an antivirus profile):
    config antivirus profile
        edit "av"
            set feature-set proxy
            config http
                set fortindr block
            end
            config ftp
                set fortindr block
            end
            config imap
                set fortindr block
            end
            config pop3
                set fortindr block
            end
            config smtp
                set fortindr block
            end
            config mapi
                set fortindr block
            end
            config nntp
                set fortindr block
            end
            config cifs
                set fortindr block
            end
            config ssh
                set fortindr block
            end
        next
    end
  4. To configure the action to take when FortiNDR encounters an error, use the set fortindr-error-action {log-only | block | ignore} option of the config antivirus profile command. The default is log-only.

  5. Add the AV profile to a policy. See Create or edit a policy.

    When potential infections are blocked by FortiNDR inline inspection, a replacement message appears. See Replacement Messages for more information. An infection blocked over HTTP looks similar to the following:

    Sample log

    1: date=2024-03-11 time=18:45:52 eventtime=1710207952440247519 tz="-0700" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="root" policyid=2 poluuid="516c4d58-7d9d-51ee-d4f1-7addc4e7603d" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTPS" sessionid=1460043885 srcip=10.40.1.44 dstip=172.18.20.226 srcport=35726 dstport=443 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 direction="incoming" filename="606C9848.zip" quarskip="File-was-not-quarantined" virus="W32/Industroyer.A!tr" viruscat="Industroyer" dtype="fortindr" ref=" http://www.fortinet.com/ve?vn=W32%2FIndustroyer.A%21tr" virusid=0 url=" https://172.18.20.226/files/606C9848.zip" profile="av" agent="curl/7.76.1" analyticssubmit="false" fndraction="deny" fndrseverity="critical" fndrconfidence="high" fndrfileid=466490 fndrfiletype="ZIP" crscore=50 craction=2 crlevel="critical"

FortiNDR inline inspection with other AV inspection methods

The following inspection logic applies when FortiNDR inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

HTTP, FTP, SSH, and CIFS protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
    1. FortiNDR inline inspection occurs simultaneously.
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiNDR inline inspection occurs simultaneously.

If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiNDR inline inspection occurs simultaneously.

In an AV profile, use set fortindr-error-action {log-only | block | ignore} to configure the action to take if FortiNDR encounters an error.

Accepted file types

The following file types are sent to FortiNDR for inline inspection:

7Z

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

JS

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

XZ

ZIP

Using FortiNDR inline scanning with antivirus

Using FortiNDR inline scanning with antivirus

FortiNDR (formerly FortiAI) can be used with antivirus profiles in FortiProxy. FortiNDR inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiNDR can log, block, ignore, or monitor (allow) the file based on the verdict.

A licensed FortiNDR appliance with version 1.5.1 or later is required to use this feature.

To configure FortiNDR inline inspection with an AV profile:
  1. Configure FortiNDR to join a Security Fabric in FortiProxy:

    1. Enable Security Fabric on FortiProxy using the following command:

      config system csf
      	set status enable
      	set group-name "fabric-ai"
      end
    2. Configure the interface to allow other devices to join the FortiProxy Security Fabric:

      config system interface
          edit "port1"
              set allowaccess ping https ssh http fgfm fabric
          next
      end
    3. In FortiNDR, configure the device to join the Security Fabric:

      config system csf
      	set status enable
      	set upstream-ip 10.6.30.14
      	set managment-ip 10.6.30.251
      end
    4. Authorize the FortiNDR in FortiProxy:

      config system csf
      	config trusted-list
      		edit "FAIVMSTM21000000"
      			set authorization-type certificate
      			set certificate "*******************"
      		next
      	end
      end
  2. In the FortiProxy CLI, enable inline inspection:
    config system fortindr
        set status enable
    end
  3. Configure an AV profile in FortiProxy to use inline inspection and block detected infections (see also Create or edit an antivirus profile):
    config antivirus profile
        edit "av"
            set feature-set proxy
            config http
                set fortindr block
            end
            config ftp
                set fortindr block
            end
            config imap
                set fortindr block
            end
            config pop3
                set fortindr block
            end
            config smtp
                set fortindr block
            end
            config mapi
                set fortindr block
            end
            config nntp
                set fortindr block
            end
            config cifs
                set fortindr block
            end
            config ssh
                set fortindr block
            end
        next
    end
  4. To configure the action to take when FortiNDR encounters an error, use the set fortindr-error-action {log-only | block | ignore} option of the config antivirus profile command. The default is log-only.

  5. Add the AV profile to a policy. See Create or edit a policy.

    When potential infections are blocked by FortiNDR inline inspection, a replacement message appears. See Replacement Messages for more information. An infection blocked over HTTP looks similar to the following:

    Sample log

    1: date=2024-03-11 time=18:45:52 eventtime=1710207952440247519 tz="-0700" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="root" policyid=2 poluuid="516c4d58-7d9d-51ee-d4f1-7addc4e7603d" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="HTTPS" sessionid=1460043885 srcip=10.40.1.44 dstip=172.18.20.226 srcport=35726 dstport=443 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" proto=6 direction="incoming" filename="606C9848.zip" quarskip="File-was-not-quarantined" virus="W32/Industroyer.A!tr" viruscat="Industroyer" dtype="fortindr" ref=" http://www.fortinet.com/ve?vn=W32%2FIndustroyer.A%21tr" virusid=0 url=" https://172.18.20.226/files/606C9848.zip" profile="av" agent="curl/7.76.1" analyticssubmit="false" fndraction="deny" fndrseverity="critical" fndrconfidence="high" fndrfileid=466490 fndrfiletype="ZIP" crscore=50 craction=2 crlevel="critical"

FortiNDR inline inspection with other AV inspection methods

The following inspection logic applies when FortiNDR inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.

HTTP, FTP, SSH, and CIFS protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
    1. FortiNDR inline inspection occurs simultaneously.
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiNDR inline inspection occurs simultaneously.

If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted.

POP3, IMAP, SMTP, NNTP, and MAPI protocols:
  1. AV engine scan; AV database and FortiSandbox database (if applicable).
  2. AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
    1. FortiNDR inline inspection occurs simultaneously.
  3. Outbreak prevention and external hash list resources.
    1. FortiNDR inline inspection occurs simultaneously.

In an AV profile, use set fortindr-error-action {log-only | block | ignore} to configure the action to take if FortiNDR encounters an error.

Accepted file types

The following file types are sent to FortiNDR for inline inspection:

7Z

ARJ

BZIP

BZIP2

CAB

ELF

GZIP

HTML

JS

LZH

LZW

MS Office documents (XML and non-XML)

PDF

RAR

RTF

TAR

VBA

VBS

WinPE (EXE)

XZ

ZIP