Using FortiNDR inline scanning with antivirus
FortiNDR (formerly FortiAI) can be used with antivirus profiles in FortiProxy. FortiNDR inspects high-risk files and issues a verdict to the firewall based on how close the file features match those of malware. When enabled, FortiNDR can log, block, ignore, or monitor (allow) the file based on the verdict.
A licensed FortiNDR appliance with version 1.5.1 or later is required to use this feature. |
To configure FortiNDR inline inspection with an AV profile:
-
Configure FortiNDR to join a Security Fabric in FortiProxy:
-
Enable Security Fabric on FortiProxy using the following command:
config system csf set status enable set group-name "fabric-ai" end
-
Configure the interface to allow other devices to join the FortiProxy Security Fabric:
config system interface edit "port1" set allowaccess ping https ssh http fgfm fabric next end
-
In FortiNDR, configure the device to join the Security Fabric:
config system csf set status enable set upstream-ip 10.6.30.14 set managment-ip 10.6.30.251 end
-
Authorize the FortiNDR in FortiProxy:
config system csf config trusted-list edit "FAIVMSTM21000000" set authorization-type certificate set certificate "*******************" next end end
-
- In the FortiProxy CLI, enable inline inspection:
config system fortindr set status enable end
- Configure an AV profile in FortiProxy to use inline inspection and block detected infections (see also Create or edit an antivirus profile):
config antivirus profile edit "av" set feature-set proxy config http set fortindr block end config ftp set fortindr block end config imap set fortindr block end config pop3 set fortindr block end config smtp set fortindr block end config mapi set fortindr block end config nntp set fortindr block end config cifs set fortindr block end config ssh set fortindr block end next end
-
To configure the action to take when FortiNDR encounters an error, use the
set fortindr-error-action {log-only | block | ignore}
option of theconfig antivirus profile
command. The default islog-only
. - Add the AV profile to a policy.
See Create or edit a policy.
When potential infections are blocked by FortiNDR inline inspection, a replacement message appears. See Replacement Messages for more information. An infection blocked over HTTP looks similar to the following:
Sample log
4: date=2024-03-03 time=18:46:03 eventtime=1709520363412262227 tz="-0800" logid="0209008220" type="utm" subtype="virus" eventtype="fortindr" level="warning" vd="v2" policyid=4 poluuid="b5fcdca8-cd37-51ee-0e28-3e96400e4b46" policytype="policy" msg="Blocked by FortiNDR." action="blocked" service="SSH" subservice="SFTP" sessionid=890734348 srcip=10.40.1.42 dstip=172.18.20.226 srcport=34674 dstport=22 srccountry="Reserved" dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="link11" dstintfrole="undefined" proto=6 direction="incoming" filename="test.pdf" quarskip="Quarantine-disabled" virus="StaticFilter.AI" viruscat="Generic Trojan" dtype="fortindr" ref="
http://www.fortinet.com/ve?vn=StaticFilter.AI
" virusid=0 profile="ndr" analyticssubmit="false" fndraction="deny" fndrverdict="block" fndrseverity="low" fndrconfidence="high" fndrfileid=0 fndrfiletype="PDF" crscore=50 craction=2 crlevel="critical"
FortiNDR inline inspection with other AV inspection methods
The following inspection logic applies when FortiNDR inline inspection is enabled simultaneously with other AV inspection methods. The AV engine inspection and its verdict always takes precedence because of performance. The actual behavior depends on which inspected protocol is used.
HTTP, FTP, SSH, and CIFS protocols:
- AV engine scan; AV database and FortiSandbox database (if applicable).
- FortiNDR inline inspection occurs simultaneously.
- AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
- FortiNDR inline inspection occurs simultaneously.
- Outbreak prevention and external hash list resources.
- FortiNDR inline inspection occurs simultaneously.
If any AV inspection method returns an infected verdict, the FortiNDR inspection is aborted. |
POP3, IMAP, SMTP, NNTP, and MAPI protocols:
- AV engine scan; AV database and FortiSandbox database (if applicable).
- AV engine machine learning detection for WinPE PUPs (potentially unwanted programs).
- FortiNDR inline inspection occurs simultaneously.
- Outbreak prevention and external hash list resources.
- FortiNDR inline inspection occurs simultaneously.
In an AV profile, use |
Accepted file types
The following file types are sent to FortiNDR for inline inspection:
7Z ARJ BZIP BZIP2 CAB ELF GZIP |
HTML JS LZH LZW MS Office documents (XML and non-XML) RAR |
RTF TAR VBA VBS WinPE (EXE) XZ ZIP |