Administration Guide

Introduction
- Getting Started
- Standalone, Center and Sensor operating mode
- FortiNDR traffic and files input types
- Files and malware scan flow using AV and ANN
- Planning deployment
- Initial setup
- Hardening
Dashboard
- NDR Overview
- Malware Overview
- System Status
- Custom dashboards
- Dashboard widgets in Center mode
Network Insights
- Device Inventory
- Botnet
- FortiGuard IOC
- Network Attacks
- Weak/Vulnerable Communication
- Encrypted Attack
- Top talker
- Top application
- Top URL/Domain
- MITRE ATT&CK
- ML Discovery (Center Standalone)
- Anomaly tab
- Connection tab
- Session tab
Security Fabric
- Device Input
- Network Share
- Network Share Quarantine
- Fabric Connectors
  - ICAP Connectors
  - Security Fabric Connector
- Enforcement Settings
- Automation Framework
- Automation log
- FortiSandbox integration (FortiSandbox 4.0.1 and higher)
- FortiGate inline blocking (FOS 7.0.1 and higher)
- FortiGate integration (integrated mode with FOS 6.2 and higher)
Attack Scenario
- Attack scenario navigation and timeline
- Understanding kill chain and scenario engine
Host Story
Virtual Security Analyst
- Express Malware Analysis
- Outbreak Search
- Static Filter
- NDR Muting
- ML Configuration
- Malware Big Picture
- Device Enrichment
  - Creating a Device Enrichment Profile
Netflow
- Netflow Dashboard
- Netflow Log
Network
System
- Administrators
  - Password policy
- Admin Profiles
- Sensor Settings (Center Standalone)
- Firmware
- Settings
- SNMP
- FortiGuard
- Certificates
- High Availability (HA)
- Conserve Mode
- Backup or restore the system configuration
User & Authentication
- RADIUS Server
- LDAP Servers
Log & Report
- Malware Log
- NDR Log
- Events
- Daily Feature Learned
- Log Settings
- Alert Email Setting
- Email Alert Recipients
- NDR logs samples
- AV log samples
Troubleshooting
- FortiNDR troubleshooting tips
- FortiNDR health checks
- Rebuild RAID disk
- Managing FortiNDR disk usage for Center mode
- Managing FortiNDR disk usage for Standalone and Sensor mode
- Export malware
- Working with false positives and false negatives
- Troubleshoot ICAP and OFTP connection issues
- Troubleshoot Log Settings
- Troubleshoot Network Share
- Troubleshooting the VM License
- Troubleshooting the updater
- Troubleshooting tips for Network File Share
- Sensor logs not displaying in Center GUI
- Troubleshooting FortiNDR VM high CPU usage
- Troubleshooting inactive Netflow status
Appendix A: API guide
Appendix B: Sample script to submit files
Appendix C: FortiNDR ports
Appendix D: FortiGuard updates
Appendix E: Event severity level by category
Appendix F: IPv6 support
Appendix G: Supported Application Protocol List
Appendix H: File types and protocols
Appendix I: Operational Technology / SCADA vendor and application list
Appendix J: Center Sensor Deployment
Change Log

Home FortiNDR 7.4.4 Administration Guide

7.4.4

Weak/Vulnerable Communication

The Weak/Vulnerable Communication monitor displays the list of weak or vulnerable communications detected on sniffer port(s) on NDR interfaces. Detection of weak and vulnerable communications in the network can be signs of weak or compromised network security that administrators should pay attention to.

The Weak/Vulnerable Communication displays the following information:

Sensor (Center mode) The network sensor. Hover over the sensors ID to view the IP Address, Serial number (S/N), Last Sync Time and Status.

Latest Timestamp The date record was updated.

Type

Communication type	Description
Weak record version	Weak TLS record layer version.
Weak version	Weak TLS handshake version.
Weak support version	Weak TLS handshake extension supported version.
Weak cipher	Weak TLS handshake cipher suite.
Weak security mode	SMB protocol uses level security mode.
Weak extended security	SMB protocol uses outdated extended security negotiation option.
Weak dialect	SMB uses outdated dialect version.
Weak encryption	SMB or SSH uses risky encryption algorithm. For example, SMB protocol with encryption disabled.
Weak authentication	Email protocols are using risky authentication methods. For example, POP3 uses authentication cram-md5, Postgres uses MD5 password as authentication type.
Weak server	HTTP or RTSP server version is outdated.
Weak method	HTTP, SIP or RTSP protocol uses weak request method. For example, HTTP protocol uses DELETE as request method.
Weak banner	Weak or outdated email server version. For example, Outdated Cyrus IMAP server
Weak encrypt algo server client	Weak encryption option is used in SSH, such as rc4, rc3, rc2.
Weak capability	IMAP or POP3 capability command uses option AUTH=PLAIN.
Weak security	SMB protocol uses low level security mode.
Weak encrypt method	RDP protocol uses low level encryption methods such as ENCRYPTION_METHOD_40BIT.
Weak encrypt level	RDP protocol uses low encryption level such as ENCRYPTION_LEVEL_NONE
Weak msg flags	SNMP protocol uses risky flags such as 0x00-02, 0x04-06 and 0x08-ff.
Weak server version	MYSQL, TDS, Posgres or SIP server version is outdated.
Weak auth algo	POP3, SMTP or IMAP authentication method option is too risky. For example, POP3 uses PLAIN authentication option.
Weak protocol version	MYSQL protocol version outdated.
Weak encrypt	TDS encryption option is disabled.
Weak fedauth	TDS protocol disables `FedAuthRequired` option.

Protocol The communication protocol.

Anomaly Severity The anomaly severity (Not Anomaly, Info, Low, Medium, High or Critical).

Count (Historic) The total number of times the anomaly was observed.

Count (Past week) The total number of times the anomaly was observed during the past week .

First Timestamp The date the record was created.

Anomaly information

Double-click an anomaly in the table to open the Anomaly Information pane. The Anomaly Information pane contains two tabs: General and Analytic.

General tab

The General tab displays the following information:

General	Anomaly Type Severity Reason
Additional Information	HTTP Version HTTP Response Code HTTP Server Name HTTP URL Malicious Behavior
Last Anomaly Occurrence	Latest Occurrence Count( Past Week) Count( Historic) Latest Source IP Latest Source Port Latest Source MAC Latest Source Packet Size Latest Source Country Latest Source Device Model Latest Source OS Latest Source Device Category Latest Source Device Sub Category Latest Destination IP Latest Destination Port Latest Destination MAC Latest Destination Packet Size Latest Destination Country Latest Destination Device Model Latest Destination OS Latest Destination Device Category Latest Destination Device Sub Category

Analytic tab

The Analytic tab displays the following information about he the connection pair:

Src IP	The source IP. Hover over the record to view the view the IP Address, Country and Related Service.
Source Network	The source network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Dst Ip	The destination IP. Hover over the record to view the view the IP Address, Country and Related Service.
Destination Network	The destination network. You can use this column to filter IP addresses based on the category of the IP, such as Internal, External (public addresses), Broadcast, Multicast address, Loopback, Reserved Address and Link-local Address. You can filter for both IPv4 and IPv6 Addresses.
Count (Historic)	The total number of times the anomaly was observed.
Count (Past week)	The total number of times the anomaly was observed during the past week .

To view the source and destination devices:

Select a record in the table and click View Device > View Source Device, or View Destination Device.

To view the session logs for a condition:

Double-click a record in the Anomaly Information pane. The Sessions Log for selected condition pane opens.

Examples

Wireshark pcap

Weak security mode

Weak extended security

Weak dialect

Weak authentication