FortiAI Administration Guide: Evolution of Fortinet's AI-Powered Security Assistant
FortiAI represents Fortinet's strategic evolution from traditional signature-based malware detection to an artificial intelligence-powered security ecosystem. Originally launched as a standalone malware detection appliance utilizing Artificial Neural Networks (ANN), FortiAI has transformed into both a generative AI security assistant integrated into FortiManager and FortiAnalyzer and an advanced threat detection engine that operates as part of the Fortinet Security Fabric. This comprehensive guide synthesizes administration information across multiple versions (1.1 to 1.5.3) and deployment scenarios to provide security professionals with a complete operational overview.
What is FortiAI? Core Capabilities and Evolution
FortiAI leverages FortiGuard Labs' high-fidelity security data to deliver sub-second malware detection without executing potentially dangerous files. Unlike traditional sandboxing technologies that require file execution in virtual environments, FortiAI uses neural networks pretrained on over 20 million clean and malicious files to analyze and classify threats based on detected features.
- Dual Nature: FortiAI functions as both a generative AI assistant for administrative tasks and queries (in FortiManager/FortiAnalyzer) and a dedicated threat detection appliance (FortiAI-3500F hardware or virtual machine).
- Virtual Security Analyst: The system mimics human analyst behavior through its Virtual Security Analyst (VSA), which classifies malware, traces attack origins, and provides actionable intelligence.
- Continuous Improvement: All FortiAI systems are continuously monitored and improved by FortiGuard security experts, ensuring the AI models evolve with the threat landscape.
Initial Setup and System Configuration
Access and Licensing Requirements
To utilize FortiAI, organizations must secure appropriate licensing. The FortiAI license can be viewed in the Dashboard's License Information widget within FortiManager. When licensed, FortiAI can be accessed by up to three local administrators on a FortiManager device, with access configurable via CLI commands.
- Initial GUI Access: Connect to the management interface (default IP 192.168.1.88 on port1) using the Google Chrome browser. The default login is the admin account with no initial password.
- Demo Mode: FortiAI 1.5.3 introduced a demo mode that generates simulated malware log entries to showcase GUI functionality without actual scanning capabilities. This mode requires fewer resources (2-4 vCPU, 8GB memory) compared to production requirements (minimum 16 vCPUs, 32GB memory).
ANN Database Management
The Artificial Neural Network database is the core detection engine, updated only 1-2 times weekly (unlike daily AV signature updates). Administrators can update the ANN database through:
- FortiGuard Distribution Network (FDN): Automatic updates via internet (1-2 hour process)
- Manual CLI Updates: Local updates via USB drive or network transfer (approximately 10 minutes)
The critical database files include pae_kdb_all.tar.gz and moat_kdb_all.tar.gz, which must be loaded for full scanning capabilities.
Operating Modes and Deployment Architecture
FortiAI supports multiple operational configurations that can function simultaneously, providing deployment flexibility for different network environments.
Deployment Modes Comparison
| Operating Mode | Supported Protocols | Primary Use Case | Key Considerations |
|---|---|---|---|
| Sniffer Mode | SMBv2, HTTP, SMTP, POP3, IMAP | Internal networks, DMZ, areas with heavy browsing traffic | Ideal for passive monitoring; supports PE files, Office documents, PDFs, scripts |
| Integrated Mode (with FortiGate) | HTTP, SMTP, POP3, IMAP, MAPI, FTP | Active protection with FortiGate NGFW | Uses encrypted OFTP over SSL (TCP 514); enables quarantine capabilities |
| Inline Blocking (FOS 7.0.1+) | Various (via AV profiles) | Real-time blocking with FortiGate | Requires FortiOS 7.0.1 or higher; works alongside other AV methods |
| ICAP Server Mode | ICAP | Integration with FortiWeb, Squid | Serves as ICAP server for compatible clients |
Storage Planning and Capacity
Storage requirements vary significantly by deployment model, with the hardware appliance (FAI-3500F) offering higher processing capacity than virtual machine implementations.
Virtual Machine Storage Estimations:
| VM Disk Image | Default Storage | Max Process Rate | Retention Period |
|---|---|---|---|
| FAI-VM (1024GB) | 1024 GB | 25,000 files/hour | ~1.5 years |
| FAI-VM (8192GB) | 8192 GB | 25,000 files/hour | ~14.8 years |
Dashboard and Security Monitoring Interface
The FortiAI dashboard provides comprehensive security visibility through several key widgets that display real-time and historical data:
- Sample Processing: Shows samples captured and processed (both clean and malicious) within configurable timeframes (1 hour, 24 hours, 1 week)
- Attack Scenario Composition: Visualizes malware classifications by type and severity
- Top Learned Features: Displays the most frequently detected malware characteristics
- System Performance: Monitors CPU, memory, and license status
Administrators can navigate between several investigative modules:
- Attack Scenario: Organizes threats by attack type (ransomware, worm, downloader, etc.)
- Host Story: Examines infections by host IP address to identify "patient zero"
- Threat Investigation: Provides forensic data for incident analysis
- Outbreak Search: Uses similarity engines to find related malware variants across the network
Security Fabric Integration and Automated Response
FortiAI's integration with the Fortinet Security Fabric enables coordinated threat response across the security infrastructure. The system connects with FortiGate devices to receive files for analysis and can initiate automated containment actions.
Enforcement and Quarantine Capabilities
The enforcement framework, introduced in FortiOS 6.4.0, allows FortiAI to automatically quarantine infected hosts through FortiGate devices. Key configuration elements include:
- Automation Framework: Registers webhooks from FortiGate to enable enforcement actions
- Enforcement Settings: Defines policies based on risk level, confidence level, and IP whitelists
- Ban IP Action: Quarantines infected hosts and malicious remote IPs (differing logic for sniffer vs. integrated modes)
Configuration Tip: For optimal enforcement, use integrated mode rather than sniffer mode, as it provides better target discrimination and reduces false positives.
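To make the enforcement settings above concrete, here is a small policy evaluator written for this guide (it is not FortiAI code and does not reflect FortiAI's internal schema). It assumes a 0-100 confidence scale, a "ban at this risk level or above" threshold, and that the IP whitelist is applied per target; the sniffer-versus-integrated differences the guide mentions are not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List

# Severity ratings named in the guide, ordered for threshold comparison.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class EnforcementSettings:
    """Assumed shape of the enforcement settings (illustrative, not FortiAI's schema)."""
    min_risk: str = "high"        # ban only at this risk level or above
    min_confidence: int = 80      # assumed 0-100 scale for the confidence level
    whitelist: List[str] = field(default_factory=list)  # CIDRs that are never banned
    enabled: bool = True

@dataclass
class Detection:
    """Constructed detection record: the infected host plus the remote sample source."""
    infected_host: str
    remote_ip: str
    risk: str                     # critical / high / medium / low
    confidence: int               # 0-100

def is_whitelisted(ip: str, cidrs: List[str]) -> bool:
    """True if ip falls inside any whitelist CIDR; unparsable input is never whitelisted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in ip_network(c, strict=False) for c in cidrs)

def decide_ban_ip(det: Detection, cfg: EnforcementSettings) -> List[str]:
    """Return the IPs a Ban IP action would target, or [] when the policy does not fire.
    Check order: enforcement enabled, risk threshold, confidence threshold, whitelist."""
    if not cfg.enabled:
        return []
    if RISK_ORDER.get(det.risk.lower(), -1) < RISK_ORDER[cfg.min_risk.lower()]:
        return []
    if det.confidence < cfg.min_confidence:
        return []
    # Whitelist is applied per target: a protected internal host is skipped
    # while the malicious remote IP can still be banned.
    return [ip for ip in (det.infected_host, det.remote_ip)
            if not is_whitelisted(ip, cfg.whitelist)]

def run_sample() -> List[str]:
    """Constructed scenario: critical-risk detection on a whitelisted server subnet."""
    cfg = EnforcementSettings(min_risk="high", min_confidence=80, whitelist=["10.0.5.0/24"])
    det = Detection("10.0.5.20", "203.0.113.7", "critical", 95)
    return decide_ban_ip(det, cfg)  # only the remote IP is banned
```

In the sample, the whitelisted server 10.0.5.20 is left alone while the remote source 203.0.113.7 is still banned, which is the behaviour an allowlist should give you without disabling enforcement entirely.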
Network Share Scanning
FortiAI 1.5.3 introduced network share scanning capabilities, allowing administrators to:
- Schedule regular scans of network storage locations
- Configure quarantine profiles for detected threats
- Process ZIP files and other archives
- View detailed scan results through the GUI
FortiAI as Generative Assistant in FortiManager/FortiAnalyzer
Beyond threat detection, FortiAI serves as a natural language assistant within FortiManager and FortiAnalyzer interfaces, accessible via:
- The FortiAI icon in the GUI banner from any page
- The dedicated FortiAI module in the tree menu
Assistant Capabilities
The generative AI assistant supports four primary operational areas:
- Incident Detection: Creates event handlers and rules for threat detection based on natural language prompts
- Incident Investigation: Correlates information across multiple GUI panes and provides contextual threat intelligence
- Incident Response: Integrates with playbooks and connectors for automated response; generates compliance reports
- Visibility & Insights: Creates custom charts, reports, and provides product knowledge summaries
Effective Prompt Engineering
To optimize token usage and response accuracy, administrators should craft specific, actionable prompts:
- Effective: "Show me the top 5 threats from the last 24 hours" or "Create an event handler for failed login attempts"
- Ineffective: "How many attacks will I receive tomorrow?" (requires speculation) or overly broad requests without context
Advanced Features Across Versions
Attack Scenario Analysis
FortiAI classifies threats into 22 distinct attack scenarios with severity ratings (Critical, High, Medium, Low). The system's Attack Timeline visualization traces infection paths to identify attack origins, transforming investigations that traditionally took days into processes requiring seconds.
High Availability Configuration
Version 1.5.3 introduced comprehensive High Availability (HA) support with:
- Active-Passive configuration options
- Automatic failover capabilities
- Configuration synchronization between nodes
- Detailed HA status monitoring and logging
API and Automation Ecosystem
FortiAI provides extensive API support for:
- File submission and threat lookup
- Integration with Security Fabric components
- Custom automation workflows
- Scripting examples for common administrative tasks
Best Practices for FortiAI Administration
- Mode Selection: Deploy in integrated mode with FortiGate for optimal enforcement capabilities rather than standalone sniffer mode
- Storage Planning: Calculate retention needs based on expected file processing volumes before deployment
- Update Strategy: Schedule ANN database updates during maintenance windows (1-2 hours via FDN)
- Access Control: Limit FortiAI administrative access to essential personnel (maximum 3 users)
- Monitoring: Regularly review Dashboard widgets for sample processing rates and detection efficacy
- Fabric Integration: Fully leverage Security Fabric capabilities for automated quarantine and response
Frequently Asked Questions (FAQ)
General Administration
Q: How many administrators can access FortiAI simultaneously?
A: When licensed, FortiAI supports up to three concurrent local administrator accounts on FortiManager. Access is controlled through FortiManager CLI configuration.
Q: What are the minimum system requirements for FortiAI virtual machine deployment?
A: Production deployments require a minimum of 16 vCPUs and 32GB of memory. Demo mode can run on reduced resources (2-4 vCPUs, 8GB memory) but lacks full scanning capabilities.
Deployment and Configuration
Q: Can FortiAI operate in multiple modes simultaneously?
A: Yes, FortiAI can run in sniffer mode, integrated mode, inline blocking, and ICAP server mode concurrently, providing flexible deployment options for complex environments.
Q: What's the difference between sniffer mode and integrated mode?
A: Sniffer mode passively monitors network traffic for supported protocols, while integrated mode actively receives files from FortiGate devices for analysis and enables automated quarantine capabilities through the Security Fabric.
Licensing and Updates
Q: How frequently does the ANN database require updates?
A: Unlike traditional AV signatures that update daily, the ANN database typically updates 1-2 times weekly via the FortiGuard Distribution Network or manual installation.
Q: Where can I check my FortiAI license status?
A: License information is available in the License Information widget on the FortiManager Dashboard or through System > FortiGuard in the FortiAI appliance GUI.
Threat Detection and Response
Q: How does FortiAI reduce malware identification time compared to sandboxing?
A: FortiAI analyzes file characteristics without execution, delivering verdicts in seconds rather than the minutes required for sandbox environments to observe file behavior through execution.
Q: What enforcement actions can FortiAI initiate automatically?
A: Through Security Fabric integration, FortiAI can trigger "Ban IP" actions to quarantine infected hosts via FortiGate devices when threats meet configured risk and confidence thresholds.
Q: How does FortiAI help identify the source of an attack?
A: The Attack Timeline feature visualizes infection paths, while the Virtual Security Analyst correlates events to identify "patient zero" (the original infection source), which security teams can isolate to prevent further spread.