
FortiAI: Configuring AI-Powered Security and Automation Within the Fortinet Ecosystem


A single FortiAI configuration can transform malware detection from a process taking minutes to one resolved in sub-seconds, while simultaneously enabling automated network configuration through conversational AI.

The Evolution of FortiAI: From Neural Networks to Generative AI

FortiAI represents Fortinet's strategic evolution in applying artificial intelligence to cybersecurity and network operations. Initially launched as a dedicated appliance (like the FortiAI-3500F) using pretrained Artificial Neural Networks (ANN) for sub-second malware analysis, the platform has expanded into a multifaceted AI suite. Today, FortiAI is embedded across the Fortinet Security Fabric, offering capabilities that range from proactive threat blocking and security task automation to securing generative AI applications themselves.

This transformation addresses critical modern challenges: adversaries weaponizing AI, overwhelmed SOC/NOC teams, and the risks of unmanaged GenAI usage. By leveraging over 15 years of R&D and data from millions of global sensors, FortiAI delivers contextual, real-time intelligence that integrates deeply with existing Fortinet deployments, moving beyond isolated detection to become an automated, analytical, and proactive component of the security infrastructure.


1. Core Capabilities: Protect, Assist, and SecureAI

FortiAI's functionality is structured around three strategic pillars, each targeting specific operational and security gaps.

  • FortiAI-Protect: This pillar focuses on enhanced threat prevention. It uses real-time intelligence to block novel and evasive attacks that bypass traditional signatures. A key feature is its contextual risk assessment, which prioritizes alerts to minimize false positives and allows teams to focus on critical threats. It also provides visibility and policy controls for unauthorized AI tool usage within the enterprise.

  • FortiAI-Assist: Aimed at reducing operational overhead, FortiAI-Assist automates routine tasks. This includes updating security policies, correcting configuration errors, and autonomously resolving network issues before users are impacted. It automates alert triage, suppresses duplicate alerts, and can perform adaptive threat hunting without constant human input, significantly reducing manual analyst effort.

  • FortiAI-SecureAI: This forward-looking pillar addresses the security of AI infrastructure itself. It provides layered protection for AI models and data, featuring LLM data leakage prevention, zero-trust access controls for AI systems, and rule-free monitoring for cloud workloads. It ensures that an organization's use of AI does not become its own vulnerability.

2. Configuration and Integration Tools

Deploying FortiAI's capabilities requires specific configuration tools that bridge it with the broader Fortinet ecosystem.

Primary Configuration Interface: The FortiAI Configuration widget for FortiSOAR is a central tool for enabling modern AI features. Certified for FortiSOAR 7.6.1 and later, this wizard facilitates the setup of Large Language Model (LLM) Integration (such as with OpenAI) and allows administrators to select the specific AI model to be used for different FortiAI operational modes. Configuration is tied to the individual FortiSOAR user's login ID.

Legacy Appliance Management: For dedicated FortiAI hardware appliances (e.g., FortiAI-3500F), initial setup is performed via CLI, with ongoing management through a web GUI (accessible via https://192.168.1.88 by default). Key administration areas in the GUI include Security Fabric settings for authorizing connected FortiGate devices, Network configuration for interfaces and DNS, and System settings for administrators, certificates, and core AI functions.

3. Operational Modes and Deployment

FortiAI is designed for flexibility, supporting multiple simultaneous deployment modes to fit diverse network architectures.

Table 1: FortiAI Operational Modes and Use Cases

Sniffer Mode
  Supported protocols: SMBv2, HTTP
  Primary use case: Passive monitoring of internal networks, DMZ, and high-traffic browsing areas.
  Key integration/note: Deploys independently to analyze traffic; ideal for detecting lateral movement.

Integrated Mode
  Supported protocols: HTTP, SMTP, POP3, IMAP, FTP, MAPI
  Primary use case: Active inspection of files forwarded from FortiGate Next-Generation Firewalls.
  Key integration/note: Uses encrypted OFTP over SSL (TCP 514). FortiGate 5.6+ compatibility, officially supported in 6.4+.

Inline Blocking Mode
  Supported protocols: Varies by AV profile
  Primary use case: Real-time blocking of malware at the FortiGate.
  Key integration/note: Requires FortiOS 7.0.1 or higher. FortiAI verdicts are used in FortiGate AV profiles for instant action.

ICAP Server Mode
  Supported protocols: ICAP
  Primary use case: Providing malware analysis services to ICAP clients like FortiWeb or Squid proxies.
  Key integration/note: Configurable via CLI and GUI; allows third-party devices to leverage FortiAI scanning.
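As an added illustration of ICAP Server Mode (this is example configuration written for this page, not from Fortinet or Squid documentation), the following Squid proxy configuration hands HTTP responses to a FortiAI appliance acting as ICAP server. The appliance address 192.0.2.10, the ICAP port 1344 (the protocol default) and the service paths /respmod and /reqmod are assumptions; take the real values from the appliance's ICAP settings.

```conf
# Added example: Squid forwarding traffic to FortiAI in ICAP server mode.
# Assumed values: FortiAI appliance at 192.0.2.10 (documentation address),
# ICAP on the default port 1344, service paths /respmod and /reqmod.
# Replace these with the values shown in the FortiAI ICAP configuration.
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
icap_send_client_username on

# RESPMOD: scan server responses (file downloads) before they reach the client.
# bypass=off makes this fail-closed: if FortiAI is unreachable, Squid returns an
# error page instead of delivering unscanned content. bypass=on would fail open
# (traffic flows uninspected during an outage), so monitor the ICAP service
# health either way.
icap_service fortiai_resp respmod_precache bypass=off icap://192.0.2.10:1344/respmod

# REQMOD: also scan client uploads (same assumed path convention).
icap_service fortiai_req reqmod_precache bypass=off icap://192.0.2.10:1344/reqmod

# Exempt an internal patch server so a scanner outage cannot block updates;
# keep this list short and reviewed, since exempted traffic is never scanned.
acl internal_updates dstdomain .updates.example.internal
adaptation_access fortiai_resp deny internal_updates
adaptation_access fortiai_resp allow all
adaptation_access fortiai_req allow all
```

After reloading Squid, confirm with a known-clean download that the proxy still serves content, and check the appliance's ICAP logs to verify that requests are actually arriving before relying on the scan.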

4. Advanced Features and Analysis

Beyond basic detection, FortiAI provides deep analytical tools that mimic and augment human security analysts.

  • Virtual Security Analyst (VSA): The VSA is the core analytical engine. It doesn't just label a file as malicious; it classifies the attack scenario (e.g., Ransomware, Downloader, Worm) and traces the attack's origin. The Attack Timeline visualizes the kill chain, helping identify "patient zero"—the initial source of an infection—turning an investigation that could take days into one resolved in seconds.

  • Host Story and Threat Investigation: While "Attack Scenario" organizes data by threat type, "Host Story" organizes it by infected host IP address. This allows analysts to see all infection events on a single machine over time, providing a complete narrative of a host's compromise. The Threat Investigation section then ties this data together for comprehensive forensic analysis and reporting.

  • Automation and Response: FortiAI can integrate with the Security Fabric for automated enforcement. This includes quarantining infected hosts via FortiGate NAC policies and triggering automated playbooks through Fabric Connectors and webhooks. It also features Network Share Scanning, which can schedule deep scans of file servers, quarantine malicious files found, and generate detailed logs and reports.

5. Practical Application: A Case Study in SD-WAN Automation

A powerful example of FortiAI-Assist in action is automated SD-WAN overlay configuration through FortiManager. Instead of manually building complex templates, a network engineer can simply ask the FortiAI assistant for help.

The process is conversational: the engineer provides a network diagram or describes the topology of Hubs and Branches. FortiAI processes this information, extracts the key components, and generates a complete SD-WAN Overlay Template. After the engineer reviews and confirms, FortiAI can proceed to push the configuration directly to the relevant FortiGate devices (both Hubs and Branches), completing in minutes a task that traditionally requires extensive manual configuration and validation.

Frequently Asked Questions (FAQ)

What is the difference between the FortiAI appliance and the FortiAI features in FortiSOAR/FortiAnalyzer?

This is a common point of confusion. FortiAI originally referred to a dedicated hardware appliance (like the FortiAI-3500F) for advanced malware detection using neural networks. Now, "FortiAI" also encompasses AI features integrated into platforms like FortiSOAR and FortiAnalyzer. The FortiSOAR widget configures LLM integrations for automation, while FortiAnalyzer 7.6+ includes an AI assistant (requiring a separate license). The legacy appliance was renamed FortiAIOps.

What are the minimum version requirements for integrating FortiAI with FortiAnalyzer?

It depends on the integration type. For forwarding logs from the legacy FortiAI (FortiAIOps) appliance to FortiAnalyzer for storage, version 7.0.1 or higher is required. To use the built-in FortiAI Assistant generative AI features within FortiAnalyzer itself, you need FortiAnalyzer 7.6.1 or later along with a specific AI license.

How do I perform the initial setup of a FortiAI appliance?

  1. CLI Initialization: Connect via console or SSH to the appliance's management interface (default port1). Use CLI commands to set the IP address.
  2. GUI Access: Point a web browser (Chrome is recommended) to the appliance's IP (default https://192.168.1.88). Log in with the username admin and a blank default password.
  3. System Configuration: In the GUI, navigate to System to configure network settings, administrators, certificates, and FortiGuard updates for the ANN database.
  4. Security Fabric Setup: Under Security Fabric > Settings, authorize the FortiGate devices that will send files to the FortiAI appliance.

Can FortiAI operate in more than one mode at a time?

Yes. A significant strength of FortiAI is its ability to operate in multiple modes simultaneously. For example, one port can be configured in sniffer mode to monitor an internal VLAN, while the appliance also accepts files via integrated mode from FortiGate devices at the network perimeter, and simultaneously serves as an ICAP server for a web application firewall.

What should I do if I encounter a false positive or false negative?

The FortiAI administration guide includes a section on working with false positives/negatives. The process typically involves:

  • Verification: Confirming the file's actual behavior using other tools.
  • Submission: If the FortiAI verdict is incorrect, the file can be submitted to FortiGuard Labs for analysis via the FortiAI GUI.
  • Feedback Loop: This submission helps refine and improve the underlying AI models, contributing to the collective intelligence of the Fortinet Security Fabric.