| Description | This article discusses the valid use cases for running an on-premise FortiEDR Core in JumpBox, Core only and ‘Both’ modes. |
| Scope | FortiEDR 5.0+ |
| Solution |
As outlined in our Administration guide, the FortiEDR Core offers three functionality modes:
- Core only – Specifies that the system provides basic FortiEDR Core functionality: events processing, Communication Control handling and Threat Hunting event handling to the cloud repository.
- JumpBox – Specifies that the FortiEDR Core is used by the FortiEDR Manager as a JumpBox, while the JumpBox connects to the LDAP, sandbox or to the products. No basic Core functionalities are provided in this mode.
Note: The JumpBox can also be used in the Cloud, not only when the Core is on-premise. This can only be changed in Hoster view.
- Both – Provides both Core and JumpBox functionality, as described above.
In the vast majority of deployment models, the JumpBox mode should be selected to allow for integrations with other services and products, including Active Directory, FortiGate, FortiAnalyzer and others.
If the deployment model is geographically distributed or consists of a large number of Collectors (5,000+) using large Threat Hunting collection profiles, then an on-premise Core may be required, but this varies case by case. Fortinet TAC can review this through a ticket. In such circumstances, the Core must satisfy the minimum system requirements outlined here: https://docs.fortinet.com/document/fortiedr/5.2.0/administration-guide/838338/appendix-c-on-premise-.... Collectors measure response times based on a TCP three-way handshake with both the on-premise Core and the cloud Core, and select the Core with the lowest response time.
Note: These are minimum requirements. Depending on the number of Collectors connecting to the Core and the Threat Hunting collection profiles assigned, they may need to be increased to scale. It is important to understand this before changing the mode to ‘Core only’ or ‘Both’.
To allow Threat Hunting data to be passed to the cloud Threat Hunting repository, open a FortiCare ticket and have TAC add the public IP address of the Core to the cloud’s border firewall. |
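To estimate which Core the Collectors at a given site are likely to prefer, the handshake comparison described above can be approximated from a host on the same network segment. This is an added example, not Fortinet code: the hostnames and port are placeholders to be replaced with the deployment's values, and taking the median of several samples is an assumption, since the article only states that the lowest response time wins.

```python
import socket
import statistics
import time

def measure_connect(host, port, timeout=2.0):
    """Return the seconds taken to complete a TCP handshake, or None on failure."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.perf_counter() - start
    except OSError:  # refused, timed out, unresolvable, unreachable
        return None

def sample_core(host, port, attempts=5, timeout=2.0):
    """Take several handshake timings so one slow SYN does not decide the result."""
    return [measure_connect(host, port, timeout) for _ in range(attempts)]

def select_core(samples):
    """samples: {name: [seconds or None, ...]}.
    Return (name, median_seconds) for the fastest reachable Core, or None."""
    best = None
    for name, times in samples.items():
        reachable = [t for t in times if t is not None]
        if not reachable:
            continue  # a Core that never answered cannot be selected
        median = statistics.median(reachable)
        if best is None or median < best[1]:
            best = (name, median)
    return best

if __name__ == "__main__":
    CORE_PORT = 555  # assumed Collector-to-Core port; confirm for your deployment
    CORES = {        # placeholder hostnames
        "on-premise": ("core.onprem.example", CORE_PORT),
        "cloud": ("core.cloud.example", CORE_PORT),
    }
    results = {name: sample_core(h, p) for name, (h, p) in CORES.items()}
    for name, times in results.items():
        shown = ["fail" if t is None else f"{t * 1000:.1f} ms" for t in times]
        print(f"{name:10s} {shown}")
    winner = select_core(results)
    print("no Core reachable" if winner is None
          else f"lowest response time: {winner[0]} ({winner[1] * 1000:.1f} ms)")
```

If the cloud Core consistently wins from a site that was meant to use the on-premise Core, the on-premise Core's placement or sizing should be reviewed before switching it to ‘Core only’ or ‘Both’.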