<h2>1. Functional Overview: Strategic Positioning of GenAI Detection in FortiOS 8.0</h2><h3>1.1 Functional Background and Release Information</h3><p>FortiOS 8.0, the latest major version of Fortinet's unified operating system, introduces native detection and control capabilities for Generative AI (GenAI) applications. The official new-features documentation for FortiOS 8.0.0 states:</p><blockquote><p>"Application control support has been added for generative AI to enhance the management and categorization of generative AI signatures. This offers improved visibility and insights into AI-related activities."<br><strong>Source:</strong> FortiOS 8.0.0 New Features - Application control support for generative AI</p></blockquote><p>With this feature, Fortinet formally brings security control of Generative AI applications into its core security architecture. As AI services such as ChatGPT, Claude, and Gemini spread through enterprise environments, controlling AI tool usage without hurting business efficiency has become a key challenge for security teams, and the GenAI detection feature in FortiOS 8.0 is designed to address it.</p><h3>1.2 Core Functional Components</h3><p>GenAI detection in FortiOS 8.0 is built from the following core components, which together form a complete AI visibility and control system:</p><p><strong>AIAP Database Type Support.</strong> FortiOS 8.0 introduces a new AIAP (AI Application Protection) database type dedicated to signature matching for Generative AI rules. The database is maintained continuously by FortiGuard Labs and contains precise identification signatures for mainstream AI applications.</p><p><strong>GenAI Dedicated Log Fields.</strong> Six dedicated fields are added to UTM application control logs to record the key metadata of each AI interaction. 
These fields cover the complete information chain from user identity to prompt content.</p><p><strong>Dedicated Application Category.</strong> A new "Generative AI" application category is added under Security Profiles > Application Signatures; it is identified as category 36 in the CLI, which makes batch policy configuration straightforward for administrators.</p><p><strong>FortiView AI Dedicated Widgets.</strong> Two new FortiView dashboard widgets, AI Applications and AI Use Cases, visualize AI traffic patterns in real time.</p><h3>1.3 Functional Positioning and Value Proposition</h3><p>From an enterprise network security perspective, the core value of the FortiOS 8.0 GenAI detection functionality lies in three dimensions:</p><p><strong>First, Shadow AI Discovery and Visibility.</strong> Network-layer detection identifies the AI tools employees use, giving security teams insight into unauthorized AI usage, i.e., the Shadow AI phenomenon.</p><p><strong>Second, Data Leakage Risk Visualization.</strong> Extracting AI interaction metadata (target data center geographical location, user account, prompt content, etc.) helps security teams assess potential data leakage through AI channels.</p><p><strong>Third, Compliance Audit Support.</strong> Complete log records and FortiView visualization reports provide technical evidence for meeting increasingly stringent AI regulatory requirements and support compliance audits.</p><h2>2. Technical Architecture: FortiOS 8.0 Implementation</h2><h3>2.1 AIAP Database Architecture</h3><p>The AIAP (AI Application Protection) database is the core engine of FortiOS 8.0 GenAI detection. According to official documentation, it has the following technical characteristics:</p><p><strong>Database Type and Update Mechanism.</strong> AIAP is an independent database type, updated through the FortiGuard Distribution Network (FDN). 
Like traditional application signature databases, the AIAP database uses signature matching to identify AI application traffic. Its version status can be verified with the following CLI command:</p><p># diagnose autoupdate versions | grep -A 6 GenAI
GenAI Application Definitions
Version: 33.00033 signed
Contract Expiry Date: Thu Jan 3 2030
Last Updated using scheduled update on Tue Jun 24 20:59:43 2025
Last Update Attempt: Tue Jun 24 23:10:03 2025
Result: No Updates</p><p><strong>Prerequisites for Database Update.</strong> Official documentation states that the AIAP database updates only when:</p><ul><li>The device has a valid FMWR (FortiCare Maintenance & Warranty Renewals) contract</li><li>At least one firewall policy has an Application Control profile enabled</li><li>The FortiGate can reach the FortiGuard servers</li></ul><p><strong>CLI Category Identifier.</strong> The Generative AI application category is identified as category 36 in the CLI; this value is used when configuring application control entries.</p><h3>2.2 SSL Deep Inspection Dependency Architecture</h3><p>Because mainstream AI services are delivered over HTTPS (TLS 1.2/1.3), FortiOS 8.0's GenAI detection depends heavily on SSL Deep Inspection. This architectural design reflects Fortinet's core technical capabilities in encrypted traffic detection.</p><p><strong>Man-in-the-Middle Decryption Principle.</strong> SSL deep inspection works by establishing two TLS connections: FortiGate terminates the client's TLS connection and, acting as a client, establishes a new TLS connection to the target server, forwarding and inspecting the data between the two. The process is transparent to end users, provided they trust the FortiGate re-signing CA (see section 3.2).</p><p><strong>Association with GenAI Detection.</strong> According to official documentation, complete capture of Extended UTM logs (including the GenAI dedicated fields such as aiuser, model and prompt) requires SSL deep inspection. Some GenAI signatures explicitly state that SSL Deep Inspection is required for them to work; this is shown in the "Requirements" field on the signature details page.</p><p><strong>Detection Mode Selection.</strong> FortiOS 8.0 supports two SSL inspection modes:</p><figure class="table">
| Detection Mode | Description | GenAI Detection Capability |
|---|---|---|
| Certificate Inspection | Checks certificate information only; content is not decrypted | Can only identify the target server; cannot extract AI metadata |
| Full SSL Inspection (Deep Inspection) | Full decryption and content inspection | Full support for AI application identification and metadata extraction |
</figure><p><strong>GenAI Dedicated Log Fields.</strong> The six GenAI fields added to UTM application control logs, with their GUI names and meanings:</p><figure class="table">
| CLI Log Field | GUI Field Name | Data Meaning | Example Value |
|---|---|---|---|
| aiuser | AI User | AI application user account | user@company.com |
| model | Model | AI model identifier | gpt-4, claude-3 |
| dcgeo | Data Center's Geographical Location | Data center geographical region | US, EU, CN |
| usecase | Use Case | AI usage scenario classification | Conversational_Assistant |
| prompt | Prompt | User prompt content | (Actual input content) |
| cloudgenai | Generative AI Application | Aggregated application information | JSON structure containing multiple dimensions |
</figure>
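<p>As an added example (not code from the page or from Fortinet), the following Python parses a FortiOS application control record of the kind shown in this section, splits the aggregated cloudgenai value into its own fields, and applies a simple defender-side triage over the fields in the table above: a non-corporate AI account, a data center outside an allowed region list, HistoryTraining=true, prompts matching a few sensitive-content patterns, and the missing-metadata case that certificate-only inspection produces. The corporate domain list, the allowed regions, the sensitive-pattern list and the flag names are assumptions constructed for the example; the first sample record is the page's own sample log condensed to one line, the other two records are constructed.</p>

```python
import re
from typing import Dict, List, Set

# Top-level FortiOS log syntax: key=value pairs, where a value is either
# double-quoted (may contain spaces, commas and backslash-escaped quotes)
# or a bare token without whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Inside cloudgenai: "Key=Value, Key=Value, ..." with optional single quotes
# around values that contain commas or spaces (Title, Prompt).
_CLOUDGENAI_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,]*)")

# The page's sample record, condensed to one line (values as printed on the page).
SAMPLE_LOG = (
    'logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" '
    'level="information" vd="vd1" appid=53323 srcip=10.1.100.126 dstip=110.18.32.47 '
    'srcport=59001 dstport=443 service="HTTPS" direction="incoming" policyid=1 '
    'sessionid=1299 applist="GenAI" action="pass" appcat="GenAI" '
    'app="OpenAI.ChatGPT_Post" msg="GenAI: OpenAI.ChatGPT_Post" '
    'usecase="Conversational_Assistant" aiuser="fftntt@gmail.com" model="auto" '
    'dcgeo="US" prompt="generate test log for appctrl" '
    'cloudgenai="APP=OpenAI.ChatGPT, DCGEO=US, UseCase=Conversational_Assistant, '
    'User=fftntt@gmail.com, UserOrganization=org-F2ZasxjlplRvKPgeVfbXbPeM, '
    "HistoryTraining=true, Model=auto, Title='AppCtrl Test Log', "
    "Prompt='generate test log for appctrl'\" apprisk=\"low\""
)
# Constructed: a GenAI record with no AI metadata, as seen when only certificate
# inspection is in place and the aiuser/dcgeo/prompt fields cannot be extracted.
NO_METADATA_LOG = (
    'type="utm" subtype="app-ctrl" appcat="GenAI" app="Example.AI_Service" '
    'action="pass" apprisk="low"'
)
# Constructed: corporate user, allowed region, but a prompt carrying a credential.
SENSITIVE_LOG = (
    'type="utm" subtype="app-ctrl" appcat="GenAI" app="Example.AI_Service" '
    'aiuser="alice@company.com" dcgeo="US" '
    'prompt="rewrite this note: the service password is REDACTED-EXAMPLE" apprisk="low"'
)

# Constructed patterns for obviously sensitive prompt content (not a real DLP engine).
SENSITIVE_PROMPT_PATTERNS = [
    re.compile(r"\b(password|passwd|secret|api[ _-]?key|confidential)\b", re.IGNORECASE),
    re.compile(r"\b\d{13,19}\b"),                       # card/account-number-sized digit runs
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # a pasted private key
]


def _unquote(value: str, quote: str) -> str:
    """Strip one layer of surrounding quotes and unescape backslash-quote inside."""
    if len(value) >= 2 and value[0] == quote and value[-1] == quote:
        return value[1:-1].replace("\\" + quote, quote)
    return value


def parse_cloudgenai(blob: str) -> Dict[str, str]:
    """Split the aggregated cloudgenai value into its Key=Value components."""
    return {k: _unquote(v.strip(), "'") for k, v in _CLOUDGENAI_RE.findall(blob)}


def parse_fortios_log(line: str) -> Dict[str, object]:
    """Parse one FortiOS key=value log line; cloudgenai is expanded into a sub-dict."""
    record: Dict[str, object] = {k: _unquote(v, '"') for k, v in _KV_RE.findall(line)}
    if "cloudgenai" in record:
        record["cloudgenai_fields"] = parse_cloudgenai(str(record["cloudgenai"]))
    return record


def triage(record: Dict[str, object], corporate_domains: Set[str],
           allowed_regions: Set[str]) -> List[str]:
    """Return sorted risk flags for one GenAI application control record."""
    if record.get("appcat") != "GenAI":
        return []
    flags: List[str] = []
    user = str(record.get("aiuser", ""))
    if not user:
        flags.append("aiuser-missing")            # no identity: is deep inspection active?
    elif user.rsplit("@", 1)[-1].lower() not in corporate_domains:
        flags.append("personal-account")          # AI use under a non-corporate account
    dcgeo = record.get("dcgeo")
    if dcgeo is None:
        flags.append("dcgeo-missing")
    elif str(dcgeo).upper() not in allowed_regions:
        flags.append("dcgeo-not-allowed")         # data processed outside the allowed regions
    extra = record.get("cloudgenai_fields")
    if isinstance(extra, dict) and str(extra.get("HistoryTraining", "")).lower() == "true":
        flags.append("history-training-enabled")  # conversations may feed model training
    prompt = str(record.get("prompt", ""))
    if any(p.search(prompt) for p in SENSITIVE_PROMPT_PATTERNS):
        flags.append("sensitive-prompt")
    return sorted(flags)


if __name__ == "__main__":
    for line in (SAMPLE_LOG, NO_METADATA_LOG, SENSITIVE_LOG):
        rec = parse_fortios_log(line)
        print(rec.get("app"), rec.get("aiuser"), triage(rec, {"company.com"}, {"US", "EU"}))
```

<p>The regular expressions deliberately consume a whole quoted value before looking for the next key, so the Key=Value pairs nested inside cloudgenai are not mistaken for top-level fields; the same parser can be pointed at a FortiAnalyzer export or a syslog feed of these records.</p>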
<p>Sample UTM application control log record with the GenAI fields populated:</p><p>logid="1059028704" type="utm" subtype="app-ctrl"
eventtype="signature" level="information" vd="vd1"
appid=53323 srcip=10.1.100.126 dstip=110.18.32.47
srcport=59001 dstport=443 service="HTTPS"
direction="incoming" policyid=1 sessionid=1299
applist="GenAI" action="pass"
appcat="GenAI" app="OpenAI.ChatGPT_Post"
msg="GenAI: OpenAI.ChatGPT_Post"
usecase="Conversational_Assistant"
aiuser="fftntt@gmail.com"
model="auto"
dcgeo="US"
prompt="generate test log for appctrl"
cloudgenai="APP=OpenAI.ChatGPT, DCGEO=US,
UseCase=Conversational_Assistant,
User=fftntt@gmail.com,
UserOrganization=org-F2ZasxjlplRvKPgeVfbXbPeM,
HistoryTraining=true, Model=auto,
Title='AppCtrl Test Log',
Prompt='generate test log for appctrl'"
apprisk="low"</p><p>From this log, the following key information can be extracted:</p><ul><li>User identity: fftntt@gmail.com</li><li>AI service: OpenAI ChatGPT</li><li>AI model: auto (automatic selection)</li><li>Data center location: United States (US)</li><li>Usage scenario: Conversational assistant</li><li>Prompt content: generate test log for appctrl</li><li>Conversation history training status: HistoryTraining=true</li></ul><h2>3. Deployment Guide: FortiOS 8.0 Device Operation Steps</h2><h3>3.1 Prerequisite Verification</h3><p>Before deploying GenAI detection, complete the following prerequisite checks on the FortiOS 8.0 device. They confirm the device has the basic environment GenAI detection needs in order to operate.</p><p><strong>Step 1: Confirm Firmware Version.</strong></p><p>Log in to the FortiOS 8.0 device management interface and run the following command to confirm the firmware version:</p><p># get system status</p><p>Ensure the device is running FortiOS 8.0.0 or later.</p><p><strong>Step 2: Verify Subscription Status.</strong></p><p>Navigate to the System > FortiGuard page, or run the following CLI command, to verify subscription status:</p><p># diagnose fortiguard upd-status</p><p>Confirm the following subscriptions are active:</p><ul><li>FortiCare Maintenance & Warranty Renewals (FMWR)</li><li>Application Control service</li></ul><p><strong>Step 3: Verify FortiGuard Connectivity.</strong></p><p># execute ping update.fortiguard.net
# execute ping service.fortiguard.net</p><p>Ensure the device can resolve and reach the FortiGuard servers.</p><h3>3.2 Endpoint CA Certificate Deployment</h3><p>After SSL deep inspection is enabled, endpoint devices must trust the CA certificate FortiGate uses for re-signing; otherwise users see certificate warnings. The certificate deployment steps for the main operating systems follow.</p><p><strong>Windows System Certificate Installation Steps:</strong></p><ol><li>Log in to FortiGate management interface</li><li>Navigate to Security Profiles > SSL/SSH Inspection</li><li>Edit the SSL inspection profile being used (system built-in deep-inspection or custom profile)</li><li>Click the "Download" button next to CA certificate to download the certificate</li><li>On Windows client, double-click the downloaded certificate file</li><li>Select "Local Machine" as storage location</li><li>Place the certificate in "Trusted Root Certification Authorities" store</li><li>Complete the certificate import wizard</li></ol><p><strong>macOS System Certificate Installation Steps:</strong></p><ol><li>Download Fortinet_CA_SSL certificate file</li><li>Open "Keychain Access" application on macOS</li><li>Select "System" keychain</li><li>Import certificate through "File > Import Items"</li><li>Double-click the imported certificate, expand "Trust" options</li><li>Set "When using this certificate" to "Always Trust"</li></ol><p><strong>Firefox Browser Special Configuration.</strong></p><p>Firefox keeps its own certificate store and does not use the system certificate store. 
In Firefox, additional configuration is required:</p><ol><li>Open Firefox settings</li><li>Navigate to "Privacy & Security" page</li><li>In "Certificates" section, check "Allow Firefox to automatically trust third-party certificates you install"</li></ol><h3>3.3 Application Control Profile Creation</h3><p><strong>Create GenAI Monitoring Profile via GUI:</strong></p><ol><li>Navigate to Security Profiles > Application Control page</li><li>Click "Create New" button to create new profile</li><li>Enter profile name (such as "GenAI_Monitor")</li><li>Find "Generative AI" category in application category list</li><li>Set the action for this category to "Monitor"</li><li>Configure other parameters as needed</li><li>Click "OK" to save profile</li></ol><h3>3.4 SSL Inspection Profile Configuration</h3><p><strong>Create SSL/SSH Profile with Deep Inspection Enabled:</strong></p><ol><li>Navigate to Security Profiles > SSL/SSH Inspection page</li><li>Click "Create New" to create new profile</li><li>Configure the following parameters:<ul><li>Name: Enter profile name (such as "new-deep-inspection")</li><li>SSL Inspection Options > Inspection method: Select "Full SSL Inspection"</li><li>CA certificate: Select CA certificate for re-signing</li></ul></li><li>In Protocol Port Mapping, ensure HTTPS (port 443) has deep inspection enabled</li><li>Click "OK" to save</li></ol><p><strong>Create SSL Inspection Profile via CLI:</strong></p><p>config firewall ssl-ssh-profile
edit "new-deep-inspection"
config https
set ports 443
set status deep-inspection
end
set caname "Fortinet_CA_SSL"
next
end</p><h3>3.5 Firewall Policy Configuration</h3><p>Associate Application Control profile and SSL inspection profile to firewall policy:</p><p><strong>Configure Firewall Policy via GUI:</strong></p><ol><li>Navigate to Policy & Objects > Firewall Policy page</li><li>Click "Create New" to create new policy</li><li>Configure basic parameters:<ul><li>Name: Policy name</li><li>Incoming Interface: Source interface (such as port2)</li><li>Outgoing Interface: Destination interface (such as port1)</li><li>Source: Source address object</li><li>Destination: Destination address object</li><li>Schedule: Schedule time</li><li>Service: Service type (usually select ALL)</li></ul></li><li>In Security Profiles section:<ul><li>Enable Application Control, select the previously created GenAI profile</li><li>Set SSL Inspection to profile with deep inspection enabled</li></ul></li><li>Enable UTM status</li><li>Enable NAT as needed</li><li>Click "OK" to save policy</li></ol><h3>3.6 FortiView AI Widget Configuration</h3><p><strong>Add FortiView AI Applications Widget:</strong></p><ol><li>Navigate to Dashboard > Status page</li><li>Click "Add Widget" button</li><li>Select "FortiView AI Applications" in widget list</li><li>Configure widget parameters (name, data refresh interval, etc.)</li><li>Click "OK" to add widget</li></ol><p><strong>Add FortiView AI Use Cases Widget:</strong></p><p>Repeat the above steps, select "FortiView AI Use Cases" in widget list.</p><h3>3.7 Deployment Verification</h3><p>After completing the above configuration, functional verification is required to ensure GenAI detection works properly.</p><p><strong>Step 1: Trigger Test Traffic.</strong></p><p>On client PC with CA certificate installed:</p><ol><li>Open browser and visit www.chatgpt.com</li><li>Log in to AI service account</li><li>Enter test prompt (such as "Hello, this is a test")</li></ol><p><strong>Step 2: Check Log Generation.</strong></p><p>View via GUI: Log & Report > Security Events > Application 
Control</p><p>View via CLI:</p><p># execute log display | grep -i "GenAI"</p><p><strong>Step 3: Verify Log Content.</strong></p><p>Confirm the log contains the following GenAI fields:</p><ul><li>appcat="GenAI"</li><li>app="OpenAI.ChatGPT_Post"</li><li>the aiuser, model, dcgeo, usecase and related fields are populated</li></ul><p><strong>Step 4: Verify AIAP Database Update.</strong></p><p># diagnose autoupdate versions | grep -A 6 GenAI</p><p>Confirm the AIAP database version number is non-zero (for example, Version: 33.00033).</p><h2>4. Configuration Details: FortiOS 8.0 CLI Command Reference</h2><h3>4.1 Application Control Profile CLI Configuration</h3><p><strong>Basic GenAI Monitoring Configuration (CLI):</strong></p><p>config application list
edit "GenAI"
config entries
edit 1
set category 36
set action pass
next
end
next
end</p><p><strong>Configuration Notes:</strong></p><ul><li>
category 36: select the Generative AI application category</li><li>action pass: allow the traffic (log only)</li></ul><p><strong>Monitor Mode Configuration:</strong></p><p>To generate UTM alert events in addition to logging, set the action to monitor:</p><p>config application list
edit "GenAI_Monitor"
config entries
edit 1
set category 36
set action monitor
next
end
next
end</p><p><strong>Block Mode Configuration:</strong></p><p>If you need to block all GenAI traffic:</p><p>config application list
edit "GenAI_Block"
config entries
edit 1
set category 36
set action block
next
end
next
end</p><h3>4.2 Firewall Policy CLI Configuration</h3><p><strong>Associate Application Control and SSL Inspection Configuration to Policy:</strong></p><p>config firewall policy
edit 1
set name "GenAI_Inspection_Policy"
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "new-deep-inspection"
set application-list "GenAI"
set nat enable
next
end</p><p><strong>Key Parameter Notes:</strong></p><ul><li>
utm-status enable: Enable UTM functionality</li><li>ssl-ssh-profile "new-deep-inspection": Associate deep inspection profile</li><li>application-list "GenAI": Associate application control profile</li></ul><h3>4.3 SSL/SSH Inspection Profile CLI Configuration</h3><p><strong>Create Deep Inspection Profile:</strong></p><p>config firewall ssl-ssh-profile
edit "new-deep-inspection"
config https
set ports 443
set status deep-inspection
end
config ftps
set ports 990
set status deep-inspection
end
config imaps
set ports 993
set status deep-inspection
end
config pop3s
set ports 995
set status deep-inspection
end
config smtps
set ports 465
set status deep-inspection
end
set caname "Fortinet_CA_SSL"
next
end</p><h3>4.4 Explicit Proxy Environment Configuration</h3><p>When GenAI detection is used in an environment with Explicit Proxy enabled, inline IPS must be disabled:</p><p>config ips settings
set proxy-inline-ips disable
end</p><h3>4.5 Database Status Query Commands</h3><p><strong>Query AIAP Database Version:</strong></p><p># diagnose autoupdate versions | grep -A 6 GenAI</p><p><strong>Expected Output Format:</strong></p><p>GenAI Application Definitions
Version: XX.XXXXXX signed
Contract Expiry Date: [Date]
Last Updated using scheduled update on [Date]
Last Update Attempt: [Date]
Result: No Updates / Update succeeded</p><p><strong>Abnormal Situation Diagnosis:</strong></p><p>If "Version: 0.00000" is displayed, the AIAP database has not been updated yet; possible reasons include:</p><ul><li>No firewall policy has Application Control enabled</li><li>The FMWR subscription has expired</li><li>The FortiGate cannot connect to the FortiGuard servers</li></ul><h2>5. Business Process: FortiOS 8.0 System Processing Flow</h2><h3>5.1 Traffic Identification and Policy Matching Flow</h3><p>When users access AI services through a FortiOS 8.0 device, the system processes the traffic in the following phases:</p><p><strong>Phase 1: Connection Establishment and Policy Matching.</strong></p><ol><li>The client initiates an HTTPS connection request to the AI service (such as chat.openai.com)</li><li>FortiGate receives the incoming traffic packets</li><li>The firewall engine queries the policy table and performs policy matching</li><li>Once a matching policy is found, it checks whether SSL/SSH inspection and UTM are enabled</li><li>If deep inspection is enabled, the session enters the SSL decryption flow</li></ol><p><strong>Phase 2: SSL Deep Inspection Flow.</strong></p><ol><li>FortiGate impersonates the target server, generating a forged certificate with its local CA certificate</li><li>The client establishes a TLS connection with FortiGate (frontend connection)</li><li>FortiGate simultaneously establishes a TLS connection as a client with the real AI server (backend connection)</li><li>FortiGate forwards data between the two TLS connections</li><li>Inside FortiGate the traffic is available in plaintext</li></ol><p><strong>Phase 3: Application Layer Inspection and Signature Matching.</strong></p><ol><li>The IPS engine's protocol decoder analyzes the decrypted HTTP requests</li><li>The application identification module queries the AIAP database</li><li>Signature pattern matching identifies the AI application type</li><li>On a successful match, GenAI-related metadata is extracted</li><li>The policy action is executed according to the profile 
settings</li></ol><p><strong>Phase 4: Response Generation and Data Forwarding.</strong></p><ol><li>Generate application control log containing GenAI fields</li><li>Determine traffic handling method according to action settings:<ul><li>Monitor/Pass: Forward decrypted traffic</li><li>Block: Terminate connection, return replacement page</li></ul></li><li>Re-encrypt traffic and forward to target recipient</li></ol><h3>5.2 Log Generation and Reporting Flow</h3><p><strong>Local Log Generation.</strong></p><p>After detecting GenAI traffic, FortiGate automatically generates UTM application control logs containing complete GenAI metadata fields. Logs are stored on device local disk and can be viewed through:</p><ul><li>GUI: Log & Report > Security Events</li><li>CLI: execute log display</li></ul><p><strong>FortiAnalyzer Reporting.</strong></p><p>If FortiGate is configured with FortiAnalyzer log reporting, logs are synchronously sent to FortiAnalyzer for centralized storage and analysis. On FortiAnalyzer, you can:</p><ul><li>View cross-device AI traffic aggregated data</li><li>Generate periodic AI usage reports</li><li>Configure alert rules based on GenAI fields</li></ul><p><strong>FortiView Real-time Aggregation.</strong></p><p>FortiView module aggregates GenAI log data in real-time, displaying on dashboard:</p><ul><li>AI Applications widget: Traffic ranking by AI application classification</li><li>AI Use Cases widget: Traffic ranking by usage scenario classification</li></ul><h2>6. Authorization and Purchase: FortiOS 8.0 License Requirements</h2><h3>6.1 FortiGuard Subscription Service System</h3><p>FortiOS 8.0's GenAI detection functionality depends on Fortinet's FortiGuard subscription service system. 
According to official documentation and related product materials, this functionality requires the following subscriptions:</p><p><strong>FMWR (FortiCare Maintenance & Warranty Renewals).</strong></p><p>FMWR is the FortiGate device's basic maintenance contract; it mainly provides:</p><ul><li>Firmware version upgrade rights</li><li>Technical support services</li><li>FortiGuard database update rights</li></ul><p>According to official instructions, AIAP database updates require a valid FMWR contract.</p><p><strong>Application Control Service.</strong></p><p>Application Control is one of the security services included in several FortiGuard security bundles:</p><ul><li>UTP (Unified Threat Protection) Bundle</li><li>Enterprise Protection Bundle</li><li>Advanced Threat Protection (ATP) Bundle</li></ul><h3>6.2 Subscription Bundle Comparison</h3><p>According to Fortinet official product materials and licensing guides, the functional coverage of each subscription bundle is as follows:</p><figure class="table">
| Bundle Name | Includes Application Control | Includes DLP | Includes AI Security Features | Applicable Scenarios |
|---|---|---|---|---|
| FortiCare Basic Contract | ❌ | ❌ | ❌ | Basic support only |
| UTP Bundle | ✅ | ❌ | ❌ | SME basic protection |
| ATP Bundle | ✅ | ❌ | Partial | Advanced threat protection |
| Enterprise Protection | ✅ | ✅ | ✅ | Large enterprise comprehensive protection |
</figure><p><strong>FMWR Contract Expiration.</strong> Effect on the functions the maintenance contract covers:</p><figure class="table">
| Function | Post-Expiration Status |
|---|---|
| Firmware Upgrade | Blocked from upgrading to new versions |
| FortiGuard Updates | Stop updates |
| AIAP Database | Stop updates (downloaded version still usable) |
</figure><p><strong>Application Control Service Expiration.</strong> Effect on GenAI signature-based detection:</p><figure class="table">
| Function | Post-Expiration Status |
|---|---|
| New Signature Download | Stop |
| Deployed Detection | Continues working (using the last downloaded signatures) |
| New AI Application Identification | Unable to identify |
</figure>
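<p>As an added example (not code from the page or from Fortinet), the following Python reads the GenAI block of the diagnose autoupdate versions output shown in section 4.5 and turns it into findings a monitoring job can act on: the "Version: 0.00000" not-downloaded case from the troubleshooting note, an expired or soon-to-expire contract (the post-expiration behaviour in the tables above), definitions that have not updated for a while, and a last attempt whose result is not one of the two expected values. The thresholds, the finding names and the second sample output are constructed assumptions; the first sample output is the page's own.</p>

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Union

# Output of "diagnose autoupdate versions | grep -A 6 GenAI" exactly as shown on the page.
SAMPLE_OUTPUT = """GenAI Application Definitions
Version: 33.00033 signed
Contract Expiry Date: Thu Jan 3 2030
Last Updated using scheduled update on Tue Jun 24 20:59:43 2025
Last Update Attempt: Tue Jun 24 23:10:03 2025
Result: No Updates
"""

# Constructed: the "never updated" case from the page's troubleshooting note,
# combined with an already expired contract (dates are made up).
NOT_UPDATED_OUTPUT = """GenAI Application Definitions
Version: 0.00000
Contract Expiry Date: Wed Jan 1 2025
Last Update Attempt: Tue Jun 24 23:10:03 2025
Result: No Updates
"""

_VERSION_RE = re.compile(r"^Version:\s*(\S+)(\s+signed)?", re.M)
_EXPIRY_RE = re.compile(r"^Contract Expiry Date:\s*(.+?)\s*$", re.M)
_UPDATED_RE = re.compile(r"^Last Updated .* on\s+(.+?)\s*$", re.M)
_ATTEMPT_RE = re.compile(r"^Last Update Attempt:\s*(.+?)\s*$", re.M)
_RESULT_RE = re.compile(r"^Result:\s*(.+?)\s*$", re.M)
EXPECTED_RESULTS = ("No Updates", "Update succeeded")   # the two results the page lists as normal


def genai_block(output: str) -> str:
    """Cut the 'GenAI Application Definitions' block out of a full diagnose dump."""
    block: List[str] = []
    inside = False
    for line in output.splitlines():
        if line.strip() == "GenAI Application Definitions":
            inside = True
            continue
        if inside:
            if not line.strip() or ":" not in line:   # blank line or next block header
                break
            block.append(line)
    return "\n".join(block)


def _parse_time(text: Optional[str], fmt: str) -> Optional[datetime]:
    return datetime.strptime(text, fmt) if text else None


def parse_genai_status(output: str) -> Dict[str, object]:
    """Extract version, signing, contract and update timestamps from the GenAI block."""
    block = genai_block(output)

    def first(rx: "re.Pattern[str]") -> Optional[str]:
        m = rx.search(block)
        return m.group(1) if m else None

    ver = _VERSION_RE.search(block)
    return {
        "version": ver.group(1) if ver else None,
        "signed": bool(ver and ver.group(2)),
        "contract_expiry": _parse_time(first(_EXPIRY_RE), "%a %b %d %Y"),
        "last_updated": _parse_time(first(_UPDATED_RE), "%a %b %d %H:%M:%S %Y"),
        "last_attempt": _parse_time(first(_ATTEMPT_RE), "%a %b %d %H:%M:%S %Y"),
        "result": first(_RESULT_RE),
    }


def assess(status: Dict[str, object], now: Union[datetime, str, None] = None,
           stale_after_days: int = 7, expiry_warning_days: int = 30) -> List[str]:
    """Return sorted findings; 'now' may be a datetime or an ISO-8601 string (assumed thresholds)."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings: List[str] = []
    version = status.get("version")
    try:
        not_downloaded = version is None or float(str(version)) == 0.0
    except ValueError:
        not_downloaded = False
    if not_downloaded:
        findings.append("aiap-not-downloaded")   # check app-control policy, FMWR, FortiGuard reachability
    elif not status.get("signed"):
        findings.append("aiap-unsigned")
    expiry = status.get("contract_expiry")
    if not isinstance(expiry, datetime):
        findings.append("contract-expiry-unknown")
    elif expiry < now:
        findings.append("contract-expired")       # updates stop; last downloaded signatures keep working
    elif expiry - now <= timedelta(days=expiry_warning_days):
        findings.append("contract-expiring-soon")
    last = status.get("last_updated")
    if isinstance(last, datetime) and now - last > timedelta(days=stale_after_days):
        findings.append("aiap-stale")
    if status.get("result") not in EXPECTED_RESULTS:
        findings.append("last-attempt-not-ok")
    return sorted(findings)


if __name__ == "__main__":
    for text in (SAMPLE_OUTPUT, NOT_UPDATED_OUTPUT):
        print(assess(parse_genai_status(text), "2025-06-25"))
```

<p>Feeding the function the whole diagnose autoupdate versions dump rather than the grep excerpt works too, because only the GenAI block is sliced out before the fields are matched; the date formats follow the sample output on the page and should be re-checked against a live device.</p>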
<p><strong>Why it Matters.</strong> FortiOS 8.0's GenAI detection functionality provides enterprises with a complete AI visibility and control system, a key technical means to address Shadow AI and data leakage risks, meeting the urgent needs of enterprises for AI tool control.</p><p><strong>Decision.</strong> For enterprises using FortiGate, it is recommended to deploy GenAI detection functionality in Monitor mode first, establish an AI usage baseline before gradually transitioning to stricter control policies, while assessing SSL deep inspection deployment costs and endpoint certificate distribution complexity.</p><p><strong>Prediction.</strong> In the future, GenAI detection may be deeply integrated with DLP to achieve sensitive information detection in AI interaction content, while potentially introducing AI-driven signature generation capabilities to achieve rapid identification of emerging AI applications.</p>