Fortinet black logo

New Features

Virtual patching on the local-in management interface 7.2.4

Copy Link
Copy Doc ID 77966226-6996-11ec-bdf2-fa163e15d75b:393161
Download PDF

Virtual patching on the local-in management interface 7.2.4

Note

This information is also available in the FortiOS 7.2 Administration Guide:

Virtual patching is a method of mitigating vulnerability exploits by using the FortiGate’s IPS engine to block known vulnerabilities. Virtual patching can be applied to traffic destined to the FortiGate by applying IPS signatures to the local-in interface using local-in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities.

When the virtual-patch option is enabled in a local-in policy, the IPS engine queries the FortiGuard API server using the WAD process to obtain a list of vulnerabilities targeting the FortiGate on a particular version. IPS enables vulnerability rules to scan local-in traffic on the specified interface. All matched local-in traffic is dropped accordingly.

To configure virtual patching:
config firewall local-in-policy 
    edit <id>
        set virtual-patch {enable | disable}
    next
end

The FortiGate must have a valid IPS license in order to use the virtual-patch option. Additionally, the extended IPS database must be enabled for more vulnerabilities to be covered.

Note

This licensing is changed in FortiOS 7.2.6 and later, and 7.4.1 and later. See the FortiOS Administration Guide for more information.

To enable the extended database:
config ips global
    set database extended
end

Once virtual-patch is enabled, the WAD process will periodically query vulnerability items from the FortiGuard API server and forward it to IPS.

Sample vulnerability item found on the FortiGuard API server
{"vendor":"fortinet","min_version":"6.0.0","severity":"high","vuln_type":"Permission/Priviledge/Access Control","refs":["CVE-2018-13382"],"ID":108824,"product":"fortios","patch_sig_id":0,"description":"An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests","max_version":"6.0.4","date_added":"2022-09-20 18:33:50.517577","date_updated":"2022-09-20 18:33:50.517594"}

FortiGuard can be queried from the FortiOS CLI for a list of vulnerability rules while specifying parameters for the vendor, version, product, and model by running the diagnose wad dev-vuln query command. For example, to query Fortinet's FortiOS 7.0.3:

# diagnose wad dev-vuln query vendor=fortinet&version=7.0.3&product=fortios
FortiGate-201E # Dev-Vuln fetching is in process...
Dev-Vuln Lookup result: success, cache: miss, fgd: found, item: 0x7fbd2f09e138
Vulnerability details: 
 info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.0.0
   'version.max' = 7.0.3
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2022-10-06 17:45:18.208424
  'date_updated' = 2022-10-06 17:45:18.208440
        'sig_id' = 0
       'vuln_id' = 146868
      'severity' = 2
...

After receiving the vulnerability rules from the WAD process, the IPS engine marks them as virtual patch rules mapped to each CVE vulnerability signature. For example:

FortiOS.NodeJS.Proxy.Authentication.Bypass(CVE-2022-40684)

FortiOS.SSL.VPN.Web.Portal.Password.Improper.Authentication(CVE-2018-13382)

FortiOS.SSL.VPN.Web.Protoal.Pathname.Information.Disclosure(CVE-2018-13379)

Example

In this example, the FortiGate’s port2 is configured with virtual patching enabled. In the test scenario, the FortiGate is set to debug mode in order to block a harmless attack. IPS will scan local-in traffic and all matched local-in traffic will be dropped accordingly. Intrusion prevention logs will be recorded.

To configure virtual patching on the local-in management interface:
  1. Configure the local-in policy:

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "ALL"
            set schedule "always"
            set virtual-patch enable
        next
    end
  2. For testing purpose only, enable all signatures for the virtual patch feature:

    # diagnose ips vpatch enable-all
  3. From the Linux client, start a cURL download:

    root@PC02:~# curl -vk -F "file=@eicar" https://10.1.100.175 -m 10

    The attack is blocked, and a security event log (intrusion prevention) is recorded.

  4. Reset the virtual patch enabled signatures back to the default:

    # diagnose ips vpatch reset

Virtual patching on the local-in management interface 7.2.4

Note

This information is also available in the FortiOS 7.2 Administration Guide:

Virtual patching is a method of mitigating vulnerability exploits by using the FortiGate’s IPS engine to block known vulnerabilities. Virtual patching can be applied to traffic destined to the FortiGate by applying IPS signatures to the local-in interface using local-in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using IPS signatures pushed from FortiGuard, thereby virtually patching these vulnerabilities.

When the virtual-patch option is enabled in a local-in policy, the IPS engine queries the FortiGuard API server using the WAD process to obtain a list of vulnerabilities targeting the FortiGate on a particular version. IPS enables vulnerability rules to scan local-in traffic on the specified interface. All matched local-in traffic is dropped accordingly.

To configure virtual patching:
config firewall local-in-policy 
    edit <id>
        set virtual-patch {enable | disable}
    next
end

The FortiGate must have a valid IPS license in order to use the virtual-patch option. Additionally, the extended IPS database must be enabled for more vulnerabilities to be covered.

Note

This licensing is changed in FortiOS 7.2.6 and later, and 7.4.1 and later. See the FortiOS Administration Guide for more information.

To enable the extended database:
config ips global
    set database extended
end

Once virtual-patch is enabled, the WAD process will periodically query vulnerability items from the FortiGuard API server and forward it to IPS.

Sample vulnerability item found on the FortiGuard API server
{"vendor":"fortinet","min_version":"6.0.0","severity":"high","vuln_type":"Permission/Priviledge/Access Control","refs":["CVE-2018-13382"],"ID":108824,"product":"fortios","patch_sig_id":0,"description":"An Improper Authorization vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to modify the password of an SSL VPN web portal user via specially crafted HTTP requests","max_version":"6.0.4","date_added":"2022-09-20 18:33:50.517577","date_updated":"2022-09-20 18:33:50.517594"}

FortiGuard can be queried from the FortiOS CLI for a list of vulnerability rules while specifying parameters for the vendor, version, product, and model by running the diagnose wad dev-vuln query command. For example, to query Fortinet's FortiOS 7.0.3:

# diagnose wad dev-vuln query vendor=fortinet&version=7.0.3&product=fortios
FortiGate-201E # Dev-Vuln fetching is in process...
Dev-Vuln Lookup result: success, cache: miss, fgd: found, item: 0x7fbd2f09e138
Vulnerability details: 
 info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.0.0
   'version.max' = 7.0.3
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2022-10-06 17:45:18.208424
  'date_updated' = 2022-10-06 17:45:18.208440
        'sig_id' = 0
       'vuln_id' = 146868
      'severity' = 2
...

After receiving the vulnerability rules from the WAD process, the IPS engine marks them as virtual patch rules mapped to each CVE vulnerability signature. For example:

FortiOS.NodeJS.Proxy.Authentication.Bypass(CVE-2022-40684)

FortiOS.SSL.VPN.Web.Portal.Password.Improper.Authentication(CVE-2018-13382)

FortiOS.SSL.VPN.Web.Protoal.Pathname.Information.Disclosure(CVE-2018-13379)

Example

In this example, the FortiGate’s port2 is configured with virtual patching enabled. In the test scenario, the FortiGate is set to debug mode in order to block a harmless attack. IPS will scan local-in traffic and all matched local-in traffic will be dropped accordingly. Intrusion prevention logs will be recorded.

To configure virtual patching on the local-in management interface:
  1. Configure the local-in policy:

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "ALL"
            set schedule "always"
            set virtual-patch enable
        next
    end
  2. For testing purpose only, enable all signatures for the virtual patch feature:

    # diagnose ips vpatch enable-all
  3. From the Linux client, start a cURL download:

    root@PC02:~# curl -vk -F "file=@eicar" https://10.1.100.175 -m 10

    The attack is blocked, and a security event log (intrusion prevention) is recorded.

  4. Reset the virtual patch enabled signatures back to the default:

    # diagnose ips vpatch reset