Fortinet white logo
Fortinet white logo

New Features

Virtual patching profile 7.4.1

Virtual patching profile 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

Virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. This is done in several steps:

  1. A FortiGate uses the OT Detection signatures and service to collect device information from OT devices that are connected to an interface.

  2. The device information is used to perform a vulnerability lookup by querying FortiGuard for device-specific vulnerabilities and mitigation rules.

  3. The FortiGate caches the applicable signatures and mitigation rules that apply to each device, mapped to the MAC address of the device.

  4. When a virtual patching profile is applied to a firewall policy, traffic that enters the firewall policy is subject to signature matching on a per-device basis.

    1. The IPS engine uses the MAC address of the device to match any mitigation rules that should apply.

    2. If the MAC address is in the exempted list, then patching is exempted or skipped.

    3. If the signature rule is in the exempted list, then patching is also exempted or skipped for that signature.

    4. Otherwise, all applicable rules for the device will be applied.

A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. See OT virtual patching on NAC policies for more information.

The following are requirements for the virtual patching feature:

  • Purchase the appropriate OT-related license (virtual patching only applies to OT devices). See Operational Technology Security Service 7.4.1 for more information.

  • Enable device detection on the LAN interface.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control profile in order for device detection to occur. OT device detection collects device information by triggering application control signatures.

The following options can be configured in a virtual patching profile:

GUI option

CLI option

Description

Basic profile settings

Name

name <string>

Enter a unique name for the profile.

Severity

severity {low medium high critical}

Set the relative severity of the signature, from low to critical.

Action

action {pass | block}

Set the action to take for a matched device:

  • Pass/pass: allow sessions that match the profile.
  • Block/block: block sessions that match the profile (default).

Logging

log {enable | disable}

Enable/disable detection logging. This setting is enabled by default.

Comments

comment <var-string>

Enter a comment (optional).

Virtual patching exemptions settings

Status

status {enable | disable}

Enable/disable exemption.

MAC addresses

device <mac_address1>, <mac_address2>, ...

Enter the device MAC addresses to exempt.

Signature ID

rule <id1>, <id2>, ...

Enter the pre-defined or custom signatures to exempt.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:
  1. Verify the current contracts licensed to the FortiGate:

    # diagnose test update info
    …
    OTDT,Mon Sep 24 17:00:00 2029
    OTVP,Mon Sep 24 17:00:00 2029
    …
  2. Verify the versions and status of the OT definitions:

    # diagnose autoupdate versions
    …
    OT Detect Definitions
    ---------
    Version: 23.00545 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:40:03 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    --
    OT Patch Definitions
    ---------
    Version: 23.00505 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:39:50 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    …
  3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 1000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

    # get rule otdt status
    app-name: "Apple.iPad"
    id: 10000870
    category: "OT"
    cat-id: 34
    popularity: 5.low
    risk: 1.medium
    weight: 10
    shaping: 0
    protocol: 1.TCP, 9.HTTP
    vendor: 7.Apple
    technology: 0.Network-Protocol
    behavior: 
    dev_cat: Other
  4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

    # get rule otvp status                      
    rule-name: "WAP.Generic.XSS"
    rule-id: 10000684
    rev: 20.321
    date: 1653379200
    action: pass
    status: enable
    log: disable
    log-packet: disable
    severity: 2.medium
    service: TCP, HTTP
    location: server
    os: Other
    application: Other
    rate-count: 0
    rate-duration: 0
    rate-track: none
    rate-mode: continuous
    vuln_type: XSS
    cve: 20198625
To configure virtual patching in the GUI:
  1. Enable device detection on port2 :

    1. Go to Network > Interfaces and edit port2.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New.

    2. Configure the following settings:

      Name

      test

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

    3. Enable Application Control and select an application control profile (default).

    4. Set SSL Inspection to a profile that uses deep inspection profile in order to scan SSL encrypted traffic.

    5. Configure the other settings as needed.

    6. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on port2:

    config system interface
        edit "port2"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "test"
            set comment ''
            set severity low medium high critical
            set action block
            set log enable
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set application-list "default"
            set virtual-patch-profile "default"
            set nat enable
        next
    end
To test the virtual patching:
  1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated in order for the FortiGate to perform device detection on port2. The OT detection signature 10000870 will be triggered, which considers this traffic from an OT device in this simulated scenario:

    # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

    A log is generated, indicating the traffic that triggered the match:

    3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

    The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

  2. Verify the vulnerability by device MAC and IP address:

    # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
    Got 28 vulnerabilities, response size:1792
    [Vulnerability-0]
            'vulnerability_id' = '110977'
            'severity' = '2'
            'signature' = '10000684'
    
  3. Verify the virtual patch signatures stored and enabled on the FortiGate:

    # diagnose ips share list otvp_cfgcache
    f2:d7:39:5d:40:21 1 10000684 
    
  4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 1000684 to match and is subsequently blocked by the firewall policy:

    # curl -X POST http://172.16.200.55/'index.html?<javascript>'
  5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

    # execute log filter category 24
    # execute log display 
    2 logs found.
    2 logs returned.
    
    1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices with information or higher vulnerabilities, as demonstrated in OT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:
  1. Enable device detection on vlan300:

    1. Go to Network > Interfaces and edit vlan300.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

    2. Configure the following settings:

      Name

      OT_check

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

    3. Enable Application Control and select an application control profile (default).

    4. Configure the other settings as needed.

    5. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on vlan300:

    config system interface
        edit "vlan300"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "OT_check"
            set severity low medium high critical
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set name "virtualpatch-policy"
            set srcintf "vlan300"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set application-list "default"
            set virtual-patch-profile "OT_check"
            set logtraffic all
        next
    end
  4. Verify the logs:

    # execute log filter category utm-virtual-patch			
    # execute log display
    ...
    1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"

Virtual patching profile 7.4.1

Virtual patching profile 7.4.1

Note

This information is also available in the FortiOS 7.4 Administration Guide:

Virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. This is done in several steps:

  1. A FortiGate uses the OT Detection signatures and service to collect device information from OT devices that are connected to an interface.

  2. The device information is used to perform a vulnerability lookup by querying FortiGuard for device-specific vulnerabilities and mitigation rules.

  3. The FortiGate caches the applicable signatures and mitigation rules that apply to each device, mapped to the MAC address of the device.

  4. When a virtual patching profile is applied to a firewall policy, traffic that enters the firewall policy is subject to signature matching on a per-device basis.

    1. The IPS engine uses the MAC address of the device to match any mitigation rules that should apply.

    2. If the MAC address is in the exempted list, then patching is exempted or skipped.

    3. If the signature rule is in the exempted list, then patching is also exempted or skipped for that signature.

    4. Otherwise, all applicable rules for the device will be applied.

A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. See OT virtual patching on NAC policies for more information.

The following are requirements for the virtual patching feature:

  • Purchase the appropriate OT-related license (virtual patching only applies to OT devices). See Operational Technology Security Service 7.4.1 for more information.

  • Enable device detection on the LAN interface.

    • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

    • In the CLI, enter:

      config system interface
          edit <name>
              set device-identification enable
          next
      end
  • Configure a firewall policy with an application control profile in order for device detection to occur. OT device detection collects device information by triggering application control signatures.

The following options can be configured in a virtual patching profile:

GUI option

CLI option

Description

Basic profile settings

Name

name <string>

Enter a unique name for the profile.

Severity

severity {low medium high critical}

Set the relative severity of the signature, from low to critical.

Action

action {pass | block}

Set the action to take for a matched device:

  • Pass/pass: allow sessions that match the profile.
  • Block/block: block sessions that match the profile (default).

Logging

log {enable | disable}

Enable/disable detection logging. This setting is enabled by default.

Comments

comment <var-string>

Enter a comment (optional).

Virtual patching exemptions settings

Status

status {enable | disable}

Enable/disable exemption.

MAC addresses

device <mac_address1>, <mac_address2>, ...

Enter the device MAC addresses to exempt.

Signature ID

rule <id1>, <id2>, ...

Enter the pre-defined or custom signatures to exempt.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:
  1. Verify the current contracts licensed to the FortiGate:

    # diagnose test update info
    …
    OTDT,Mon Sep 24 17:00:00 2029
    OTVP,Mon Sep 24 17:00:00 2029
    …
  2. Verify the versions and status of the OT definitions:

    # diagnose autoupdate versions
    …
    OT Detect Definitions
    ---------
    Version: 23.00545 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:40:03 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    --
    OT Patch Definitions
    ---------
    Version: 23.00505 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:39:50 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    …
  3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 1000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

    # get rule otdt status
    app-name: "Apple.iPad"
    id: 10000870
    category: "OT"
    cat-id: 34
    popularity: 5.low
    risk: 1.medium
    weight: 10
    shaping: 0
    protocol: 1.TCP, 9.HTTP
    vendor: 7.Apple
    technology: 0.Network-Protocol
    behavior: 
    dev_cat: Other
  4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

    # get rule otvp status                      
    rule-name: "WAP.Generic.XSS"
    rule-id: 10000684
    rev: 20.321
    date: 1653379200
    action: pass
    status: enable
    log: disable
    log-packet: disable
    severity: 2.medium
    service: TCP, HTTP
    location: server
    os: Other
    application: Other
    rate-count: 0
    rate-duration: 0
    rate-track: none
    rate-mode: continuous
    vuln_type: XSS
    cve: 20198625
To configure virtual patching in the GUI:
  1. Enable device detection on port2 :

    1. Go to Network > Interfaces and edit port2.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New.

    2. Configure the following settings:

      Name

      test

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

    3. Enable Application Control and select an application control profile (default).

    4. Set SSL Inspection to a profile that uses deep inspection profile in order to scan SSL encrypted traffic.

    5. Configure the other settings as needed.

    6. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on port2:

    config system interface
        edit "port2"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "test"
            set comment ''
            set severity low medium high critical
            set action block
            set log enable
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set application-list "default"
            set virtual-patch-profile "default"
            set nat enable
        next
    end
To test the virtual patching:
  1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated in order for the FortiGate to perform device detection on port2. The OT detection signature 10000870 will be triggered, which considers this traffic from an OT device in this simulated scenario:

    # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

    A log is generated, indicating the traffic that triggered the match:

    3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

    The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

  2. Verify the vulnerability by device MAC and IP address:

    # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
    Got 28 vulnerabilities, response size:1792
    [Vulnerability-0]
            'vulnerability_id' = '110977'
            'severity' = '2'
            'signature' = '10000684'
    
  3. Verify the virtual patch signatures stored and enabled on the FortiGate:

    # diagnose ips share list otvp_cfgcache
    f2:d7:39:5d:40:21 1 10000684 
    
  4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 1000684 to match and is subsequently blocked by the firewall policy:

    # curl -X POST http://172.16.200.55/'index.html?<javascript>'
  5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

    # execute log filter category 24
    # execute log display 
    2 logs found.
    2 logs returned.
    
    1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices with information or higher vulnerabilities, as demonstrated in OT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:
  1. Enable device detection on vlan300:

    1. Go to Network > Interfaces and edit vlan300.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

    2. Configure the following settings:

      Name

      OT_check

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

    3. Enable Application Control and select an application control profile (default).

    4. Configure the other settings as needed.

    5. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on vlan300:

    config system interface
        edit "vlan300"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "OT_check"
            set severity low medium high critical
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set name "virtualpatch-policy"
            set srcintf "vlan300"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set application-list "default"
            set virtual-patch-profile "OT_check"
            set logtraffic all
        next
    end
  4. Verify the logs:

    # execute log filter category utm-virtual-patch			
    # execute log display
    ...
    1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"