Virtual patching profile 7.4.1
This information is also available in the FortiOS 7.4 Administration Guide.
Virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. This is done in several steps:
- A FortiGate uses the OT Detection signatures and service to collect device information from OT devices that are connected to an interface.
- The device information is used to perform a vulnerability lookup by querying FortiGuard for device-specific vulnerabilities and mitigation rules.
- The FortiGate caches the applicable signatures and mitigation rules that apply to each device, mapped to the MAC address of the device.
- When a virtual patching profile is applied to a firewall policy, traffic that enters the firewall policy is subject to signature matching on a per-device basis.
- The IPS engine uses the MAC address of the device to match any mitigation rules that should apply:
  - If the MAC address is in the exempted list, then patching is exempted or skipped.
  - If the signature rule is in the exempted list, then patching is also exempted or skipped for that signature.
  - Otherwise, all applicable rules for the device will be applied.
A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. See OT virtual patching on NAC policies for more information.
The following are requirements for the virtual patching feature:
- Purchase the appropriate OT-related license (virtual patching only applies to OT devices). See Operational Technology Security Service 7.4.1 for more information.
- Enable device detection on the LAN interface.
  - In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.
  - In the CLI, enter:

        config system interface
            edit <name>
                set device-identification enable
            next
        end

- Configure a firewall policy with an application control profile in order for device detection to occur. OT device detection collects device information by triggering application control signatures.
The following options can be configured in a virtual patching profile:

GUI option | CLI option | Description
---|---|---
Basic profile settings | |
Name | name <string> | Enter a unique name for the profile.
Severity | severity {low medium high critical} | Set the relative severity of the signatures to match, from low to critical.
Action | action {pass \| block} | Set the action to take for a matched device: pass or block.
Logging | log {enable \| disable} | Enable/disable detection logging. This setting is enabled by default.
Comments | comment <var-string> | Enter a comment (optional).
Virtual patching exemptions settings | |
Status | status {enable \| disable} | Enable/disable the exemption.
MAC addresses | device <mac_address1>, <mac_address2>, ... | Enter the device MAC addresses to exempt.
Signature ID | rule <id1>, <id2>, ... | Enter the pre-defined or custom signatures to exempt.
Example 1: basic configuration
This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.
For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.
To verify the status of the OT-related definitions:
- Verify the current contracts licensed to the FortiGate:

        # diagnose test update info
        …
        OTDT,Mon Sep 24 17:00:00 2029
        OTVP,Mon Sep 24 17:00:00 2029
        …

- Verify the versions and status of the OT definitions:

        # diagnose autoupdate versions
        …
        OT Detect Definitions
        ---------
        Version: 23.00545 signed
        Contract Expiry Date: Sun Sep 23 2029
        Last Updated using manual update on Thu Jul 20 09:40:03 2023
        Last Update Attempt: n/a
        Result: Updates Installed
        --
        OT Patch Definitions
        ---------
        Version: 23.00505 signed
        Contract Expiry Date: Sun Sep 23 2029
        Last Updated using manual update on Thu Jul 20 09:39:50 2023
        Last Update Attempt: n/a
        Result: Updates Installed
        …

- View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 10000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

        # get rule otdt status
        app-name: "Apple.iPad"
        id: 10000870
        category: "OT"
        cat-id: 34
        popularity: 5.low
        risk: 1.medium
        weight: 10
        shaping: 0
        protocol: 1.TCP, 9.HTTP
        vendor: 7.Apple
        technology: 0.Network-Protocol
        behavior:
        dev_cat: Other

- View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

        # get rule otvp status
        rule-name: "WAP.Generic.XSS"
        rule-id: 10000684
        rev: 20.321
        date: 1653379200
        action: pass
        status: enable
        log: disable
        log-packet: disable
        severity: 2.medium
        service: TCP, HTTP
        location: server
        os: Other
        application: Other
        rate-count: 0
        rate-duration: 0
        rate-track: none
        rate-mode: continuous
        vuln_type: XSS
        cve: 20198625
To configure virtual patching in the GUI:
- Enable device detection on port2:
  - Go to Network > Interfaces and edit port2.
  - In the Network section, enable Device detection.
  - Click OK.
- Configure the virtual patching profile:
  - Go to Security Profiles > Virtual Patching and click Create New.
  - Configure the following settings:
    - Name: test
    - Severity: select Low, Medium, High, and Critical
    - Action: Block
    - Logging: Enable
  - Click OK.
- Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).
  - Enable Application Control and select an application control profile (default).
  - Set SSL Inspection to a profile that uses deep inspection so that SSL-encrypted traffic can be scanned.
  - Configure the other settings as needed.
  - Click OK.
To configure virtual patching in the CLI:
- Enable device detection on port2:

        config system interface
            edit "port2"
                set device-identification enable
            next
        end

- Configure the virtual patching profile:

        config virtual-patch profile
            edit "test"
                set comment ''
                set severity low medium high critical
                set action block
                set log enable
            next
        end

- Apply the virtual patching profile (test) to a firewall policy:

        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "port1"
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set ssl-ssh-profile "custom-deep-inspection"
                set application-list "default"
                set virtual-patch-profile "test"
                set nat enable
            next
        end
To test the virtual patching:
- On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated so that the FortiGate performs device detection on port2. The OT detection signature 10000870 is triggered, which classifies this traffic as coming from an OT device in this simulated scenario:

        # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

  A log is generated, indicating the traffic that triggered the match:

        3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

  The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.
- Verify the vulnerability by device MAC and IP address:

        # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
        Got 28 vulnerabilities, response size:1792
        [Vulnerability-0]
        'vulnerability_id' = '110977'
        'severity' = '2'
        'signature' = '10000684'

- Verify the virtual patch signatures stored and enabled on the FortiGate:

        # diagnose ips share list otvp_cfgcache
        f2:d7:39:5d:40:21 1 10000684

- Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 10000684 to match and is subsequently blocked by the firewall policy:

        # curl -X POST http://172.16.200.55/'index.html?<javascript>'

- Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

        # execute log filter category 24
        # execute log display
        2 logs found.
        2 logs returned.
        1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684
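The two log records above (the app-ctrl OT detection event and the virtual-patch verdict) can be correlated per source IP to confirm the end-to-end flow for a device. The following Python is an added illustration, not FortiOS code or code from the guide: it parses FortiGate key=value log lines, including quoted values that themselves contain "=" such as clouddevice, and maps each source IP that app control classified as an OT device to the virtual-patch verdicts recorded for it. The sample lines are constructed, trimmed versions of the logs shown above plus one constructed non-OT event, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log lines, trimmed from the app-ctrl and virtual-patch
# log formats shown in this example (not a capture from a real FortiGate).
SAMPLE_LOGS = [
    'date=2023-07-24 time=15:31:26 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="signature" appid=10000870 srcip=10.1.100.22 dstip=172.16.200.55 '
    'srcintf="port2" policyid=1 action="pass" appcat="OT" app="Apple.iPad" '
    'agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X)" msg="OT: Apple.iPad" '
    'clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS"',
    # constructed non-OT app-ctrl event: must not be treated as an OT device
    'date=2023-07-24 time=15:32:10 logid="1059028704" type="utm" subtype="app-ctrl" '
    'eventtype="signature" srcip=10.1.100.50 dstip=172.16.200.55 action="pass" '
    'appcat="Web.Client" app="Firefox"',
    'date=2023-07-20 time=16:03:00 logid="2400064600" type="utm" subtype="virtual-patch" '
    'eventtype="virtual-patch" level="warning" severity="medium" srcip=10.1.100.22 '
    'dstip=172.16.200.55 action="dropped" proto=6 service="HTTP" policyid=1 '
    'attack="WAP.Generic.XSS" url="/index.html?<javascript>" agent="curl/7.61.1" '
    'httpmethod="POST" attackid=10000684 msg="vPatch: WAP.Generic.XSS"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces,
# '=' and '?') or a bare token. The quoted alternative is tried first, so an '='
# inside quotes (e.g. clouddevice="Vendor=Apple, ...") does not start a new key.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def correlate_ot_events(lines):
    """Map each source IP classified as an OT device (app-ctrl, appcat=OT) to the
    (attack, attackid, action) virtual-patch verdicts logged for that source."""
    devices = {}
    patches = defaultdict(list)
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") == "app-ctrl" and f.get("appcat") == "OT":
            devices[f["srcip"]] = f.get("app")
        elif f.get("subtype") == "virtual-patch":
            patches[f["srcip"]].append(
                (f.get("attack"), int(f.get("attackid", 0)), f.get("action")))
    return {ip: {"app": app, "patched": patches.get(ip, [])}
            for ip, app in devices.items()}
```

A device that appears with an app-ctrl OT match but an empty patched list has been detected and looked up but has not yet had any traffic match a cached patch signature.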
Example 2: NAC policy
In this example, a NAC policy is pre-configured to detect devices with vulnerabilities of severity information or higher, as demonstrated in OT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.
A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.
To configure virtual patching in the GUI:
- Enable device detection on vlan300:
  - Go to Network > Interfaces and edit vlan300.
  - In the Network section, enable Device detection.
  - Click OK.
- Configure the virtual patching profile:
  - Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.
  - Configure the following settings:
    - Name: OT_check
    - Severity: select Low, Medium, High, and Critical
    - Action: Block
    - Logging: Enable
  - Click OK.
- Apply the virtual patching profile to a firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.
  - In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).
  - Enable Application Control and select an application control profile (default).
  - Configure the other settings as needed.
  - Click OK.
To configure virtual patching in the CLI:
- Enable device detection on vlan300:

        config system interface
            edit "vlan300"
                set device-identification enable
            next
        end

- Configure the virtual patching profile:

        config virtual-patch profile
            edit "OT_check"
                set severity low medium high critical
            next
        end

- Apply the virtual patching profile to a firewall policy:

        config firewall policy
            edit 1
                set name "virtualpatch-policy"
                set srcintf "vlan300"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set application-list "default"
                set virtual-patch-profile "OT_check"
                set logtraffic all
            next
        end

- Verify the logs:

        # execute log filter category utm-virtual-patch
        # execute log display
        ...
        1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"