Unified OT virtual patching and IPS signatures 7.6.1
This information is also available in the FortiOS 7.6 Administration Guide.
Virtual patching now includes OT virtual patching and IPS signatures. This allows IPS signatures to be used in OT/IoT vulnerability lookup and response, covering additional threats and vulnerabilities.
Virtual patching works by:
- Collecting device information on connected devices.
- Performing a vulnerability query through FortiGuard for device-specific vulnerabilities.
- Retrieving and caching application signatures and mitigation rules for the device.
- Applying the application rules on matched device traffic.
In the second step, FortiGuard now returns additional signature IDs based on the IPS database that can match vulnerabilities on most IT devices, such as Windows, Mac, and so on.
Examples
To demonstrate the flow of a virtual patching detection, an IPS signature (Eicar.Virus.Test.File, id=29844) was added to a demo FortiGuard server. This can be observed in the following debug output:
# diagnose ips share list otvp_cfgcache
10.1.100.11 f2:d7:39:5d:40:11 3 29844(ips) 10000673(n/a) 10000684
This output shows the cached application rule that associates the IPS signature 29844 with the source device 10.1.100.11.
Traffic originating from that device (10.1.100.11) that matches this signature (29844) will trigger either the virtual patching profile, if enabled, or the IPS profile, if enabled. This use case demonstrates that an OT virtual patching profile can use an IPS signature for matching, and will either drop or reset the connection.
Note that rule 29844 is not valid on the production server; it is only for testing and demonstration purposes.
To configure the profiles and firewall:
config virtual-patch profile
    edit "g-default"
        set comment ''
        set severity info low medium high critical
        set action block
        set log enable
    next
end
config ips sensor
    edit "test"
        config entries
            edit 1
                set rule 29844
                set status enable
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set nat enable
    next
end
Example 1
If only the virtual patch profile is enabled in the firewall policy, its configuration takes effect and a virtual patch log is generated.
To configure the firewall:
config firewall policy
    edit 1
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:40:09 eventtime=1731721208854825766 tz="+1200" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=266 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=48970 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"
Example 2
If both the IPS sensor's and virtual patch profile's actions are set to block, the IPS sensor configuration takes effect and an IPS log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action block
            next
        end
    next
end
config firewall policy
    edit 1
        set ips-sensor "test"
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:43:03 eventtime=1731721383128922224 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=304 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=32880 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237864 msg="file_transfer: Eicar.Virus.Test.File"
Example 3
If the IPS sensor's action is pass and the virtual patch profile's action is block, the virtual patch profile configuration takes effect and a virtual patch log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action pass
            next
        end
    next
end
config firewall policy
    edit 1
        set ips-sensor "test"
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:50:24 eventtime=1731721824022513590 tz="+1200" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=411 action="dropped" proto=6 service="HTTPS" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37108 dstport=443 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"
Example 4
If only the IPS sensor is enabled in the firewall policy, its configuration takes effect and an IPS log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action reset
            next
        end
    next
end
config firewall policy
    edit 1
        set ips-sensor "test"
    next
end
To check the log:
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:44:57 eventtime=1731721497986271293 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=345 action="reset" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=39416 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237865 msg="file_transfer: Eicar.Virus.Test.File"
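The four examples above differ only in which engine wins and therefore which log category (24 for virtual patching, 4 for IPS) records the verdict. The following script is an added example, not part of the FortiOS documentation or Fortinet's code: it parses the key=value log format shown above, flags virtual-patch events whose signature came from the IPS database, and encodes the precedence the four examples demonstrate (an assumption generalised from them: an applied IPS sensor whose action is not pass takes effect; otherwise the virtual patch profile does) so a log can be checked against the intended policy configuration.

```python
import re

# Log lines copied from Example 1 and Example 2 above, trimmed to the fields this script uses
# (constructed sample input for the script, not a live capture).
VPATCH_LOG = ('logid="2400064600" type="utm" subtype="virtual-patch" eventtype="ot-vpatch" '
              'srcip=10.1.100.11 dstip=172.16.200.55 action="dropped" attack="Eicar.Virus.Test.File" '
              'attackid=29844 profile="g-default" '
              'msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"')
IPS_LOG = ('logid="0419016384" type="utm" subtype="ips" eventtype="signature" srcip=10.1.100.11 '
           'dstip=172.16.200.55 action="dropped" attack="Eicar.Virus.Test.File" attackid=29844 '
           'profile="test" ref="http://www.fortinet.com/ids/VID29844" '
           'msg="file_transfer: Eicar.Virus.Test.File"')

# FortiOS logs are space-separated key=value pairs; quoted values may contain spaces,
# unquoted values run to the next space.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortilog(line):
    """Parse one FortiOS log line into a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarize(line):
    """Reduce a log line to the fields an analyst triages: which engine logged it, the
    profile and action, the signature id, and whether the signature was served from the
    IPS database rather than the OT vulnerability feed (the marker shown in Examples 1 and 3)."""
    e = parse_fortilog(line)
    return {
        "engine": e.get("subtype"),           # "virtual-patch" (category 24) or "ips" (category 4)
        "profile": e.get("profile"),
        "action": e.get("action"),
        "attackid": int(e["attackid"]),
        "from_ips_db": "(signature is from IPS DB)" in e.get("msg", ""),
    }


def enforcing_engine(ips_action, vpatch_enabled):
    """Which engine should produce the verdict for a policy. ips_action is None when no IPS
    sensor is applied, else "pass", "block" or "reset". Assumption generalised from Examples
    1-4: a sensor with a non-pass action wins; pass or no sensor defers to virtual patching."""
    if ips_action is not None and ips_action != "pass":
        return "ips"
    return "virtual-patch" if vpatch_enabled else None


def log_matches_config(line, ips_action, vpatch_enabled):
    """True when the log's subtype is the engine the policy configuration should have enforced."""
    return summarize(line)["engine"] == enforcing_engine(ips_action, vpatch_enabled)
```

Feed it the full lines from `execute log display` unchanged; the parser ignores fields it does not use.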