Unified OT virtual patching and IPS signatures 7.6.1
Virtual patching now includes OT virtual patching and IPS signatures. This allows IPS sensors and virtual patch profiles to work together seamlessly, enhancing system security and efficiency.
Use cases
An IPS signature (Eicar.Virus.Test.File (id=29844)) was added to the FortiGuard Server for an OT device. Traffic originating from a device that matches this signature will trigger either the virtual patching profile, if enabled, or the IPS profile, if enabled. This use case demonstrates that an OT virtual profile can use an IPS signature for matching.
Note that rule 29844 is not valid on the production server; it is only for testing and demonstration purposes.
To configure the profiles and firewall:
config virtual-patch profile
    edit "g-default"
        set comment ''
        set severity info low medium high critical
        set action block
        set log enable
    next
end

config ips sensor
    edit "test"
        config entries
            edit 1
                set rule 29844
                set status enable
            next
        end
    next
end

config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set nat enable
    next
end
Case 1
If only the virtual patch profile is enabled in the firewall policy, its configuration takes effect and a virtual patch log is generated.
To configure the firewall:
config firewall policy
    edit 1
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:40:09 eventtime=1731721208854825766 tz="+1200" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=266 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=48970 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"
Case 2
If both the IPS sensor's and virtual patch profile's actions are set to block, the IPS sensor configuration takes effect and an IPS log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action block
            next
        end
    next
end

config firewall policy
    edit 1
        set ips-sensor "test"
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:43:03 eventtime=1731721383128922224 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=304 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=32880 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237864 msg="file_transfer: Eicar.Virus.Test.File"
Case 3
If the IPS sensor's action is pass and the virtual patch profile's action is block, the virtual patch profile configuration takes effect and a virtual patch log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action pass
            next
        end
    next
end

config firewall policy
    edit 1
        set ips-sensor "test"
        set virtual-patch-profile "g-default"
    next
end
To check the log:
# execute log filter category 24
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:50:24 eventtime=1731721824022513590 tz="+1200" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="ot-vpatch" level="warning" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=411 action="dropped" proto=6 service="HTTPS" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37108 dstport=443 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, (signature is from IPS DB)"
Case 4
If only the IPS sensor is enabled in the firewall policy, its configuration takes effect and an IPS log is generated.
To configure the IPS sensor and firewall:
config ips sensor
    edit "test"
        config entries
            edit 1
                set action reset
            next
        end
    next
end

config firewall policy
    edit 1
        set ips-sensor "test"
    next
end
To check the log:
# execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
1: date=2024-11-16 time=13:44:57 eventtime=1731721497986271293 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="info" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=345 action="reset" proto=6 service="HTTP" policyid=1 poluuid="b8a98718-dfc9-51ee-3aff-53c8c1b65d82" policytype="policy" attack="Eicar.Virus.Test.File" srcport=39416 dstport=80 hostname="172.16.200.55" url="/virus/eicar" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="test" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=156237865 msg="file_transfer: Eicar.Virus.Test.File"
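The four cases above define a precedence between the IPS sensor and the virtual patch profile, and the resulting records differ only in subtype, profile and the "(signature is from IPS DB)" marker. The following is an added example, not Fortinet code: a small parser for the key=value records printed by execute log display, plus a function that encodes the precedence rules so an analyst can check which profile should have enforced a verdict. The sample records are constructed with abbreviated fields, not copied from a device.

```python
import re
from typing import Dict, Optional, Tuple

# A FortiOS log record is a run of key=value pairs; a value is either
# double-quoted (may contain spaces) or a bare token with no whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one 'execute log display' record into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def enforcing_profile(ips_action: Optional[str], vpatch_enabled: bool) -> Optional[Tuple[str, int]]:
    """Which profile takes effect for a matched IPS signature, per cases 1-4.

    ips_action is None when no IPS sensor is attached to the policy, otherwise
    the sensor entry's action ('block', 'pass' or 'reset'). Returns the log
    subtype and the 'execute log filter' category (4 = ips, 24 = virtual-patch)."""
    if ips_action is not None and ips_action != "pass":
        return ("ips", 4)              # cases 2 and 4: the sensor verdict wins
    if vpatch_enabled:
        return ("virtual-patch", 24)   # cases 1 and 3: virtual patch enforces
    return None                        # no profile, or only a passing sensor: not covered above

def summarize(line: str) -> Dict[str, object]:
    """Pull the fields worth checking when triaging one of these records."""
    rec = parse_fortios_log(line)
    return {
        "subtype": rec.get("subtype"),
        "action": rec.get("action"),
        "profile": rec.get("profile"),
        "attackid": int(rec.get("attackid", "0")),
        # virtual patch records tag signatures borrowed from the IPS database
        "from_ips_db": "signature is from IPS DB" in rec.get("msg", ""),
    }

# Constructed samples carrying the same fields as the case 1 and case 4 logs.
SAMPLE_VPATCH = ('1: date=2024-11-16 time=13:40:09 type="utm" subtype="virtual-patch" '
                 'eventtype="ot-vpatch" srcip=10.1.100.11 dstip=172.16.200.55 '
                 'action="dropped" attack="Eicar.Virus.Test.File" attackid=29844 '
                 'profile="g-default" msg="file_transfer: Eicar.Virus.Test.File, '
                 '(signature is from IPS DB)"')
SAMPLE_IPS = ('1: date=2024-11-16 time=13:44:57 type="utm" subtype="ips" '
              'eventtype="signature" srcip=10.1.100.11 dstip=172.16.200.55 '
              'action="reset" attack="Eicar.Virus.Test.File" attackid=29844 '
              'profile="test" msg="file_transfer: Eicar.Virus.Test.File"')

if __name__ == "__main__":
    for rec in (SAMPLE_VPATCH, SAMPLE_IPS):
        print(summarize(rec))
```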