New Features

Attack Surface Security Rating service 7.4.1

The following table provides an overview of changes to the Security Rating service entitlement starting in 7.4.1:

Row 1
  7.4.0 and earlier: Security Rating entitlement. Includes:
    • PSIRT/Outbreak Package Definitions
    • Checking all the PSIRT/Outbreak rules in Security Rating
    • Running all the built-in free and paid security rating rules
  7.4.1 and later: Attack Surface Security Rating entitlement. Includes:
    • Running all the built-in free and paid security rating rules
    • Checking all the Outbreak rules in Security Rating
    • Displaying CIS compliance information
    • IoT Detection Definitions
    • IoT Query

Row 2
  7.4.0 and earlier: Firmware entitlement. Includes:
    • Application Control Signatures
    • Device & OS Identification
    • Internet Service Database Definitions
  7.4.1 and later: Firmware entitlement*. Includes:
    • Application Control Signatures
    • Device & OS Identification
    • Internet Service Database Definitions
    • PSIRT Package Definitions
    • Checking all PSIRT rules in Security Rating

Row 3
  7.4.0 and earlier: IoT Detection service. Includes:
    • IoT Detection Definitions
    • IoT Query
  7.4.1 and later: n/a

* The list is not exhaustive and does not include services such as FortiGate Virtual Patch Signatures, Inline-CASB, and SaaS Application Definitions.

Re-position the PSIRT packages into the Firmware entitlement

Starting in 7.4.1, PSIRT-related packages and functionality are re-positioned from the Security Rating entitlement into the Firmware entitlement. This gives more customers, including those with only the basic Firmware entitlement, access to the latest PSIRT package updates, and the associated checks can be run under Security Fabric > Security Rating > Security Posture.

Devices with different entitlements can expect the following behaviors:

Entitlement                     | Action
Firmware | Attack Surface       | Download PSIRT  | Run PSIRT        | Run built-in paid   | Run built-in free
(FMWR)   | Security Rating      | package from    | security rating  | security rating     | security rating
         | (FGSA)               | FortiGuard      | checks           | checks              | checks
---------+----------------------+-----------------+------------------+---------------------+------------------
Yes      | No                   | Yes             | Yes              | No                  | Yes
Yes      | Yes                  | Yes             | Yes              | Yes                 | Yes
No       | No                   | No              | No               | No                  | Yes
No       | Yes                  | No              | No               | Yes                 | Yes

Example 1: device with Firmware entitlement, but no Attack Surface Security Rating entitlement

On the System > FortiGuard page, note that Firmware & General Updates is licensed, but Attack Surface Security Rating is not.

PSIRT-related rules can be executed from the Security Fabric > Security Rating > Security Posture page.

Free built-in security rating rules can be run. Paid rules cannot be run and are grouped under the Unlicensed category.

Example 2: device with both Firmware and Attack Surface Security Rating entitlements

In this scenario, all PSIRT, Outbreak, paid, and free rules can be run. There is no Unlicensed rule category.

Example 3: device with no Firmware or Attack Surface Security Rating entitlement

In this scenario, only free built-in rules can be run. Other rules are grouped under the Unlicensed category.

Merge the IoT Detection service into the Attack Surface Security Rating service

Starting in 7.4.1, the IoT Detection service, which includes IoT Detection Definitions (APDB) and the IoT Query service (IOTH), is merged into the Attack Surface Security Rating service (FGSA).

The following table provides a breakdown of the entitlements before and after upgrading:

Before upgrading            | After upgrading
Entitlement     | Licensed  | Entitlement                    | Licensed
----------------+-----------+--------------------------------+------------------------------------
Security Rating | Yes       | Attack Surface Security Rating | Yes
IoT Detection   | Yes       |                                | Yes, for IoT Detection subcategory
----------------+-----------+--------------------------------+------------------------------------
Security Rating | Yes       | Attack Surface Security Rating | Yes
IoT Detection   | No        |                                | Yes, for IoT Detection subcategory
----------------+-----------+--------------------------------+------------------------------------
Security Rating | No        | Attack Surface Security Rating | No
IoT Detection   | Yes       |                                | Yes, for IoT Detection subcategory
----------------+-----------+--------------------------------+------------------------------------
Security Rating | No        | Attack Surface Security Rating | No
IoT Detection   | No        |                                | No, for IoT Detection subcategory

Example 1: device does not have an Attack Surface Security Rating entitlement

On the System > FortiGuard page, note that Attack Surface Security Rating is not licensed, and IoT Detection Definitions was not downloaded.

In the Dashboard > Status > Licenses widget, hovering over the Rating icon displays a tooltip that the status of Attack Surface Security Rating is Not Licensed.

Example 2: device has an Attack Surface Security Rating entitlement

On the System > FortiGuard page, note that Attack Surface Security Rating is licensed, and IoT Detection Definitions is downloaded.

To view the definitions and license information in the CLI:
  1. Verify the IoT definition version and update status:

    # diagnose autoupdate versions | grep IoT -A 6
    IoT Detect Definitions
    ---------
    Version: 25.00600 signed
    Contract Expiry Date: n/a
    Last Updated using manual update on Fri Jul 14 11:12:19 2023
    Last Update Attempt: Fri Jul 14 11:12:19 2023
    Result: Updates Installed
  2. Verify the Attack Surface Security Rating (FGSA) license and IoT detection service object:

    # diagnose test update info
    …
    System contracts:
    …
    FGSA,Thu Jun 13 17:00:00 2024
    …
    Object versions: 
    …
    07004000IOTD00105-00025.00600-2307121926
    …
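
The two CLI checks above can be automated rather than read by eye, for example from a scheduled job that collects the output over SSH. The following Python is an added example and is not Fortinet code: it parses the 'diagnose autoupdate versions' and 'diagnose test update info' excerpts (embedded as constructed samples copied from the page), extracts the installed IoT Detect Definitions version, the FGSA contract expiry and the IOTD object version, and reports whether the definitions are signed and installed, whether the FGSA contract is still active on a given date, and whether the object version agrees with the installed definitions. The field layout assumed for the object-version string (8-digit prefix, 4-letter service code, 5-digit object id, version, YYMMDDHHMM timestamp) is inferred from the single sample on the page and is an assumption, as are all function names.

```python
"""Check FortiGate IoT Detection definitions and FGSA contract status from CLI output.

Added example for this page; not Fortinet code. The sample outputs are constructed
from the excerpts shown above. The layout assumed for the object-version string
(8-digit prefix, 4-letter service code, 5-digit object id, 'major.minor' version,
YYMMDDHHMM timestamp) is inferred from that one sample and is an assumption.
"""
import re
from datetime import datetime

# Constructed sample: 'diagnose autoupdate versions | grep IoT -A 6' as shown on the page.
AUTOUPDATE_VERSIONS_OUTPUT = """\
IoT Detect Definitions
---------
Version: 25.00600 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jul 14 11:12:19 2023
Last Update Attempt: Fri Jul 14 11:12:19 2023
Result: Updates Installed
"""

# Constructed sample: the relevant lines of 'diagnose test update info' as shown on the page.
UPDATE_INFO_OUTPUT = """\
System contracts:
FGSA,Thu Jun 13 17:00:00 2024
Object versions:
07004000IOTD00105-00025.00600-2307121926
"""

CTIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. 'Thu Jun 13 17:00:00 2024'

# Assumed layout of one 'Object versions' entry (inferred from the single sample).
OBJECT_VERSION_RE = re.compile(r"(\d{8})([A-Z]{4})(\d{5})-(\d{5})\.(\d{5})-(\d{10})")


def parse_ctime(text):
    """Parse the ctime-style timestamps FortiOS prints, e.g. 'Thu Jun 13 17:00:00 2024'."""
    return datetime.strptime(text.strip(), CTIME_FORMAT)


def parse_autoupdate_versions(text):
    """Return {package name: {field: value}}; a package is a name line over a dashed rule."""
    packages, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and re.fullmatch(r"-+", nxt):
            current = packages.setdefault(line.strip(), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
        elif current is not None and line.startswith("Last Updated"):
            current["Last Updated"] = line.strip()  # free-form line, kept whole
    return packages


def parse_contracts(text):
    """Return {contract code: expiry datetime} from the 'System contracts:' section."""
    contracts, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "System contracts:":
            in_section = True
            continue
        if stripped.endswith(":"):  # any other section header ends the contracts list
            in_section = False
        match = re.fullmatch(r"([A-Z0-9]+),(.+)", stripped)
        if in_section and match:
            contracts[match.group(1)] = parse_ctime(match.group(2))
    return contracts


def parse_object_versions(text):
    """Return one dict per object-version line that matches the assumed layout."""
    objects = []
    for line in text.splitlines():
        match = OBJECT_VERSION_RE.fullmatch(line.strip())
        if match:
            _prefix, service, obj_id, major, minor, stamp = match.groups()
            objects.append({
                "raw": line.strip(),
                "service": service,                  # 'IOTD' for IoT Detection definitions
                "object_id": obj_id,
                "version": f"{int(major)}.{minor}",  # '00025.00600' -> '25.00600'
                "built": datetime.strptime(stamp, "%y%m%d%H%M"),
            })
    return objects


def assess_iot_entitlement(versions_output, update_info_output, now):
    """Combine both outputs into findings a monitoring job can alert on."""
    pkg = parse_autoupdate_versions(versions_output).get("IoT Detect Definitions", {})
    version_field = pkg.get("Version", "")
    installed = version_field.split()[0] if version_field else None
    fgsa_expiry = parse_contracts(update_info_output).get("FGSA")
    iot_objects = [o for o in parse_object_versions(update_info_output) if o["service"] == "IOTD"]
    return {
        "definitions_installed": installed is not None and pkg.get("Result") == "Updates Installed",
        "definitions_signed": version_field.endswith("signed"),
        "definitions_version": installed,
        "fgsa_licensed": fgsa_expiry is not None,
        "fgsa_active": fgsa_expiry is not None and now < fgsa_expiry,
        "fgsa_expiry": fgsa_expiry,
        "object_version_matches": any(o["version"] == installed for o in iot_objects),
    }


if __name__ == "__main__":
    findings = assess_iot_entitlement(AUTOUPDATE_VERSIONS_OUTPUT, UPDATE_INFO_OUTPUT, datetime.now())
    for name, value in findings.items():
        print(f"{name:24} {value}")
```

A job that feeds this the live output of a device with only the Firmware entitlement would see fgsa_licensed False and no IOTD object, which is the state described in Example 1 above; an expired FGSA contract shows as fgsa_licensed True but fgsa_active False, which is the case worth alerting on because the definitions may still be present but will stop updating.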
