Attack Surface Security Rating service 7.4.1
The following table provides an overview of changes to the Security Rating service entitlement starting in 7.4.1:
| 7.4.0 and earlier | 7.4.1 and later |
|---|---|
| Security Rating entitlement Includes: | Attack Surface Security Rating entitlement Includes: |
| Firmware entitlement Includes: | Firmware entitlement* Includes: |
| IoT Detection service Includes: | n/a |
* The list is not exhaustive and does not include services such as FortiGate Virtual Patch Signatures, Inline-CASB, and SaaS Application Definitions.
Re-position the PSIRT packages into the Firmware entitlement
Starting in 7.4.1, PSIRT-related packages and functionality are re-positioned from the Security Rating entitlement into the Firmware entitlement. This gives more customers with only the basic Firmware entitlement access to the latest PSIRT package updates, which can be executed under Security Fabric > Security Rating > Security Posture checks.
Devices with different entitlements can expect the following behaviors (the first two columns are the entitlements, the remaining four are the actions):

| Firmware (FMWR) | Attack Surface Security Rating (FGSA) | Download PSIRT package from FortiGuard | Run PSIRT security rating checks | Run built-in paid security rating checks | Run built-in free security rating checks |
|---|---|---|---|---|---|
| Yes | No | Yes | Yes | No | Yes |
| Yes | Yes | Yes | Yes | Yes | Yes |
| No | No | No | No | No | Yes |
| No | Yes | No | No | Yes | Yes |
Example 1: device with Firmware entitlement, but no Attack Surface Security Rating entitlement
On the System > FortiGuard page, note that Firmware & General Updates is licensed, but Attack Surface Security Rating is not.
PSIRT-related rules can be executed from the Security Fabric > Security Rating > Security Posture page.
Free built-in security rating rules can be run. Paid rules cannot be run and fall under the Unlicensed category.
Example 2: device with both Firmware and Attack Surface Security Rating entitlements
In this scenario, all PSIRT, Outbreak, paid, and free rules can be run. There is no Unlicensed rule category.
Example 3: device with no Firmware or Attack Surface Security Rating entitlement
In this scenario, only free built-in rules can be run. Other rules are grouped under the Unlicensed category.
Merge the IoT Detection service into the Attack Surface Security Rating service
Starting in 7.4.1, the IoT Detection service, which includes IoT Detection Definitions (APDB) and the IoT Query service (IOTH), is merged into the Attack Surface Security Rating service (FGSA).
The following table provides a breakdown of the entitlements before and after upgrading:
| Before upgrading | After upgrading |
|---|---|
| Security Rating licensed: Yes; IoT Detection licensed: Yes | Attack Surface Security Rating licensed: Yes; IoT Detection subcategory licensed: Yes |
| Security Rating licensed: Yes; IoT Detection licensed: No | Attack Surface Security Rating licensed: Yes; IoT Detection subcategory licensed: Yes |
| Security Rating licensed: No; IoT Detection licensed: Yes | Attack Surface Security Rating licensed: No; IoT Detection subcategory licensed: Yes |
| Security Rating licensed: No; IoT Detection licensed: No | Attack Surface Security Rating licensed: No; IoT Detection subcategory licensed: No |
Example 1: device does not have an Attack Surface Security Rating entitlement
On the System > FortiGuard page, note that Attack Surface Security Rating is not licensed, and IoT Detection Definitions was not downloaded.
In the Dashboard > Status > Licenses widget, hovering over the Rating icon displays a tooltip that the status of Attack Surface Security Rating is Not Licensed.
Example 2: device has an Attack Surface Security Rating entitlement
On the System > FortiGuard page, note that Attack Surface Security Rating is licensed, and IoT Detection Definitions is downloaded.
To view the definitions and license information in the CLI:

- Verify the IoT definition version and update status:

```
# diagnose autoupdate versions | grep IoT -A 6
IoT Detect Definitions
---------
Version: 25.00600 signed
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jul 14 11:12:19 2023
Last Update Attempt: Fri Jul 14 11:12:19 2023
Result: Updates Installed
```

- Verify the Attack Surface Security Rating (FGSA) license and IoT detection service object:

```
# diagnose test update info
…
System contracts:
…
FGSA,Thu Jun 13 17:00:00 2024
…
Object versions:
…
07004000IOTD00105-00025.00600-2307121926
…
```
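As an added example (not Fortinet code), the following Python helper parses the `diagnose test update info` output shown above into contract expiry dates and the IoT definition object version, then applies the entitlement table from the PSIRT section to report which security rating checks the device can run. The sample output is constructed from the excerpt, and the assumption that the field between the first two `-` of the object line is the zero-padded version is the author's, not documented on this page.

```python
import re
from datetime import datetime
# Constructed sample in the shape of the excerpt above (a real device lists many more).
SAMPLE_UPDATE_INFO = """\
System contracts:
FMWR,Thu Jun 13 17:00:00 2024
FGSA,Thu Jun 13 17:00:00 2024
Object versions:
07004000IOTD00105-00025.00600-2307121926
"""
CONTRACT_RE = re.compile(r"^([A-Z0-9]{4}),(.+)$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # matches "Thu Jun 13 17:00:00 2024"

def parse_sections(text):
    """Split the output into {section_name: [lines]} on its 'Name:' header lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif current is not None and line and line != "…":
            sections[current].append(line)
    return sections

def parse_contracts(text):
    """Return {contract_code: expiry datetime} from the 'System contracts' section."""
    contracts = {}
    for line in parse_sections(text).get("System contracts", []):
        m = CONTRACT_RE.match(line)
        if m:
            contracts[m.group(1)] = datetime.strptime(m.group(2).strip(), DATE_FMT)
    return contracts

def iot_definition_version(text):
    """Version of the IoT Detection Definitions (IOTD) object, or None if absent.
    Assumption: the field between the first two '-' is the zero-padded version."""
    for line in parse_sections(text).get("Object versions", []):
        if "IOTD" in line:
            major, minor = line.split("-")[1].split(".")
            return f"{int(major)}.{minor}"
    return None

def rating_capabilities(contracts, now):
    """Apply the entitlement table above: PSIRT needs FMWR, paid checks need FGSA."""
    def active(code):
        return code in contracts and contracts[code] > now
    fmwr, fgsa = active("FMWR"), active("FGSA")
    return {"download_psirt_package": fmwr, "run_psirt_checks": fmwr,
            "run_paid_checks": fgsa, "run_free_checks": True}
```

Run it against outputs collected from a fleet of FortiGates to spot devices whose FMWR contract has lapsed and which will therefore stop receiving PSIRT packages after the upgrade.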