Administration Guide

OT virtual patching basic examples

This topic contains two OT virtual patching examples: a basic configuration, and a configuration that uses a NAC policy.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:
  1. Verify the current contracts licensed to the FortiGate:

    # diagnose test update info
    …
    OTDT,Mon Sep 24 17:00:00 2029
    OTVP,Mon Sep 24 17:00:00 2029
    …
  2. Verify the versions and status of the OT definitions:

    # diagnose autoupdate versions
    …
    OT Detect Definitions
    ---------
    Version: 23.00545 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:40:03 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    --
    OT Patch Definitions
    ---------
    Version: 23.00505 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:39:50 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    …
  3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 10000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

    # get rule otdt status
    app-name: "Apple.iPad"
    id: 10000870
    category: "OT"
    cat-id: 34
    popularity: 5.low
    risk: 1.medium
    weight: 10
    shaping: 0
    protocol: 1.TCP, 9.HTTP
    vendor: 7.Apple
    technology: 0.Network-Protocol
    behavior: 
    dev_cat: Other
  4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

    # get rule otvp status
    rule-name: "WAP.Generic.XSS"
    rule-id: 10000684
    rev: 20.321
    date: 1653379200
    action: pass
    status: enable
    log: disable
    log-packet: disable
    severity: 2.medium
    service: TCP, HTTP
    location: server
    os: Other
    application: Other
    rate-count: 0
    rate-duration: 0
    rate-track: none
    rate-mode: continuous
    vuln_type: XSS
    cve: 20198625
To configure virtual patching in the GUI:
  1. Enable device detection on port2:

    1. Go to Network > Interfaces and edit port2.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New.

    2. Configure the following settings:

      Name

      test

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

    3. Enable Application Control and select an application control profile (default).

    4. Set SSL Inspection to a deep inspection profile so that SSL encrypted traffic can be scanned.

    5. Configure the other settings as needed.

    6. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on port2:

    config system interface
        edit "port2"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "test"
            set comment ''
            set severity low medium high critical
            set action block
            set log enable
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set application-list "default"
            set virtual-patch-profile "default"
            set nat enable
        next
    end
To test the virtual patching:
  1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated so that the FortiGate can perform device detection on port2. The OT detection signature 10000870 is triggered, which classifies this traffic as coming from an OT device in this simulated scenario:

    # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

    A log is generated, indicating the traffic that triggered the match:

    3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

    The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

  2. Verify the vulnerability by device MAC and IP address:

    # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
    Got 28 vulnerabilities, response size:1792
    [Vulnerability-0]
            'vulnerability_id' = '110977'
            'severity' = '2'
            'signature' = '10000684'
    
  3. Verify the virtual patch signatures stored and enabled on the FortiGate:

    # diagnose ips share list otvp_cfgcache
    f2:d7:39:5d:40:21 1 10000684 
    
  4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 10000684 to match and is subsequently blocked by the firewall policy:

    # curl -X POST http://172.16.200.55/'index.html?<javascript>'
  5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

    # execute log filter category 24
    # execute log display 
    2 logs found.
    2 logs returned.
    
    1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices that have vulnerabilities of severity information or higher, as demonstrated in OT and IoT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:
  1. Enable device detection on vlan300:

    1. Go to Network > Interfaces and edit vlan300.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

    2. Configure the following settings:

      Name

      OT_check

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

    3. Enable Application Control and select an application control profile (default).

    4. Configure the other settings as needed.

    5. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on vlan300:

    config system interface
        edit "vlan300"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "OT_check"
            set severity low medium high critical
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set name "virtualpatch-policy"
            set srcintf "vlan300"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set application-list "default"
            set virtual-patch-profile "OT_check"
            set logtraffic all
        next
    end
  4. Verify the logs:

    # execute log filter category utm-virtual-patch
    # execute log display
    ...
    1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"
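The following parser is an added example, not code from Fortinet or from this guide. It reads the `execute log display` records shown in the test steps of Example 1 and the log verification step of Example 2 (the three records below are copied from this page), extracts the OT device detection event (`subtype="app-ctrl"`, `appcat="OT"`) and the virtual-patch drops (`subtype="virtual-patch"`, `action="dropped"`), and joins them by source IP so a responder can see which identified device each `attackid` was applied to. It assumes the FortiGate `key=value` field syntax with double-quoted string values, as in the records on this page.

```python
import re
from typing import Dict, List, Optional

# One FortiGate log field: key=value, where value is a double-quoted string
# (which may contain spaces, '=' and '<') or a bare token such as 10.1.100.22.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one 'execute log display' record into a dict of fields.

    The leading "N: " record index is dropped. When a key repeats (the
    Example 1 virtual-patch record carries eventtype twice) the last value wins.
    """
    line = re.sub(r"^\s*\d+:\s*", "", line)
    fields: Dict[str, str] = {}
    for key, value in _FIELD.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ot_detections(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Source IPs that application control classified as OT devices (appcat="OT")."""
    devices: Dict[str, Dict[str, str]] = {}
    for rec in map(parse_fortigate_log, lines):
        if rec.get("subtype") == "app-ctrl" and rec.get("appcat") == "OT":
            devices[rec["srcip"]] = {
                "app": rec.get("app", ""),
                "appid": rec.get("appid", ""),
                "clouddevice": rec.get("clouddevice", ""),
            }
    return devices


def virtual_patch_blocks(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Virtual-patch events where the FortiGate dropped the matching traffic.

    Each block is joined with the OT detection for the same source IP.
    'device' is None when no OT detection record for that IP is in the input,
    which is the case for the NAC-policy device in Example 2.
    """
    devices = ot_detections(lines)
    blocks: List[Dict[str, Optional[str]]] = []
    for rec in map(parse_fortigate_log, lines):
        if rec.get("subtype") != "virtual-patch" or rec.get("action") != "dropped":
            continue
        blocks.append({
            "srcip": rec["srcip"],
            "srcintf": rec.get("srcintf"),
            "attack": rec.get("attack"),
            "attackid": rec.get("attackid"),
            "url": rec.get("url"),
            "policyid": rec.get("policyid"),
            "device": devices.get(rec["srcip"], {}).get("app"),
        })
    return blocks


# Records copied from this page: the Example 1 app-ctrl OT detection log, the
# Example 1 virtual-patch log, and the Example 2 virtual-patch log.
SAMPLE_LOGS = [
    '3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"',
    '1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684',
    '1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"',
]

if __name__ == "__main__":
    for block in virtual_patch_blocks(SAMPLE_LOGS):
        print(block)
```

The Example 1 virtual-patch record has no `srcintf` field (its interface appears under `srcintfrole`), so `srcintf` is None for that block; the Example 2 device shows `device` None because the input contains no OT detection record for 10.1.100.11.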
