Fortinet black logo

EMS Administration Guide

Define exceptions for Firewall Detect & Block Exploits feature

Define exceptions for Firewall Detect & Block Exploits feature

When you enable Detect & Block Exploits in an Application Firewall profile in EMS, FortiClient inspects network traffic for intrusions attempting to exploit known vulnerabilities and blocks application traffic based on the intrusion prevention system (IPS) signature IDs. You can define exceptions to allow any application traffic based on the IPS signature ID. You can obtain the signature IDs from FortiGuard Labs. Application Firewall allows access to application traffic that matches signature IDs configured in the pass action list. You can configure multiple signature IDs on the same rule.

This feature is helpful for when you want to allow network access for an application that Detect & Block Exploits blocks. In the example, Veeam Data Platform, a data backup and restore application, backs up data to a remote server through Remote.CMD.Shell. The example configures an exception for Remote.CMD.Shell IPS signature ID to allow network access to the Veeam application. If you do not configure an exception, Application Firewall detects Remote.CMD.Shell as an exploit and blocks Veeam application traffic.

To define exceptions for Application Firewall Detect & Block Exploits:
  1. In EMS, go to Endpoint Profiles > Firewall.
  2. Add a new profile or edit an existing one.
  3. Under General, enable Detect & Block Exploits. Save.

  4. Click XML, then Edit.
  5. Add the following pass rule for IPS detection, using the <ips> element, entering the IPS signature ID of the desired application. The example enters 12449, the IPS signature ID for Remote.CMD.Shell:
    <forticlient_configuration>
        <firewall>
            <enable_exploit_signatures>1</enable_exploit_signatures>
            <show_bubble_notifications>1</show_bubble_notifications>
            <candc_enabled>1</candc_enabled>
            <current_profile>1000</current_profile>
            <app_enabled>1</app_enabled>
            <profiles>
                <profile>
                    <id>1000</id>
                    <rules>
                        <rule>
                            <enabled>1</enabled>
                            <action>block</action>
                            <category>
                                <id>23</id>
                            </category>
                        </rule>
                        <rule>
                            <enabled>1</enabled>
                            <action>monitor</action>
                            <category>
                                <id>8</id>
                            </category>
                        </rule>
                        <rule>
                            <enabled>1</enabled>
                            <action>pass</action>
                            <ips>
                                <id>12449</id>
                            </ips>
                        </rule>
                    </rules>
                </profile>
            </profiles>
        </firewall>
        <endpoint_control>
            <ui>
                <display_firewall>1</display_firewall>
            </ui>
        </endpoint_control>
    </forticlient_configuration>

After an endpoint (Endpoint A) receives the configuration update, you can access Endpoint A's Command Prompt from another endpoint (Endpoint B) if Endpoint B has an application installed for launching a remote command shell. You can pass Windows commands to execute on Endpoint A from Endpoint B. FortiClient on Endpoint A does not block the execution of these commands because of the configuration of Remote.CMD.Shell IPS signature ID (12449) as an exception.

Define exceptions for Firewall Detect & Block Exploits feature

When you enable Detect & Block Exploits in an Application Firewall profile in EMS, FortiClient inspects network traffic for intrusions attempting to exploit known vulnerabilities and blocks application traffic based on the intrusion prevention system (IPS) signature IDs. You can define exceptions to allow any application traffic based on the IPS signature ID. You can obtain the signature IDs from FortiGuard Labs. Application Firewall allows access to application traffic that matches signature IDs configured in the pass action list. You can configure multiple signature IDs on the same rule.

This feature is helpful for when you want to allow network access for an application that Detect & Block Exploits blocks. In the example, Veeam Data Platform, a data backup and restore application, backs up data to a remote server through Remote.CMD.Shell. The example configures an exception for Remote.CMD.Shell IPS signature ID to allow network access to the Veeam application. If you do not configure an exception, Application Firewall detects Remote.CMD.Shell as an exploit and blocks Veeam application traffic.

To define exceptions for Application Firewall Detect & Block Exploits:
  1. In EMS, go to Endpoint Profiles > Firewall.
  2. Add a new profile or edit an existing one.
  3. Under General, enable Detect & Block Exploits. Save.

  4. Click XML, then Edit.
  5. Add the following pass rule for IPS detection, using the <ips> element, entering the IPS signature ID of the desired application. The example enters 12449, the IPS signature ID for Remote.CMD.Shell:
    <forticlient_configuration>
        <firewall>
            <enable_exploit_signatures>1</enable_exploit_signatures>
            <show_bubble_notifications>1</show_bubble_notifications>
            <candc_enabled>1</candc_enabled>
            <current_profile>1000</current_profile>
            <app_enabled>1</app_enabled>
            <profiles>
                <profile>
                    <id>1000</id>
                    <rules>
                        <rule>
                            <enabled>1</enabled>
                            <action>block</action>
                            <category>
                                <id>23</id>
                            </category>
                        </rule>
                        <rule>
                            <enabled>1</enabled>
                            <action>monitor</action>
                            <category>
                                <id>8</id>
                            </category>
                        </rule>
                        <rule>
                            <enabled>1</enabled>
                            <action>pass</action>
                            <ips>
                                <id>12449</id>
                            </ips>
                        </rule>
                    </rules>
                </profile>
            </profiles>
        </firewall>
        <endpoint_control>
            <ui>
                <display_firewall>1</display_firewall>
            </ui>
        </endpoint_control>
    </forticlient_configuration>

After an endpoint (Endpoint A) receives the configuration update, you can access Endpoint A's Command Prompt from another endpoint (Endpoint B) if Endpoint B has an application installed for launching a remote command shell. You can pass Windows commands to execute on Endpoint A from Endpoint B. FortiClient on Endpoint A does not block the execution of these commands because of the configuration of Remote.CMD.Shell IPS signature ID (12449) as an exception.