Virtual patching NEW

Virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. This is done in several steps:

1. A FortiGate uses the OT Detection signatures and service to collect device information from OT devices that are connected to an interface.

2. The device information is used to perform a vulnerability lookup by querying FortiGuard for device-specific vulnerabilities and mitigation rules.

3. The FortiGate caches the applicable signatures and mitigation rules that apply to each device, mapped to the MAC address of the device.

4. When a virtual patching profile is applied to a firewall policy, traffic that enters the firewall policy is subject to signature matching on a per-device basis.

   1. The IPS engine uses the MAC address of the device to match any mitigation rules that should apply.

   2. If the MAC address is in the exempted list, then patching is exempted or skipped.

   3. If the signature rule is in the exempted list, then patching is also exempted or skipped for that signature.

   4. Otherwise, all applicable rules for the device will be applied.

A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. See OT and IoT virtual patching on NAC policies for more information.

The following are requirements for the virtual patching feature:

• Purchase the appropriate OT-related license (virtual patching only applies to OT devices). See Operational Technology Security Service for more information.

• Enable device detection on the LAN interface.

  • In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.

  • In the CLI, enter:

    config system interface
        edit <name>
            set device-identification enable
        next
    end

• Configure a firewall policy with an application control profile in order for device detection to occur. OT device detection collects device information by triggering application control signatures.

The following options can be configured in a virtual patching profile:

GUI option	CLI option	Description
Basic profile settings
Name	name <string>	Enter a unique name for the profile.
Severity	severity {low medium high critical}	Set the relative severity of the signature, from low to critical.
Action	action {pass | block}	Set the action to take for a matched device: Pass/pass: allow sessions that match the profile. Block/block: block sessions that match the profile (default).
Logging	log {enable | disable}	Enable/disable detection logging. This setting is enabled by default.
Comments	comment <var-string>	Enter a comment (optional).
Virtual patching exemptions settings
Status	status {enable | disable}	Enable/disable exemption.
MAC addresses	device <mac_address1>, <mac_address2>, ...	Enter the device MAC addresses to exempt.
Signature ID	rule <id1>, <id2>, ...	Enter the pre-defined or custom signatures to exempt.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:

1. Verify the current contracts licensed to the FortiGate:

   # diagnose test update info
   …
   OTDT,Mon Sep 24 17:00:00 2029
   OTVP,Mon Sep 24 17:00:00 2029
   …

2. Verify the versions and status of the OT definitions:

   # diagnose autoupdate versions
   …
   OT Detect Definitions
   ---------
   Version: 23.00545 signed
   Contract Expiry Date: Sun Sep 23 2029
   Last Updated using manual update on Thu Jul 20 09:40:03 2023
   Last Update Attempt: n/a
   Result: Updates Installed
   --
   OT Patch Definitions
   ---------
   Version: 23.00505 signed
   Contract Expiry Date: Sun Sep 23 2029
   Last Updated using manual update on Thu Jul 20 09:39:50 2023
   Last Update Attempt: n/a
   Result: Updates Installed
   …

3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 1000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

   # get rule otdt status
   app-name: "Apple.iPad"
   id: 10000870
   category: "OT"
   cat-id: 34
   popularity: 5.low
   risk: 1.medium
   weight: 10
   shaping: 0
   protocol: 1.TCP, 9.HTTP
   vendor: 7.Apple
   technology: 0.Network-Protocol
   behavior: 
   dev_cat: Other

4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

   # get rule otvp status                      
   rule-name: "WAP.Generic.XSS"
   rule-id: 10000684
   rev: 20.321
   date: 1653379200
   action: pass
   status: enable
   log: disable
   log-packet: disable
   severity: 2.medium
   service: TCP, HTTP
   location: server
   os: Other
   application: Other
   rate-count: 0
   rate-duration: 0
   rate-track: none
   rate-mode: continuous
   vuln_type: XSS
   cve: 20198625

To configure virtual patching in the GUI:

1. Enable device detection on port2 :

   1. Go to Network > Interfaces and edit port2.

   2. In the Network section, enable Device detection.

   3. Click OK.

2. Configure the virtual patching profile:

   1. Go to Security Profiles > Virtual Patching and click Create New.

   2. Configure the following settings:

      Name	test
      Severity	Select Low, Medium, High, and Critical
      Action	Block
      Logging	Enable

   3. Click OK.

3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

   1. Go to Policy & Objects > Firewall Policy and click Create New.

   2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

   3. Enable Application Control and select an application control profile (default).

   4. Set SSL Inspection to a profile that uses deep inspection profile in order to scan SSL encrypted traffic.

   5. Configure the other settings as needed.

   6. Click OK.

To configure virtual patching in the CLI:

1. Enable device detection on port2:

   config system interface
       edit "port2"
           set device-identification enable
       next
   end

2. Configure the virtual patching profile:

   config virtual-patch profile
       edit "test"
           set comment ''
           set severity low medium high critical
           set action block
           set log enable
       next
   end

3. Apply the virtual patching profile to a firewall policy:

   config firewall policy
       edit 1
           set srcintf "port2"
           set dstintf "port1"
           set action accept
           set srcaddr "all"
           set dstaddr "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set ssl-ssh-profile "custom-deep-inspection"
           set application-list "default"
           set virtual-patch-profile "default"
           set nat enable
       next
   end

To test the virtual patching:

1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated in order for the FortiGate to perform device detection on port2. The OT detection signature 10000870 will be triggered, which considers this traffic from an OT device in this simulated scenario:

   # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

   A log is generated, indicating the traffic that triggered the match:

   3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

   The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

2. Verify the vulnerability by device MAC and IP address:

   # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
   Got 28 vulnerabilities, response size:1792
   [Vulnerability-0]
           'vulnerability_id' = '110977'
           'severity' = '2'
           'signature' = '10000684'
   

3. Verify the virtual patch signatures stored and enabled on the FortiGate:

   # diagnose ips share list otvp_cfgcache
   f2:d7:39:5d:40:21 1 10000684 
   

4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 1000684 to match and is subsequently blocked by the firewall policy:

   # curl -X POST http://172.16.200.55/'index.html?<javascript>'

5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

   # execute log filter category 24
   # execute log display 
   2 logs found.
   2 logs returned.
   
   1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices with information or higher vulnerabilities, as demonstrated in OT and IoT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:

1. Enable device detection on vlan300:

   1. Go to Network > Interfaces and edit vlan300.

   2. In the Network section, enable Device detection.

   3. Click OK.

2. Configure the virtual patching profile:

   1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

   2. Configure the following settings:

      Name	OT_check
      Severity	Select Low, Medium, High, and Critical
      Action	Block
      Logging	Enable

   3. Click OK.

3. Apply the virtual patching profile to a firewall policy:

   1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

   2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

   3. Enable Application Control and select an application control profile (default).

   4. Configure the other settings as needed.

   5. Click OK.

To configure virtual patching in the CLI:

1. Enable device detection on vlan300:

   config system interface
       edit "vlan300"
           set device-identification enable
       next
   end

2. Configure the virtual patching profile:

   config virtual-patch profile
       edit "OT_check"
           set severity low medium high critical
       next
   end

3. Apply the virtual patching profile to a firewall policy:

   config firewall policy
       edit 1
           set name "virtualpatch-policy"
           set srcintf "vlan300"
           set dstintf "port1"
           set srcaddr "all"
           set dstaddr "all"
           set action accept
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set application-list "default"
           set virtual-patch-profile "OT_check"
           set logtraffic all
       next
   end

4. Verify the logs:

   # execute log filter category utm-virtual-patch			
   # execute log display
   ...
   1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"