Fortinet white logo
Fortinet white logo

Administration Guide

OT virtual patching basic examples

OT virtual patching basic examples

This topic contains two OT virtual patching examples: a basic configuration, and configuration that uses a NAC policy.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:
  1. Verify the current contracts licensed to the FortiGate:

    # diagnose test update info
    …
    OTDT,Mon Sep 24 17:00:00 2029
    OTVP,Mon Sep 24 17:00:00 2029
    …
  2. Verify the versions and status of the OT definitions:

    # diagnose autoupdate versions
    …
    OT Detect Definitions
    ---------
    Version: 23.00545 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:40:03 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    --
    OT Patch Definitions
    ---------
    Version: 23.00505 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:39:50 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    …
  3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 1000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

    # get rule otdt status
    app-name: "Apple.iPad"
    id: 10000870
    category: "OT"
    cat-id: 34
    popularity: 5.low
    risk: 1.medium
    weight: 10
    shaping: 0
    protocol: 1.TCP, 9.HTTP
    vendor: 7.Apple
    technology: 0.Network-Protocol
    behavior: 
    dev_cat: Other
  4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

    # get rule otvp status                      
    rule-name: "WAP.Generic.XSS"
    rule-id: 10000684
    rev: 20.321
    date: 1653379200
    action: pass
    status: enable
    log: disable
    log-packet: disable
    severity: 2.medium
    service: TCP, HTTP
    location: server
    os: Other
    application: Other
    rate-count: 0
    rate-duration: 0
    rate-track: none
    rate-mode: continuous
    vuln_type: XSS
    cve: 20198625
To configure virtual patching in the GUI:
  1. Enable device detection on port2 :

    1. Go to Network > Interfaces and edit port2.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New.

    2. Configure the following settings:

      Name

      test

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

    3. Enable Application Control and select an application control profile (default).

    4. Set SSL Inspection to a profile that uses deep inspection profile in order to scan SSL encrypted traffic.

    5. Configure the other settings as needed.

    6. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on port2:

    config system interface
        edit "port2"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "test"
            set comment ''
            set severity low medium high critical
            set action block
            set log enable
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set application-list "default"
            set virtual-patch-profile "default"
            set nat enable
        next
    end
To test the virtual patching:
  1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated in order for the FortiGate to perform device detection on port2. The OT detection signature 10000870 will be triggered, which considers this traffic from an OT device in this simulated scenario:

    # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

    A log is generated, indicating the traffic that triggered the match:

    3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

    The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

  2. Verify the vulnerability by device MAC and IP address:

    # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
    Got 28 vulnerabilities, response size:1792
    [Vulnerability-0]
            'vulnerability_id' = '110977'
            'severity' = '2'
            'signature' = '10000684'
    
  3. Verify the virtual patch signatures stored and enabled on the FortiGate:

    # diagnose ips share list otvp_cfgcache
    f2:d7:39:5d:40:21 1 10000684 
    
  4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 1000684 to match and is subsequently blocked by the firewall policy:

    # curl -X POST http://172.16.200.55/'index.html?<javascript>'
  5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

    # execute log filter category 24
    # execute log display 
    2 logs found.
    2 logs returned.
    
    1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices with information or higher vulnerabilities, as demonstrated in OT and IoT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:
  1. Enable device detection on vlan300:

    1. Go to Network > Interfaces and edit vlan300.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

    2. Configure the following settings:

      Name

      OT_check

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

    3. Enable Application Control and select an application control profile (default).

    4. Configure the other settings as needed.

    5. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on vlan300:

    config system interface
        edit "vlan300"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "OT_check"
            set severity low medium high critical
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set name "virtualpatch-policy"
            set srcintf "vlan300"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set application-list "default"
            set virtual-patch-profile "OT_check"
            set logtraffic all
        next
    end
  4. Verify the logs:

    # execute log filter category utm-virtual-patch			
    # execute log display
    ...
    1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"

OT virtual patching basic examples

OT virtual patching basic examples

This topic contains two OT virtual patching examples: a basic configuration, and configuration that uses a NAC policy.

Example 1: basic configuration

This example demonstrates the flow for OT virtual patching from start to finish. First, a device (10.1.100.22) goes through device detection, which matches an OT detection signature downloaded on the FortiGate. Next, known vulnerabilities and OT patch signatures for this device are mapped to its MAC address. When traffic is generated by this device, IPS scans the traffic to identify any traffic patterns that match known OT patch signatures for this device. If a match is found, traffic is blocked by the FortiGate.

For demonstrative purposes, the simulated vulnerable OT device is a PC simulating web traffic from an iPad. An OT detection signature is specially crafted to match this Apple iPad traffic to the OT device category. To simulate vulnerable traffic, a test OT patch signature is used to match a generic cross-site scripting (XSS) attack over HTTP.

To verify the status of the OT related definitions:
  1. Verify the current contracts licensed to the FortiGate:

    # diagnose test update info
    …
    OTDT,Mon Sep 24 17:00:00 2029
    OTVP,Mon Sep 24 17:00:00 2029
    …
  2. Verify the versions and status of the OT definitions:

    # diagnose autoupdate versions
    …
    OT Detect Definitions
    ---------
    Version: 23.00545 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:40:03 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    --
    OT Patch Definitions
    ---------
    Version: 23.00505 signed
    Contract Expiry Date: Sun Sep 23 2029
    Last Updated using manual update on Thu Jul 20 09:39:50 2023
    Last Update Attempt: n/a
    Result: Updates Installed
    …
  3. View the OT detection rules downloaded on the FortiGate. In this example, the OT detection rule ID 1000870 is a specially crafted signature to match Apple iPad traffic to the OT category:

    # get rule otdt status
    app-name: "Apple.iPad"
    id: 10000870
    category: "OT"
    cat-id: 34
    popularity: 5.low
    risk: 1.medium
    weight: 10
    shaping: 0
    protocol: 1.TCP, 9.HTTP
    vendor: 7.Apple
    technology: 0.Network-Protocol
    behavior: 
    dev_cat: Other
  4. View the OT patch rules downloaded on the FortiGate. In this example, the OT patch rule is a specially crafted signature to match a generic XSS attack to a vulnerability:

    # get rule otvp status                      
    rule-name: "WAP.Generic.XSS"
    rule-id: 10000684
    rev: 20.321
    date: 1653379200
    action: pass
    status: enable
    log: disable
    log-packet: disable
    severity: 2.medium
    service: TCP, HTTP
    location: server
    os: Other
    application: Other
    rate-count: 0
    rate-duration: 0
    rate-track: none
    rate-mode: continuous
    vuln_type: XSS
    cve: 20198625
To configure virtual patching in the GUI:
  1. Enable device detection on port2 :

    1. Go to Network > Interfaces and edit port2.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New.

    2. Configure the following settings:

      Name

      test

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy for traffic from port2 to port1:

    1. Go to Policy & Objects > Firewall Policy and click Create New.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (test).

    3. Enable Application Control and select an application control profile (default).

    4. Set SSL Inspection to a profile that uses deep inspection profile in order to scan SSL encrypted traffic.

    5. Configure the other settings as needed.

    6. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on port2:

    config system interface
        edit "port2"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "test"
            set comment ''
            set severity low medium high critical
            set action block
            set log enable
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set application-list "default"
            set virtual-patch-profile "default"
            set nat enable
        next
    end
To test the virtual patching:
  1. On the PC, generate traffic that simulates web traffic from an iPad. This traffic is generated in order for the FortiGate to perform device detection on port2. The OT detection signature 10000870 will be triggered, which considers this traffic from an OT device in this simulated scenario:

    # curl 172.16.200.55 -H "User-Agent: Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1"

    A log is generated, indicating the traffic that triggered the match:

    3: date=2023-07-24 time=15:31:26 eventtime=1690237885960202460 tz="-0700" logid="1059028704" type="utm" subtype="app-ctrl" eventtype="signature" level="information" vd="root" appid=10000870 srcip=10.1.100.22 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcport=51548 dstport=80 srcintf="port2" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" direction="outgoing" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" sessionid=7284 applist="default" action="pass" appcat="OT" app="Apple.iPad" hostname="172.16.200.55" incidentserialno=18882457 url="/" agent="Mozilla/5.0 (iPad; CPU OS 12_5_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.1.2 Mobile/15E148 Safari/604.1" httpmethod="GET" msg="OT: Apple.iPad" clouddevice="Vendor=Apple, Product=ipados, Version=12.5.5, Firmware=IOS" apprisk="low"

    The FortiGate queries the FortiGuard OT query service with information about the OT device vendor and product. The service responds with the vulnerabilities and patch_sign_id applicable to this device. IPS caches this information in its device vulnerability database.

  2. Verify the vulnerability by device MAC and IP address:

    # diagnose user-device-store device memory vulnerability-query f2:d7:39:5d:40:21 10.1.100.22
    Got 28 vulnerabilities, response size:1792
    [Vulnerability-0]
            'vulnerability_id' = '110977'
            'severity' = '2'
            'signature' = '10000684'
    
  3. Verify the virtual patch signatures stored and enabled on the FortiGate:

    # diagnose ips share list otvp_cfgcache
    f2:d7:39:5d:40:21 1 10000684 
    
  4. Using the vulnerable device 10.1.100.22, generate vulnerable traffic to the destination server 172.16.200.55. The traffic from this IP and MAC address triggers OT patch signature 1000684 to match and is subsequently blocked by the firewall policy:

    # curl -X POST http://172.16.200.55/'index.html?<javascript>'
  5. Verify the UTM virtual patch log that was recorded with information about the vulnerability that was virtually patched:

    # execute log filter category 24
    # execute log display 
    2 logs found.
    2 logs returned.
    
    1: date=2023-07-20 time=16:03:00 eventtime=1689894179977743851 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" count=medium srcip=10.1.100.22 profiletype="Reserved" dstip=172.16.200.55 direction="Reserved" srcintfrole="port2" dstintf="undefined" dstintfrole="port1" sessionid=undefined eventtype="12514" action="dropped" proto=6 service="HTTP" policyid=1 poluuid="a3424268-1ffc-51ed-3ba9-f3a60e2271cf" policytype="policy" attack="WAP.Generic.XSS" srcport=47830 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684

Example 2: NAC policy

In this example, a NAC policy is pre-configured to detect devices with information or higher vulnerabilities, as demonstrated in OT and IoT virtual patching on NAC policies. The NAC policy assigns the devices to vlan300.

A virtual patching profile is created to block any vulnerabilities with low, medium, high, or critical severity. The profile is applied to a firewall policy for outbound traffic.

To configure virtual patching in the GUI:
  1. Enable device detection on vlan300:

    1. Go to Network > Interfaces and edit vlan300.

    2. In the Network section, enable Device detection.

    3. Click OK.

  2. Configure the virtual patching profile:

    1. Go to Security Profiles > Virtual Patching and click Create New, or edit an existing profile.

    2. Configure the following settings:

      Name

      OT_check

      Severity

      Select Low, Medium, High, and Critical

      Action

      Block

      Logging

      Enable

    3. Click OK.

  3. Apply the virtual patching profile to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New, or edit an existing policy.

    2. In the Security Profiles section, enable Virtual Patching and select the virtual patch profile (OT_check).

    3. Enable Application Control and select an application control profile (default).

    4. Configure the other settings as needed.

    5. Click OK.

To configure virtual patching in the CLI:
  1. Enable device detection on vlan300:

    config system interface
        edit "vlan300"
            set device-identification enable
        next
    end
  2. Configure the virtual patching profile:

    config virtual-patch profile
        edit "OT_check"
            set severity low medium high critical
        next
    end
  3. Apply the virtual patching profile to a firewall policy:

    config firewall policy
        edit 1
            set name "virtualpatch-policy"
            set srcintf "vlan300"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set application-list "default"
            set virtual-patch-profile "OT_check"
            set logtraffic all
        next
    end
  4. Verify the logs:

    # execute log filter category utm-virtual-patch			
    # execute log display
    ...
    1: date=2023-06-20 time=16:21:00 eventtime=1686180059982988434 tz="-0700" logid="2400064600" type="utm" subtype="virtual-patch" eventtype="virtual-patch" level="warning" vd="root" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=172.16.200.55 dstcountry="Reserved" srcintf="vlan300" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=1445 action="dropped" proto=6 service="HTTP" policyid=1 poluuid="ce6b724c-0558-51ee-e9d3-f0b8ef1c115f" policytype="policy" attack="WAP.Generic.XSS" srcport=37062 dstport=80 hostname="172.16.200.55" url="/index.html?<javascript>" agent="curl/7.61.1" httpmethod="POST" direction="outgoing" attackid=10000684 ref="http://www.fortinet.com/ids/VID10000684" incidentserialno=214959182 msg="vPatch: WAP.Generic.XSS" crscore=10 craction=16384 crlevel="medium"