Virtual patching
Virtual patching is a method for mitigating vulnerability exploits against OT devices by applying patches virtually on the FortiGate. This is done in several steps:
-
A FortiGate uses the OT Detection signatures and service to collect device information from OT devices that are connected to an interface.
-
The device information is used to perform a vulnerability lookup by querying FortiGuard for device-specific vulnerabilities and mitigation rules.
-
The FortiGate caches the applicable signatures and mitigation rules that apply to each device, mapped to the MAC address of the device.
-
When a virtual patching profile is applied to a firewall policy, traffic that enters the firewall policy is subject to signature matching on a per-device basis.
-
The IPS engine uses the MAC address of the device to match any mitigation rules that should apply.
-
If the MAC address is in the exempted list, then patching is exempted or skipped.
-
If the signature rule is in the exempted list, then patching is also exempted or skipped for that signature.
-
Otherwise, all applicable rules for the device will be applied.
-
Virtual patching profiles
A virtual patching profile can be applied to firewall policies in any direction, protecting traffic from or to the vulnerable OT devices. Virtual patching profiles can also be combined with virtual patching on NAC policies, so that vulnerable OT devices are first assigned to a protected VLAN, and then firewall policies associated with the VLAN will apply the virtual patching profile. See OT and IoT virtual patching on NAC policies for more information.
The following are requirements for the virtual patching feature:
-
Purchase the appropriate OT-related license (virtual patching only applies to OT devices). See Operational Technology Security Service and License and entitlement information for more details.
-
Enable device detection on the LAN interface.
-
In the GUI, go to Network > Interfaces, edit a LAN interface, enable Device detection, and click OK.
-
In the CLI, enter:
config system interface edit <name> set device-identification enable next end
-
-
Configure a firewall policy with an application control profile in order for device detection to occur. OT device detection collects device information by triggering application control signatures.
The following options can be configured in a virtual patching profile (see also OT virtual patching basic examples):
GUI option |
CLI option |
Description |
---|---|---|
Basic profile settings |
||
Name |
name <string> |
Enter a unique name for the profile. |
Severity |
severity {low medium high critical} |
Set the relative severity of the signature, from low to critical. |
Action |
action {pass | block} |
Set the action to take for a matched device:
|
Logging |
log {enable | disable} |
Enable/disable detection logging. This setting is enabled by default. |
Comments |
comment <var-string> |
Enter a comment (optional). |
Virtual patching exemptions settings |
||
Status |
status {enable | disable} |
Enable/disable exemption. |
MAC addresses |
device <mac_address1>, <mac_address2>, ... |
Enter the device MAC addresses to exempt. |
Signature ID |
rule <id1>, <id2>, ... |
Enter the pre-defined or custom signatures to exempt. See Virtual patching exemptions for more details. |
To configure virtual patching in the GUI, ensure that Virtual Patching is enabled on the System > Feature Visibility page. |
Virtual patching exemptions
The Signature ID field includes a dropdown below it with suggestions (signature name and ID). Users can select a signature from the Suggestions dropdown or type in the Signature ID field to find a specific signature.
Virtual patching signatures
The Security Profiles > Virtual Patching Signatures page displays all OT virtual patching signatures. When using multi-VDOM mode, the OT virtual patching signatures are displayed per VDOM.
The Dashboard > Assets & Identities > Assets widget displays a tooltip for detected IoT and OT vulnerabilities when hovering over the Vulnerabilities column.
Clicking View IoT/OT Vulnerabilities in the tooltip displays a list of vulnerabilities retrieved from the FortiGuard API server for the device. The OT Virtual Patching Signature column includes the virtual patch signature ID that is mapped to the Vulnerability ID.
License and entitlement information
If a FortiGate does not have a valid OT license, a warning message is included in top of the IoT and OT vulnerabilities tooltip (Assets widget), indicating that OT vulnerabilities will not be detected.
The right-side gutter of virtual patching profile pages includes information about the following:
-
Operational Technology (OT) Security Service entitlement status
-
OT Detection Definitions Package version
-
OT Virtual Patching Signatures Package version
The System > FortiGuard page also includes the list of signatures under the Operational Technology (OT) Security Service entitlement.