Fortinet white logo
Fortinet white logo

Administration Guide

Virtual patching on the local-in management interface

Virtual patching on the local-in management interface

Virtual patching is a method of mitigating vulnerability exploits by using the FortiGate’s IPS engine to block known vulnerabilities. Virtual patching can be applied to traffic destined to the FortiGate by applying the FMWP (Firmware Virtual Patch) database to the local-in interface using local-in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using the FMWP database pushed from FortiGuard, thereby virtually patching these vulnerabilities.

When the virtual-patch option is enabled in a local-in policy, the IPS engine queries the FortiGuard API server to:

  • Obtain a list of vulnerabilities targeting the FortiGate on a particular version

  • Determine whether the session destined to the local-in interface on the FortiGate requires a scan by identifying and tagging services in the session. The session's port number and protocol are used to identify the services. Currently only SSL VPN and web GUI services are tagged in a session.

If a tagged session lacks vulnerability signatures for the FortiOS version, then the IPS engine bypasses the session. This optimizes performance by only scanning and dropping sessions that are exploiting a vulnerability.

To configure virtual patching:
config firewall local-in-policy 
    edit <id>
        set action accept
        set virtual-patch {enable | disable}
    next
end

The FortiGate must have a valid FMWR (Firmware) license to install the FMWP database. The FMWP database can be viewed by running the diagnose autoupdate versions command.

# diagnose autoupdate versions
FMWP Definitions
---------
Version: 23.00084 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Sep  6 15:19:11 2023
Last Update Attempt: Wed Sep  6 15:40:08 2023
Result: No Updates

Once virtual-patch is enabled, the WAD process will periodically query vulnerability items from the FortiGuard API server at "productapi.corp.fortinet.com" and forward it to IPS.

Caution

For SSL VPN and ZTNA connections that terminate on the FortiGate from a client that is using a client certificate, enabling virtual-patch will cause the connection to fail. Do not enable virtual-patch if you are using either of these configurations.

Sample vulnerability item found on the FortiGuard API server
{"ID":918630,"product":"fortios","vendor":"fortinet","max_version":"7.2.5","min_version":"7.2.0","severity":"high","vuln_type":"Format String","refs":["https://www.fortiguard.com/psirt/FG-IR-23-137"],"description":"This indicates detection of a Zero-Day vulnerability protected by a signature from Fortinet's FortiGuard Labs. This signature should help mitigate the threat proactively both prior to, and after an official statement is available from the vendor. Once an official advisory or statement is available from the vendor, the signature name and its description will be updated to provide more details regarding this vulnerability. Further details may also be made available in an advisory on FortiGuard Center (http://www.fortiguard.com).","patch_sig_id":10004065,"patch_sig_ids":[],"detection_sig_ids":null,"date_added":"2023-08-22T13:09:11","date_updated":"2023-08-22T13:09:11"}

FortiGuard can be queried from the FortiOS CLI for a list of vulnerability rules while specifying parameters for the vendor, version, product, and model by running the diagnose wad dev-vuln query command. For example, to query Fortinet Inc.'s FortiOS 7.2.5:

# diagnose wad dev-vuln query vendor=fortinet&version=7.2.5&product=fortios
Dev-Vuln Lookup result: success, cache: found, fgd: unknown, item: 0x7fb474e0b4a0
Vulnerability details: 
info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.2.0
   'version.max' = 7.2.5
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2023-08-22T13:09:11
  'date_updated' = 2023-08-22T13:09:11
        'sig_id' = 10004065
       'vuln_id' = 918630
      'severity' = 3
...

After receiving the vulnerability rules from the WAD process, the IPS engine marks them as virtual patch rules mapped to each CVE vulnerability signature. For example:

FortiOS.NodeJS.Proxy.Authentication.Bypass(CVE-2022-40684)

FortiOS.SSL.VPN.Web.Portal.Password.Improper.Authentication(CVE-2018-13382)

FortiOS.SSL.VPN.Web.Protoal.Pathname.Information.Disclosure(CVE-2018-13379)

To show the list of available FMWP signatures from the FMWP database:
# get rule fmwp status
rule-name: "FortiOS.Fclicense.Daemon.Format.String."
rule-id: 10004067
rev: 23.082
date: 1697644800
action: block
status: enable
log: disable
log-packet: disable
severity: 3.high
service: TCP, HTTP
location: server
os: Linux
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Format String
cve: 202329181
fos_comp: Web-GUI
....

The following are the diagnose commands:

# diagnose ips vpatch {fmwp-status | fmwp-enable-all  | fmwp-reset}

fmwp-status

Shows the current status of enabled FMWP signatures.

fmwp-enable-all

Enable all FMWP signatures in FMWP database.

fmwp-reset

Revert the results of fmwp-enable-all.

Example

In this example, virtual patching is enabled for the local-in policy and the following scenarios are described:

  • FortiGate with an SSL VPN vulnerability

  • FortiGate with a web GUI vulnerability

  • FortiGate with both an SSL VPN and web GUI vulnerability

To enable virtual patching:
  1. Enable virtual patching in the local-in policy:

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "ALL"
            set schedule "always"
            set virtual-patch enable
        next
    end
    Note

    Because the IPS engine can currently only tag services related to SSL VPN and web GUI signatures, all other protocols are scanned when service is set to ALL. However, you can bypass scanning of other protocols, such as SSH and FTP, by setting service to only HTTPS.

  2. Observe the outcome of the following scenarios:

    • In this example, FortiOS has an SSL VPN vulnerability. The IPS engine drops SSL VPN traffic to the local-in interface on the FortiGate and bypasses web GUI traffic. Traffic for other services is scanned and passed to the interface.

      Following is a log of the SSL VPN traffic that was dropped because of the vulnerability. Bypassed web GUI traffic did not generate any logs.

      # diagnose ips vpatch fmwp-status 
      Enabled FMWP signatures: 3
      
        10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
      
      1: date=2023-11-07 time=14:53:44 eventtime=1699325624346021995 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=284 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=53250 dstport=11443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=99614721 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
    • In this example, FortiOS has a web GUI vulnerability. The IPS engine drops web GUI traffic to the local-in interface on the FortiGate and bypasses SSL VPN traffic. Traffic for other services is scanned and passed to the interface.

      Following is a log of the web GUI traffic that was dropped because of the vulnerability. Bypassed SSL VPN traffic did not generate any logs.

      # diagnose ips vpatch fmwp-status
      Enabled FMWP signatures: 2
      
        10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
        10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
        
      1: date=2023-11-07 time=14:55:15 eventtime=1699325715311370215 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=304 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=53622 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=99614722 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"
    • In this example, FortiOS has an SSL VPN and a web GUI vulnerability. The IPS engine drops both SSL VPN and web GUI traffic to the local-in interface on the FortiGate. Traffic for other services is scanned and passed to the interface.

      Following is a log of the SSL VPN and web GUI traffic that was dropped because of the vulnerability.

      # diagnose ips vpatch fmwp-status 
      Enabled FMWP signatures: 3
      
        10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
        10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
        10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
      
      1: date=2023-11-07 time=06:42:44 eventtime=1699296164649894963 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1094 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=44164 dstport=10443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=116392250 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
      
      2: date=2023-11-07 time=06:42:09 eventtime=1699296129458704870 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1066 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=42352 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=116392236 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"

More Links

Virtual patching on the local-in management interface

Virtual patching on the local-in management interface

Virtual patching is a method of mitigating vulnerability exploits by using the FortiGate’s IPS engine to block known vulnerabilities. Virtual patching can be applied to traffic destined to the FortiGate by applying the FMWP (Firmware Virtual Patch) database to the local-in interface using local-in policies. Attacks geared towards GUI and SSH management access, for example, can be mitigated using the FMWP database pushed from FortiGuard, thereby virtually patching these vulnerabilities.

When the virtual-patch option is enabled in a local-in policy, the IPS engine queries the FortiGuard API server to:

  • Obtain a list of vulnerabilities targeting the FortiGate on a particular version

  • Determine whether the session destined to the local-in interface on the FortiGate requires a scan by identifying and tagging services in the session. The session's port number and protocol are used to identify the services. Currently only SSL VPN and web GUI services are tagged in a session.

If a tagged session lacks vulnerability signatures for the FortiOS version, then the IPS engine bypasses the session. This optimizes performance by only scanning and dropping sessions that are exploiting a vulnerability.

To configure virtual patching:
config firewall local-in-policy 
    edit <id>
        set action accept
        set virtual-patch {enable | disable}
    next
end

The FortiGate must have a valid FMWR (Firmware) license to install the FMWP database. The FMWP database can be viewed by running the diagnose autoupdate versions command.

# diagnose autoupdate versions
FMWP Definitions
---------
Version: 23.00084 signed
Contract Expiry Date: Wed Jan  1 2031
Last Updated using manual update on Wed Sep  6 15:19:11 2023
Last Update Attempt: Wed Sep  6 15:40:08 2023
Result: No Updates

Once virtual-patch is enabled, the WAD process will periodically query vulnerability items from the FortiGuard API server at "productapi.corp.fortinet.com" and forward it to IPS.

Caution

For SSL VPN and ZTNA connections that terminate on the FortiGate from a client that is using a client certificate, enabling virtual-patch will cause the connection to fail. Do not enable virtual-patch if you are using either of these configurations.

Sample vulnerability item found on the FortiGuard API server
{"ID":918630,"product":"fortios","vendor":"fortinet","max_version":"7.2.5","min_version":"7.2.0","severity":"high","vuln_type":"Format String","refs":["https://www.fortiguard.com/psirt/FG-IR-23-137"],"description":"This indicates detection of a Zero-Day vulnerability protected by a signature from Fortinet's FortiGuard Labs. This signature should help mitigate the threat proactively both prior to, and after an official statement is available from the vendor. Once an official advisory or statement is available from the vendor, the signature name and its description will be updated to provide more details regarding this vulnerability. Further details may also be made available in an advisory on FortiGuard Center (http://www.fortiguard.com).","patch_sig_id":10004065,"patch_sig_ids":[],"detection_sig_ids":null,"date_added":"2023-08-22T13:09:11","date_updated":"2023-08-22T13:09:11"}

FortiGuard can be queried from the FortiOS CLI for a list of vulnerability rules while specifying parameters for the vendor, version, product, and model by running the diagnose wad dev-vuln query command. For example, to query Fortinet Inc.'s FortiOS 7.2.5:

# diagnose wad dev-vuln query vendor=fortinet&version=7.2.5&product=fortios
Dev-Vuln Lookup result: success, cache: found, fgd: unknown, item: 0x7fb474e0b4a0
Vulnerability details: 
info entry (1):
        'vendor' = fortinet
       'product' = fortios
         'model' = N/A
   'version.min' = 7.2.0
   'version.max' = 7.2.5
      'firmware' = N/A
         'build' = N/A
    'date_added' = 2023-08-22T13:09:11
  'date_updated' = 2023-08-22T13:09:11
        'sig_id' = 10004065
       'vuln_id' = 918630
      'severity' = 3
...

After receiving the vulnerability rules from the WAD process, the IPS engine marks them as virtual patch rules mapped to each CVE vulnerability signature. For example:

FortiOS.NodeJS.Proxy.Authentication.Bypass(CVE-2022-40684)

FortiOS.SSL.VPN.Web.Portal.Password.Improper.Authentication(CVE-2018-13382)

FortiOS.SSL.VPN.Web.Protoal.Pathname.Information.Disclosure(CVE-2018-13379)

To show the list of available FMWP signatures from the FMWP database:
# get rule fmwp status
rule-name: "FortiOS.Fclicense.Daemon.Format.String."
rule-id: 10004067
rev: 23.082
date: 1697644800
action: block
status: enable
log: disable
log-packet: disable
severity: 3.high
service: TCP, HTTP
location: server
os: Linux
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Format String
cve: 202329181
fos_comp: Web-GUI
....

The following are the diagnose commands:

# diagnose ips vpatch {fmwp-status | fmwp-enable-all  | fmwp-reset}

fmwp-status

Shows the current status of enabled FMWP signatures.

fmwp-enable-all

Enable all FMWP signatures in FMWP database.

fmwp-reset

Revert the results of fmwp-enable-all.

Example

In this example, virtual patching is enabled for the local-in policy and the following scenarios are described:

  • FortiGate with an SSL VPN vulnerability

  • FortiGate with a web GUI vulnerability

  • FortiGate with both an SSL VPN and web GUI vulnerability

To enable virtual patching:
  1. Enable virtual patching in the local-in policy:

    config firewall local-in-policy
        edit 1
            set intf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set service "ALL"
            set schedule "always"
            set virtual-patch enable
        next
    end
    Note

    Because the IPS engine can currently only tag services related to SSL VPN and web GUI signatures, all other protocols are scanned when service is set to ALL. However, you can bypass scanning of other protocols, such as SSH and FTP, by setting service to only HTTPS.

  2. Observe the outcome of the following scenarios:

    • In this example, FortiOS has an SSL VPN vulnerability. The IPS engine drops SSL VPN traffic to the local-in interface on the FortiGate and bypasses web GUI traffic. Traffic for other services is scanned and passed to the interface.

      Following is a log of the SSL VPN traffic that was dropped because of the vulnerability. Bypassed web GUI traffic did not generate any logs.

      # diagnose ips vpatch fmwp-status 
      Enabled FMWP signatures: 3
      
        10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
      
      1: date=2023-11-07 time=14:53:44 eventtime=1699325624346021995 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=284 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=53250 dstport=11443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=99614721 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
    • In this example, FortiOS has a web GUI vulnerability. The IPS engine drops web GUI traffic to the local-in interface on the FortiGate and bypasses SSL VPN traffic. Traffic for other services is scanned and passed to the interface.

      Following is a log of the web GUI traffic that was dropped because of the vulnerability. Bypassed SSL VPN traffic did not generate any logs.

      # diagnose ips vpatch fmwp-status
      Enabled FMWP signatures: 2
      
        10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
        10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
        
      1: date=2023-11-07 time=14:55:15 eventtime=1699325715311370215 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=304 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=53622 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=99614722 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"
    • In this example, FortiOS has an SSL VPN and a web GUI vulnerability. The IPS engine drops both SSL VPN and web GUI traffic to the local-in interface on the FortiGate. Traffic for other services is scanned and passed to the interface.

      Following is a log of the SSL VPN and web GUI traffic that was dropped because of the vulnerability.

      # diagnose ips vpatch fmwp-status 
      Enabled FMWP signatures: 3
      
        10002156 FortiOS.NodeJS.Proxy.Authentication.Bypass.
        10002887 FortiOS.SSL-VPN.Heap.Buffer.Overflow.
        10002890 FortiOS.HTTPD.Content-Length.Memory.Corruption.
      
      1: date=2023-11-07 time=06:42:44 eventtime=1699296164649894963 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1094 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.SSL-VPN.Heap.Buffer.Overflow." srcport=44164 dstport=10443 hostname="myfortigate.example" url="/error" httpmethod="POST" direction="outgoing" attackid=10002887 ref="http://www.fortinet.com/ids/VID10002887" incidentserialno=116392250 msg="vPatch: FortiOS.SSL-VPN.Heap.Buffer.Overflow." crscore=50 craction=4096 crlevel="critical"
      
      2: date=2023-11-07 time=06:42:09 eventtime=1699296129458704870 tz="+1200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.1.100.22 srccountry="Reserved" dstip=10.1.100.1 dstcountry="Reserved" srcintf="port2" srcintfrole="undefined" dstintf="root" dstintfrole="undefined" sessionid=1066 action="dropped" proto=6 service="HTTPS" policyid=1 attack="FortiOS.NodeJS.Proxy.Authentication.Bypass." srcport=42352 dstport=443 hostname="127.0.0.1:9980" url="/api/v2/cmdb/system/admin" agent="Node.js" httpmethod="GET" direction="outgoing" attackid=10002156 ref="http://www.fortinet.com/ids/VID10002156" incidentserialno=116392236 msg="vPatch: FortiOS.NodeJS.Proxy.Authentication.Bypass." crscore=50 craction=4096 crlevel="critical"