By Manny Fernandez

July 29, 2024

Virtual Patching – Local-In management interface

Fortinet has a 1,000+ FortiGuard Labs team on cyber security professionals and because they ship twice as many devices than their closest competitors worldwide, they have billions (yes billions) of actionable alerts per day that are processed through FortiGuard labs.  Fortinet has their team of internal pentesters that look for vulnerabilities on their platforms.  Not to mention the mature AI backend where they constantly process mailware, and other attack information.  Fortinet developed a feature that will help you protect against vulnerabilities to the FortiGate itself.  This feature was introduced in 7.4.4 and is available via the CLI, however in 7.6 its available in the GUI.

On 7.4

The first thing you want to do is validate that you have the FMWP database initiated and you are licensed for it.  Run the following command diagnose autoupdate versions  and look for the FMWP database.

On the above screenshot, you can see that the last update was via an scheduled update.

Once you have validated that you have the database and that it is up to date, you need to ensure that the signatures are enabled.  You can do this with the following commands

(1) diagnose ips vpatch fmwp-status will tell you how many signatures are enabled.

(2) diagnose ips vpatch fmwp-enable-all will enabled all of the virtual patches.

(3) Once you have them enabled, you can run the diag ips vpatch fmwp-status and validate they are enabled.

Now lets configur the local-in policy.  As you can see in the figure below, I have a local-in policy already created from a previous blog post I did on geo-blocking with the local-in policy.  So we will pick the next sequence number which is 2.

As you can see in the figure highlighted in red, we need to put the interface this applies to, in my case it is port1 You will also want to define the source address with set srcaddr in our case to all.  Same with destination, service, and schedule.  The most important setting for this post is the set virtual-patch enable which applies the virtual patches to these connections.  Once you are done, you need to enter the end command to save it.

You should now see something like this

On 7.6

 

Special Thanks to Vladislav Ceban for pointing this new feature out to me.  Thanks Vlad.

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • Executive Summary A FortiGate is only as flexible as... Full Story

  • 1. Title & Executive Summary Objective: This guide explains... Full Story

  • 1. Title and Executive Summary Title: Power over Ethernet Standards... Full Story