Blogs

Last year we launched a network security solution in the Azure Marketplace that protects both east-west and north-south traffic as it passes through Azure Virtual WAN (vWAN). This security is provided through FortiGate VM, in the form of a managed Network Virtual Appliance (NVA)   There are multiple use cases supported with our offering. This includes a secure SD-WAN, SD-WAN with next-generation firewall (NGFW), and solely NGFW with layer 4-7 inspection.   The integration of FortiGate VM with Secure SD-WAN and Azure vWAN allows users to more effectively interconnect with applications and workloads running in Azure with the rest of their hybrid and multi-cloud deployments. The result is an even simpler, further automated, and operationally efficient cloud on-ramp and SD-WAN experience and the ability to apply NGFW policies to vWAN traffic.   Now, we have released an extension of this offering to include internet-inbound traffic, also known as Destination NAT. We are one o

   Introduction: Streamlining Software Deployment with AWS Marketplace Image Builder    AWS Marketplace has introduced an innovative feature to simplify software deployment for customers and sellers alike: the AWS Marketplace EC2 Image Builder. This feature allows customers to discover, purchase, and deploy third-party software directly through the EC2 Image Builder console and Image Builder APIs. With a straightforward console-driven onboarding process, customers can access security tools, OS hardening scripts, and analytics applications to create optimized, secure, and compliant images—referred to as “golden images”—tailored to their needs.  Whether you’re a seller looking to expand reach or a customer seeking a streamlined way to integrate third-party applications, this blog post is for you.  In the previous blog post, we described what EC2 Image Builder is at a high level, and how it can alleviate the operational overhead of deploying software such as

A prominent US-based specialty engineering and construction company faced challenges centralizing security controls, gaining visibility into traffic patterns and intrusion attempts, and applying policies at the application level within their cloud infrastructure. They turned to Fortinet Cloud Consulting Services to develop a comprehensive cloud network security design tailored to their unique requirements to ensure top-tier security and operational efficiency on AWS.   Guided Expertise in Selecting the Right Cloud Architecture   The Fortinet Cloud Consulting Services team worked closely with the customer to create an architecture that emphasized scalability, reliability, and robustness. The Fortinet consultants outlined multiple options, highlighting their unique benefits and potential challenges. This in-depth analysis enabled the customer to make informed decisions, ensuring their infrastructure not only satisfied current needs but was also adaptable for future advancements

For more than a decade, digital transformation has been the talk within businesses. One of the core elements in this journey is the migration to the public cloud, which adopts new ways of thinking and working the infrastructure and applications. This journey centers on automating infrastructure and application provisioning, rapidly detecting and responding in operations, containerizing applications, and leveraging serverless technology or other services from cloud providers for rapid prototyping, innovation, and adoption. Executives prioritize this initiative to expedite the pace of innovation, save on capital costs and time to set up infrastructure and realize new ways of delivering services. In the urgency to be part of the wave, some companies rush to adopt an “all-in” approach too quickly without sufficient due diligence. This presents a risk of failure, beyond a technical point of view which is the financial viewpoint. One of the elements that customers must realize is that they n

FortiWeb Security Alert: CVE-2024-3651 Vulnerability in idna.encode    The Impact of CVE-2024-3651  In the realm of web security, vulnerabilities can often lead to severe consequences if left unaddressed. One such critical issue is identified by CVE-2024-3651, a vulnerability that significantly impacts web applications by exposing them to potential denial-of-service (DoS) attacks and remote code execution (RCE). This essay explores the nature of CVE-2024-3651, its implications for web security, and the importance of addressing such vulnerabilities to maintain robust and secure web applications.  CVE-2024-3651 is categorized as a critical vulnerability primarily due to its origin in the improper validation of URL, header, and argument lengths within web applications. Web applications rely on numerous parameters passed through URLs, headers, and request bodies to function correctly. These inputs are crucial for processing requests, managing sessions, and delivering co

What is CVE-2023-34434?   CVE-2023-34434 is a critical security vulnerability identified in Apache InLong, an open-source data collection and processing platform. This vulnerability affects versions 1.4.0 through 1.7.0 of Apache InLong. It is classified as a deserialization flaw, which can be exploited to bypass security mechanisms and gain unauthorized access to arbitrary files. The issue was resolved in Apache InLong version 1.8.0.    The Significance of CVE-2023-34434   Deserialization of untrusted data is a critical security concern that can lead to unauthorized access and system compromise. This vulnerability within Apache InLong could enable attackers to manipulate or steal data by bypassing existing logic controls, making it a priority to address.  The vulnerability is rooted in the deserialization process, which is the method of converting data from a serialized format back into an object or data structure. Deserialization is a common practice

What is CVE-2024-4577?   CVE-2024-4577 is a severe security vulnerability found in PHP installations running in CGI mode. This flaw arises from inadequate input data handling, which can lead to attackers injecting and executing arbitrary PHP code on the server. The issue affects PHP versions prior to 8.1.29, 8.2.20, and 8.3.8. Due to its nature, the vulnerability poses a significant risk to many web applications, potentially allowing unauthorized users to compromise the server and execute malicious code. This can lead to various security breaches, including data theft, server control, or disruption of services. Users of affected PHP versions should prioritize upgrading to patched versions to mitigate this critical risk.    The Significance of CVE-2024-4577  The exploitation of CVE-2024-4577 can lead to remote code execution (RCE), enabling attackers to perform a variety of malicious activities such as deploying malware and launching denial-of-service attacks. I

I am a BIG supporter of Central NAT.  I believe it is in-line with the present day firewall platforms.  Even if you use Policy NAT (the original way on FortiOS) or Central NAT you normally want bidirectional NAT'ng, that is SNAT and DNAT. DNAT / VIP There is a feature on the CLI of the VIP which makes the VIP bi-directional.  That command is set nat-source-vip enable.  This is NOT enabled by default.  You can get to the VIP settings by right-clicking the VIP and choosing edit in cli Once you are in the cli you can type set ? and it will show you all of the set options available to you.  You can also give the show full to see all the options, default and or custom. The other option you can type is tree which gives you the entire command structure for that section. Once you shell out to the cli FortiOS will show you the basic configuration for that VIP config firewall vip edit "OBSER" set uuid 169ccfa6-a

A customer-facing FAQ is available in the FortiSASE Admin Guide for existing FortiClient EMS customers interested in shifting from FortiClient EMS to FortiSASE for endpoint management:https://docs.fortinet.com/document/fortisase/latest/administration-guide/90443/shifting-from-forticlient-ems-to-fortisase   This FAQ provides guidance about licensing and FortiSASE configuration for endpoint management for these cases: 1. Existing FortiClient EMS on-premise deployments2. Existing FortiClient Cloud deployments   As part of this shift to a FortiSASE deployment, new configuration of endpoint management features must be performed in FortiSASE: Existing FortiClient EMS or FortiClient Cloud configuration is not preserved because FortiSASE uses its own EMS instance. FortiSASE does not support some FortiClient EMS features. To assist customers with new deployments requiring endpoint management features, see the 4-D FortiSASE endpoint management deployment guide:https://docs.fortinet.c

In today's fast-paced digital landscape, the network edge has become a critical battleground for businesses. It's where users connect, data flows, and opportunities arise. But managing this dynamic environment can be a complex and time-consuming task, especially for organizations with distributed networks. That's where FortiEdge Cloud comes in, offering a powerful and intuitive cloud-based management platform that simplifies network operations and empowers businesses to thrive at the edge.   Single Pane of Glass Management FortiEdge Cloud provides a centralized platform for managing your entire LAN and WAN edge infrastructure, including FortiSwitch, FortiAP, and FortiExtender devices. With its intuitive interface and powerful tools, you can easily configure, monitor, and troubleshoot your network from anywhere, at any time. The platform's single pane of glass view eliminates the need to juggle multiple management consoles, streamlining operations and saving valuable time and resou

  The Impact of CVE-2024-3651  In the realm of web security, vulnerabilities can often lead to severe consequences if left unaddressed. One such critical issue is identified by CVE-2024-3651, a vulnerability that significantly impacts web applications by exposing them to potential denial-of-service (DoS) attacks and remote code execution (RCE). This essay explores the nature of CVE-2024-3651, its implications for web security, and the importance of addressing such vulnerabilities to maintain robust and secure web applications.    CVE-2024-3651 is categorized as a critical vulnerability primarily due to its origin in the improper validation of URL, header, and argument lengths within web applications. Web applications rely on numerous parameters passed through URLs, headers, and request bodies to function correctly. These inputs are crucial for processing requests, managing sessions, and delivering content. However, when an application fails to validate the size of t

Solution overview The Landing Zone Accelerator on AWS (LZA) for Canadian Centre for Cyber Security (CCCS) Cloud Medium is a specialized deployment designed in collaboration with national security entities and government agencies. It facilitates compliance with strict security requirements, offering a comprehensive AWS cloud architecture for handling sensitive workloads. The CCCS Medium Reference Architecture addresses identity and access management, governance, data security, logging, and network design in alignment with various security frameworks, including NIST 800-53, ITSG-33, FEDRAMP Moderate, CCCS-Medium, IRAP, and other medium-level security profiles.   Please refer to the CCCS Medium Reference Architecture document for the full detailed design.   Note: This solution will not, by itself, make you compliant. It provides the foundational infrastructure from which additional complementary solutions can be integrated.     Solution Detail This version of

The rapid growth of electric vehicles (EVs) and the corresponding need for extreme fast charging (XFC) infrastructure have highlighted the importance of robust cybersecurity measures. The NIST Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure (NIST IR 8473) offers a detailed, risk-based approach to managing cybersecurity in this complex ecosystem. FortiSOAR, with its advanced capabilities, is ideally positioned to help organizations comply with this profile. Here's how FortiSOAR can enhance compliance across the various phases of the NIST framework:    Introduction to NIST IR 8473    Electric vehicle (EV) charging stations are critical to the growth of the EV industry, much like gas stations are for traditional vehicles. Countries worldwide are setting ambitious targets to ensure widespread availability of these charging points. For instance, the EU aims for 3 million public charging points by 2030, and the US targets at least

If you haven't used the open source iperf tool before, there is a lot of info on it (see https://iperf.fr), and I will only say it allows us to generate UDP/TCP traffic between 2 hosts of any  bandwidth we desire. Load testing is a sure way to pinpoint "weak links" in the network, be it equipment or cabling.  So iperf is a software (Linux & Windows) you install on 2 hosts and it works as client and server - one host sends TCP or UDP traffic, and the second one (well, iperf on it) receives it measuring jitter, packet loss, bandwidth. We use iperf to indicate network problems but also to prove (to client or ourselves) capacity of a line - is the claimed throughput indeed as expected?  It becomes a challenge when you don't have Windows/Linux on remote site to install iperf or you cannot allow network downtime to disconnect your Fortigate  from the line and connect instead laptop/server. Luckily, starting with FortiOS 5.2.x version, all Fortigate firewalls come with

In light of recent cybersecurity events, we would like to remind FortiEDR customers and partners about our software and content update release process, as well as our overarching release strategy. The following overview will detail our various release types, our systematic release process, and the measures we take to mitigate associated risks.    Release types: We classify FortiEDR releases into three categories: Major, Minor, and Patch.  Major and Minor releases undergo comprehensive QA cycles, followed by internal deployments where the system is tested in our own production environment for several months.  Patch releases address a limited set of bugs and are considered less risky. These releases go through QA cycles that focus on the impact of the changed modules and include overall sanity checks. Similar to Major and Minor releases, Patch releases are tested internally for at least a few weeks before being deployed in production.  Development and Q