Blogs

Our previous blog covered how FortiEDR eliminates malware and attacks early in the cyber kill chain and the benefits of proactive security. We know nothing in this life is guaranteed and no form of security is perfect. As stated before, Threat Hunting helps identify what circumvented the first line of defence. This blog will cover post-attack threat hunting. Post-attack, Threat Hunting can assist in ‘following the breadcrumbs’ and identifying patient zero, peering back days, weeks or even months. While FortiEDR’s Forensics suite provides much of the answer with patented code-tracing technology, Threat Hunting is also an essential component. While investigating an event, FortiEDR provides an intuitive experience with contextualised Threat Hunting hyperlinks enabling the SOC analyst to quickly retrieve the information required. Figure 1.1 – Contextualized Threat Hunting – Events View Figure 1.2 – Contextualized Threat Hunting – Forensics View   It is also possible to scan all (or

Time to time, threat hunters are alerted to a new threat and will run a query within FortiEDR to see if it is present on any of their devices. They can simply add a title, a description, add applicable tags, and select the organization to apply this search. Further on they can select which category and devices to search, and input the search in Lucene syntax. They can also choose to share this search with the community before they create a schedule for that query. Along the way, they will select the classification they would like it to fall under along with when they would like to have it repeat the search (e.g. Daily, every hour, etc.). Fig 1. Creating a custom and scheduled query Now that this custom search is created it will alert the team by placing the alert in the event viewer when it sees a hit. It will inform the threat hunting team that the alert was generated from a “Scheduled Threat Hunting Query” in the “Triggered Rules” box on the right of the screen. These same threat

We are pleased to announce the 5.1 release of FortiEDR. It keeps our Linux capability in lock step with Windows, both of which now offer even more robust threat hunting. Enhancements include Event Tracing for Windows (ETW), which enriches threat hunting telemetry collection by identifying behaviors. This provides FortiEDR users a fast, reliable, and versatile set of event tracing and logging features that are raised by user-mode applications and kernel-mode drivers. Outside of threat hunting, we made quality of life improvements for our administrators. We added application deny enhancements with Application Control. Now administrators have further flexibility when adding applications to deny/blocklists, along with tightly configuring communication rules on specific applications. It can also be used selectively on end-user systems with sensitive information or higher threat exposure. Lastly, we supplemented this release with further granularity to exclude files and folders from being in

By: Moshe Ben Simon & Julian Petersohn Summary Every SAP customer has a minimum of one SAPRouter Instance running within the infrastructure. In addition, these instances are often directly accessible through the Internet. Figure 1: Overview of Countries where the SAP Router was found[1] What is SAPRouter SAPRouter is a standalone program that protects your SAP network against unauthorized access. SAPRouter is an application gateway that acts as a network connection proxy between SAP systems or between SAP systems and external networks. The SAPRouter port serves as a gateway, and you can specify the connections you want to allow in a route permission table. SAPRouter can control and log incoming connections to the SAP system. SAPRouter can improve network security by applying a password and a layer of encryption across any network access Connections and SAP data. Customers need to set up and configure access to SAPRouter for SAP to receive technical Support from SAP Engineers. A

Lately I have been doing some AWS.  I am looking to get certified in the short-term.  I was struggling with a customer after I deployed a FortiGate in AWS and could not figure out how to allocate Elastic IPs to be used by the FortiGate to perform NATs for different internal instances.  Here is an article showing what I did. On AWS Log into you AWS Console and choose you VPC Then choose the Instances and choose your Fortigate instance. Then you will need to (1) Choose the Instance, (2) Click Actions (3) Choose Networking then choose (4) Manage IP Addresses Once in Manage IP Addresses you will see your interfaces that you have assigned to your Fortigate instance.  Choose the interface that represents the outside of the Fortigate and click Assign new IP. You can see that my subnet is 172.31.254.0/24 and I have .5 assigned to my Public Facing IP address. Enter another IP in that same range (I believe AWS reserves the first 4 IP addresses) and then click Yes, Update

Network Functions Virtualization (NFV) offers unprecedented opportunities for service providers to adopt new business models, radically lower costs, and increase the speed of innovation and delivery of next-generation services. While the potential benefits of NFV are enormous, ensuring effective security is a key consideration for service providers. Protecting these highly dynamic environments requires a Security Fabric with tightly integrated security and network technologies that share intelligence and collaborate to detect, isolate, and respond to threats in real time. Fortinet recognizes the importance of having an open system that supports and secures as many NFV solutions in the industry as needed in order to meet the requirements of service provider customers. The openness of the Fortinet Security Fabric enables deep integrations with industry partner products and platforms. Fortinet achieved VMware’s highest level of endorsement, VMware Ready™ Status for Network Functions

Team,Veterans bring valuable skills and experience from their military service to your workforce. This toolkit is designed to help you better understand how Veterans can be valuable assets to your company. You can also learn more about how hiring Veterans may benefit your organization, its mission, and bottom line. Why Veterans Make Good Employees: https://www.va.gov/VETSINWORKPLACE/docs/em_goodemployees.asp   The Work Opportunity Tax Credit (WOTC) is a Federal tax credit available to employers for hiring individuals from certain targeted groups who have consistently faced significant barriers to employment: https://www.irs.gov/businesses/small-businesses-self-employed/work-opportunity-tax-credit The Employer Guide to Hire Veterans is designed to assist employers find, hire and retain veterans: https://www.dol.gov/sites/dolgov/files/VETS/files/Employer-Guide-to-Hiring-Veterans.pdf Veterans leave military service with a wealth of skills and professiona

Log4shell or Log4j2 or more simply CVE-2021-44228 is being called the greatest vulnerability to hit the interest... ever.  Log4j2 impact touches anything that uses Apache’s opensource logging service Log4j prior to version 2.15.0.  And that’s a lot of systems.  In fact, it’s said to impact most of the web services attached to the Internet at the time of the exploit’s announcement on December 9th, 2021.  That’s a lot of systems to patch.  How does a cyber team work through all of the known and shadow IT inventory?  Further, what if those systems are the heart of the company running critical financial and management functions, such as a SAP or other ERP system?  Patching of these systems must be prioritized, but it will take time.  More immediately, cyber teams should be looking to their security partners to implement network-wide mitigation that can be broadly and swiftly deployed.  Fortinet has rolled out several countermeasures to stop 4422

Fortinet is pleased to announce the availability of a brand-new data switch model and a refresh to one of its most popular data center switch models. The FortiSwitch T1024E is our first fixed copper 10GE switch offering 24 ports of 10G base T in a 1 RU form factor with 2 100GE capable QSFP28/QSFP+ slots for uplinks. This new FortiSwitch compliments our popular 1024 which has been updated to the 1024E offering 24 10GE capable slots in a 1 RU form factor with 2 100GE capable QSFP28/QSFP+  slots for uplink. While both of these switches are designed for high performance 10GE switching the T1024E is capable of negotiating Multi Gig Ethernet speeds including 5GE , 2.5GE and 1GE. These new switches build on our FortiSwitch data center series while maintaining integration into the Fortinet Security Fabric through FortiLink, a hallmark of our FortiSwitch product line. For more information on the 1024E and our FortiSwitch Data Center Series please refer to our datasheet.    

Let's talk about three important areas of SIEM deployments:  functionality, scalability, and flexibility.   Functionality What does a SIEM do?  Wikipedia [1] suggests: Data aggregation; Correlation; Alerting; Dashboards; Retention, and; Forensic Analysis - a good list of foundational features, but these are taken-for-granted in a modern SIEM. What else does a SIEM do for you,? What makes your SIEM a winner in your environment? FortiSIEM brings a raft of functionality that provides a winning solution for modern enterprise and service provider environments:   Feature Description Benefit Combined NOC&SOC Analytics Performance and availability monitoring via active device discovery Greater ROI Greater security vantage Greater ease of use Reduced MTTR Greater functionality & flexibility Integrated CMDB Asset list of discovered devices, plus device monitoring Integrated UEBA Visibility of client activity. AI driven anomaly detection.

By: Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet It’s no coincidence that SD-WAN adoption has grown rapidly with increasing cloud consumption by enterprises. After all, the primary use case for SD-WAN is to provide fast and resilient connectivity to cloud services. While the SD-WAN migration has been driven by cost savings, faster time to provision, and more application control, there have been some trade-offs. MPLS provides granular control of routing domains and segmentation, and centralized Internet breakout for consistent egress security and partner interconnection. MPLS’s traffic-engineered paths provide end-to-end low network latency and a high quality of service. The launch of AWS’s Cloud WAN provides, for the first time in the AWS cloud, the opportunity to realize the benefits of an MPLS-like core network with the advantages of SD-WAN cloud on-ramps from many on-premises locations. AWS Cloud WAN builds on Transit Gateway Connect by allowing us

Fortinet Integrates with Azure Gateway Load Balancer to Enable Seamless Deployment of FortiGate Next-Generation Firewall By: Ali Bidibadi  Many customers use third-party network virtual appliances (NVA) offerings from Azure Marketplace, including Fortinet FortiGate Next-Generation Firewall (NGFW), to secure their Azure cloud deployments. Specifically, Fortinet offers several design patterns to address each customer’s unique deployment requirements. Those include Active-Passive with Unicast HA and Active-Active with and without autoscaling support. Both external and internal load balancers are utilized in some of those architectures to help with scalability and resiliency of the security solutions. Now, with the public preview launch of the Azure Gateway Load Balancer (GWLB) service, we are excited to announce the availability of the Fortinet FortiGate VM integrated with this service as a launch partner. Equipped with full NGFW capabilities, as well as VXLAN encapsulation and decap

Does your SIEM deliver effective value to the widest part of the organization in an efficient and easy to use manner? I hope so - SIEMs can benefit many parts of the organization outside of the SOC, such as compliance, network operations and general business functions. Ease of use is key to enabling this important business asset, empowering users of the system, and delivering business value.   The business value delivered by a SIEM extends beyond the technical features of the platform. Many organizations are currently struggling to recruit and retain employees in cybersecurity roles such as security administrators, and NOC and SOC specialists [1]. Easier to use tools can create a more attractive workplace and help to reduce the amount of training required to onboard new hires - an easier to use tool becomes an enabler, rather than a barrier.   Easier to use tools can also empower junior employees, increasing their effectiveness, motivation, and ability to deliver results for

A FortiGate Automation Stitch brings together a Trigger and an Action. The Trigger can be internal or external to the FortiGate, when a trigger occurs one of more Actions can be initiated. The Action, like the Trigger can be internal or external to the FortiGate.The code in the repository fortigate-automation-stitches, is an example of a FortiGate SDN Event Log being the Trigger to initiate the Action of updating an Azure Route Table to enforce VM Micro Segmentation. The SDN event log entry generated when a FortiGate Dynamic Address is updated, triggers the action of sending a Webhook to Azure. The webhook contains the information required to update the Azure route table. The Azure route table update is either the addition of a route or the removal of a route from an Azure route table.The FortiGate Automation Stitch Azure route table updates are made to support Micro Segmentation of VMs in FortiGate protected networks. In Azure, VMs on the same subnet and

By: Peter Nas & Ronen Shpirer   FortiOS v7.0.1 introduced support for the Packet Forwarding Control Protocol or PFCP. This is an essential enhancement to an already rich set of features and capabilities that FortiOS and the FortiGate provide to 4G and 5G mobile operators worldwide. To understand why this is a valuable enhancement, you need to know what PFCP is, why it’s important, and what security use cases are made possible with FortiGate’s support for PFCP. PFCP was first made available with 3GPP Release 14’s introduction of Control and User Plane Separation, or CUPS. CUPS enabled a new network architecture that allows Service Providers to independently scale and evolve their network for Control Plane resources without modifying their User Plane resources. PFCP is used between the control plane and the user plane function in 4G CUPS-based EPC. While CUPS and PFCP are not mandatory in 4G, they are required in 5G Stand Alone (SA) networks, where the Session Management Fu

Today we're looking at the new FortiSIEM JSON Incident API. Need to extract some incident data from your FortiSIEM? This API's for you!Let's explore one of the API functions by building a simple Bash script that pulls recent incidents and summarizes the target IP. Disclaimer This is a basic, stripped back 'Proof of Concept' script. It's provided as is and for informational purposes only. Some features, such as hard-coded credentials, are not considered best practice and you probably have a better approach. Be sure to check, fix, validate data, handle errors, improve, customize and secure to meet your own requirements before use. Formatting Some of the longer commands may be word-wrapped on your screen, which could prevent them working if you copy/ paste the script without fixing this. Preparation Assuming you are using a CentOS based distribution run the following command to check and install required packages if needed: yum -y install curl jq sed grep API Endpoint The API details a

Fortinet is extending FortiGuard security to the wireless edge by offering UTP services running on our Wi-Fi 6 FortiAP-U models.  With this new service, customers can enable the following security features on the AP: Web Filtering IPS Anti Botnet App Control Anti Virus Device Identification F-series FortiAP-U models and later can offer these FortiGuard services when managed by the FortiGate or when managed by our new FortiLAN Cloud management platform.  Want to learn more technical details?  Our Product Manager Sumanth Gorajala recently talked about this topic at Mobility Field Day, you can watch his presentation on youTube here.

JAN’s Workplace Accommodation Toolkit is a free, comprehensive online resource for employers seeking to move beyond basic compliance with the Americans with Disabilities Act (ADA) in order to create more disability-inclusive workplaces. The Toolkit provides guidance and resources for developing or updating accommodation policies and processes while leveraging the best proven practices available to date. The Toolkit contains actionable accommodation policies and processes from leading U.S. businesses, a suite of accommodation forms, training presentations, and role play videos modeling inclusive behaviors. The Toolkit also includes best and emerging practices for creating an inclusive workplace for people with disabilities during all phases of the employment life cycle. Within the Toolkit, one can find specific resource drawers for: Recruiters and Hiring Managers, Supervisors and Managers, Internal Reasonable Accommodation Subject Matter Experts (SME)/Consultants, Information Tech

The SHRM Foundation Veterans at Work Certificate program is completely free and open to all. You do not need to be a SHRM member, and you do not need to hold a SHRM credential to engage with the content, take the course and earn the Veterans at Work Certificate.This course leverages critical insights from subject matter experts and the latest research to equip you with the knowledge and actionable tools necessary to confidently adapt your workplace into one that attracts, hires, and retains both veterans and members of the military community.SHRM Foundation Veterans at Work Certificate Program

An organization's workforce is its most valuable asset. And when an employee can't work due to illness or injury, it impacts not only an organization's productivity, but also its morale. This toolkit helps both employers and employees understand the return-to-work process and provides resources to assist in getting employees back on the job quickly and smoothly. Effective return-to-work approaches can help employees work while still recuperating, protecting their earning power and boosting an organization's output. Furthermore, in many instances, work itself plays an important role in the recovery process.Learn more: https://www.dol.gov/odep/return-to-work/

FortiSIEM 6.3.0 is now available. This major release introduces a range of new features.New Feature HighlightsCustomizable GUI Login BannerFortiSIEM can now display a customizable text login banner. This can be configured or disabled under ‘Settings > System > UI’ UTC and ISO8601 Timestamp Formatted DatesUsers can now select ‘ISO8601’ or ‘UTC’ date formats in their user profile, as well as the original ‘Local date format’.Report Export in RTF FormatBoth scheduled and ad-hoc Reports can now be generated in RTF (Rich Text Format), as well as the original PDF and CSV formats. RTF is compatible with MS Word and a range of other word processing packages.Trend Chart for Hourly/Daily/Weekly AggregatesTrend charts in dashboards and reports now have configurable trend interval settings. Choose from Auto, Hourly, Daily or Weekly intervals.Report Design Template EnhancementsThe report designer now has a rich text editor that enables users to format report in the GUI text without entering H

Fortinet Employees, As a proud sponsor and supporter of our military veterans, we are conducting a survey to understand the impact military service members and their families have on Fortinet’s business and culture.    Answering these short questions will allow Fortinet to develop an ongoing database of metrics that can be used to analyze and improve our military programs.    You can now access the survey by visiting your NSE Institute dashboard and look for the 2021 FortiVet Military Service Survey.   Please complete this survey by end of day July 26th.  Our veterans and our company thank you. Best, Jay GarciaFortinet Veterans Program & Community Engagement

As If the Perimeter was not Blurred Enough As cloud adoption began accelerating several years back the growing predictions of a doomed enterprise perimeter also increased. And then the pandemic hit… With the dawn of a 100% remote workforce, the story quickly changed from that of a fading perimeter to one that is rapidly vanishing.    But the passage to a digitally transformed cloud-enabled enterprise will not happen overnight. Understanding the importance of properly managing the transformation and living in the hybrid environment for the many years ahead is paramount.  Necessarily, this will drive dramatic changes in the way we secure our networks.  IT leaders are faced with managing their budgets to include new technologies but there is also growing awareness that added heterogeneity can introduce its own set of challenges, including dramatic increases in complexity.    Failure to address growing complexity can result in misconfigurations which ulti

FortiLAN Cloud offers unified cloud management of stand-alone FortiAP and FortiSwitch deployments, replacing both FortiSwitch Cloud and FortiAP Cloud. It simplifies the management and deployment of your standalone FortiAP and FortiSwitch environments by offering an intuitive, easy-to-use interface enabling zero touch deployment, configuration management, reporting and analytics. FortiLAN Cloud joins FortiGate Cloud management platform which manages our popular FortiLink driven deployment of FortiGate managed FortiSwitch and FortiAP. FortiLAN Cloud is available today, for detailed ordering and specifications information please refer to the data sheet: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortilan.pdf