FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
preznik_FTNT
Staff
Staff
Article Id 197060
Description
Dynamically detecting, segmenting and auto-quarantine “Sunburst”/SolarWinds” Vulnerable Endpoints from EMS
Solution
  • Create Zero-Trust Access Control Rules to continuously monitor and automatically block access for compromised endpoints:
    • Run the attached Script to add SolarWinds detection rules in your EMS v6.4.2.  (Open CMD with administrator access and run this command in the same folder where you saved the script:  sqlcmd -E -S.\fcems -d fcm_default -i add_solarwind_ZTNA_Rules.txt)
    • This script will add ZTNA tagging rules as seen in the screenshot below. Edit one of the newly added rules and check to see if configured properly and click save.  You can also add additional rules to detect and tag endpoints with critical vulnerabilities which includes Sunburst vulnerability:

 ztnarules.jpg




 

    • Under Zero Trust Tags > Tag Monitor monitor for any endpoints with “EndpointsWithSolarWinds” or “SolarWinds Suspicious” Tags.  If any detected then these endpoints can be quarantined and sent for investigation/remediation. 

ztnatag.jpg



ztnaquar.jpg
 

Contributors