Description
Dynamically detecting, segmenting and auto-quarantining “Sunburst”/“SolarWinds” vulnerable endpoints from EMS
Solution

- Create Zero-Trust Access Control Rules to continuously monitor and automatically block access for compromised endpoints:
- Run the attached script to add the SolarWinds detection rules to your EMS v6.4.2 (open CMD with administrator access and run this command from the same folder where you saved the script: sqlcmd -E -S.\fcems -d fcm_default -i add_solarwind_ZTNA_Rules.txt)
- This script adds ZTNA tagging rules as seen in the screenshot below. Edit one of the newly added rules, check that it is configured properly, and click Save. You can also add further rules to detect and tag endpoints with critical vulnerabilities, including the Sunburst vulnerability:
- Under Zero Trust Tags > Tag Monitor, watch for any endpoints carrying the “EndpointsWithSolarWinds” or “SolarWinds Suspicious” tags. If any are detected, those endpoints can be quarantined and sent for investigation/remediation.
- As part of the Fabric you can also use these ZTNA Dynamic Tags on FortiGate to restrict or automatically quarantine network access for these suspicious endpoints. See How to add EMS ZTNA Tags in FortiOS dynamic policy for instructions.
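The following is an added example, not part of the Fortinet article or the attached script, showing how an administrator might wrap the sqlcmd step above so that the common failure modes (not elevated, wrong working folder, sqlcmd missing, SQL error inside the script) stop the run instead of silently leaving the rules half-added. It assumes the instance name .\fcems, the database fcm_default and the script file name exactly as given in the article; the -b switch makes sqlcmd return a non-zero exit code when a batch fails.

```powershell
# Added example (not from the Fortinet article): checked wrapper around the sqlcmd step.
# Assumptions: sqlcmd is on PATH on the EMS host, the SQL instance is .\fcems and the
# database is fcm_default, as stated in the article; the script file name is the article's.
$ScriptFile = Join-Path (Get-Location) 'add_solarwind_ZTNA_Rules.txt'

# The article requires an administrator command prompt; fail early if this session is not elevated.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell session.'
}

# The command must be run from the folder where the script was saved (-i takes a path).
if (-not (Test-Path -LiteralPath $ScriptFile)) {
    throw "Script not found: $ScriptFile. Change to the folder where you saved it and retry."
}

# sqlcmd ships with the SQL Server command-line tools; without it nothing below can run.
if (-not (Get-Command sqlcmd -ErrorAction SilentlyContinue)) {
    throw 'sqlcmd is not on PATH on this host.'
}

# Same command as the article: -E = Windows authentication, -S = instance, -d = database, -i = input script.
# -b is added so a failed batch inside the script produces a non-zero exit code instead of being ignored.
& sqlcmd -E -S '.\fcems' -d 'fcm_default' -b -i $ScriptFile
if ($LASTEXITCODE -ne 0) {
    throw "sqlcmd exited with code $LASTEXITCODE; the ZTNA tagging rules were not (fully) added. Review the output above."
}

Write-Host 'Script completed. Open one of the newly added rules in EMS, confirm it is configured as expected, and click Save.'
```

Because the script modifies the EMS database directly, run it once on the EMS server only and take a database backup first; re-running it is not covered by the article, so do not assume it is safe to repeat.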