FortiClient
keithli_FTNT
Staff

Description

This article describes how to use FortiClient and FortiClient EMS's Endpoint Security profile to protect against the Apache Log4j exploit. The vulnerability is assigned CVE-2021-44228.

 

For more information about this vulnerability, as well as recommended package updates for various Fortinet Security Fabric devices, see the following FortiGuard Outbreak Alert:

FortiGuard Outbreak Alert - Log4j2 Vulnerability

 

FortiClient endpoints must have the Application Firewall package updated to the recommended version (19.218) or above. See the IPS package below:

FortiGuard IPS Package 19.218

 

Scope

The Endpoint Security Profile settings can be configured on FortiClient EMS v6.2+ and deployed to FortiClient endpoints v6.2+. Supported endpoint operating systems are Windows and Mac.

 

Solution

1) Using FortiClient EMS, create a new Endpoint Profile or edit an existing Endpoint Profile. Then configure the following:

- On the Firewall tab, enable Application Firewall

- Under General settings, enable Detect & Block Exploits

- Select 'Save' to save changes.

 


 

2) Allow changes to be pushed to managed Endpoints. Then check Endpoints for installation of the latest Application Firewall Signature packages.

 


3) If an exploit attempt is detected, FortiClient will block the attempt. A FortiClient pop-up notification will appear in the endpoint's system tray.

 


 

4) On FortiClient EMS, you can view the log of the exploit attempt when you view the targeted Endpoint. 

- Go to Endpoints > All Endpoints, and select the device that was targeted.

- Use the Firewall Events tab to view the exploit attempt.
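
For the check in step 2, one way to audit an endpoint inventory against the minimums this article states (Application Firewall signature 19.218, FortiClient v6.2, Windows or Mac). This is an added example, not Fortinet code or an EMS export format: the CSV layout and column names are hypothetical, and the rows are constructed sample data.

```python
import csv
import io

MIN_SIGNATURE = (19, 218)   # recommended minimum package version from this article
MIN_CLIENT = (6, 2)         # minimum FortiClient version from the Scope section
SUPPORTED_OS = ("Windows", "Mac")

# Constructed sample inventory; column names are hypothetical, not an EMS format.
SAMPLE_INVENTORY = """hostname,os,forticlient_version,appfw_signature
ws-001,Windows,6.4.6,19.218
ws-002,Windows,6.4.6,19.217
mac-003,Mac,7.0.1,19.00220
ws-004,Windows,6.0.9,19.300
ws-005,Windows,6.4.6,
lnx-006,Linux,6.4.6,19.218
"""

def parse_version(text):
    """Turn '19.218' into (19, 218); return None if missing or malformed."""
    text = text.strip()
    parts = text.split(".")
    if not text or not all(p.isdigit() for p in parts):
        return None
    # Numeric parts, so zero-padded values such as '19.00220' compare correctly.
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {hostname: reason} for endpoints that do not meet the minimums."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["hostname"]
        client = parse_version(row["forticlient_version"])
        sig = parse_version(row["appfw_signature"])
        if row["os"] not in SUPPORTED_OS:
            findings[host] = "unsupported OS for this profile"
        elif client is None or client[:2] < MIN_CLIENT:
            findings[host] = "FortiClient older than 6.2"
        elif sig is None:
            findings[host] = "signature version unknown"
        elif sig < MIN_SIGNATURE:
            findings[host] = "signature older than 19.218"
    return findings

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {reason}")
```

Endpoints with an unknown signature version are reported rather than assumed compliant, since a missing value usually means the endpoint has not yet received the update.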

 


Related Links

Configure Application Firewall on FortiClient EMS