This article describes how to use FortiClient and FortiClient EMS's Endpoint Security profile to protect against the Apache Log4j exploit. The vulnerability is assigned CVE-2021-44228.
For more information about this vulnerability, as well as recommended package updates for various Fortinet Security Fabric devices, see the following FortiGuard Outbreak Alert:
FortiClient endpoints must have the Application Firewall package updated to the recommended version (19.218) or above. See IPS package below:
The Endpoint Security Profile settings can be configured on FortiClient EMS v6.2+ and deployed to FortiClient endpoints v6.2+. Supported endpoint OSes are Windows and Mac.
1) Using FortiClient EMS, create a new Endpoint Profile or edit an existing Endpoint Profile. Then configure the following:
- On the Firewall tab, enable Application Firewall
- Under General settings, enable Detect & Block Exploits
- Select 'Save' to save changes.
2) Allow changes to be pushed to managed Endpoints. Then check Endpoints for installation of the latest Application Firewall Signature packages.
3) If an exploit attempt is detected, the FortiClient will block the attempt. A FortiClient pop-up notification will appear on the Endpoint's system tray.
4) On FortiClient EMS, you can view the log of the exploit attempt when you view the targeted Endpoint.
- Go to Endpoints > All Endpoints, and select the device that was targeted.
- Use the Firewall Events tab to view the exploit attempt.
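
For the check in step 2, the prerequisites above (Application Firewall package 19.218 or above, FortiClient v6.2+, Windows or Mac) can be audited across a fleet. The following is an added example, not Fortinet code: the inventory and its column names are constructed and hypothetical, not an EMS export format, and it assumes version strings compare component by component as integers.

```python
import csv
import io

MIN_SIGNATURE = (19, 218)   # Application Firewall package version from the article
MIN_CLIENT = (6, 2)         # FortiClient v6.2+
SUPPORTED_OS = ("windows", "mac")

# Constructed inventory; the column names are hypothetical, not an EMS export format.
SAMPLE_INVENTORY = """hostname,os,forticlient_version,appfw_signature
ws-001,Windows 10,7.0.2,19.218
ws-002,Windows 11,6.4.6,19.99
mac-003,macOS 12,6.2.0,19.1000
lnx-004,Ubuntu 20.04,6.4.6,19.230
ws-005,Windows 10,6.0.9,
"""

def parse_version(text):
    """Turn '19.218' into (19, 218); return None if empty or not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return {hostname: [reasons]} for endpoints that miss a prerequisite."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if not row["os"].lower().startswith(SUPPORTED_OS):
            reasons.append("unsupported OS")
        client = parse_version(row["forticlient_version"])
        if client is None or client[:2] < MIN_CLIENT:
            reasons.append("FortiClient older than 6.2 or unknown")
        sig = parse_version(row["appfw_signature"])
        # Compare numerically: as strings, "19.99" would sort above "19.218".
        if sig is None or sig < MIN_SIGNATURE:
            reasons.append("Application Firewall signature below 19.218 or unknown")
        if reasons:
            findings[row["hostname"]] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(reasons)}")
```

Endpoints with a missing signature value are reported rather than skipped, since an endpoint that has not yet received the profile push is the case step 2 is meant to catch.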