Description
This document explains how to mitigate the improper check of the certificate revocation vulnerability in FortiOS.
FortiGate configuration steps outlined in this article can also be completed using FortiManager, if the FortiGates are managed by FortiManager (see attached PDF document "How To Apply IPS Signature using FortiManager").
Scope
Solution
Solution 1 - Firmware upgrade
· Instructions to upgrade the FortiGate unit firmware
· Steps to upgrade other Fortinet Products
Solution 2 - Implement IPS signature.
· Scenario 1 - Networks with the FortiGate as perimeter gateway (or) network gateway and directly connected to Internet
Ø Step 1 - IPS sensor configuration
Ø Step 2 - Configure Interface Policy
· Scenario 2 - Network with the FortiGate as the perimeter Gateway and other Fortinet products in a protected network behind the FortiGate.
Ø Step 1 - Configure Address objects for the Fortinet devices in protected network
Ø Step 2 - Create Address group with Fortinet Devices as members.
Ø Step 3 - Create firewall policy for the FortiGate units in the protected network and apply IPS inspection
· Scenario 3 - Hybrid networks with De-Centralized FortiGate units connect to Internet directly
· Scenario 4 - Network with Fortinet products directly connected to Internet and FortiGate is in isolated network
· Solution for Fortigate without valid IPS subscription
This document explains how to mitigate the improper check of the certificate revocation vulnerability in FortiOS.
Mitigation options:
Solution 1 - Firmware upgrade.
Solution 2 - Implement IPS signature.
Note: For optimal protection, all the FortiGate units which have direct connection to the Internet must be configured with the IPS signature. The IPS signature can be also configured on the perimeter FortiGate unit to protect other Fortinet Products such as FortiMail, FortiWEB, FortiManager, FortiAnalyzer, FortiSandbox, FortiAuthenticator and also FortiGate units in the network (Please see Scenario - 2).
Note : The IPS signature "Fortinet.Revoked.SSL.Certificates" is included in IPS definition version 14.00656 or later.
Please make sure the IPS definitions are updated to 14.00656 or later versions.
In case of any issues while following below steps or need further assistance with the configuration of IPS signature and further steps described in this document, please contact Fortinet support
Solution 1 - Firmware upgrade.
The below firmware versions have a fix to resolve this issue.
FortiGate
FortiOS 6.2.1
FortiOS 6.0.6
FortiOS 5.6.10
FortiOS 5.4.12
FortiOS 5.2.14
FortiAnalyzer
6.2.1, 6.0.6, 5.6.9, 5.4.7
FortiManager
6.2.1, 6.0.6, 5.6.9,5.4.7
Steps to upgrade FortiManager firmware
Steps to upgrade FortiAnalyzer firmware
Instructions to upgrade the FortiGate unit firmware.
Steps to upgrade FortiGate firmware
Supported upgrade path information is available on the Fortinet Customer Service & Support site (https://support.fortinet.com/)
To view supported upgrade path information: To view supported upgrade path information:
1- Go to https://support.fortinet.com and login
2- From the Download menu, select Firmware Images
3- Check that Select Product is Fortigate
4- Click the Upgrade Path tab and select the following:
a. Current Product
b. Current FortiOS Version
c. Upgrade To FortiOS Version
5- Click Go
For each upgrade step, the firmware image can be found on the Fortinet Customer Service & Support site (https://support.fortinet.com/)
To download a FGT firmware image:
1- Go to https://support.fortinet.com and login
2- From the Download menu, select Firmware Images
3- Check that Select Product is Fortigate
4- Click the Download tab and select the sub folder which contain the image you look for (for example v5.00 > 5.4 > 5.4.12)
5- Download the firmware image by clicking on the HTTPS link
It is important to read the release notes which are as well available from the Fortinet Customer Service & Support site (https://support.fortinet.com/) at the same location from where you downloaded the firmware image. Once downloaded, please review the special notices, upgrade information, product integration and support, resolved issue, known issues and limitations
After each upgrade step, please note that the following CLI command “diagnose debug config-error-log read” can be used to check if some settings are lost after the upgrade. Please refer to the following KB article for more information:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD39256
The following firmware versions will have a solution to this issue for other Fortinet products.
FortiMail
5.4.10 & 6.0.6
FortiWeb
6.1.1
FortiAuthenticator
6.0.2
FortiSandbox
3.1.0
Below are the steps to upgrade different Fortinet Products.
Steps to upgrade FortiMail firmware
Steps to upgrade FortiAutheticator firmware
Steps to upgrade FortiWeb firmware
Steps to upgrade FortiSandbox firmware
Fortinet Security Fabric.
Best practices for Firmware upgrade:
Solution 2 - Implement IPS signature.
Fortinet is automatically implementing an IPS signature update to mitigate the risk and help protect customers. Fortigate units with IPS subscription will receive this signature via FortiGuard updates. Additionally, the IPS package can be downloaded manually from the following URL:
https://support.fortinet.com/Download/AvNidsDownload.aspx
Scenario 1 - Networks with the FortiGate as perimeter gateway (or) network gateway and directly connected to Internet
In this scenario, an IPS sensor with IPS signature "Fortinet.Revoked.SSL.Certificates" can be configured to protect the FortiGate unit. This IPS sensor can be applied to an Interface policy on the interface(s) connected to Internet.
Configuration using GUI.
Example configuration on FortiGate unit acts as perimeter gateway and has direct access to Internet.
Step 1) IPS sensor configuration
Configuration using GUI.
Example configuration on FortiGate unit acts as perimeter gateway and has direct access to Internet.
Step 1) IPS sensor configuration
- Connect to FortiGate unit web GUI using browser (Chrome/Firefox etc.).
- Enter Admin credentials and login.
- After login, Create new IPS sensor by navigating to“Security Profiles” > “Intrusion Prevention” and click on the “+” button on the Top right corner of the page or Create New button depending on the firmware version.
For 5.2.x & 5.4.x versions
Ø
For FortiOS 5.6.x, 6.0.x and 6.2.0 versions.
- Enter Name, for example “Block-Vulnerabilities”
- Create filter with the IPS signature "Fortinet.Revoked.SSL.Certificates"
FortiOS 5.2.x
- Click on “Create New” under “Pattern Based Signatures and Filters”
- In the Next screen “Sensor Type” select “Specify Signatures” and search for signature "Fortinet.Revoked.SSL.Certificates" in the search bar.
- Click to Select the signature "Fortinet.Revoked.SSL.Certificates" from signature list and select action “reset”.
- Click OK
- Next screen will show the Selected signature with action as “reset”
- Click “Apply” to save the IPS sensor.
For FortiOS 5.4.x
- Under IPS Signatures, click on the “Add Signatures” button.
- In the Next Window, search for signature "Fortinet.Revoked.SSL.Certificates" in the search bar.
- Select the signature and Click on “Use Selected Signatures”
- The selected signature is now displayed under “IPS Signatures” section.
- Right click the Signature "Fortinet.Revoked.SSL.Certificates" and select action “Reset”, the action will change to Reset.
- Click “Apply” to save the IPS sensor.
FortiOS 5.6.x, 6.0.x and 6.2.0
- Under IPS Signatures, click on the “Add Signatures” button.
- Click on “Add” filter button.
- Click on Name
- Enter the Signature name "Fortinet.Revoked.SSL.Certificates" and select the signature.
- Select the signature and Click on “Use Selected Signatures”
- The selected signature is now displayed under “IPS Signatures” section.
- Right click the Signature "Fortinet.Revoked.SSL.Certificates" and select action “Reset”, the action will change to Reset.
- Click “Apply” to save the IPS sensor.
At this moment, IPS sensor is created with the signature "Fortinet.Revoked.SSL.Certificates" and action set to reset. This IPS sensor can be configured in firewall/interface policies to block this vulnerability.
Step 3) Configure Interface Policy.
|
config firewall interface-policy
|
Note: In case multiple interfaces are connected to the Internet, configure the interface policy for each relevant interface.
When using FortiOS 6.2.0, an additional port needs to be configured.
For example
|
config firewall service custom
config firewall interface-policy
|
Note: In case multiple interfaces are connected to the Internet, configure the interface policy for each relevant interface.
Scenario 2 - Network with the FortiGate as the perimeter Gateway and other Fortinet products in a protected network behind FortiGate.
Fortinet Products including:
FortiMail
FortiAuthenticator
FortiSandbox
FortiWeb
FortiAnalyzer
FortiManager
Also including FortiGate units inside the protected network.
This solution requires all the Fortinet devices inside the protected network reach Internet through the perimeter FortiGate unit.
In this case the traffic from the Internal Fortinet products reach the perimeter FortiGate, a firewall policy on the perimeter FortiGate unit with IPS inspection can be used to mitigate this issue.
Follow the below steps in Scenario 1 to create the IPS sensor with signature "Fortinet.Revoked.SSL.Certificates".
IPS Sensor configuration
Step 1) Configure Address objects for the Fortinet devices in protected network.
Configuration using GUI:
- Connect to FortiGate unit web GUI using browser (Chrome/Firefox etc.).
- Enter Admin credentials and login.
- Navigate to “Policy & Objects” > Addresses > Click on “Create New” and select “Address” in drop-down list.
- In the next screen, Enter name, for example “FortiAnalyzer”
- Select type “Subnet”.
- Subnet / IP Range > Enter the IP address of the device.
- Click “OK” to save the Address object.
Repeat the steps to create more address objects if there are multiple Fortinet products in the network.
Step 2 - Create Address group with Fortinet Devices as members.
- Navigate to “Policy & Objects” > Addresses > Click on “Create New” and select “Address Group” form drop-down list.
- Enter “Group Name”, for example “Fortinet-Devices”
- Under Members, click on “+” button and select the Members form list.
- Click “OK” to save the Address Group configuration.
Step 3 - Create firewall policy for the Fortinet Products in the protected network and apply IPS inspection.
- In GUI, navigate to “Policy & Objects” > Policy > Click on “Create New”
- In the new policy page, Configure the following;
Name > policy name, for example "Fortinet-Devices"
Incoming Interface : Interface connected to Fortinet Devices
Outgoing Interface : Interface connected to Internet
Source : Address created in previous step “Fortinet-Devices”
Destination : Destination Address “all”
Schedule : Always
Service : Select service “ANY” or select required services like HTTPS/DNS etc.
Refer to Step 3 in Scenario 1 about service selection.
Action : Accept
NAT : Enable
Under security Profiles
IPS : Enable and select IPS sensor "Block-Vulnerabilities"
ssl-inspection profile : certificate inspection.
Ø
- In the Above configuration example, FortiGate unit’s Port2 is connected to Internal network.
- Port1 is connected to Internet.
- If the Fortinet devices are connected to different interfaces of the FortiGate unit, similar policy must
- be configured between interfaces connected to Fortinet units and interface connected to Internet.
- If the perimeter FortiGate has multiple interface connecting to Internet, repeat the same steps and create policies for all interfaces connected to Internet.
- After creating the policy (or policies), make sure to move this policy to top of the policy table.
Scenario 3) Hybrid networks with De-Centralized FortiGate units connect to Internet directly.
This scenario is applicable for De-centralized networks where the perimeter FortiGate in Head office and the Branch office FortiGate having direct connection to Internet.
In the above network, the Branch office FortiGate is part of a centralized network but also have direct Internet connection.
In this case please follow Scenario1 to configure and configure the following on branch office FortiGate unit(s).
Note: In case multiple interfaces are connected to Internet, configure the interface policy for all relevant interfaces.
Scenario 4 - Network with Fortinet products directly connected to Internet and FortiGate is in isolated network.
This scenario is applicable for Fortinet products which are directly connected to Internet, but the Internet traffic is not routed through the FortiGate unit.
In the above example, FortiManager is connected to Internet, Internet traffic is routed through another firewall.
FortiGate unit is in an isolated network and receiving package updates from FortiManager.
In this case, the solution is to upgrade the Fortinet products to the latest patch as a solution to this issue.
Please see the Upgrade section.
In case if the Fortigate does not have a valid FortiGuard subscription to receive IPS updates, please follow below steps for solution to this issue.
The Signature package can be downloaded from our support website.
The IPS signature "Fortinet.Revoked.SSL.Certificates" is included in IPS definition version 14.00656 or later.
In case the Fortigate does not have a valid IPS subscription, please contact Fortinet support to obtain the package.
