We had a popup today on an end user machine indicated a detection and block for this. I can't find a reason for it, though. It's a workstation without Apache or Log4J installed. Does this plugin identify going to a vulnerable external website? My impression is that it only triggered on a machine if the machine itself was vulnerable.
Problem with this issue, the actual vulnerability can be behind the system being targetted (see the blog here). FortiGate has no way of knowing if the server is vulnerable or of there is log4j somewhere in the path, just that the payload has been sent e.g. in a HTTP header. This is the block you are seeing.
To know if you are potentially vulnerable, block outbound LDAP and look for triggers to the FW rule.
Dr. Carl Windsor
Field Chief Technology Officer