Fortinet Forum
netmanb2k
New Contributor II

On Fortigate firewall do we need to take any actions against LOG4J ?

4 Solutions
kitkat09811
New Contributor II

Yes! You should protect any servers that are internet facing. If you're not doing SSL inspection on inbound HTTPS communication and your webservers are vulnerable, this would not be good. IPS Signature database 19.00215 is the updated signature database which has the log4j signature, although you need to set up this IPS signature as block since by default it's set to pass.


JWJ
Staff

Just in case, another user submitted a quick and dirty "How-To" for changing the default action of "Allow" to "Block" on the log4j signature.

Security Profiles

Intrusion Prevention

Edit Sensor

Add Signature

Type = Signature

Action = Block

Status = enable.

Then search the log4j signature and click add to signature.

[Apache.Log4j.Error.Log.Remote.Code.Execution]

Save.

Move to the top of the signatures list.

Save


Thanks @none1234 for posting.


kitkat09811
New Contributor II

And to add to @JWJ, here is a screenshot of the IPS Sensor:

[screenshot: Capture.PNG]


kitkat09811
New Contributor II

And by default it's set to pass, as seen on this screenshot, so make sure to change it to block.

[screenshot: Capture.PNG]

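Added example, not from the thread or from Fortinet: the FortiOS CLI equivalent of the GUI steps in JWJ's post, with the action set explicitly to block (the default is pass, as kitkat09811's screenshot shows) and the sensor attached to a firewall policy together with SSL inspection, since IPS cannot match the signature inside inbound HTTPS it does not decrypt. The sensor name "log4j-sensor", policy ID 10 and the SSL profile name are placeholders, and <RULE_ID> stands for the numeric ID shown next to Apache.Log4j.Error.Log.Remote.Code.Execution in the IPS signature list.

```text
# Placeholders: sensor name, policy ID, SSL profile name and <RULE_ID>.
config ips sensor
    edit "log4j-sensor"
        config entries
            edit 1
                # Explicit entry for the Log4j signature; entry 1 is evaluated
                # before entry 2, which is what "move to the top" does in the GUI.
                set rule <RULE_ID>
                set status enable
                set log enable
                set log-packet enable   # keep the packet for incident review
                set action block        # signature default is pass, so set block explicitly
            next
            edit 2
                # Broad entry after the explicit one, keeping vendor defaults
                set severity high critical
                set action default
            next
        end
    next
end

# The sensor only takes effect on a policy with UTM enabled. For inbound HTTPS
# to your own web servers, pair it with an SSL profile holding the server's
# certificate so the request body is visible to IPS.
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "log4j-sensor"
        set ssl-ssh-profile "inbound-server-inspection"   # placeholder profile name
    next
end
```

After applying, confirm a hit on this signature appears as action "blocked" rather than "detected" in the IPS logs.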
