Would appreciate a response from Fortinet regarding the Apache log4 vulnerability if any Fortinet product
is affected.
Any information regarding updated IPS signature for CVE-2021-44228?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
PSIRT advisory on impacted products can be found here:
https://www.fortiguard.com/psirt/FG-IR-21-245
Dr. Carl Windsor Field Chief Technology Officer Fortinet
Created on 12-12-2021 12:58 AM Edited on 12-12-2021 01:11 AM
where are you finding the signature ? "Then search the log4j signature and click add to signature." I cannot find the syntax for this ?
make sure your IPS version is updated to the latest version:
If not, perform the update first
Run exec update-now and verify if the IPS attack definition is on 19.00215. This will include the signature and then have to set the action to 'block' manually.
Since this was the emergency release, default action is still pass.
Make sure you've updated your signatures. Edit the sensor (ex all_default), under IPS signatures and filters, +Create New, click "Signature", action drop down Block, Enable, and then in the search type Log4. Click on it and add selected. Did I do that right?
Thank you that did the trick!
I've already done that. You need to click the "Add Signatures" button in the "Security profiles" section and in the "Instruction Protection" tab, then a window opens with a list of all signatures and you search for "log4j" in the search, click on its line and then add it with the "Use Selected Signatures" button. After that, it will appear in your table of added signatures and by right-clicking on its row you will open a list of applicable functions, including blocking.
With respect,
Daniil Dubosarskij
cit.rkomi.ru
Just like shown here:
Running Fortigate fortiOS 6.2.9 and IPS engine Version 5.00245 and definitions Version 19.00215, the signature is there. As previously stated, I had to set the action to block as the default is default and the default for the signature is pass. It was not greyed our for me.
Does anybody (...from FTNT) know whether FortiADC is affected? If so, is any firmware version patched? In https://www.fortiguard.com/psirt/FG-IR-21-245, FortiADC is mentioned neither in "affected" nor in "not affected" section.
i noticed handful CVEs are set to pass in default including log4j. Aren't CVEs especially critical supposed to be blocked in default?
i just set all above medium to be blocked. what is the impact if i set all CVEs blocked?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.