Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TC_Hessen
New Contributor

Heartbleed-Bug and Fortinet products

Hi, have a look at http://heartbleed.com/ - I made a test with some of our own Fortigates and with some of our customers and found, that they are affected. I tried to test the public ssl portals where valid ssl certificates have been installed. Can anyone check this please? A good site to run a test is http://possible.lv/tools/hb/
best regards, TC
ShrewLWD
Contributor

I'd like to better understand this new signature. It's listed as attack ID 38307, but I cannot tweak it in an IPS policy, and it is catching many of our employees' outbound traffic. Since it is listed as critical, even though it is only detected, we quarantine Critical for 5 minutes, meaning we are knocking several hundred people offline all day! If I pick any other signature and set it to monitor, then go into the CLI and switch that signature ID with 38307, it shows up as NULL, and people continue to get banned. I also don't understand what this signature is seeing in standard outbound traffic... is it blocking ANY SSL handshake that includes a TLS? Our PCs are heavily locked down with a whitelist (only around 2,000 websites allowed), so these machines are certainly not infected with malware or hack tools, that this many PCs would get knocked offline going to generic, business sites. EDIT: The majority of our Fortinets run 4.3 p15, and are the ones doing the banning.
Carl_Wallmark

It's working fine for me:
1. Created a new IPS profile
2. Added the signature, and changed the action to "block"
3. Then went to CLI and created an interface-policy
4. Selecting my Internet interfaces
5. Enabled the IPS and selected my profile and service HTTPS
6. Done

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
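The steps above expressed as FortiGate CLI configuration, as an added example rather than Carl's own config: a dedicated IPS sensor holding signature 38307 set to block, bound by an interface-policy to the Internet-facing interface and the HTTPS service only. The syntax is assumed to follow FortiOS 5.0 (check it against your firmware's CLI reference), and the sensor name and the interface name "wan1" are placeholders.

```fortios
# Sensor containing only the Heartbleed signature (ID 38307 from the thread),
# set to block so probes against the published SSL portals are dropped.
config ips sensor
    edit "heartbleed-inbound"
        config entries
            edit 1
                set rule 38307
                set status enable
                set action block
            next
        end
    next
end

# Interface policy on the Internet-facing interface, restricted to HTTPS.
# Sessions that arrive on wan1 (clients hitting the SSL portals) are inspected;
# employees' outbound browsing from internal interfaces is not, which avoids
# the outbound quarantine problem described earlier in the thread.
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set ips-sensor-status enable
        set ips-sensor "heartbleed-inbound"
    next
end
```

Watch the IPS logs after applying it: hits on this policy show who is probing your public portals, and patching the SSL endpoints themselves (and re-keying their certificates) remains the actual fix.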
ShrewLWD

Hi selective, I understand what you did, but:
1) I don't have any inbound rules, so I am not protecting anything from the outside
2) 38307 was added to the larger sets of rules, and included in Default and All Default.
3) I cannot create an IPS policy that EXCLUDES 38307 and apply it to outbound traffic rules
4) Outbound traffic from internal users is getting tripped up on this rule, blocking what still appears to be standard traffic (IE10 and IE11, no add-ons).
simonorch

The IPS signature works well; we've noticed a significant amount of hits from Chinese IPs so far, I guess testing for the vulnerability.
Carl_Wallmark

Yep, same here, let them try ;)

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
ShrewLWD

I am now able to select that rule and manipulate it, so they must have made some update. Is no one else seeing outbound SSL traffic getting blocked by this rule though? I manage over 200 Fortinets, so I have a higher visibility, but I was curious if anyone else is seeing internal users at minimum getting flagged (we have a bigger issue because we quarantine critical)?
3pointD

Yes, I'm seeing several outbound hits a day from clients in our small network. I'm on MR3 P15, so apparently it's secure externally, but I'd like to know what the outbound hits imply.
simonorch

Try enabling packet archiving and see what you get in wireshark.
NeilG

After applying the 5.0.7 update, and following the guidance of http://www.fortiguard.com/advisory/FG-IR-14-011/ in setting up an interface-policy, shouldn't the article also discuss regenerating a new, uncompromised private key and then importing the private/public pair? Which certificates need to be regenerated if you are using the pre-shipped certificates? Thanks! -Neil
simonorch

I'd like to know the answer to that as well