- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Heartbleed-Bug and Fortinet products
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heartbleed-Bug and Fortinet products
Hi,
have a look at http://heartbleed.com/ - I made a test with some of our own Fortigates and with some of our customers and found, that they are affected.
I tried to test the public ssl portals where valid ssl certificates have been installed.
Can anyone check this please?
A good site to run a test is http://possible.lv/tools/hb/
best regards, TC
best regards, TC
34 REPLIES 34
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' d like to better understand this new signature.
Its listed as attack ID 38307, but I cannot tweak it in an IPS policy, and it is catching many of our employees' outbound traffic. Since it is listed as critical, even though it is only detected, we quarantine Critical for 5 minutes, meaning we are knocking several hundred people offline all day!
If I pick any other signature and set it to monitor, then go into CLi, and switch that signature ID with 38307, it shows up as NULL, and people continue to get banned.
I also don' t understand what this signature is seeing in standard outbound traffic...is it blocking ANY SSL handshake that includes a TLS? Our PCs are heavily locked down with a whitelist (only around 2,000 websites allowed), so these machines are certainly not infected with malware or hack tools, that this many PCs would get knocked offline going to generic, business sites.
EDIT: The majority of our Fortinets run 4.3 p15, and are the ones doing the banning.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its working fine for me,
1. Created a new IPS profile
2. Added the signature, and changed the action to " block"
3. Then went to CLI and created an interface-policy
4. Selecting my Internet interfaces
5. Enabled the IPS and selected my profile and service HTTPS
6. Done
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi selective,
I understand what you did, but
1) I don' t have any inbound rules, so I am not protecting anything from the outside
2) 38307 was added to the larger sets of rules, and included in Default and All Default.
3) I cannot create an IPS policy that EXCLUDES 38307 and apply it to outbound traffic rules
4) Outbound traffic from internal users are getting tripped up on this rule, blocking what still appears to be standard traffic (IE10 and IE11, no add-ons).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The IPS signature works well, we' ve noticed a significant amount of hits from Chinese IPs so far, I guess testing for the vulnerability.
NSE8
Fortinet Expert partner - Norway
NSE8Fortinet Expert partner - Norway
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, same here, let them try ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am now able to select that rule and manipulate it, so they must have made some update.
Is no one else seeing outbound SSL traffic getting blocked by this rule though?
I manage over 200 Fortinets, so I have a higher visibility, but I was curious if anyone else is seeing internal users at minimum getting flagged (we have a bigger issue because we quarantine critical)?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I' m seeing several outbound hits a day from clients in our small network. I' m on MR3 P15 so apparently it' s secure externally but I' d like to know what the outbound hits imply.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try enabling packet archiving and see what you get in wireshark.
NSE8
Fortinet Expert partner - Norway
NSE8Fortinet Expert partner - Norway
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After applying the 5.0.7 update, and following the guidance of http://www.fortiguard.com/advisory/FG-IR-14-011/ in setting up an interface-policy, shouldn' t the article also discuss regenerating new uncompromised private key and then importing private/public pair?
Which certificates need to be regenerated if you are using the pre-shipped certificates?
Thanks!
-Neil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' d like to know the answer to that as well
NSE8
Fortinet Expert partner - Norway
NSE8Fortinet Expert partner - Norway
Related Posts
- Fortinet GNS3 images 64 Views
- Fortinet GNS3 image 128 Views
- Fortimail False positives 148 Views
- How to configure a FortiGate as... 98 Views
- Vdom setup with ISP LAN pool 357 Views
Labels
-
FortiGate
6,681 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.