Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Heartbleed-Bug and Fortinet products
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Heartbleed-Bug and Fortinet products
Hi,
have a look at http://heartbleed.com/ - I made a test with some of our own Fortigates and with some of our customers and found, that they are affected.
I tried to test the public ssl portals where valid ssl certificates have been installed.
Can anyone check this please?
A good site to run a test is http://possible.lv/tools/hb/
best regards, TC
best regards, TC
- « Previous
- Next »
34 REPLIES 34
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI, into my inbox this AM:
By now, many of you have heard of the Heartbleed bug, which is a recently disclosed vulnerability that was discovered in OpenSSL versions 1.0.1 through 1.0.1f. This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests. Despite the media hype about this vulnerability, it is worth calling out the facts. Not all Fortinet products were impacted by this bug. In fact, many of our products, such as our FortiWeb (WAF) products, were immune from day one. However, some of our product lines were affected. This includes: FortiGate (FortiOS) 5.0.0 up to 5.0.6 FortiAuthenticator 3.x FortiMail 4.3.x and 5.x FortiVoice models 200D, 200D-T and VM FortiRecorder FortiADC D-Series models 1500D, 2000D and 4000D FortiADC E-Series 3.x Coyote Point Equalizer GX / LX 10.x AscenLink v7.0 and v7.1-B5599 FortiDDoS 4.x FortiDNS Within hours of the discovery, our FortiGuard Labs product security (PSIRT) and security research teams began developing protections and releasing patches for a variety of Fortinet products. Our industry-leading security and threat researchers are well prepared to react to and protect our customers from threats such as Heartbleed, thanks to our existing critical update process. This process has been in place for nearly a decade. Our team is well equipped to analyze, develop, deploy and refactor critical IPS signatures within 48 hours of any breaking attack. Product Updates For FortiGate customers: A software update for FortiOS 5 is available for download on the support site at http://support.fortinet.com. This vulnerability is fixed in FortiOS version 5.0.7. Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability. For FortiMail customers: Software updates for FortiMail 5.0 and 5.1 are now available at http://support.fortinet.com. This vulnerability is fixed in FortiMail versions 5.0.5 and 5.1.2. An update for FortiMail 4.3 will be released on Monday April 14th. For FortiVoice customers: Software updates for affected FortiVoice products will be released on or before Wednesday April 16th. Note that only FortiVoice 200D, 200D-T and VM products are affected. For FortiRecorder customers: An updated version of FortiRecorder software is now available on the Fortinet support site. This vulnerability is fixed in FortiRecorder version 1.4.1. For FortiADC and Coyote Point customers: Updates will be provided for FortiADC D-Series on or before Wednesday April 16th. The release timeline for FortiADC E-series and Coyote Point products can be found in the following advisory: http://www.coyotepoint.com/files/downloads/EqSecurityVulnerabilities.pdf For AscenLink customers: A software fix for AscenLink will be available in version 7.1-B5745, which will be available on the support site at http://support.fortinet.com on Tuesday, April 15th. For users with existing Xtera AscenLink systems still using firmware below V7.1 with Xtera Serial Numbers (AAAA-BBBB-CCCC-DDDD), or any issues accessing Fortinet Support, please contact ascenlink@fortinet.com. Firmware release dates for other products are pending. More information can be found here: http://www.fortiguard.com/advisory/FG-IR-14-011/ Protecting Against Heartbleed Attacks In addition to patching our own products in rapid succession, our FortiGuard Labs team developed an IPS signature to thwart potential Heartbleed attacks. Customers should make sure that they update their FortiGate IPS signatures in order to protect their network from Heartbleed-based attacks. The IPS signature was released in IPS update 4.476 and is named: " OpenSSL.TLOpenSSL.TLS.Heartbeat.Information.Disclosure" . On Friday, April 11, an additional out-of-band IPS update (4.480) was released to our customers providing additional protection under the same name against “reverse Heartbleed†attacks. Customers must have a current/active FortiGuard service subscription to get this IPS signature. Additionally, FortiWeb (our web application firewall) provides 100% protection against Heartbleed. When a FortiWeb hardware or virtual appliance is deployed inline using either Reverse Proxy or Transparent Proxy modes it will automatically protect all applications behind the web application firewall from this OpenSSL exploit. In summary, Fortinet wants you to know that of the small number of products that were affected by Heartbleed, we have patched most of these; the remaining patches to be released very soon. More so, we are pleased to state that our FortiGate IPS signatures and FortiWeb products provide protection against Heartbleed. Our threat research team continues to monitor this vulnerability, and we will provide further updates through our FortiGuard blog and security advisories. Sincerely, Michael Xie Co-Founder and Chief Technology Officer Fortinet Phone: 1-866-868-3678 www.fortinet.com
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I am exposing my ignorance here. I followed the work around below. Shouldn' t I see this policy listed under DOS POlicy in the GUI?
The following workarounds are available:
1. Apply the mitigating IPS signature to interface policies on affected FortiGate devices. The IPS signature was released in IPS update 4.476 and is named " OpenSSL.TLS.Heartbeat.Information.Disclosure" . Note that this will affect traffic destined to the FortiGate and transit traffic. Follow the steps below to configure the FortiGate firewall to use this signature:
1.1. Applying the signature to an IPS profile.
Use the following syntax to create a new IPS profile. The new profile will reset SSL connections attempting to use the OpenSSL Heartbleed vulnerability.
config ips sensor
edit " ssl.heartbleed"
config entries
edit 1
set action reset
set rule 38307
set status enable
next
end
next
end
1.2. Define an SSL services group.
Note: This group is only provided as a sample service group. Include all SSL service ports that are applicable in your environment.
config firewall service custom
edit " SSLVPN"
set tcp-portrange 10443
next
end
config firewall service group
edit " SSL-Services"
set member " HTTPS" " SSLVPN"
next
end
1.3. Apply this sensor to an interface policy (which applies to both local and transit traffic) or regular firewall policy (transit traffic only).
Make sure the policy to which this sensor is applied is specific to SSL services.
To apply an IPS signature to an interface policy, use the following steps:
Note: this policy will protect the FortiGate itself on the WAN1 interface and all transit traffic arriving on the WAN1 interface for SSL services only.
config firewall interface-policy
edit 0
set interface " wan1"
set srcaddr " all"
set dstaddr " all"
set service " SSL-Services"
set ips-sensor-status enable
set ips-sensor " ssl.heartbleed"
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Chris,
If you did not fat-finger your request (not listed under DoS?), DoS is pretty much just a packet storm quencher, it doesn' t care about the characteristic of the packet. So you would not see this particular IPS rule listed there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response Shrew, but where (if anywhere) would I see this new policy?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have ' multiple security profiles' enabled?
System->Config->Features
- « Previous
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,811 -
FortiClient
1,788 -
5.2
801 -
FortiManager
746 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
217 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Customer Service
81 -
Wireless Controller
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
46 -
DNS
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
37 -
NAT
37 -
SAML
36 -
Certificate
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
Interface
32 -
VDOM
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1747 | |
| 1114 | |
| 760 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.