Cajuntank
Contributor II

New threats and Intrusion Prevention

Just wondering, as I did not want to just assume things, but I had 2 questions as it relates to new threats/vulnerabilities and using IPS to mitigate against them.

1. If an IPS profile is created via filter, will any new signature, updated from the subscription, that matches said filter, automatically also apply? E.g., if I have a filter based on macOS, is a new signature that is macOS applicable dynamically applied as well, since it is a dynamic filter (again, sounds logical, but don't want to assume)?

2. What is the normal turn-around for new vulnerabilities to then be turned around into IPS signatures from FortiGuard for the database to be updated? E.g., Apple has some new vulnerabilities (CVE-2023-41064, CVE-2023-41061) that were disclosed yesterday (but the CVE was created back on the 22nd of last month). FortiGuard has nothing about those on their website as of yet.

Raghu_Kumar
Staff

Hello Cajuntank,

 

1. If you have an active license for IPS, the signatures are actively updated if you have active connectivity to FortiGuard servers.

2. Once a CVE is reported globally, it takes some time for PSIRT (Product Security Incident Response Team) to issue an official release about the CVE.

For the details of the respective CVE, kindly be informed that the relevant information will be shared via our official PSIRT announcement in the near future. Please monitor this page: https://www.fortiguard.com/psirt as the respective information will be published there.
Raghuram Kumar
unknown1020

Hello, is there a way that the new vulnerabilities published on this page can reach me by email, as a notification?

Raghu_Kumar

To get PSIRT notifications:

  1. Log into support.fortinet.com

  2. In the top right corner, click on your name and select My Account

  3. On the Account page, click on My Account (IAM version)

  4. On the left side, click on Account Preferences

  5. On the top right corner of the Account Preferences page click Edit

  6. At the bottom, under PSIRT Contact, enter the email addresses you’d like to have notified of any future PSIRTs released (comma delimited)

  7. Click Update in the top right corner, where you clicked Edit in step 5.

This should get you all email notifications on future PSIRTs.

Raghuram Kumar
unknown1020

Thank you very much, I already added my email. So from now on, if there are new vulnerabilities in FortiOS or other equipment, you should receive a notification.

Cajuntank

I appreciate and thank you for your time responding. I would like to restate and get clarification on question 1, however, since I don't feel like it was confirmed as to what I was asking. The assumption to my inquiry was that of an active license for IPS signatures. What I was wanting a confirmation on was if the sensor was built using a filter, would any new signatures applicable for said filter be dynamically applied to the sensor (which makes logical sense), or is that sensor static at that moment in time of being built (even though a filter was used, i.e., it made the sensor with what was available at that moment in time, but does not dynamically add new signatures that match against the filter until you refresh the sensor yourself), thus making it necessary to refresh that sensor periodically? Again, I feel like the answer logically makes sense that it is dynamically built to include all new IPS signatures as they match up, but I don't want to assume, thus needing confirmation.

FortiNet_Newb

According to the Administrative Guide (for FortiOS 7.2.5 anyway), your assumption is correct.  If you have an active IPS license, the new signatures will be automatically applied to any existing filters.  Here is the excerpt:

 

"The FortiGuard Service periodically adds new predefined signatures to counter new threats. New predefined signatures are automatically included in IPS sensors that are configured to use filters when the new signatures match existing filter specifications. For example, if you have an IPS sensor with a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures that the FortiGuard Service adds to the database."

Cajuntank

Thank you. Exactly what I was looking for.
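The behaviour confirmed in this thread, as an added example that is not part of the original posts and is not FortiOS code: a small Python model contrasting a sensor entry defined by filter criteria with one that pins explicit signature ids, across a signature database update. All class names, ids and sample signatures are constructed for illustration; the model also shows that a new signature is only picked up when it matches the filter's criteria.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    rule_id: int          # constructed ids, not real FortiGuard rule ids
    os: frozenset
    severity: str

@dataclass(frozen=True)
class FilterEntry:
    """Entry defined by criteria: membership is resolved against the current database."""
    os: str
    severities: frozenset
    def matches(self, sig):
        return self.os in sig.os and sig.severity in self.severities

@dataclass(frozen=True)
class PinnedEntry:
    """Entry listing explicit signature ids: membership changes only when edited."""
    rule_ids: frozenset
    def matches(self, sig):
        return sig.rule_id in self.rule_ids

def covered(sensor, database):
    """Ids of all signatures in `database` matched by at least one sensor entry."""
    return {s.rule_id for s in database if any(e.matches(s) for e in sensor)}

def uncovered_new(sensor, old_db, new_db):
    """Ids added by an update that the sensor does not pick up."""
    old_ids = {s.rule_id for s in old_db}
    hit = covered(sensor, new_db)
    return sorted(s.rule_id for s in new_db
                  if s.rule_id not in old_ids and s.rule_id not in hit)

# Constructed sample databases: before and after a signature update.
DB_V1 = [Signature(1001, frozenset({"macOS"}), "high"),
         Signature(1002, frozenset({"Windows"}), "critical")]
DB_V2 = DB_V1 + [Signature(1003, frozenset({"macOS"}), "critical"),
                 Signature(1004, frozenset({"macOS", "Linux"}), "low")]

FILTER_SENSOR = [FilterEntry("macOS", frozenset({"high", "critical"}))]
PINNED_SENSOR = [PinnedEntry(frozenset({1001}))]

if __name__ == "__main__":
    for name, sensor in (("filter", FILTER_SENSOR), ("pinned", PINNED_SENSOR)):
        print(name, sorted(covered(sensor, DB_V2)), uncovered_new(sensor, DB_V1, DB_V2))
```

Running `uncovered_new` after each update is a quick way to see which newly added signatures fall outside a sensor's criteria and may warrant widening the filter.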
