Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
netmanb2k
New Contributor II

Created on ‎12-13-2021 11:11 AM

On Fortigate firewall do we need to take any actions against LOG4J ?

On Fortigate firewall do we need to take any actions against LOG4J ?

Labels:
3887
0 Kudos
4 Solutions
kitkat09811
New Contributor II

Created on ‎12-13-2021 11:53 AM

yes !  you should protect any servers that are internet facing. If your not doing SSL inspection on inbound HTTPS communication and your webservers are vulnerable, this would not be good.  IPS Signature database 19.00215 is the updated signature database which has the log4j signature, although you need to setup this IPS signature as block since by default it's set to pass.

View solution in original post

3868
JWJ
Staff
Staff

Created on ‎12-13-2021 12:50 PM Edited on ‎12-13-2021 12:52 PM

Just in case, another user submitted a quick and dirty "How-To" for changing the default action of "Allow" to "Block" on the log4j signature.

Security Profiles

Intrusion Prevention

Edit Sensor

Add Signature

Type = Signature

Action = Block

Status = enable.

Then search the log4j signature and click add to signature.

[Apache.Log4j.Error.Log.Remote.Code.Execution]

Save.

Move to the top of the signatures list.

Save

 

Thanks @none1234 for posting.

View solution in original post

3849
kitkat09811
New Contributor II

Created on ‎12-13-2021 12:56 PM

and to add to @JWJ , here is a screenshot of the IPS Sensor:

Capture.PNG

View solution in original post

3843
kitkat09811
New Contributor II

Created on ‎12-13-2021 12:58 PM

and as default it's set to pass as seen on this screenshot, so make sure to change it to blockCapture.PNG

View solution in original post

3841
4 REPLIES 4
kitkat09811
New Contributor II

Created on ‎12-13-2021 11:53 AM

yes !  you should protect any servers that are internet facing. If your not doing SSL inspection on inbound HTTPS communication and your webservers are vulnerable, this would not be good.  IPS Signature database 19.00215 is the updated signature database which has the log4j signature, although you need to setup this IPS signature as block since by default it's set to pass.

3869
JWJ
Staff
Staff

Created on ‎12-13-2021 12:50 PM Edited on ‎12-13-2021 12:52 PM

Just in case, another user submitted a quick and dirty "How-To" for changing the default action of "Allow" to "Block" on the log4j signature.

Security Profiles

Intrusion Prevention

Edit Sensor

Add Signature

Type = Signature

Action = Block

Status = enable.

Then search the log4j signature and click add to signature.

[Apache.Log4j.Error.Log.Remote.Code.Execution]

Save.

Move to the top of the signatures list.

Save

 

Thanks @none1234 for posting.

3850
kitkat09811
New Contributor II

Created on ‎12-13-2021 12:56 PM

and to add to @JWJ , here is a screenshot of the IPS Sensor:

Capture.PNG

3844
kitkat09811
New Contributor II

Created on ‎12-13-2021 12:58 PM

and as default it's set to pass as seen on this screenshot, so make sure to change it to blockCapture.PNG

3842
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.