FortiGate
kcheng
Staff
Article Id 291944
Description: This article describes the solution when the virtual-patch option is not visible in the local-in policy.
Scope: FortiGate 7.2.4 and above, FortiOS 7.4.2.
Solution

According to the administration guide, virtual patching mitigates vulnerability exploits by using FortiGate's IPS signatures to block known vulnerabilities.

Reference: Optimize virtual patching on the local-in interface 7.4.2.

  1. To configure virtual patching on the FortiGate, the following requirements must be met:

     FortiGate must have a valid Firmware (FMWR) license to install the FMWP database. Verify that the firewall has this license with the following command (grep -A 6 prints the six lines under the 'FMWP Definitions' heading):

     diagnose autoupdate versions | grep -A 6 FMWP
     FMWP Definitions
     ---------
     Version: 23.00084 signed
     Contract Expiry Date: Wed Jan 1 2031
     Last Updated using manual update on Wed Sep 6 15:19:11 2023
     Last Update Attempt: Wed Sep 6 15:40:08 2023
     Result: No Updates
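To turn the license check above into something that can be run against a saved CLI capture, here is an added Python example that is not part of the Fortinet article: it parses the output of diagnose autoupdate versions into sections, picks out the FMWP Definitions section, and reports whether the contract is still valid on a given date. The sample output is constructed from the lines shown above (the IPS Attack Engine section is added only to show that the parser selects the right section), and the function names are this example's own.

```python
# Added example, not part of the Fortinet article: parse the output of
# "diagnose autoupdate versions" and report whether the FMWP database is
# installed and its contract is still valid on a given date.
import re
from datetime import date, datetime

# Constructed sample output modelled on the lines the article shows; the
# "IPS Attack Engine" section is included only to show that the parser
# picks the right section out of a multi-section dump.
SAMPLE_OUTPUT = """\
IPS Attack Engine
---------
Version: 7.00344 signed
Contract Expiry Date: Wed Jan 1 2031
Last Updated using manual update on Wed Sep 6 15:19:11 2023
Last Update Attempt: Wed Sep 6 15:40:08 2023
Result: No Updates

FMWP Definitions
---------
Version: 23.00084 signed
Contract Expiry Date: Wed Jan 1 2031
Last Updated using manual update on Wed Sep 6 15:19:11 2023
Last Update Attempt: Wed Sep 6 15:40:08 2023
Result: No Updates
"""

# "Key: value" lines; the key is letters and spaces only, so the
# "Last Updated using manual update on <date>" line is skipped.
_FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_autoupdate_versions(text):
    """Split the dump into sections keyed by their heading line."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends the section
            continue
        if current is None:
            current = line          # first non-blank line is the heading
            sections[current] = {}
            continue
        if set(line) == {"-"}:
            continue                # the '---------' separator
        m = _FIELD_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def fmwp_status(text, today):
    """Return installed/version/expiry/valid for the FMWP Definitions section.

    `today` may be a datetime.date or an ISO string such as "2024-01-01".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    section = parse_autoupdate_versions(text).get("FMWP Definitions")
    if section is None:
        return {"installed": False, "version": None, "expiry": None, "valid": False}
    parts = section.get("Version", "").split()   # "23.00084 signed" -> "23.00084"
    version = parts[0] if parts else None
    expiry = None
    raw_expiry = section.get("Contract Expiry Date")
    if raw_expiry:
        # Date format as printed by FortiOS, e.g. "Wed Jan 1 2031"
        expiry = datetime.strptime(raw_expiry, "%a %b %d %Y").date()
    valid = expiry is not None and today <= expiry
    return {"installed": True, "version": version, "expiry": expiry, "valid": valid}


if __name__ == "__main__":
    print(fmwp_status(SAMPLE_OUTPUT, date.today()))
```

Feed it the text captured from the CLI; a result with installed False means the FMWP database (and therefore the license) is absent, and valid False with installed True means the contract has lapsed.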

The extended IPS database must be enabled so that more vulnerabilities are covered:

config ips global
    set database extended
end

  1. When configuring the local-in-policy, the virtual-patch command is not visible by default:

     vp1.png

  2. The reason is that a local-in policy is created with the default action 'deny':

     deny.png

  3. Virtual patching is visible only when the action of the local-in policy is set to accept:

     accept.png

     If the option is still not visible after the action is set to 'accept', type 'next' to save the policy while still inside config firewall local-in-policy, then re-enter it with edit <id>, replacing <id> with the index number of the newly created local-in policy.
  4. The virtual-patch option is disabled by default. Enable it with the following command:

     config firewall local-in-policy
         edit <policy_id>
             set virtual-patch enable
     end

     vp_en.png

  5. The fields marked with an asterisk '*' are mandatory when creating a local-in policy:

     config firewall local-in-policy
         edit 1
             set
                 uuid             Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
                 *intf            Incoming interface name from available options.
                 *srcaddr         Source address object from available options.
                 srcaddr-negate   When enabled, srcaddr specifies what the source address must NOT be.
                 *dstaddr         Destination address object from available options.
                 dstaddr-negate   When enabled, dstaddr specifies what the destination address must NOT be.
                 action           Action performed on traffic matching the policy (default = deny).
                 *service         Service object from available options.
                 service-negate   When enabled, service specifies what the service must NOT be.
                 *schedule        Schedule object from available options.
                 status           Enable/disable this local-in policy.
                 comments         Comment.

  1. Before creating the policy, create the Local_In Source Address and Local_In Destination Address objects:

     config firewall address
     (address) # edit "Local_In Source"
     (Local_In Source) # show
         config firewall address
             edit "Local_In Source"
                 set subnet 192.168.0.1 255.255.255.255
             next
         end

     config firewall address
     (address) # edit "Local_in Destination"
     (Local_in Destination) # show
         config firewall address
             edit "Local_in Destination"
                 set subnet 172.16.0.1 255.255.255.255
             next
         end

  2. Create the Local_In policy with virtual-patch enabled:

     config firewall local-in-policy
     (local-in-policy) # edit 1
     (1) # sh full-configuration
         config firewall local-in-policy
             edit 1
                 set uuid e189bfb2-c1ac-51ee-cdb3-d01f576aa343
                 set intf "port7"
                 set srcaddr "Local_In Source"
                 set srcaddr-negate disable
                 set dstaddr "Local_in Destination"
                 set dstaddr-negate disable
                 set action accept  <---
                 set service "ALL"
                 set service-negate disable
                 set schedule "always"
                 set status enable
                 set virtual-patch enable  <---
                 set comments ''
             next
         end

  3. Multiple interfaces can be configured in a Local_In policy with virtual-patch enabled:

     config firewall local-in-policy
     (local-in-policy) # sh full-configuration
         config firewall local-in-policy
             edit 1
                 set uuid e189bfb2-c1ac-51ee-cdb3-d01f576aa343
                 set intf "port7"
                 set srcaddr "Local_In Source"
                 set srcaddr-negate disable
                 set dstaddr "Local_in Destination"
                 set dstaddr-negate disable
                 set action accept
                 set service "ALL"
                 set service-negate disable
                 set schedule "always"
                 set status enable
                 set virtual-patch enable
                 set comments ''
             next
             edit 2
                 set uuid fc8cfd1a-c1b1-51ee-f5f5-35e90f2397fb
                 set intf "port8" "port9"
                 set srcaddr "all"
                 set srcaddr-negate disable
                 set dstaddr "all"
                 set dstaddr-negate disable
                 set action accept
                 set service "ALL"
                 set service-negate disable
                 set schedule "always"
                 set status enable
                 set virtual-patch enable
                 set comments ''
             next
         end
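The mandatory-field table in step 5 and the multi-interface policies above both describe what a correct local-in policy looks like; the following added Python example (not part of the Fortinet article) checks a saved sh full-configuration dump against them. It parses the config firewall local-in-policy table, keeping multi-valued settings such as set intf "port8" "port9" as lists, then reports policies that lack a mandatory field, accept policies without virtual-patch enable, and any non-accept policy that somehow carries virtual-patch enable. The sample configuration is constructed from the article's output, with a second accept policy that lacks virtual-patch and a third deny policy added to exercise the checks; the function names and finding texts are this example's own.

```python
# Added example, not part of the Fortinet article: parse the
# "config firewall local-in-policy" section of a FortiOS
# "show full-configuration" dump and audit each policy.
import shlex

# Fields the article marks with '*' as mandatory for a local-in policy.
MANDATORY_FIELDS = ("intf", "srcaddr", "dstaddr", "service", "schedule")

# Constructed sample modelled on the article's output: policy 1 mirrors the
# article, policy 2 is an accept policy that lacks virtual-patch, and
# policy 3 is a deny policy, where virtual patching is not offered.
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set uuid e189bfb2-c1ac-51ee-cdb3-d01f576aa343
        set intf "port7"
        set srcaddr "Local_In Source"
        set srcaddr-negate disable
        set dstaddr "Local_in Destination"
        set dstaddr-negate disable
        set action accept
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status enable
        set virtual-patch enable
        set comments ''
    next
    edit 2
        set intf "port8" "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
        set status enable
    next
    edit 3
        set intf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
end
"""


def parse_local_in_policies(text):
    """Return {policy_id: {field: [values]}} for the local-in-policy table."""
    policies = {}
    in_block = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)  # honours the "..." and '...' quoting FortiOS prints
        if words[:3] == ["config", "firewall", "local-in-policy"]:
            in_block = True
        elif not in_block:
            continue  # ignore every other config table in the dump
        elif words[0] == "edit" and len(words) > 1:
            current = words[1]
            policies[current] = {}
        elif words[0] == "set" and len(words) > 1 and current is not None:
            policies[current][words[1]] = words[2:]
        elif words[0] == "next":
            current = None
        elif words[0] == "end":
            in_block = False
    return policies


def audit_local_in_policies(policies):
    """Return (policy_id, finding) pairs; an empty list means nothing to report."""
    findings = []
    for pid, fields in policies.items():
        for name in MANDATORY_FIELDS:
            if not fields.get(name):
                findings.append((pid, f"missing mandatory field '{name}'"))
        action = fields.get("action", ["deny"])[0]            # FortiOS default is deny
        vpatch = fields.get("virtual-patch", ["disable"])[0]  # default is disable
        if action == "accept" and vpatch != "enable":
            findings.append((pid, "accept policy without virtual-patch enable"))
        elif action != "accept" and vpatch == "enable":
            findings.append((pid, "virtual-patch enable on a non-accept policy"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit_local_in_policies(parse_local_in_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Run against the constructed sample it reports only policy 2, the accept policy that was saved without virtual-patch; a dump where every accept policy carries set virtual-patch enable and all asterisked fields produces no findings.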