Why USB Auto-Install of Firmware Should Be Disabled on a FortiGate Firewall – Insecure Firewall Configuration

Vulnerability: USB auto-install of firmware and configuration is enabled in the firewall configuration. Insecure firewall configuration.

Description: The FortiGate firewall is not configured as per best practice: it will upgrade or restore its firmware and configuration from a USB key. During the console review it was found that USB auto-install is enabled, which is the FortiOS default. With auto-install enabled, the unit installs the firmware image and configuration file found on an inserted USB key when it reboots. An unplanned reboot of a firewall also means an outage for everything behind it. This misconfiguration should be counted as a vulnerability.

Impact: USB auto-install allows an attacker with physical access to the unit's USB port, and the ability to reboot or power-cycle it, to load malicious firmware and a malicious configuration while the firewall boots. Malicious firmware or configuration could open doors for the attacker into the organization's network, for example by adding firewall policies, administrator accounts or VPN access that the legitimate administrators did not configure.

Solution:

USB auto-install should be disabled when it is not in use. Upgrade firmware over the network through the administrative GUI or CLI instead, and verify the setting afterwards with "show system auto-install".

The "config system auto-install" command configures automatic installation of firmware and system configuration from a USB key when the FortiGate unit restarts. The command is available only on units that have a USB port.

The following steps show how to enable or disable USB auto-install.

Go to System > Maintenance > Advanced > USB auto-install > Enable

When USB auto-install is enabled, FortiOS automatically installs the firmware image and the configuration file at boot if files with the configured names are found on the inserted USB key.

config system auto-install
set auto-install-config enable
set auto-install-image enable
set default-config-file "Fortigate_netsecaddcit.conf"
set default-image-file "Fgt_30E.out"
end

Go to System > Maintenance > Advanced > USB auto-install > Disable

We recommend disabling USB auto-install of both firmware and configuration to remove this exposure. The file-name settings can be left as they are; they have no effect while auto-install is disabled.

config system auto-install
set auto-install-config disable
set auto-install-image disable
set default-config-file "Fortigate_netsecaddcit.conf"
set default-image-file "Fgt_30E.out"
end
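To check this setting across many units without logging in to each one, the auto-install block can be read straight out of a configuration backup (the same text that "show system auto-install" prints). The script below is an added example written for this post, not code from Fortinet or from the original page. It parses the "config system auto-install" block of a backup, treats a missing key as the FortiOS default of enable (an assumption worth keeping, since backups omit settings left at their defaults), and reports a finding for each of the two switches that is still on. The sample backups, hostname and file names are constructed for the demo.

```python
"""Audit FortiGate configuration backups for USB auto-install settings.

Added example for this post; not Fortinet code. Parses the
'config system auto-install' block of a config backup and reports whether
firmware/config auto-install from a USB key is still enabled.
"""
import re

# Constructed sample backups (not from a real device). The first carries the
# insecure settings shown in the post, the second the hardened ones.
SAMPLE_INSECURE = """\
#constructed sample backup, not a real FortiGate export
config system global
    set hostname "FGT-EDGE-01"
end
config system auto-install
    set auto-install-config enable
    set auto-install-image enable
    set default-config-file "Fortigate_netsecaddcit.conf"
    set default-image-file "Fgt_30E.out"
end
"""

SAMPLE_SECURE = """\
config system auto-install
    set auto-install-config disable
    set auto-install-image disable
end
"""

# The block runs from its 'config system auto-install' line to the next line
# that starts with 'end'; nothing inside the block begins with 'end'.
BLOCK_RE = re.compile(r"^config system auto-install\s*$(.*?)^end\s*$", re.S | re.M)
# One 'set <key> <value>' line; the value may be quoted.
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+"?([^"\n]*)"?\s*$', re.M)


def parse_auto_install(config_text):
    """Return the auto-install settings found in a config backup as a dict.

    Assumption: a backup omits settings that are at their default, and the
    FortiOS default for both auto-install switches is 'enable', so a missing
    key (or a missing block) is reported as enabled rather than as unknown.
    """
    settings = {"auto-install-config": "enable", "auto-install-image": "enable"}
    match = BLOCK_RE.search(config_text)
    if match:
        for key, value in SET_RE.findall(match.group(1)):
            settings[key] = value.strip()
    return settings


def audit_auto_install(config_text):
    """Return a list of finding strings; an empty list means compliant."""
    s = parse_auto_install(config_text)
    findings = []
    if s["auto-install-image"] == "enable":
        findings.append(
            "auto-install-image enabled: firmware %s on a USB key is installed at boot"
            % (repr(s["default-image-file"]) if "default-image-file" in s else "(default file name)")
        )
    if s["auto-install-config"] == "enable":
        findings.append(
            "auto-install-config enabled: configuration %s on a USB key is restored at boot"
            % (repr(s["default-config-file"]) if "default-config-file" in s else "(default file name)")
        )
    return findings


def is_compliant(config_text):
    """True when neither firmware nor configuration auto-install is enabled."""
    return not audit_auto_install(config_text)


if __name__ == "__main__":
    for name, text in (("insecure", SAMPLE_INSECURE), ("secure", SAMPLE_SECURE)):
        print("%s backup: %s" % (name, "compliant" if is_compliant(text) else "NON-COMPLIANT"))
        for finding in audit_auto_install(text):
            print("  - " + finding)
```

Run it over a directory of backups to get a per-device list; a backup that has no "config system auto-install" block at all is reported as non-compliant on purpose, because the absence of the block means the device is still at the enable default.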
