FortiOS flow-mode detection bypass under certain conditions
Summary
A FortiGate configured to use flow-based protection will stop monitoring
network sessions that are active at the moment a scanning engine is
reloaded after an update (a nearly instantaneous process).
This tends to affect long-lived network sessions, which are likely to remain
open during and after an update, such as SMBv3 sessions.
Description
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active at the moment a scanning engine is reloaded after an update (a nearly instantaneous process). Inspection is not resumed for those sessions once the engine is back; only sessions established after the reload are scanned.
This tends to affect long-lived network sessions, which are likely to remain open during and after an update, such as SMBv3 sessions.
Affected Products
FortiOS version 5.0.x
FortiOS version 5.2.x
Solutions
FortiGates in routed mode:
Upgrade to FortiOS 5.4.0 or above, or stay in proxy-based protection mode (default).
FortiGates in transparent mode:
Upgrade to FortiOS 5.4.0 or above.
For FortiOS 5.2 branch:
Load a FortiOS 5.2 compatible [*] IPS engine 3.299 or above.
[*] Reach out to your local TAC for compatibility support.
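As an added example (not Fortinet code or tooling), the check below encodes the advisory's conditions so an operator can evaluate a device from its reported FortiOS version, IPS engine version, inspection mode and operating mode. It assumes plain dotted version strings and reads the advisory as meaning that the 5.2-branch engine update mitigates a 5.2.x device in either operating mode.

```python
"""Assess a FortiGate against the flow-mode detection-bypass advisory.

Added example, not Fortinet's code. Inputs are the values an operator
reads off the device; version strings are assumed to be dotted numbers,
optionally followed by a build suffix such as ',build718'.
"""
from typing import Tuple

AFFECTED_BRANCHES = ((5, 0), (5, 2))   # FortiOS 5.0.x and 5.2.x are affected
FIXED_ENGINE_52 = (3, 299)             # 5.2-compatible IPS engine 3.299+ (assumed mitigating in any opmode)


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.7' -> (5, 2, 7); tolerates a build suffix like '5.2.7,build718'."""
    core = text.strip().split(",")[0].split()[0]
    return tuple(int(part) for part in core.split("."))


def assess(fortios: str, ips_engine: str, inspection_mode: str, opmode: str) -> str:
    """Return 'not affected', 'mitigated' or 'exposed'.

    inspection_mode: 'flow' or 'proxy' (the VDOM's protection mode)
    opmode: 'nat' (routed) or 'transparent'
    """
    ver = parse_version(fortios)
    mode = inspection_mode.strip().lower()
    op = opmode.strip().lower()

    # 5.4.0 and later, and anything outside the 5.0/5.2 branches, are out of scope.
    if ver[:2] not in AFFECTED_BRANCHES:
        return "not affected"

    # Routed mode with the default proxy-based protection is not affected.
    if op == "nat" and mode == "proxy":
        return "not affected"

    # On the 5.2 branch the updated IPS engine is the documented mitigation
    # short of upgrading; the advisory lists no engine-level fix for 5.0.x.
    if ver[:2] == (5, 2) and parse_version(ips_engine) >= FIXED_ENGINE_52:
        return "mitigated"

    return "exposed"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device.
    print(assess("5.2.7,build718", "3.250", "flow", "nat"))   # exposed
    print(assess("5.2.7", "3.299", "flow", "transparent"))    # mitigated
```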