FortiOS flow-mode detection bypass under certain conditions
Summary
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process).
This tends to impact long lived network sessions, with chances to be alive during and after an update, such as SMBv3 sessions.
Description
A FortiGate configured to use flow-based protection will stop monitoring network sessions that are active when a scanning engine is reloaded after an update (nearly instantaneous process).
This tends to impact long lived network sessions, with chances to be alive during and after an update, such as SMBv3 sessions.
Affected Products
FortiOS version 5.0.xFortiOS version 5.2.x
Solutions
FortiGates in routed mode: Upgrade to FortiOS 5.4.0 or above, or stay in proxy-based protection mode (default). FortiGates in transparent mode: Upgrade to FortiOS 5.4.0 or above. For FortiOS 5.2 branch: Load FortiOS 5.2 compatible[*] IPS engine 3.299 or above. [*] Reach out to your local TAC for the compatibility support.Acknowledgement
We are pleased to thank Yves Bieri, Stefan Frei, Christof Jungo of the Swisscom security group, who discovered the issue while it was in the process of being fixed, and committed to responsible disclosure.