MacDefender

Level 12
Verified
Wow... As a Fortinet user, I can kinda see both sides here.

This is a super old vulnerability, from 2018, and is usually the kind of thing you'd patch right away. But Fortinet's firmwares struggle with quality -- oftentimes dot releases contain a mix of bug fixes and new regressions, and most Fortinet admins get scared of applying updates for that reason. Especially for a device as central to your network as the NGFW: most people's NGFWs do more than just handle the border between the internal network and WAN. They do complicated traffic policies, web filtering, perhaps even bridging things like Chromecasts for classrooms between VLANs. It's hard enough to schedule downtime to knock out the internet (which oftentimes knocks out phones too because of VoIP), but when such downtime results in further networking emergencies, it's tempting to put them off.

It seems like Fortinet should be providing more targeted "hotfixes" as an alternative -- for network admins that don't want to upgrade to a dot release with a few thousand miscellaneous release note entries, there should be an alternative that only contains the security patch of interest.
 

Correlate

Level 16
Verified
Wow... As a Fortinet user, I can kinda see both sides here.

This is a super old vulnerability, from 2018, and is usually the kind of thing you'd patch right away. But Fortinet's firmwares struggle with quality -- oftentimes dot releases contain a mix of bug fixes and new regressions, and most Fortinet admins get scared of applying updates for that reason. Especially for a device as central to your network as the NGFW: most people's NGFWs do more than just handle the border between the internal network and WAN. They do complicated traffic policies, web filtering, perhaps even bridging things like Chromecasts for classrooms between VLANs. It's hard enough to schedule downtime to knock out the internet (which oftentimes knocks out phones too because of VoIP), but when such downtime results in further networking emergencies, it's tempting to put them off.

It seems like Fortinet should be providing more targeted "hotfixes" as an alternative -- for network admins that don't want to upgrade to a dot release with a few thousand miscellaneous release note entries, there should be an alternative that only contains the security patch of interest.
Today everything is targeted, from auto companies to banks. Even protection companies.
Your analysis is convincing; great caution is required.
 

Slyguy

Level 44
Patching is a key component of security. To let you know how bad this can get with lazy IT admins... When I purchased a FortiGate 100D recently, I found that it had four-year-old firmware on it. Even worse, once I got into it using the maintainer backdoor (which, by the way, is hilariously easy to break into on a Fortinet if you have local access), I found that it was never properly configured, and I don't even want to disclose where this unit was deployed. It's embarrassing.

Fortinet, just like any UTM with a web admin console, can be vulnerable, but it can also be configured to be robust and almost unhackable. That includes disabling the maintainer backdoor:

config system global
set admin-maintainer disable
end

Another embarrassing aspect (of Fortinet) is that their units come with some specific open/closed non-stealth ports. But again, due diligence: those can all be disabled.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.
 

Slyguy

Level 44
In a nutshell: FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually whether it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MitM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet, as noted above, could generate certs to be used on any Fortinet VPN to MitM the traffic with complete ease.

Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go a bit further and say this is gross negligence that they aren't pairing locally generated certs on SSL VPNs with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than is being indicated. That's just my perspective as a Fortinet NSE8 Engineer.
 

MacDefender

Level 12
Verified
In a nutshell: FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually whether it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MitM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet, as noted above, could generate certs to be used on any Fortinet VPN to MitM the traffic with complete ease.

Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go a bit further and say this is gross negligence that they aren't pairing locally generated certs on SSL VPNs with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than is being indicated. That's just my perspective as a Fortinet NSE8 Engineer.
I agree it's a vulnerability. Also, on the client side, there is a single checkbox in FortiClient for ignoring SSL VPN certs. When you select that, it means the client accepts ANY cert.

I would go one step further and say that IMO it's a requirement to at least pay $10/year for a cheap SSL certificate that validates properly for your SSL VPNs. It's kind of dumb that it's not OpenVPN-style, where the certificate bundle includes the expected public key of the server's self-signed certificate.
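The check the two posts above say is missing, as an added example that is not from the thread or from Fortinet: a client that pins the SPKI hash of the appliance certificate it was provisioned with (the OpenVPN-style pairing mentioned above), so a self-signed cert from a different box fails even though it is a syntactically valid cert. The DER helpers and both certificates are constructed here; the `ignore_cert_errors` flag is a hypothetical stand-in for the FortiClient checkbox.

```python
import base64
import hashlib

def der_tlv(tag, body):
    """Minimal DER encoder (tag, length, value); bodies up to 64 KiB."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_items(data):
    """Parse a run of DER TLVs into [(tag, body, whole_tlv), ...]."""
    items, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        items.append((tag, data[i + hdr:i + hdr + n], data[i:i + hdr + n]))
        i += hdr + n
    return items

def spki_pin(cert_der):
    """Base64(SHA-256(SubjectPublicKeyInfo)): the pin form HPKP and OpenVPN use."""
    fields = der_items(der_items(der_items(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:   # skip the explicit [0] version field when present
        fields = fields[1:]
    spki = fields[5][2]        # serial, sigAlg, issuer, validity, subject, SPKI
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def accept_server_cert(cert_der, expected_pin, ignore_cert_errors=False):
    """Client decision. ignore_cert_errors is a hypothetical stand-in for the
    FortiClient checkbox: once set, any certificate is accepted (the MitM-friendly case)."""
    return ignore_cert_errors or spki_pin(cert_der) == expected_pin

def toy_cert(pubkey):
    """Constructed, unsigned but structurally valid X.509 DER; only the SPKI matters."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    ec_alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))      # id-ecPublicKey
    sig_alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
    validity = seq(der_tlv(0x18, b"20240101000000Z"), der_tlv(0x18, b"20340101000000Z"))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"), sig_alg,
              seq(), validity, seq(), seq(ec_alg, der_tlv(0x03, b"\x00" + pubkey)))
    return seq(tbs, sig_alg, der_tlv(0x03, b"\x00" * 9))

if __name__ == "__main__":
    pin = spki_pin(toy_cert(b"\x01" * 32))                  # pin the appliance you provisioned
    print(accept_server_cert(toy_cert(b"\x02" * 32), pin))  # a different box's cert: False
```

With a real certificate, `cert_der` would be the DER the VPN server presents in the TLS handshake and `expected_pin` the value recorded when the appliance was set up.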
 

McMcbrad

Level 10
In a nutshell: FortiGate appliances themselves generate a certificate for VPN. The SSL-VPN only checks for a cert, and not actually whether it is a non-locally generated cert. So in theory, someone could generate a cert from a $50 FortiGate appliance on eBay and MitM these VPNs. Since there is no validation of the cert matching the issuing device, that random cheap eBay-purchased Fortinet, as noted above, could generate certs to be used on any Fortinet VPN to MitM the traffic with complete ease.

Contrary to what Fortinet says, I would consider this a vulnerability, and in fact I would go a bit further and say this is gross negligence that they aren't pairing locally generated certs on SSL VPNs with the deployed device... Also, since the default settings are rarely strayed from with the vast majority of these devices, it's probably a more widespread vuln than is being indicated. That's just my perspective as a Fortinet NSE8 Engineer.
That's one of the reasons why I stay away from Fortinet. Not only from their VPNs, but from everything they offer. They come across as a company that tries to sell security in a business environment but then doesn't cover security 101.
 

MacDefender

Level 12
Verified
That's one of the reasons why I stay away from Fortinet. Not only from their VPNs, but from everything they offer. They come across as a company that tries to sell security in a business environment but then doesn't cover security 101.
Who do you prefer, out of curiosity? I usually deploy either Fortinet or Meraki; I used to deploy Sophos more with UTM 9, but since they switched to XG and acquired Cyberoam the product has gone seriously downhill.

I don't particularly love the quality of Fortinet, but they do have a great combination of featureset and performance. They offer 2-3 appliances below the $700 price point that can deal with a gigabit WAN with some degree of IPS and web filtering / AV. Nobody else offers an appliance capable of gigabit within a similar price point.

Honestly I like the software polish and prompt security updates of Cisco Meraki a lot more but now that all my sites are gigabit capable, I simply cannot entertain the budget of $20,000USD/yr.
 

McMcbrad

Level 10
Who do you prefer, out of curiosity? I usually deploy either Fortinet or Meraki; I used to deploy Sophos more with UTM 9, but since they switched to XG and acquired Cyberoam the product has gone seriously downhill.

I don't particularly love the quality of Fortinet, but they do have a great combination of featureset and performance. They offer 2-3 appliances below the $700 price point that can deal with a gigabit WAN with some degree of IPS and web filtering / AV. Nobody else offers an appliance capable of gigabit within a similar price point.

Honestly I like the software polish and prompt security updates of Cisco Meraki a lot more but now that all my sites are gigabit capable, I simply cannot entertain the budget of $20,000USD/yr.
I work with a rather large budget and rely on McAfee Web Gateway. I've used many others; I used to like Sophos too. I've worked with cheaper companies, such as WatchGuard, but I guess you get what you pay for.
It all depends on budget and needs.
Fortinet has always been a hard no for me.
 

MacDefender

Level 12
Verified
I work with a rather large budget and rely on McAfee Web Gateway. I've used many others; I used to like Sophos too. I've worked with cheaper companies, such as WatchGuard, but I guess you get what you pay for.
It all depends on budget and needs.
Fortinet has always been a hard no for me.
Yeah, to clarify, I use Fortinet to protect home-ish networks. I think spending $3000-4000 USD/yr on licensing for home network security (2 homes) is already beyond what the average person does. If I were an IT professional I'd push for something like Palo Alto Networks instead. You're right, you get what you pay for. IMO Fortinet delivers decent bang-for-the-buck. Their "SoC4" chip is basically the only thing in the sub-$1000 price point that can do IPS of gigabit traffic. They certainly don't do everything well, but if that's your budget, there aren't a lot of viable alternatives :(

I used to just build pfSense boxes and try to roll my own Suricata/Snort-based security, but based on my personal pentesting, they don't perform nearly as well as Fortinet's curated IPS and web filtering databases.


(FWIW it's worth noting that Fortinet sells their IPS and AV data to lots of higher end vendors, so they are an important contributor to overall cybersecurity even when their own products can have some questionable choices)
 

McMcbrad

Level 10
Yeah, to clarify, I use Fortinet to protect home-ish networks. I think spending $3000-4000 USD/yr on licensing for home network security (2 homes) is already beyond what the average person does. If I were an IT professional I'd push for something like Palo Alto Networks instead. You're right, you get what you pay for. IMO Fortinet delivers decent bang-for-the-buck. Their "SoC4" chip is basically the only thing in the sub-$1000 price point that can do IPS of gigabit traffic. They certainly don't do everything well, but if that's your budget, there aren't a lot of viable alternatives :(

I used to just build pfSense boxes and try to roll my own Suricata/Snort-based security, but based on my personal pentesting, they don't perform nearly as well as Fortinet's curated IPS and web filtering databases.


(FWIW it's worth noting that Fortinet sells their IPS and AV data to lots of higher end vendors, so they are an important contributor to overall cybersecurity even when their own products can have some questionable choices)
Yeah, for home-ish networks, Fortinet might be an excellent choice and even more than what you need.
In a business environment there are now so many players, it’s becoming difficult to make a choice.
There are many decent offerings, but I am strictly a McAfee person.
 

MacDefender

Level 12
Verified
Yeah, for home-ish networks, Fortinet might be an excellent choice and even more than what you need.
In a business environment there are now so many players, it’s becoming difficult to make a choice.
There are many decent offerings, but I am strictly a McAfee person.
I'll have to look more into the McAfee offerings. I've been more intimately familiar with Cisco and PAN these days. Cisco has a commendably tuned IPS (custom Snort rules) and AMP is a great hybrid AV product. I think at the end of the day small businesses are really just bound by a budget, and I'd love for other vendors to target that price point. The FortiGate 61F is $600 for hardware and $1000/yr for full security licensing (AV, IPS, SSL inspection, reverse proxy, HTTPS accelerator, SSL and IPsec VPN) and does all of those things at 900 Mbps to 10 Gbps (6 Gbps IPsec VPN even with AES256-SHA512)... I think that's a price/performance benchmark no other vendor can hit.

I see a lot of small businesses buying small WatchGuard/SonicWall appliances, then turning off almost all NGFW features and basically using them as NAT routers in order to achieve high throughput. That IMO is worse than using a Fortinet, even with all of its warts. I still keep my eye peeled for something better in the low-end space though.
 

Slyguy

Level 44
I don't use Fortinet, and haven't for quite some time. While Fortinet has many good points, such as the throughput on the IPS and amazing web filtration, as well as a reasonably low price to renew, I felt they started sacrificing real security into the hands of their marketing people. Their focus was on business acquisition more than security from what I witnessed there, as well as an ever-encroaching intelligence complex intrusion into their company and culture. I hit the road, and with that, sold off all of my Fortinet gear. I don't even work in the UTM/Firewall/IT Security industry anymore but do something far more lucrative. But I will probably take a really early retirement and build a nice modern container home (Faraday) on a few acres in the north country of the USA and get away from it all.

Anyway..

I roamed around various UTMs: Meraki, Untangle, Juniper, WatchGuard, Cyberoam, even some seriously hardened German brand. Ultimately none of them were to my liking, and all of them had their own set of issues. By the way, WatchGuard uses Cylance now...

For home users, the Gryphon product line is going to offer security that is as tight, even tighter in some respects. So personally I stick with that for my home, and deployed them to all my friends'/family's homes. So far their infection rate has basically dropped to zero and I haven't been asked to come clean something up since. I'm good now: Gryphon and a Pi-hole with a million items being blocked, plus some lockdowns and security on endpoints, and I am happy with the results.