UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The FortiGate device must only install patches or updates that are validated by the vendor via digital signature or hash.


Overview

Finding ID Version Rule ID IA Controls Severity
V-234220 FGFW-ND-000305 SV-234220r628777_rule Medium
Description
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed or hashed ensures that the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate or verified with an integrity hash provided by the vendor. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor.
STIG Date
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide 2021-01-29

Details

Check Text ( C-37405r611847_chk )
Verify the process used to apply updates and patches to the system.

If the system is updated via a FortiGuard or FortiManager server, those solutions meet the requirement and this is NOT a finding.

If the system is not using a FortiGuard or FortiManager server, and a process is not defined to manually verify the update hash value with the vendor site, this is a finding.
Fix Text (F-37370r611848_fix)
Administrators can download software directly from a FortiGuard or FortiManager server. These servers are authenticated using digital certificates that ensure identity and non-repudiation of the source packages. This is a preferred method of applying updates.

The Administrator can also download the software from Fortinet's support website portal. The website includes a file checksum to verify file integrity prior to uploading.

Develop a process to download the update files from the Fortinet website, and manually compare the download hash to the hash value provided on the vendor site before applying the update files to the system.