The FortiGate device must only install patches or updates that are validated by the vendor via digital signature or hash.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-234220	FGFW-ND-000305	SV-234220r850541_rule		Medium

Description
Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed or hashed ensures that the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate or verified with an integrity hash provided by the vendor. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor.

Description

Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed or hashed ensures that the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, or application components must be signed with a certificate or verified with an integrity hash provided by the vendor. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor.

STIG	Date
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide	2022-09-12

Details

Check Text ( C-37405r611847_chk )
Verify the process used to apply updates and patches to the system. If the system is updated via a FortiGuard or FortiManager server, those solutions meet the requirement and this is NOT a finding. If the system is not using a FortiGuard or FortiManager server, and a process is not defined to manually verify the update hash value with the vendor site, this is a finding.

Fix Text (F-37370r611848_fix)
Administrators can download software directly from a FortiGuard or FortiManager server. These servers are authenticated using digital certificates that ensure identity and non-repudiation of the source packages. This is a preferred method of applying updates. The Administrator can also download the software from Fortinet's support website portal. The website includes a file checksum to verify file integrity prior to uploading. Develop a process to download the update files from the Fortinet website, and manually compare the download hash to the hash value provided on the vendor site before applying the update files to the system.

Fix Text (F-37370r611848_fix)

Administrators can download software directly from a FortiGuard or FortiManager server. These servers are authenticated using digital certificates that ensure identity and non-repudiation of the source packages. This is a preferred method of applying updates.

The Administrator can also download the software from Fortinet's support website portal. The website includes a file checksum to verify file integrity prior to uploading.

Develop a process to download the update files from the Fortinet website, and manually compare the download hash to the hash value provided on the vendor site before applying the update files to the system.