FireStorm vulnerability Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-15-024 Final 1 1 2015-12-15T00:00:00 Current version 2015-12-15T00:00:00 2015-12-15T00:00:00 None Researchers discovered that certain next generation firewalls are designed to permit full TCP handshake with any destination, regardless of firewall rules and client restrictions. They derive from this that they can exfiltrate data to a blacklisted IP (their example is a Botnet C&C Server), by packing data in TCP handshake packets. Firewall rules bypass None. IP address filtering features of Fortinet products are not affected: Webfiltering: Not Applicable. Indeed Webfiltering is meant to block Web/HTTP access only. Not any other protocol, much less SYN packets. Firewall policies: Not vulnerable. Botnet Servers filtering: Not vulnerable. Enabling Botnet Servers filtering is done differently in FOS 5.4 and FOS 5.2: In 5.4, set "Scan Outgoing Connections to Botnet Sites" to "Block" in Network->Interfaces->Edit Interface In 5.2 , set "Detect Connections to Botnet C&C Servers" to "Block" in Security Profiles -> AntiVirus. https://fortiguard.fortinet.com/psirt/FG-IR-15-024 FireStorm vulnerability http://www.cynet.com/blog/ http://www.cynet.com/blog/ https://fortiguard.fortinet.com/psirt/FG-IR-15-024 FireStorm vulnerability Reference> http://www.cynet.com/blog/ http://www.cynet.com/blog/