How to fix virtual-patch option not visible in the local-in policy

This article describes the solution when the virtual-patch option is not visible in the local-in policy.

Scope

FortiGate 7.2.4 and above, FortiOS 7.4.2.

Solution

Referring to the administration guide, virtual patching is a method of mitigating vulnerability exploits by using FortiGate's IPS signatures to block known vulnerabilities.

Step 1: To configure virtual patching on the FortiGate, the following requirement has to be met: the FortiGate must have a valid IPS license, and the extended IPS database must be enabled so that more vulnerabilities are covered:

config ips global
    set database extended
end

Step 2: When configuring the local-in policy, the virtual-patch command is not visible by default.

Step 3: The reason for this is that the default action of a local-in policy is 'deny'.

Step 4: The virtual-patch option is visible only when the action of the local-in policy is set to accept.

Step 5: Virtual patching is disabled by default. To enable it, edit the local-in policy by its ID (with its action set to accept) and enable the feature with the following command:

config firewall local-in-policy
    edit <policy-id>
        set action accept
        set virtual-patch enable
    next
end
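The two conditions described above (extended IPS database enabled, and virtual-patch enabled on every local-in policy whose action is accept) are easy to verify against a saved configuration. The following script is an added example, not part of the original article and not Fortinet code: it parses the `config` / `edit` / `set` / `next` / `end` structure of a FortiOS configuration export, reports accept policies that still lack virtual patching, and prints the CLI needed to fix them. The sample configuration embedded in it is constructed for illustration; the policy IDs and interface names are not from any real device.

```python
"""Audit a FortiOS config export for local-in policies that accept traffic
without virtual patching, and check that the extended IPS database is set.
Added example; the sample config below is constructed, not a real dump."""

from dataclasses import dataclass, field

# Constructed sample in FortiOS export syntax (hypothetical policies/interfaces).
SAMPLE_CONFIG = """\
config ips global
    set database extended
end
config firewall local-in-policy
    edit 1
        set intf "port1"
        set service "HTTPS"
        set action accept
        set virtual-patch enable
    next
    edit 2
        set intf "port2"
        set service "SSH"
        set action accept
    next
    edit 3
        set intf "port3"
        set service "ALL"
    next
end
"""


@dataclass
class LocalInPolicy:
    policy_id: str
    settings: dict = field(default_factory=dict)

    @property
    def action(self) -> str:
        # A local-in policy whose action is not set defaults to deny.
        return self.settings.get("action", "deny")

    @property
    def virtual_patch(self) -> str:
        # virtual-patch defaults to disable; it is only offered when action is accept.
        return self.settings.get("virtual-patch", "disable")


def parse_config(text: str) -> dict:
    """Minimal parser for the config/edit/set/next/end block structure.
    Returns {'ips_global': {key: value}, 'local_in': [LocalInPolicy, ...]}."""
    result = {"ips_global": {}, "local_in": []}
    section = None   # name of the enclosing 'config ...' block
    current = None   # LocalInPolicy being filled while inside 'edit ...'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit ") and section == "firewall local-in-policy":
            current = LocalInPolicy(policy_id=line[len("edit "):].strip('"'))
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            value = value.strip().strip('"')
            if section == "ips global":
                result["ips_global"][key] = value
            elif current is not None:
                current.settings[key] = value
        elif line == "next" and current is not None:
            result["local_in"].append(current)
            current = None
        elif line == "end":
            section = None
    return result


def audit(text: str) -> dict:
    """Apply the article's two checks to a config export."""
    cfg = parse_config(text)
    findings = {
        "extended_ips": cfg["ips_global"].get("database") == "extended",
        "accept_without_virtual_patch": [],  # policies to remediate
        "deny_policies": [],                 # option not available; nothing to set
    }
    for policy in cfg["local_in"]:
        if policy.action == "accept" and policy.virtual_patch != "enable":
            findings["accept_without_virtual_patch"].append(policy.policy_id)
        elif policy.action != "accept":
            findings["deny_policies"].append(policy.policy_id)
    return findings


def remediation_cli(policy_ids) -> str:
    """Render the CLI from the article for each flagged policy."""
    lines = ["config firewall local-in-policy"]
    for pid in policy_ids:
        lines += [f"    edit {pid}", "        set virtual-patch enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("extended IPS database:", "yes" if report["extended_ips"] else "NO")
    print("accept policies without virtual-patch:", report["accept_without_virtual_patch"])
    print(remediation_cli(report["accept_without_virtual_patch"]))
```

Run it against the text of a `show full-configuration` export saved to a file by replacing `SAMPLE_CONFIG` with the file contents; policies listed under "deny" are not flagged because, as the article explains, the virtual-patch option does not apply to them.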