How often does Fortinet provide FortiGuard updates for FortiWeb?
Security is only as good as your most recent update. Without up-to-date signatures and blacklists, your network would be vulnerable to new attacks. However, if updates were released without adequate testing and were inaccurate, FortiWeb scans would produce false positives or false negatives. For maximum benefit and minimum risk, updates must balance the two needs: to be both accurate and current.
Fortinet releases FortiGuard updates according to the best frequency for each technology.
Antivirus — Multiple times per day. Updates are fast to test and low risk, while viruses can spread quickly and the newest ones are most common.
IP reputation — Once per day (approximately). Some time is required to make certain of an IP address’s reputation, but waiting too long would increase the probability of blacklisting innocent DHCP/PPPoE clients that re-use an IP address previously leased by an attacker.
Attack, data type, suspicious URL, and data leak signatures — Once every 1-2 weeks (approximately). Signatures must be tuned to be flexible enough to match heuristic permutations of attacks without triggering false positives in similar but innocent HTTP requests/responses. Signatures must then be thoroughly tested to analyze any performance impacts and mismatches that are an inherent risk in feature-complete regular expression engines. Many exploits and data leaks also continue to be relevant for 2 years or more, much longer than most viruses. This increases the value of each signature and makes it worthwhile to optimize, tuning each one to be both flexible and high-performance.
Geography-to-IP mappings — Once every month (approximately). These change rarely. Additionally, FortiWeb cannot poll for these updates and automatically apply them. You must manually upload the updates (see “Updating data analytics definitions”).
See also
Blocking known attacks & data leaks
Validating parameters (“input rules”)
Preventing tampering with hidden inputs
Limiting file uploads
Predefined data types
Predefined suspicious request URLs
Blacklisting source IPs with poor reputation
Blacklisting & whitelisting countries & regions
Updating data analytics definitions