IoT Virtual Patch Protection

The IoT Virtual Patch is a proactive security feature that helps organizations reduce the risk of newly discovered software vulnerabilities, even before official vendor patches are available. It acts as a temporary shield at runtime, blocking known exploit techniques and minimizing exposure during the critical window between vulnerability discovery and patch release.

Virtual Patch Configuration APIs

You can manage the Virtual Patch feature using two REST APIs. These APIs support offline and automated management and let you change how the patching system works and upload custom protection rules. You send requests to these APIs from the local machine using HTTP.

  • Set Virtual Patch Policy: Choose how the system reacts to threats—block them, log them, or turn off protection.

  • Set Virtual Patch Signatures: Add or update detection rules that help the system recognize known attacks.

Configure the operating mode of the Virtual Patch engine.

API Call

POST http://<localhost address of the IoT device>:5666/set-virtual-patch-policy

Request Body (application/json) schema

Copy 
{
        "mode": "<Prevent | Detect | Inactive>"
     }

 

Parameter

Type

Description

mode

String

Sets the Virtual Patch operating mode. Options include:

  • Prevent: Actively blocks exploit attempts

  • Detect: Logs exploit attempts without blocking

  • Inactive: Disables all virtual patching logic

Define or update the set of IPS-style detection signatures used by the Virtual Patch system. These signatures are typically linked to known CVEs and exploit patterns.

API Call

POST http://<localhost address of the IoT device>:5666/set-virtual-patch-signatures

Request Body (application/json) schema

Copy 
{
  "ips_protections": {
    "protections": [
      {
        "protectionMetadata": {
          "protectionName": <String – Protection name>,
          "cveList": [<String – CVE ID>]
        },
        "detectionRules": {
          "type": <String>,
          "SSM": <String>,
          "keywords": <String>,
          "context": [<String>]
        }
      }
    ],
    .
    .
    .
  }
}

 

Parameter

Type

Description
protectionName String Descriptive name of the protection rule

cveList

Array of strings

List of associated CVE identifiers

type

String

Signature type

SSM

String

Simple string match used for detection

keywords

String

Keywords used for precise signature matching

context

Array of strings

HTTP context fields to match against

To request custom signatures, contact Check Point Support and provide relevant traffic samples. We will review the data and generate tailored protections for your environment.

Logs and Events

The Nano Agent saves the logs locally in the /var/log/nano-agent/cp-nano-orchestration.log file.

IoT Virtual Patch Log

When a Virtual Patch event is triggered, it generates a detailed log entry. This entry explains what was detected, why it matched, and how the system responded.

See below the field descriptions.

Field

Type

Description

matchedSignatureConfidence

String

Indicates the detection engine's confidence level in matching the exploit. Values: High, Medium, or Low. Higher values indicate more reliable detection.

matchedSignaturePerformance

String

Represents the expected system performance impact of the signature. Values: Low, Medium, or High.

matchedSignatureSeverity

String

Describes the potential impact of the attack if successful. Values: Critical, High, Medium, Low.

matchedSignatureCVE

String

Lists CVE identifiers associated with the detected exploit. Useful for correlating logs with known vulnerabilities.

signatureVersion

String

Identifies the version of the deployed signature package at the time of detection. Used for auditing and troubleshooting.

protectionId

String

Human-readable identifier for the protection that triggered the detection (for example, exploit category or affected product).

indicatorsSource

String

Specifies the source of Threat Intelligence used to generate the detection logic (for example, Check Point).

indicatorsVersion

String

Specifies the version number of the indicators feed (for example, Threat Intelligence or signature database). Useful for version tracking.

waapIncidentType

String

Categorizes the attack by type, such as Injection, XSS, Traversal, etc. Used for classification and filtering.

matchedSample

String

Contains the raw HTTP request sample that triggered the signature. Critical for forensic analysis and investigation.

matchedSignatureYear

String

Indicates the year the signature was released or the vulnerability was published. Helps assess signature age.

waapOverride

String

Indicates whether any manual override (policy change or admin action) affected the decision. None means no override is applied.

securityAction

String

The action taken by the system when the signature matched. Values: Prevent or Detect.
Copy 
{
  "eventTime": "2025-05-27T07:33:53.580",
  "eventName": "Web Request",
  "eventSeverity": "Info",
  "eventPriority": "High",
  "eventType": "Event Driven",
  "eventLevel": "Log",
  "eventLogLevel": "info",
  "eventAudience": "Security",
  "eventAudienceTeam": "",
  "eventFrequency": 0,
  "eventTags": ["IPS"],
  "eventSource": {
    "agentId": "Unknown",
    "practiceType": "Threat Prevention",
    "eventTraceId": "",
    "eventSpanId": "",
    "issuingEngineVersion": "2575853",
    "serviceName": "Orchestration",
    "practiceId": "46c4d605-fb47-75a5-1bb8-c2d801f67db4",
    "practiceName": "WEB APPLICATION BEST PRACTICE",
    "practiceSubType": "Web IPS"
  },
  "eventData": {
    "logIndex": 8,
    "matchedSignatureConfidence": "Medium",
    "matchedSignaturePerformance": "Medium",
    "matchedSignatureSeverity": "Critical",
    "matchedSignatureCVE": "CVE-2018-19987, CVE-2018-19988, CVE-2018-19989, CVE-2018-19990, CVE-2018-6530, CVE-2024-3272, CVE-2024-44333, CVE-2024-44334, CVE-2024-44335, CVE-2024-44401, CVE-2024-44402, CVE-2024-48629, CVE-2024-48630, CVE-2024-48631",
    "signatureVersion": "20250414",
    "protectionId": "D-Link Multiple Products Command Injection",
    "indicatorsSource": "Check Point",
    "indicatorsVersion": "1244268",
    "waapIncidentType": "Injection",
    "matchedSample": "POST /cgi-bin/hd_config.cgi 1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nConnection: close\r\nHost: 192.168.0.32\r\nAccept-Language: en-US,en;q=0.5\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Requested-With: XMLHttpRequest\r\nOrigin: http://192.168.0.32\r\nReferer: http://192.168.0.32/photo_center/index.html\r\nCookie: username=admin\r\nPriority: u=1\r\nContent-Length: 116\r\n\r\ncmd=cgi_FMT_Std2R1_DiskMGR&amp;f_volume_name=1&amp;f_newly_dev=`touch+/tmp/128`&amp;f_file_system=1&amp;f_source_dev=1&amp;f_auto_sync=1\r\n",
    "matchedSignatureYear": "2024",
    "waapOverride": "None",
    "securityAction": "Detect"
  }
}