Handbook

Configuring a Cookie Security policy

A cookie security policy allows you to configure FortiADC features that prevent cookie-based attacks and apply them in a protection profile. For example, a policy can enable cookie poisoning detection, encrypt the cookies issued by a back-end server, and add security attributes to cookies.

To configure a Cookie Security policy:
  1. Go to Web Application Firewall > Sensitive Data Protection.
  2. Click the Cookie Security tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Cookie Security configuration.

    Note

    If you want to drop a large number of packets when traffic matches the rules, set Action to "block" instead of "deny".

  5. Save the configuration.

Cookie Security configuration

Settings Guidelines

Name

Enter a unique Cookie Security policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

Note: Once saved, the name of a Cookie Security policy cannot be changed.

Security Mode

No—Does not apply cookie tampering protection or cookie encryption.

Signed—Prevents tampering by adding a signature to the cookie so that FortiADC can track it and detect modification.

Encrypted—FortiADC encrypts the Set-Cookie values that the back-end web server sends to clients, so clients only ever see the encrypted cookies. When a client submits a cookie, FortiADC decrypts it before forwarding it to the back-end server and uses the result to determine whether the cookie has been attacked.

Encrypted Cookie Type

All—Encrypts all cookies.

List—Encrypts only the cookies that match an entry in the Cookie List.

Note: Only applies when Security Mode is set to encrypted.

Cookie Replay

Enable or disable to allow FortiADC to use the IP address of a request to determine the owner of the cookie.

If Cookie Replay is enabled, the client IP address is appended to the Set-Cookie value before encryption. When FortiADC receives the cookie back from the client, it decrypts the cookie and checks that the embedded IP address matches the client's IP address.

Since the public IP address of a client is not static in many environments, we recommend that you do not enable Cookie Replay.

Note: Only applies when Security Mode is set to encrypted. Optional.

Allow Suspicious Cookies

Never—Never allow suspicious cookies.

Always—Always allow suspicious cookies.

Custom—Does not block suspicious cookies until the date specified by Don't Block Until (dont_block_until).

Select whether FortiADC allows requests that contain unrecognizable cookies or that are missing expected cookies.

When Cookie Replay is enabled, a cookie that is missing the embedded client IP address is also treated as suspicious.

Caution

In many cases, when you first introduce the cookie security features, the cookies that client browsers have cached earlier will generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

Note: Only applies when Security Mode is set to encrypted.

Don't Block Until

Specify the date to begin blocking suspicious cookies. Applicable only when Allow Suspicious Cookies is set to custom.

Note: Only applies when Security Mode is set to encrypted.
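The following is an added model of the Encrypted security mode with Cookie Replay and the Allow Suspicious Cookies / Don't Block Until settings described above; it is illustrative code, not FortiADC's implementation. It assumes a constructed demo key and uses a SHA-256 keystream plus an HMAC tag as a stand-in for the appliance's cipher; the status strings, the "|" separator and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed demo key; the appliance holds its own secret.
KEY = b"constructed-demo-key-not-for-production"

def _keystream(nonce, length):
    # SHA-256 in counter mode stands in for the appliance's cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_cookie(value, client_ip=None):
    # Cookie Replay: the client IP is appended to the value before encryption.
    plain = (value + ("|" + client_ip if client_ip else "")).encode()
    nonce = secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(KEY, nonce + body, hashlib.sha256).digest()[:16]
    return (nonce + body + tag).hex()

def decrypt_cookie(token, client_ip=None):
    # Returns (status, value); any status other than "ok" is a suspicious cookie.
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return "unrecognized", None
    nonce, body, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(KEY, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return "tampered", None
    plain = bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()
    if client_ip is None:
        return "ok", plain
    value, sep, ip = plain.rpartition("|")
    if not sep:
        return "ip-missing", None   # cookie never tracked a client IP
    return ("ok", value) if ip == client_ip else ("ip-mismatch", None)

def allow_suspicious(mode, today, dont_block_until=None):
    # Allow Suspicious Cookies: never / always / custom (allow until a date).
    if mode == "always":
        return True
    if mode == "custom":
        return date.fromisoformat(today) < date.fromisoformat(dont_block_until)
    return False
```

A cookie that decrypts cleanly but carries a different IP address is the case Cookie Replay exists to catch, while a cookie issued before the feature was enabled shows up as "ip-missing", which is the false-positive situation the Caution above warns about.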

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level FortiADC assigns to Cookie Security violations:

  • Low
  • Medium
  • High

The default value is Low.

Remove Cookie

Enable so that FortiADC accepts the request but removes the cookie before forwarding the request to the back-end web server.

Note: Only applies when Security Mode is set to encrypted or signed.

HTTP Only

Enable to add the "HttpOnly" flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).

Note: cookie attribute.

Secure

Enable to add the Secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

Note: cookie attribute.

Max Age

Note: cookie attribute.

The default value is 0 (do not add Max-Age); the range is 0-2147483647.

Adds a Max-Age attribute with the specified maximum age (in minutes) if the response from the back-end server does not already include a "Max-Age" attribute or an "Expires" attribute.
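The following is an added example of the attribute-insertion behaviour of the HTTP Only, Secure and Max Age settings; it is illustrative code, not FortiADC's own. It assumes attributes are matched case-insensitively, that Max-Age is added only when neither Max-Age nor Expires is present, and that the minutes from the setting are converted to the seconds that the Max-Age header attribute uses (RFC 6265).

```python
def apply_cookie_attributes(set_cookie, http_only=True, secure=True, max_age_minutes=0):
    """Return a Set-Cookie header value with the policy's attributes added.

    Only attributes the back-end server did not set itself are appended, so
    an upstream HttpOnly, Secure, Max-Age or Expires is left untouched.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    # parts[0] is name=value; everything after it is an attribute.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    if http_only and "httponly" not in present:
        parts.append("HttpOnly")
    if secure and "secure" not in present:
        parts.append("Secure")
    # Max Age is configured in minutes; the header attribute counts seconds.
    if max_age_minutes and not present & {"max-age", "expires"}:
        parts.append(f"Max-Age={max_age_minutes * 60}")
    return "; ".join(parts)

def harden_response_headers(headers, **policy):
    """Apply the policy to every Set-Cookie header in a (name, value) list."""
    return [
        (name, apply_cookie_attributes(value, **policy))
        if name.lower() == "set-cookie" else (name, value)
        for name, value in headers
    ]

# Constructed sample response headers from a back-end server.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; HttpOnly"),
]
```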

Exception

See Configuring WAF Exception objects.

Action

Select which action FortiADC takes when the conditions are fulfilled for HTTP Response Code.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny the request without generating a log message.

The default value is Alert.

Cookie List

The list of cookies to be encrypted.

Note: Only applies when Security Mode is set to encrypted and Encrypted Cookie Type (encrypted_cookie_type) is set to "list".