WAF configuration overview shows the relationship between WAF configuration elements. A WAF profile comprises a Web Attack Signature policy, URL Protection policy, HTTP Protocol Constraint policy, SQL/XSS Injection Detection, Bot Detection policy, and more. The profile is applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules. WAF profiles can be applied to HTTP and HTTPS virtual servers but not HTTP Turbo virtual servers.
The FortiADC WAF includes many predefined configuration elements to help you get started: WAF profiles, Web Attack Signature policies, HTTP Protocol Constraint policies, SQL/XSS Injection Detection policies, JSON Detection and XML Detection.
The severity ratings for predefined Web Attack Signatures and the default severity rating for feature options like SQL/XSS Injection Detection are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. In order to harmonize the significance of severity levels in logs, we recommend you use this methodology to assign severity for any custom elements you create.
You can create an action which FortiADC takes when the conditions are fulfilled for WAF.
- Create configuration objects that define the action.
- Select this action to a WAF rule configuration.
You can create exceptions so that traffic to specific hosts or URL patterns is not subject to processing by WAF rules. Exception lists are processed before traffic is inspected. If an exception applies, the traffic bypasses the WAF module.
- Create configuration objects that define the exception.
- Add the exception to a WAF profile configuration or WAF rule configuration.