Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.4 Handbook
    6.2.4
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring an SQL/XSS Injection Detection policy

    Configuring an SQL/XSS Injection Detection policy

    SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.

    In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis, which is a complementary method and is faster.

    The policy enables/disables scanpoints, the action when traffic matches signatures, and the event severity.

    You can enable detection in the following scanpoints:

    • SQL Injection: URI—Analyzes content in the URI.
    • SQL Injection: Referer—Analyzes content in the HTTP Referer header.
    • SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
    • SQL Injection: Body—Analyzes content in the HTTP request body.
    • XSS Injection: URI—Analyzes content in the URI.
    • XSS Detection: Referer—Analyzes content in the HTTP Referer header.
    • XSS Detection: Cookie—Analyzes content in the HTTP Cookie header.
    • XSS Detection: Body—Analyzes content in the HTTP request body.

    Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

    Predefined SQL injection and XSS detection policies describes the predefined policies.

    Predefined SQL injection and XSS detection policies
    SQL Injection XSS
    Predefined Rules Detection Action Severity Detection Action Severity

    High-Level-Security

    All except Body SQL Injection Detection

    Deny

    High

    All except Body XSS Injection Detection

    Deny

    High

    Medium-Level-Security

    Only SQL URI SQL Injection Detection

    Deny

    High

    None

    Alert

    Low

    Alert-Only

    Only SQL URI SQL Injection Detection

    Alert

    High

    None

    Alert

    Low

    If desired, you can create user-defined policies.

    Before you begin:

    • You must have Read-Write permission for Security settings.

    After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

    To configure an SQL/XSS Injection Detection policy:
    1. Go to Web Application Firewall > Common Attacks Detection.
    2. Click the SQL/XSS Injection Detection tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in SQL/XSS Injection Detection configuration.
    5. Save the configuration.

    SQL/XSS Injection Detection configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.
    SQL

    SQL Injection Detection

    Enable/disable SQL injection detection.

    URI Detection

    Enable/disable detection in the HTTP request.

    Referer Detection

    Enable/disable detection in the Referer header.

    Cookie Detection

    Enable/disable detection in the Cookie header.

    Body Detection

    Enable/disable detection in the HTTP Body message.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is alert, but we recommend using Deny SQL Injection.

    Severity
    • High—Log as high severity events.
    • Medium—Log as a medium severity events.
    • Low—Log as low severity events.

    The default is low, but we recommend you rate this high or medium.
    SQL Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
    XSS

    XSS Injection Detection

    Enable/disable XSS injection detection.

    URI Detection

    Enable/disable detection in the HTTP request.

    Referer Detection

    Enable/disable detection in the Referer header.

    Cookie Detection

    Enable/disable detection in the Cookie header.

    Body Detection

    Enable/disable detection in the HTTP Body message.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is alert, but we recommend you deny XSS Injection.

    Severity
    • High—Log matches as high severity events.
    • Medium—Log matches as a medium severity events.
    • Low—Log matches as low severity events.

    The default is low, but we recommend you rate this high or medium.
    XSS Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
    Previous
    Next

    Configuring an SQL/XSS Injection Detection policy

    Configuring an SQL/XSS Injection Detection policy

    SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.

    In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis, which is a complementary method and is faster.

    The policy enables/disables scanpoints, the action when traffic matches signatures, and the event severity.

    You can enable detection in the following scanpoints:

    • SQL Injection: URI—Analyzes content in the URI.
    • SQL Injection: Referer—Analyzes content in the HTTP Referer header.
    • SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
    • SQL Injection: Body—Analyzes content in the HTTP request body.
    • XSS Injection: URI—Analyzes content in the URI.
    • XSS Detection: Referer—Analyzes content in the HTTP Referer header.
    • XSS Detection: Cookie—Analyzes content in the HTTP Cookie header.
    • XSS Detection: Body—Analyzes content in the HTTP request body.

    Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

    Predefined SQL injection and XSS detection policies describes the predefined policies.

    Predefined SQL injection and XSS detection policies
    SQL Injection XSS
    Predefined Rules Detection Action Severity Detection Action Severity

    High-Level-Security

    All except Body SQL Injection Detection

    Deny

    High

    All except Body XSS Injection Detection

    Deny

    High

    Medium-Level-Security

    Only SQL URI SQL Injection Detection

    Deny

    High

    None

    Alert

    Low

    Alert-Only

    Only SQL URI SQL Injection Detection

    Alert

    High

    None

    Alert

    Low

    If desired, you can create user-defined policies.

    Before you begin:

    • You must have Read-Write permission for Security settings.

    After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

    To configure an SQL/XSS Injection Detection policy:
    1. Go to Web Application Firewall > Common Attacks Detection.
    2. Click the SQL/XSS Injection Detection tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in SQL/XSS Injection Detection configuration.
    5. Save the configuration.

    SQL/XSS Injection Detection configuration
    Settings Guidelines

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.
    SQL

    SQL Injection Detection

    Enable/disable SQL injection detection.

    URI Detection

    Enable/disable detection in the HTTP request.

    Referer Detection

    Enable/disable detection in the Referer header.

    Cookie Detection

    Enable/disable detection in the Cookie header.

    Body Detection

    Enable/disable detection in the HTTP Body message.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is alert, but we recommend using Deny SQL Injection.

    Severity
    • High—Log as high severity events.
    • Medium—Log as a medium severity events.
    • Low—Log as low severity events.

    The default is low, but we recommend you rate this high or medium.
    SQL Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
    XSS

    XSS Injection Detection

    Enable/disable XSS injection detection.

    URI Detection

    Enable/disable detection in the HTTP request.

    Referer Detection

    Enable/disable detection in the Referer header.

    Cookie Detection

    Enable/disable detection in the Cookie header.

    Body Detection

    Enable/disable detection in the HTTP Body message.

    Action

    Select the action profile that you want to apply. See Configuring WAF Action objects.

    The default is alert, but we recommend you deny XSS Injection.

    Severity
    • High—Log matches as high severity events.
    • Medium—Log matches as a medium severity events.
    • Low—Log matches as low severity events.

    The default is low, but we recommend you rate this high or medium.
    XSS Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
    Previous
    Next