Configuring WAF Exception objects

WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false positives triggered by legitimate HTTP requests that match an attack signature rule. FortiADC supports URL, host, and source IP pattern matching in WAF exception rules.

After you have created an exception object, you can specify it in WAF profiles and individual WAF feature rules.

Before you begin:
  • You must have Read-Write permission for System settings.

For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MBs in the VM platform).

To configure a WAF exception rule:
  1. Go to Web Application Firewall > WAF Profile.
  2. Click the Exceptions tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following:

    Parameter / Description

    Name
      Enter a unique name for the WAF Exception. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of an Exception cannot be changed.

  5. Click Save.
    The newly created Exception is listed under the Exceptions tab.
  6. Locate the newly created Exception on the list and double-click the row or click the (Edit icon).
  7. Under Exception Rule, click Create New to display the configuration editor.
  8. Select the exception pattern Element Type from the drop-down menu.
    • URL
    • Source IP
    • HTTP Method
    • HTTP Header
    • Cookie
    • Parameter
  9. Configure the following parameters based on the exception pattern Element Type.

    Parameter / Description

    URL

    Exception Host Status
      Enable/disable setting exceptions by host pattern.

    Host Pattern
      The Host Pattern option appears if Exception Host Status is enabled.
      Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.
      For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

    URL Pattern
      Specify the matching string. It must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.
      For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

    Source IP

    IPv4/Netmask
      Specify the IP address and netmask. For example: 192.0.2.5/24

    HTTP Method

    HTTP Method
      Select the HTTP method(s):
      • GET
      • POST
      • HEAD
      • TRACE
      • CONNECT
      • DELETE
      • PUT
      • PATCH
      • OPTIONS
      • OTHERS

    HTTP Header, Cookie, and Parameter

    The same three parameters apply to each of these element types.

    Name Pattern
      Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.
      For example: . Content*

    Check Value of Specified Element
      Enable/disable value checking for the specified element.

    Value Pattern
      The Value Pattern option appears if Check Value of Specified Element is enabled.
      Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.
      For example: . Content*

  10. Click Save.

Limitations: Escaped Characters

All Name Pattern and Value Pattern fields support regular expressions. However, some characters must be escaped for the input to be a valid regular expression or to be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. It is also possible that no error is triggered by unescaped characters when the expression is still syntactically correct; in that case the expression will not function as an exception rule, because it will not match any user traffic.

This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.

Brackets: []

Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.

For example:

Invalid: []

Valid: [123]

[] is an invalid exception rule regular expression because the input only contains brackets with no other characters in between, whereas [123] is valid because there are number characters between the brackets.

Parentheses: ()

Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression: () must be written as \(\).

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis, whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.

Asterisk: *

Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule: * must be written as \*.

For example, consider the following request:

curl -vv -X POST --cookie "Cookie123=abcd" "http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"

where the cookie name is "cookie" and the cookie value is "a*":

Invalid: a*

Valid: a\*

In this case, both a* and a\* are syntactically correct. However, a* would not be functional as an exception rule because it would not match any user traffic.

Space: %20

URL-encoded spaces (%20) in URLs must be replaced with literal spaces to be a valid exception rule regular expression.

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with a space: mocha:alert('attack%20success') becomes mocha:alert\('attack success'\).

Single Quotes: ''

When the Name Pattern or Value Pattern fields contain single quotes, the quotes are escaped automatically.

For example:

In the GUI or CLI, you may enter the parameter value pattern as: alert\('attack%20success'\)

In the CLI, the value pattern will appear as: alert\\(\'attack success\'\\)
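The following Python script is an added illustration (not FortiADC code or Fortinet's own tooling) of why the escaping rules above matter. It treats a Name/Value Pattern as a regular expression matched against the URL-decoded request value and assumes the whole value must match (re.fullmatch); the exact matching semantics of the appliance are not stated on this page, so that is an assumption. It also checks the Source IP element with the page's 192.0.2.5/24 example.

```python
import ipaddress
import re
from urllib.parse import unquote


def pattern_is_valid(pattern: str) -> bool:
    """True if the pattern compiles as a regex. '[]' is rejected here, but 'a*'
    is accepted: that is the silent-failure case the page warns about."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def pattern_matches(pattern: str, raw_value: str) -> bool:
    """Match a Name/Value Pattern against the URL-decoded request value.
    Assumption: the whole decoded value must match (re.fullmatch), so a
    pattern that still contains %20 never sees the decoded space."""
    if not pattern_is_valid(pattern):
        return False
    return re.fullmatch(pattern, unquote(raw_value)) is not None


def literal_to_pattern(raw_literal: str) -> str:
    """Build a pattern for one literal traffic value: decode %xx (so %20
    becomes a space), then escape regex metacharacters such as ( ) and *.
    re.escape escapes more characters than the page lists; that is harmless."""
    return re.escape(unquote(raw_literal))


def source_ip_matches(rule_cidr: str, client_ip: str) -> bool:
    """Source IP element: '192.0.2.5/24' covers the whole /24; host bits in
    the rule are ignored (strict=False)."""
    network = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.ip_address(client_ip) in network


if __name__ == "__main__":
    # Constructed request values, taken from the page's own examples.
    link = "mocha:alert('attack%20success')"
    cookie_value = "a*"
    print(pattern_matches(r"mocha:alert('attack%20success')", link))  # False: unescaped ( ) and %20
    print(pattern_matches(r"mocha:alert\('attack success'\)", link))  # True
    print(pattern_matches("a*", cookie_value))                        # False: a* means zero or more 'a'
    print(pattern_matches(r"a\*", cookie_value))                      # True
    print(literal_to_pattern(link))                                   # escaped, decoded pattern
    print(source_ip_matches("192.0.2.5/24", "192.0.2.200"))          # True
```

literal_to_pattern is the safe way to derive an exception pattern from a value observed in a false-positive log entry: decode first, then escape, so the pattern matches exactly that value and nothing broader.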
