Fortinet black logo

Handbook

Configuring WAF Exception objects

Configuring WAF Exception objects

WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false-positives triggered by legitimate HTTP requests that match an attack signature rule. FortiADC supports URL, hosts and source IP patterns matching in the WAF exception rules.

You can create and configure WAF Exception objects using either of the following methods:

Before you begin:
  • You must have Read-Write permission for System settings.

For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MBs in the VM platform).

Configuring WAF exception rules from the WAF Profile > Exceptions tab

You can create or configure exception objects to then apply to specific WAF profiles and individual WAF feature rules.

To configure a WAF exception rule from the WAF Profile > Exceptions tab:
  1. Go to Web Application Firewall > WAF Profile.
  2. Click the Exceptions tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following:

    Parameter

    Description

    Name

    Enter a unique name for the WAF Exception. Maximum length is 130 characters.

    Note: Once saved, the name of an Exception cannot be changed.

  5. Click Save.
  6. Under Exception Rule, click Create New to display the configuration editor.
  7. Select the exception pattern Element Type from the drop-down menu.
    • URL
    • Source IP
    • Source IPv6
    • HTTP Method
    • HTTP Header
    • Cookie
    • Parameter
  8. Configure the following parameters based on the exception pattern Element Type.

    Parameter

    Description

    URL
    Exception Host StatusEnable/disable the setting exceptions by host pattern.
    Host Pattern

    The Host Pattern option appears if Exception Host Status is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

    URL Pattern

    Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

    Source IP

    IPv4/Netmask

    Specify the IPv4 address and netmask. For example: 192.0.2.5/24

    Source IPv6

    IPv6/Netmask

    Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

    HTTP Method

    HTTP Method

    Select the HTTP method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    • OPTIONS

    • OTHERS

    HTTP Header

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Cookie

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Parameter

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

  9. Click Save.

Configuring WAF exception rules from the WAF log

You can create or configure exception objects to directly apply to the specific WAF log. You have the option to create exception rules in basic mode or advanced mode. Using basic mode, you can apply the URL or Source IP/ Source IPv6 from the WAF log directly to the exception rule. The advanced mode enables you to create and configure exception rules for all supported element patterns.

To configure a WAF exception rule from the WAF log using basic mode:
  1. Go toLog & Report > Security Log or FortiView > Security Logs.
  2. Navigate to the WAF security log and expand the details for which you want to add an exception rule.
  3. In the log details, click Add Exception to display the configuration editor.
  4. Configure the following parameters.

    Parameter

    Description

    Profile NameSelect the WAF Profile to apply the WAF exception rule.
    Advanced Mode

    To configure the WAF exception rule using basic mode, ensure Advanced Mode is disabled.

    By default, Advanced Mode is disabled, which enables basic mode.

    Element Type

    Select either of the following:

    • URL — To apply the HTTP URL from this WAF log for this exception rule.
    • Source IP — To apply the Source from this WAF log for this exception rule. The Source IP option appears if the Source address is IPv4.
    • Source IPv6 — To apply the Source IPv6 from this WAF log for this exception rule. The Source IPv6 option appears if the Source address is IPv6.
  5. Click Save.
To configure a WAF exception rule from the WAF log using advanced mode:
  1. Go toLog & Report > Security Log or FortiView > Security Logs.
  2. Navigate to the WAF security log and expand the details for which you want to add an exception rule.
  3. In the log details, click Add Exception to display the configuration editor.
  4. Configure the following:

    Parameter

    Description

    Profile Name

    Select the WAF Profile to apply the WAF exception rule.

    Note: The profile name parameter will display according to the WAF subcategory of the log. For example, if the WAF subcategory of the log is "cookie security" then the parameter will display as "Cookie Security Profile Name".

    Advanced Mode

    Enable Advanced Mode to configure the WAF exception rule using advanced mode.

    Once Advanced Mode is enabled, the Element Type drop-down menu will include all supported exception pattern.

  5. Select the exception pattern Element Type from the drop-down menu.
    • URL
    • Source IP
    • Source IPv6
    • HTTP Method
    • HTTP Header
    • Cookie
    • Parameter
  6. Configure the following parameters based on the exception pattern Element Type.

    Parameter

    Description

    URL
    Exception Host StatusEnable/disable the setting exceptions by host pattern.
    Host Pattern

    The Host Pattern option appears if Exception Host Status is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

    URL Pattern

    Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

    Source IP

    IPv4/Netmask

    Specify the IPv4 address and netmask. For example: 192.0.2.5/24

    Source IPv6

    IPv6/Netmask

    Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

    HTTP Method

    HTTP Method

    Select the HTTP method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    • OPTIONS

    • OTHERS

    HTTP Header

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Cookie

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Parameter

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

  7. Click Save.

Limitations: Escaped Characters

All Name Pattern and Value Pattern fields support regular expression. However, some characters must be escaped to be a valid regular expression or be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. However, it is also possible that an error may not be triggered by unescaped characters if it is considered syntactically correct — in which case these expressions would not function as exception rules since they will not match any user traffic.

This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.

Brackets: []

Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.

For example:

Invalid: []

Valid: [123] — Valid

[] is an invalid exception rule regular expression because the input only contain brackets with no other characters in between. Whereas [123] is valid because there are number characters between the brackets.

Parentheses: ()

Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression — ()\(\)

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis. Whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.

Asterisk: *

Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule — *\*

For example:

curl -vv -X POST --cookie "Cookie123=abcd"

"http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"

Where the cookie name is "cookie" and the cookie value is "a*"

Invalid: a*

Valid: a\*"

In this case, both a* and a\* are both correct in syntax. However, a* would not be functional as an exception rule because it would not match any user traffic.

Space: %20

Spaces (%20) in URLs must be replaced with spaces to be a valid exception rule regular expression.

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert(\'attack success'\)

Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with the space: mocha:alert('attack%20success')mocha:alert(\'attack success'\)

Single Quotes: ''

When the Name Pattern or Value Pattern fields contain single quotes, it will be automatically escaped.

For example:

In the GUI or CLI, you may enter the parameter value pattern as: alert\('attack%20success'\)

In the CLI, the value pattern will appear as: alert\\(\'attack success\'\\)

Configuring WAF Exception objects

WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false-positives triggered by legitimate HTTP requests that match an attack signature rule. FortiADC supports URL, hosts and source IP patterns matching in the WAF exception rules.

You can create and configure WAF Exception objects using either of the following methods:

Before you begin:
  • You must have Read-Write permission for System settings.

For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MBs in the VM platform).

Configuring WAF exception rules from the WAF Profile > Exceptions tab

You can create or configure exception objects to then apply to specific WAF profiles and individual WAF feature rules.

To configure a WAF exception rule from the WAF Profile > Exceptions tab:
  1. Go to Web Application Firewall > WAF Profile.
  2. Click the Exceptions tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following:

    Parameter

    Description

    Name

    Enter a unique name for the WAF Exception. Maximum length is 130 characters.

    Note: Once saved, the name of an Exception cannot be changed.

  5. Click Save.
  6. Under Exception Rule, click Create New to display the configuration editor.
  7. Select the exception pattern Element Type from the drop-down menu.
    • URL
    • Source IP
    • Source IPv6
    • HTTP Method
    • HTTP Header
    • Cookie
    • Parameter
  8. Configure the following parameters based on the exception pattern Element Type.

    Parameter

    Description

    URL
    Exception Host StatusEnable/disable the setting exceptions by host pattern.
    Host Pattern

    The Host Pattern option appears if Exception Host Status is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

    URL Pattern

    Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

    Source IP

    IPv4/Netmask

    Specify the IPv4 address and netmask. For example: 192.0.2.5/24

    Source IPv6

    IPv6/Netmask

    Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

    HTTP Method

    HTTP Method

    Select the HTTP method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    • OPTIONS

    • OTHERS

    HTTP Header

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Cookie

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Parameter

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

  9. Click Save.

Configuring WAF exception rules from the WAF log

You can create or configure exception objects to directly apply to the specific WAF log. You have the option to create exception rules in basic mode or advanced mode. Using basic mode, you can apply the URL or Source IP/ Source IPv6 from the WAF log directly to the exception rule. The advanced mode enables you to create and configure exception rules for all supported element patterns.

To configure a WAF exception rule from the WAF log using basic mode:
  1. Go toLog & Report > Security Log or FortiView > Security Logs.
  2. Navigate to the WAF security log and expand the details for which you want to add an exception rule.
  3. In the log details, click Add Exception to display the configuration editor.
  4. Configure the following parameters.

    Parameter

    Description

    Profile NameSelect the WAF Profile to apply the WAF exception rule.
    Advanced Mode

    To configure the WAF exception rule using basic mode, ensure Advanced Mode is disabled.

    By default, Advanced Mode is disabled, which enables basic mode.

    Element Type

    Select either of the following:

    • URL — To apply the HTTP URL from this WAF log for this exception rule.
    • Source IP — To apply the Source from this WAF log for this exception rule. The Source IP option appears if the Source address is IPv4.
    • Source IPv6 — To apply the Source IPv6 from this WAF log for this exception rule. The Source IPv6 option appears if the Source address is IPv6.
  5. Click Save.
To configure a WAF exception rule from the WAF log using advanced mode:
  1. Go toLog & Report > Security Log or FortiView > Security Logs.
  2. Navigate to the WAF security log and expand the details for which you want to add an exception rule.
  3. In the log details, click Add Exception to display the configuration editor.
  4. Configure the following:

    Parameter

    Description

    Profile Name

    Select the WAF Profile to apply the WAF exception rule.

    Note: The profile name parameter will display according to the WAF subcategory of the log. For example, if the WAF subcategory of the log is "cookie security" then the parameter will display as "Cookie Security Profile Name".

    Advanced Mode

    Enable Advanced Mode to configure the WAF exception rule using advanced mode.

    Once Advanced Mode is enabled, the Element Type drop-down menu will include all supported exception pattern.

  5. Select the exception pattern Element Type from the drop-down menu.
    • URL
    • Source IP
    • Source IPv6
    • HTTP Method
    • HTTP Header
    • Cookie
    • Parameter
  6. Configure the following parameters based on the exception pattern Element Type.

    Parameter

    Description

    URL
    Exception Host StatusEnable/disable the setting exceptions by host pattern.
    Host Pattern

    The Host Pattern option appears if Exception Host Status is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

    URL Pattern

    Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters.

    For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.

    Source IP

    IPv4/Netmask

    Specify the IPv4 address and netmask. For example: 192.0.2.5/24

    Source IPv6

    IPv6/Netmask

    Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64

    HTTP Method

    HTTP Method

    Select the HTTP method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    • OPTIONS

    • OTHERS

    HTTP Header

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Cookie

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Parameter

    Name Pattern

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

    Check Value of Specified Element

    Enable/disable value checking for the specified element.

    Value Pattern

    The Value Pattern option appears if Check Value of Specified Element is enabled.

    Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters.

    For example: . Content*

  7. Click Save.

Limitations: Escaped Characters

All Name Pattern and Value Pattern fields support regular expression. However, some characters must be escaped to be a valid regular expression or be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. However, it is also possible that an error may not be triggered by unescaped characters if it is considered syntactically correct — in which case these expressions would not function as exception rules since they will not match any user traffic.

This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.

Brackets: []

Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.

For example:

Invalid: []

Valid: [123] — Valid

[] is an invalid exception rule regular expression because the input only contain brackets with no other characters in between. Whereas [123] is valid because there are number characters between the brackets.

Parentheses: ()

Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression — ()\(\)

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)

Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis. Whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.

Asterisk: *

Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule — *\*

For example:

curl -vv -X POST --cookie "Cookie123=abcd"

"http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"

Where the cookie name is "cookie" and the cookie value is "a*"

Invalid: a*

Valid: a\*"

In this case, both a* and a\* are both correct in syntax. However, a* would not be functional as an exception rule because it would not match any user traffic.

Space: %20

Spaces (%20) in URLs must be replaced with spaces to be a valid exception rule regular expression.

For example:

Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')

Valid: http://x.x.x.x/login?link=mocha:alert(\'attack success'\)

Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with the space: mocha:alert('attack%20success')mocha:alert(\'attack success'\)

Single Quotes: ''

When the Name Pattern or Value Pattern fields contain single quotes, it will be automatically escaped.

For example:

In the GUI or CLI, you may enter the parameter value pattern as: alert\('attack%20success'\)

In the CLI, the value pattern will appear as: alert\\(\'attack success\'\\)