Handbook

Introduction
Chapter 1: What's New
Chapter 2: Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Chapter 3: Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Chapter 4: Server Load Balancing
- Server load balancing basics
- Server load balancing configuration overview
- Configuring virtual servers
- Using content rewriting rules
- HSTS and HPKP support
- Configuring content routes
- Using source pools
- Using schedule pools
- Using clone pools
- Configuring Application profiles
- WebSocket load-balancing
- Configuring MSSQL profiles
- Configuring MySQL profiles
- Configuring client SSL profiles
- Configuring HTTP2 profiles
- Configuring load-balancing (LB) methods
- Configuring persistence rules
- Configuring error pages
- Configuring decompression rules
- Configuring Captcha
- Creating a PageSpeed configuration
- Creating PageSpeed profiles
- PageSpeed support and restrictions
- Configuring compression rules
- Compression and decompression
- Configuring caching rules
- Using real server pools
- Configuring real servers
- Configuring real server SSL profiles
- Using HTTP scripting
- Configuring an L2 exception list
- Creating a Web Filter Profile configuration
- Using the Web Category tab
- Configuring certificate caching
- TCP multiplexing
Chapter 5: Link Load Balancing
- Link load balancing basics
- Link load balancing configuration overview
- Configuring link policies
- Configuring a link group
- Configuring gateway links
- Configuring persistence rules
- Configuring proximity route settings
- Configuring a virtual tunnel group
Chapter 6: Global Load Balancing
- Global load balancing basics
- Global load balancing configuration overview
- Configuring servers
- Configuring a global load balance link
- Configuring data centers
- Configuring hosts
- Configuring wizard
- Configuring virtual server pools
- Configuring location lists
- Logical Topology
- Configuring a Global DNS policy
- Configuring DNS zones
- Configuring general settings
- Configuring DNS over HTTPS and DNS over TLS
- Configuring the trust anchor key
- Configuring DNS64
- Configuring the DSSET list
- Configuring an address group
- Configuring remote DNS servers
- Configuring the response rate limit
Chapter 7: Network Security
- Security features basics
- Managing IP Reputation policy settings
- Configure IP reputation exception
- Configure IP reputation block list
- Using the Geo IP block list
- Using the Geo IP allowlist
- Special Geo codes
- Enabling denial of service protection
- Configuring an IPv4 firewall policy
- Configuring an IPv6 firewall policy
- Configuring an IPv4 connection limit policy
- Configuring an IPv6 connection limit policy
- Anti-virus
- Configuring IPS
- Zero Trust Network Access (ZTNA)
Chapter 8: DoS Protection
- Configuring DoS Protection Profile
- Configuring HTTP access limit policy
- Configuring HTTP connection flood policy
- Configuring an HTTP request flood policy
- Configuring an IP fragmentation policy
- Configuring a TCP SYN flood protection policy
- Configuring a TCP slow data flood protection policy
Chapter 9: Web Application Firewall
- Web application firewall basics
- Web application firewall configuration overview
- Configuring an OWASP TOP10 profile
- Configuring a WAF Profile
- Configuring WAF Action objects
- Configuring WAF Exception objects
- Configuring a Web Attack Signature policy
- Using the Signature Creation Wizard
- Configuring a URL Protection policy
- Configuring an Advanced Protection policy
- Configuring an HTTP Protocol Constraint policy
- Configuring CSRF protection
- Configuring brute force attack detection
- Configuring an SQL/XSS Injection Detection policy
- Configuring a Bot Detection policy
- Configuring a Threshold Based Detection policy
- Configuring a Biometrics Based Detection policy
- Configuring a Credential Stuffing Defense Policy
- Configuring a Cookie Security policy
- Configuring sensitive data protection
- Configuring Cross-Origin Resource Sharing (CORS) protection
- Configuring XML Detection
- Configuring JSON detection
- Importing XML schema
- Uploading WSDL files
- Importing JSON schema
- Configuring OpenAPI Detection
- Importing OpenAPI schema
- Configuring API Gateway
- Configuring Input Validation
- Web Vulnerability Scanner
  - WVS Profile
  - WVS Login
  - WVS Exceptions
  - Scan History
  - Scan Integration
- Web Anti-Defacement
Chapter 10: User Authentication
- Configuring AD FS Proxy
- Configuring authentication policies
- Configuring user groups
- Configuring customized authentication form
- Using the local authentication server
- Using an LDAP authentication server
- Using a RADIUS authentication server
- Using a TACACS+ authentication server
- Configuring an NTLM authentication server
- Configuring Duo authentication server support
- Using Kerberos Authentication Relay
- Two-factor authentication
- OAuth 2.0 authentication
- Using HTTP Basic SSO
- SAML and SSO
  - Configure a SAML service provider
  - Import IDP Metadata
Chapter 11: Shared Resources
- Configuring health checks
- Configuring health check monitor
- Creating schedule groups
- Creating IP address objects
- Configuring address groups
- Creating IPv6 address objects
- Configuring address groups
- Managing the ISP address books
- Creating service objects
- Creating service groups
- Configuring WCCP
Chapter 12: Basic Networking
- Configuring network interfaces
- Configuring management interface
- Linking VDOMs for inter-VDOM routing
- Configuring static routes
- Configuring policy routes
Chapter 13: System Management
- Configuring basic system settings
- Configuring system time
- Configuring pre-login disclaimer messages
- Updating firmware
- Configuring an SMTP mail server
- Connecting to FortiGuard services
- Configuring FortiGuard service settings
- Pushing/pulling configurations
- Backing up and restoring the configuration
- SCP support for configuration backup
- Rebooting, resetting, and shutting down the system
- Create a traffic group
- Manage administrator users
- Configuring SNMP
- Managing and validating certificates
- Validating certificates
- HSM Integration
Chapter 14: Logging and Reporting
- Downloading logs
- Using the security log
- Using the traffic log
- Using the script log
- Configuring local log settings
- Configuring syslog settings
- Configuring OFTP settings for FortiAnalyzer logs
- Configuring fast stats log settings
- Configuring report email
- Configuring reports
- Configuring report queries
- Configuring fast reports
- Display logs via CLI
Chapter 15: High Availability Deployments
- HA feature overview
- HA system requirements
- HA synchronization
- Configuring HA settings
- Monitoring an HA cluster
- Updating firmware for an HA cluster
- Deploying an active-passive cluster
- Deploying an active-active cluster
- Advantages of HA Active-Active-VRRP
- Deploying an active-active-VRRP cluster
Chapter 16: Virtual Domain
- Virtual Domain (VDOM) and Administrative Domain (ADOM) overview
- Enabling the Virtual Domain feature and selecting the Virtual Domain Mode
- Creating a virtual domain
- Assigning administrator users and network interfaces to VDOMs
- Virtual domain policies
- Disabling a virtual domain
Chapter 17: SSL Offloading
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
Chapter 18: Advanced Networking
- NAT
  - Configure source NAT
  - Configuring 1-to-1 NAT
- QoS
- OSPF
- ISP Routes
  - Reverse path route caching
- BGP
- Access list vs. prefix list
- Configuring an IPv4 access list
- Configuring an IPv6 access list
- Configuring an IPv4 prefix list
- Configuring an IPv6 prefix list
- Transparent mode
Chapter 19: Best Practices and Fine-tuning
- Regular backups
- Security
- Performance tips
- High availability
Chapter 20: Troubleshooting
- Logs
- Tools
- Save debug file
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Chapter 21: System Dashboard
- Widgets
- Dashboard management tools
Chapter 22: FortiView
- Physical Topology
- HA Status
- Server Load Balance
- Link Load Balance
  - Logical Topology
  - Link Group
- Global Load Balance
  - Logical Topology
  - Host
- Security
- All Segments
- ZTNA FortiClient endpoint
Chapter 23: Security Fabric
- Automation
- Fabric connectors
- External connectors
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
- Scripting application
- Events and actions
- Predefined commands
- Predefined scripts
- Control structures
- Operators
- String library
- Function
- Special characters
- Examples
Appendix D: Maximum Configuration Values
Change Log

Home FortiADC 7.2.2 Handbook

7.2.2

Configuring a Web Attack Signature policy

The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.

In the Web Attack Signature policy configuration, you can enable/disable the class of scanpoints and the action when traffic matches signatures.

There are three classes of scanpoints:

HTTP Header—Scans traffic against HTTP header signatures. If you enable a policy at all, you are enabling HTTP header scanning.
HTTP Request Body—Scans traffic against HTTP request body signatures.
HTTP Response Body—Scans traffic against HTTP response body signatures.

Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

You can specify separate actions for three levels of event severity:

High—We recommend you deny traffic for high severity events.
Medium—We recommend you deny or alert, according to your preference. To be strict, deny; otherwise, alert.
Low—We recommend you allow the traffic and log an alert for low severity events.

Web Attack Signature predefined policies describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

Web Attack Signature predefined policies
Policy	Status	Action
High-Level-Security	Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.	High Severity Action—Deny. Medium Severity Action—Deny. Low Severity Action—Alert.
Medium-Level-Security	Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.	High Severity Action—Deny. Medium Severity Action—Alert. Low Severity Action—Alert.
Alert-Only	Scan HTTP header—Enabled. Scan HTTP Request Body—Disabled. Scan HTTP Response Body—Disabled.	High Severity Action—Alert. Medium Severity Action—Alert. Low Severity Action—Alert.

Basic Steps

Configure the connection to FortiGuard so that the system can receive periodic WAF Signature Database updates. See Configuring FortiGuard service settings.
Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
When configuring the WAF profile, select a policy that you associate with virtual servers . See Configuring a Web Attack Signature policy.

Before you begin:

You must have read-write permission for security settings.

To configure a Web Attack Signature policy:

Go to Web Application Firewall > Known Web Attacks.
Click the Web Attack Signature tab.
Click Create New to display the configuration editor.
Complete the configuration as described in Web Attack Signature configuration.
Save the configuration.

Web Attack Signature configuration
Settings	Guidelines
Category	This dialog provides tools for configuring a Web attack signature policy.
Name	Specify a unique name for the Web attack signature policy and click Save. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No space is allowed between characters. Note: Once saved, the policy name cannot be changed.
Category	This section lists the (main) categories of Web attack signatures within the system. Do the following to include the desired categories of Web attack signature in the policy: In the Name column, identify the categories of Web attack signatures of interest. In the Status column, select (check mark) the categories you like to include in the policy. In the Action column, select the action you want to apply to the categories that you select. Double-click the name of a category to view its sub-categories. See Sub-category below.
Sub-category	This section lists the sub-categories of a (main) category of Web attack signature that you have opened (double-clicked) from above. Do the following to enable any of the sub-categories of interest: In the Name column, identify the sub-categories of interest. In the Status column, select (check mark) the sub-categories you like to include in the policy.
Signature	This dialog provides tools for searching through and filtering Web attack signatures available within the system.
Search	Use the following options to search for Web attack signatures to display: Description—Enter a descriptive text string and click Search. ID—Enter a Web attack signature ID and click Search. CVE Number—Enter a CVE number related to a Web attack signature and click Search. Clear Search—Click this button to empty all search fields. Note: Web attack signatures that match your search criterion show up in the Signature section below the moment you click the corresponding Search button.
Filters	Use any or a combination of the following filters to filter the Web attack signatures to be displayed in the Signature section below: Category—Click the down arrow and select a (main) category of Web attack signatures from the drop-down menu. Sub-category—Click the down arrow and select a sub-category of the category of Web attack signatures that you have selected. Status —Click the down arrow and select either (Enable or Disable) from the drop-down menu. Severity—Click the down arrow and select High, Medium, or Low from the drop-down menu. Exception—Click the down arrow and select either (Yes or No) from the drop-down menu. Clear All—Click this button to clear the existing filters. Note: You can also remove a specific filter by clicking the corresponding x mark.
Signature	This section displays all Web attack signatures that match your search and filter criteria, showing the following information for each Web attack signature: ID Status Name Severity Target Application Exception Name
Signature Detail	This section shows detailed information about the Web attack signature that you've highlighted (clicked) in the Signature section above.
Detail	This tab shows the following information about the selected signature: Signature ID Category Sub-category Severity Target Application Description CVE Number (if one exists) Reference (if one exists) Found In
Edit Signature	This tab provides tools for editing a selected Web attack signature. It contains the following fields: Signature ID—(Read only) Shows the ID of the selected signature. Status—Click to enable or disable the signature. Exception Name—Click the down arrow and select an exception from the drop-down menu.

Web Attack Signature categories and subcategories summarizes the categories of threats that are detected by the signatures.

Web Attack Signature categories and subcategories
Category (ID)	Subcategory (ID)
Cross Site Scripting (1)	Generic XSS Attack (42)
SQL Injection (2)	Generic SQL Injection (43)
Generic Attacks (3)	OS Command Injection (1) Coldfusion Injection (2) LDAP Injection (3) Command Injection (4) Session Fixation (5) File Injection (6) PHP Injection (7) SSI Injection (8) UPDF XSS (9) Email Injection (10) HTTP Response Splitting (11) RFI Injection (12) Xpath Injection (49) XML External Entities (57) Insecure Deserialization (59) HTTP Header Injection (60) Buffer Overflow (62) Denial Of Service (64)
Trojans (4)	Trojans (44)
Information Disclosure (5)	Zope Information Leakage (13) CF Information Leakage (14) PHP Information Leakage (15) ISA Server Existence Revealed (16) Microsoft Office Document Properties Leakage (17) CF Source Code Leakage (18) IIS Information Leakage (19) Weblogic information leakage (20) Generic Filename and Directory leakage (21) ASP/JSP Source Code Leakage (22) PHP Source Code Leakage (23) SQL Error leakage (24) HTTP Header Leakage (25) WordPress Leakage (26) Generic Malicious Leakage (47) Path Travel (58)
Known Exploits (6)	Oracle 9i (27) Coppermine Photo Gallery (28) Netscape Enterprise Server (29) Cisco IOS HTTP Service (30) Microsoft SQL Server (31) HP OpenView Network Node Manager (32) Best Sofrware SalesLogix (33) IBM Lotus Domino Web Server (34) Microsoft IIS (35) Microsoft Windows Media Services (36) Dave Carrigan Auth_LDAP (37) 427BB (38) RaXnet Cacti Graph (39) CHETCPASSWD (40) SAP (41) Generic Exploit (48) Lighttpd Server (53) Caucho Resin Server (54) JRun Web Server (55) IBM Lotus Domino (56) WordPress (61) Struts 2 (63) Joomla! (65)
Credit Card Detection (7)	Credit Card Detection (45)
Bad Robot (8)	Bad Robot (46)
Cross Site Scripting (Extended) (9)	Cross Site Scripting (Extended) (50)
SQL Injection (Extended) (10)	SQL Injection (Extended) (51)
Generic Attacks (Extended) (11)	Generic Attacks (Extended) (52)