Configuring a WAF Profile

A WAF profile references the WAF policies that are to be enforced.

The Predefined WAF profiles table below describes the predefined profiles. In many cases, you can use a predefined profile to get started.

Predefined WAF profiles

Predefined Profile | Description

High-Level-Security

  • Web Attack Signature policy: High-Level-Security
  • HTTP Protocol Constraints policy: High-Level-Security
  • SQL/XSS Injection Detection policy: High-Level-Security

Medium-Level-Security

  • Web Attack Signature policy: Medium-Level-Security
  • HTTP Protocol Constraints policy: Medium-Level-Security
  • SQL/XSS Injection Detection policy: Medium-Level-Security

Alert-Only

  • Web Attack Signature policy: Alert-Only
  • HTTP Protocol Constraints policy: Alert-Only
  • SQL/XSS Injection Detection policy: Alert-Only

If desired, you can create user-defined profiles. The maximum number of profiles per VDOM is 255.

Before you begin:
  • You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this procedure to add them to a WAF profile.
  • You must have Read-Write permission for Security settings.

After you have created a WAF profile, you can specify it in a virtual server configuration.

To configure a WAF Profile:
  1. Go to Web Application Firewall > Web Profile.
  2. Click the WAF Profile tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in WAF Profile configuration.
  5. Save the configuration.

WAF Profile configuration

Setting | Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Exception Name

Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

Rule Match Record

Enable to allow the Security Log to display the part of the rule that is matched when the security event is logged. This is disabled by default.

Standard Protection

Web Attack Signature

Select a predefined or user-defined Web Attack Signature configuration object.

HTTP Protocol Constraint

Select a predefined or user-defined HTTP Protocol Constraint configuration object.

Sensitive Data Protection

Cookie Security

Select a user-defined Cookie Security configuration object.

Data Leak Prevention

Select a user-defined Data Leak Prevention configuration object.

HTTP Header Security

Select a user-defined HTTP Header Security configuration object.

Input Protection

SQL/XSS Injection Detection

Select a predefined or user-defined SQL/XSS Injection Detection configuration object.

Input Validation Policy

Select a user-defined Input Validation Policy configuration object.

CORS Protection

Select a user-defined CORS Protection configuration object.

Access Protection

Brute Force Attack Detection

Select a user-defined Brute Force Attack Detection configuration object.

URL Protection

Select a user-defined URL Protection configuration object.

Credential Stuffing Defense

Select a user-defined Credential Stuffing Defense configuration object.

API Protection

JSON Detection

Select a predefined or user-defined JSON Detection configuration object.

XML Detection

Select a predefined or user-defined XML Detection configuration object.

OpenAPI Detection

Select a user-defined OpenAPI Detection configuration object.

API Gateway

Select a user-defined API Gateway configuration object.

Bot Mitigation

Bot Detection

Select a user-defined Bot Detection configuration object.

Threshold Based Detection

Select a predefined or user-defined Threshold Based Detection configuration object.

Biometrics Based Detection

Select a user-defined Biometrics Based Detection configuration object.

Advanced Protection

Advanced Protection

Select a user-defined Advanced Protection configuration object.

CSRF Protection

Select a user-defined CSRF Protection configuration object.
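As an added illustration, not part of the handbook and not a FortiADC API, the following Python checker applies the constraints stated on this page (name character set, 255 profiles per VDOM, which slots accept a predefined object, and the requirement that user-defined objects exist before they are referenced) to a draft profile before it is entered in the GUI. The slot field names, the sample object inventories and the assumption that the predefined object names are reserved are this example's own.

```python
import re

# Constraints taken from the handbook page: name character set, 255 profiles
# per VDOM, and which slots accept a predefined object. Everything else here
# (slot field names, sample inventories) is constructed for this example.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
MAX_PROFILES_PER_VDOM = 255
PREDEFINED_OBJECTS = {"High-Level-Security", "Medium-Level-Security", "Alert-Only"}
# Slots the settings table marks "predefined or user-defined"; every other
# slot accepts user-defined objects only.
PREDEFINED_OK = {
    "web_attack_signature", "http_protocol_constraint",
    "sql_xss_injection_detection", "json_detection", "xml_detection",
    "threshold_based_detection",
}
# The three predefined profiles exactly as the page lists them.
PREDEFINED_PROFILES = {
    level: {slot: level for slot in ("web_attack_signature",
                                     "http_protocol_constraint",
                                     "sql_xss_injection_detection")}
    for level in PREDEFINED_OBJECTS
}

def validate_profile(name, slots, user_defined, existing_profiles):
    """Return the list of problems with a proposed profile (empty list = OK).

    slots: {setting: referenced object name}
    user_defined: names of user-defined objects already created in the VDOM
    existing_profiles: names of profiles already present in the VDOM
    Assumption: predefined object names are reserved and never user-defined.
    """
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"name {name!r}: use only A-Z, a-z, 0-9, _ and -, no spaces")
    if name not in existing_profiles and len(existing_profiles) >= MAX_PROFILES_PER_VDOM:
        problems.append(f"VDOM already holds {MAX_PROFILES_PER_VDOM} profiles")
    for slot, obj in slots.items():
        if obj in PREDEFINED_OBJECTS:
            if slot not in PREDEFINED_OK:
                problems.append(f"{slot}: no predefined object exists for this slot")
        elif obj not in user_defined:
            problems.append(f"{slot}: user-defined object {obj!r} must be created first")
    return problems

if __name__ == "__main__":
    # Constructed inventory: the cookie-security object exists, the DLP one does not.
    created = {"shop-cookies"}
    draft = {"web_attack_signature": "High-Level-Security",
             "cookie_security": "shop-cookies",
             "data_leak_prevention": "shop-dlp",      # not created yet
             "http_header_security": "Alert-Only"}    # user-defined only
    for p in validate_profile("shop waf", draft, created, set()):
        print("-", p)
```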
