Handbook

Introduction
What's New
Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Dashboard
- Widgets
- Dashboard management tools
Security Fabric
- Automation
- Fabric connectors
- External connectors
FortiView
- Logical Topology
- Server Load Balance
- Security
- System
  - Event Logs
  - Automation
- Global Load Balance
  - Host
  - Data Analytics
- Link Load Balance
  - Gateway
- ZTNA FortiClient endpoint
System
- Settings
- Virtual Domain
- High Availability
- Traffic Group
- Administrator
- Global Resources
- WCCP
- SNMP
- Replacement Messages
- FortiGuard
  - Connecting to FortiGuard services
  - Configuring FortiGuard service settings
- Debug
- Certificate
Network
- Interface
- Routing
- NAT
  - Configuring source NAT
  - Configuring 1-to-1 NAT
- QoS
- Packet capture
Shared Resources
- Health Check
- Schedule Group
- Address
- Service
  - Creating service groups
  - Creating service objects
Server Load Balance
- Virtual Server
- Application Resources
- Application Optimization
- Real Server Pool
- Scripting
  - Using HTTP scripting
- SSL-FP Resources
Link Load Balance
- Link Policy
- Link Group
- Virtual Tunnel
Global Load Balance
- GLB Wizard
- FQDN
- Zone Tools
- Global Object
Web Application Firewall
- OWASP TOP10
- WAF Profile
- Known Web Attacks
  - Configuring a Web Attack Signature policy
  - Using the Signature Creation Wizard
- Common Attacks Detection
- Sensitive Data Protection
  - Configuring a Cookie Security policy
  - Configuring an HTTP Header Security policy
- Data Loss Prevention
- Input Validation
- Access Protection
- CORS Protection
- API Protection
- Bot Mitigation
- Web Vulnerability Scanner
Advanced Bot Protection (ABP)
- Enabling the Advanced Bot Protection connector
- Obtaining the Application ID from the FortiGuard ABP User Portal
- Configuring an Advanced Bot Protection policy
- Advanced Bot Protection troubleshooting and debugging
Network Security
- Firewall
- Intrusion Prevention
- AntiVirus
- IP Reputation
- Geo IP Protection
Zero Trust Network Access (ZTNA)
- How device identity and trust context is established with FortiClient EMS
- Configuring FortiClient EMS Connector for ZTNA
- Verifying client certificate, FortiClient endpoint and ZTNA tag synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- ZTNA troubleshooting and debugging
DoS Protection
- DoS Protection Profile
- Application
- Networking
User Authentication
- Authentication Policy
- User Group
  - Configuring user groups
  - Configuring customized authentication forms
- Local User
- Remote User
- Using Kerberos Authentication Relay
  - Using HTTP Basic SSO
- SAML
  - Configure an SAML service provider
  - Import IDP Metadata
- AD FS Proxy
  - Adding an AD FS Publish
  - Adding an AD FS Proxy
- OAuth 2.0 authentication
Log & Report
- Using the traffic log
- Using the security log
- Using the script log
- Log Setting
- Report Setting
AI Threat Analytics
- AI Threat Analytics troubleshooting and debugging
SSL Advanced Services
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
- HSM Integration
Best Practices and Fine-tuning
- Regular backups
  - Rebooting, resetting, and shutting down the system
  - SCP support for configuration backup
- Security
- Performance tips
- High availability
Troubleshooting
- Logs
- Tools
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Appendices
- Port Numbers
- Scripts
- Maximum Configuration Values
Change Log

Home FortiADC 7.4.3 Handbook

7.4.3

Configuring a WAF Profile

A WAF profile references the WAF policies that are to be enforced.

Predefined WAF profiles describes the predefined profiles. In many cases, you can use predefined profiles to get started.

Predefined WAF profiles
Predefined Profiles	Description
High-Level-Security	Web Attack Signature policy: High-Level-Security HTTP Protocol Constraints policy: High-Level-Security SQL/XSS Injection Detection policy: High-Level-Security
Medium-Level-Security	Web Attack Signature policy: Medium-Level-Security HTTP Protocol Constraints policy: Medium-Level-Security SQL/XSS Injection Detection policy: Medium-Level-Security
Alert-Only	Web Attack Signature policy: Alert-Only HTTP Protocol Constraints policy: Alert-Only SQL/XSS Injection Detection policy: Alert-Only

If desired, you can create user-defined profiles. The maximum number of profiles per VDOM is 255.

Before you begin:

You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this procedure to add them to a WAF profile.
You must have Read-Write permission for Security settings.

After you have created a WAF profile, you can specify it in a virtual server configuration.

To configure a WAF Profile:

Go to Web Application Firewall > WAF Profile.
Click the WAF Profile tab.
Click Create New to display the configuration editor.
Complete the configuration as described in WAF Profile configuration.
Save the configuration.

WAF Profile configuration
Settings	Guidelines
Name	Configuration name. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. After you initially save the configuration, you cannot edit the name.
Exception Name	Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
Description	A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.
Rule Match Record	Enable to allow the Security Log to display the part of the rule that is matched when the security event is logged. This is disabled by default.
Standard Protection
Web Attack Signature	Select a predefined or user-defined Web Attack Signature configuration object.
HTTP Protocol Constraint	Select a predefined or user-defined HTTP Protocol Constraint configuration object.
Sensitive Data Protection
Cookie Security	Select a user-defined Cookie Security configuration object.
Data Leak Prevention	Select a user-defined Data Leak Prevention configuration object.
HTTP Header Security	Select a user-defined HTTP Header Security configuration object.
Input Protection
SQL/XSS Injection Detection	Select a predefined or user-defined SQL/XSS Injection Detection configuration object.
Input Validation Policy	Select a user-defined Input Validation Policy configuration object.
CORS Protection	Select a user-defined CORS Protection configuration object.
Access Protection
Brute Force Attack Detection	Select a user-defined Brute Force Attack Detection configuration object.
URL Protection	Select a user-defined URL Protection configuration object.
Credential Stuffing Defense	Select a user-defined Credential Stuffing Defense configuration object.
API Protection
JSON Detection	Select a predefined or user-defined JSON Detection configuration object.
XML Detection	Select a predefined or user-defined XML Detection configuration object.
OpenAPI Detection	Select a user-defined OpenAPI Detection configuration object.
API Gateway	Select a user-defined API Gateway configuration object.
Bot Mitigation
Bot Detection	Select a user-defined Bot Detection configuration object.
Threshold Based Detection	Select a predefined or user-defined Threshold Based Detection configuration object.
Biometrics Based Detection	Select a user-defined Biometrics Based Detection configuration object.
Fingerprint Based Detection	Select a user-defined Fingerprint Based Detection configuration object.
Advanced Bot Protection	Select a user-defined Advanced Bot Protection configuration object.
Advanced Protection
Advanced Protection	Select a user-defined Advanced Protection configuration object.
CSRF Protection	Select a user-defined CSRF Protection configuration object.

Configuring a WAF Profile

A WAF profile references the WAF policies that are to be enforced.

Predefined WAF profiles describes the predefined profiles. In many cases, you can use predefined profiles to get started.

Predefined WAF profiles
Predefined Profiles	Description
High-Level-Security	Web Attack Signature policy: High-Level-Security HTTP Protocol Constraints policy: High-Level-Security SQL/XSS Injection Detection policy: High-Level-Security
Medium-Level-Security	Web Attack Signature policy: Medium-Level-Security HTTP Protocol Constraints policy: Medium-Level-Security SQL/XSS Injection Detection policy: Medium-Level-Security
Alert-Only	Web Attack Signature policy: Alert-Only HTTP Protocol Constraints policy: Alert-Only SQL/XSS Injection Detection policy: Alert-Only

If desired, you can create user-defined profiles. The maximum number of profiles per VDOM is 255.

Before you begin:

You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this procedure to add them to a WAF profile.
You must have Read-Write permission for Security settings.

After you have created a WAF profile, you can specify it in a virtual server configuration.

To configure a WAF Profile:

Go to Web Application Firewall > WAF Profile.
Click the WAF Profile tab.
Click Create New to display the configuration editor.
Complete the configuration as described in WAF Profile configuration.
Save the configuration.

WAF Profile configuration
Settings	Guidelines
Name	Configuration name. Valid characters are `A`-`Z`, `a`-`z`, `0`-`9`, `_`, and `-`. No spaces. After you initially save the configuration, you cannot edit the name.
Exception Name	Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
Description	A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.
Rule Match Record	Enable to allow the Security Log to display the part of the rule that is matched when the security event is logged. This is disabled by default.
Standard Protection
Web Attack Signature	Select a predefined or user-defined Web Attack Signature configuration object.
HTTP Protocol Constraint	Select a predefined or user-defined HTTP Protocol Constraint configuration object.
Sensitive Data Protection
Cookie Security	Select a user-defined Cookie Security configuration object.
Data Leak Prevention	Select a user-defined Data Leak Prevention configuration object.
HTTP Header Security	Select a user-defined HTTP Header Security configuration object.
Input Protection
SQL/XSS Injection Detection	Select a predefined or user-defined SQL/XSS Injection Detection configuration object.
Input Validation Policy	Select a user-defined Input Validation Policy configuration object.
CORS Protection	Select a user-defined CORS Protection configuration object.
Access Protection
Brute Force Attack Detection	Select a user-defined Brute Force Attack Detection configuration object.
URL Protection	Select a user-defined URL Protection configuration object.
Credential Stuffing Defense	Select a user-defined Credential Stuffing Defense configuration object.
API Protection
JSON Detection	Select a predefined or user-defined JSON Detection configuration object.
XML Detection	Select a predefined or user-defined XML Detection configuration object.
OpenAPI Detection	Select a user-defined OpenAPI Detection configuration object.
API Gateway	Select a user-defined API Gateway configuration object.
Bot Mitigation
Bot Detection	Select a user-defined Bot Detection configuration object.
Threshold Based Detection	Select a predefined or user-defined Threshold Based Detection configuration object.
Biometrics Based Detection	Select a user-defined Biometrics Based Detection configuration object.
Fingerprint Based Detection	Select a user-defined Fingerprint Based Detection configuration object.
Advanced Bot Protection	Select a user-defined Advanced Bot Protection configuration object.
Advanced Protection
Advanced Protection	Select a user-defined Advanced Protection configuration object.
CSRF Protection	Select a user-defined CSRF Protection configuration object.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Handbook

Configuring a WAF Profile

Configuring a WAF Profile

Before you begin:

To configure a WAF Profile:

Configuring a WAF Profile

Configuring a WAF Profile

Before you begin:

To configure a WAF Profile: