Configuring WAF Exception objects
WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false positives triggered by legitimate HTTP requests that match an attack signature rule. FortiADC supports URL, host, and source IP pattern matching in WAF exception rules.
You can create and configure WAF Exception objects using either of the following methods:
- From the Web Application Firewall > WAF Profile > Exceptions tab, you can create/configure exception objects to then apply to specific WAF profiles and individual WAF feature rules. For detailed steps, see Configuring WAF exception rules from the WAF Profile > Exceptions tab.
- From the WAF security log (Log & Report > Security Log or FortiView > Security Logs), you can create/configure exception objects to directly apply to the specific WAF log. For detailed steps, see Configuring WAF exception rules from the WAF log.
Before you begin:
- You must have Read-Write permission for System settings.
For optimal functionality, we recommend keeping the number of configured WAF exception rules to a minimum. If a large number of WAF exception rules are configured, none may work effectively because of shared memory limitations (the maximum total is 256.0 MB on the VM platform).
Configuring WAF exception rules from the WAF Profile > Exceptions tab
You can create or configure exception objects to then apply to specific WAF profiles and individual WAF feature rules.
To configure a WAF exception rule from the WAF Profile > Exceptions tab:
- Go to Web Application Firewall > WAF Profile.
- Click the Exceptions tab.
- Click Create New to display the configuration editor.
- Configure the following:
  Name: Enter a unique name for the WAF Exception. Maximum length is 130 characters. Note: Once saved, the name of an Exception cannot be changed.
- Click Save.
- Under Exception Rule, click Create New to display the configuration editor.
- Select the exception pattern Element Type from the drop-down menu.
- URL
- Source IP
- Source IPv6
- HTTP Method
- HTTP Header
- Cookie
- Parameter
- Configure the following parameters based on the exception pattern Element Type.
  URL
    Exception Host Status: Enable or disable setting exceptions by host pattern.
    Host Pattern: Appears only if Exception Host Status is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 128 characters. For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.
    URL Pattern: Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters. For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.
  Source IP
    IPv4/Netmask: Specify the IPv4 address and netmask. For example: 192.0.2.5/24
  Source IPv6
    IPv6/Netmask: Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64
  HTTP Method
    HTTP Method: Select the HTTP method(s): GET, POST, HEAD, TRACE, CONNECT, DELETE, PUT, PATCH, OPTIONS, OTHERS.
  HTTP Header
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
  Cookie
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
  Parameter
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
- Click Save.
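To make the element types and pattern fields above concrete, here is an added Python model of how the rules in one exception object are checked against a request. It is example code written for this page, not FortiADC code, and it also covers the identical parameter table in the advanced-mode procedure from the WAF log further down. It assumes full-match regular-expression semantics (inferred from the page's examples, which prefix .* when a partial match is wanted), assumes a request is exempted when any rule in the object matches, and writes the host pattern in regex form (www\.example\.com) rather than the page's *.example.com wildcard form. The Request and ExceptionRule classes, the rule labels, and the sample requests are constructed for the example.

```python
"""Model of matching a WAF Exception object's rules against a request.

Added example, not FortiADC code. Assumptions are marked in comments.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Methods selectable in the HTTP Method element; OTHERS covers anything else.
KNOWN_METHODS = {"GET", "POST", "HEAD", "TRACE", "CONNECT", "DELETE", "PUT", "PATCH", "OPTIONS"}


@dataclass
class Request:
    """Constructed request model (not FortiADC's internal representation)."""
    host: str
    path: str
    method: str
    source_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class ExceptionRule:
    """One exception rule; field names mirror the GUI parameters."""
    label: str                      # constructed, for reporting only
    element_type: str               # URL, Source IP, Source IPv6, HTTP Method, HTTP Header, Cookie, Parameter
    url_pattern: str = ""
    host_status: bool = False       # Exception Host Status
    host_pattern: str = ""          # only consulted when host_status is True
    cidr: str = ""                  # IPv4/Netmask or IPv6/Netmask
    methods: Tuple[str, ...] = ()
    name_pattern: str = ""
    check_value: bool = False       # Check Value of Specified Element
    value_pattern: str = ""


def _full(pattern: str, text: str) -> bool:
    # Assumption: a pattern must match the whole field (the page's examples
    # prefix ".*" when a partial match is wanted, which suggests full matching).
    return re.fullmatch(pattern, text) is not None


def _name_value_match(rule: ExceptionRule, items: Dict[str, str]) -> bool:
    # An element qualifies when its name matches Name Pattern and, if
    # Check Value of Specified Element is enabled, its value matches Value Pattern.
    for name, value in items.items():
        if not _full(rule.name_pattern, name):
            continue
        if not rule.check_value or _full(rule.value_pattern, value):
            return True
    return False


def rule_matches(rule: ExceptionRule, req: Request) -> bool:
    kind = rule.element_type
    if kind == "URL":
        if rule.host_status and not _full(rule.host_pattern, req.host):
            return False
        return _full(rule.url_pattern, req.path)
    if kind in ("Source IP", "Source IPv6"):
        # strict=False accepts a host address with a mask, e.g. 192.0.2.5/24.
        net = ipaddress.ip_network(rule.cidr, strict=False)
        addr = ipaddress.ip_address(req.source_ip)
        return addr.version == net.version and addr in net
    if kind == "HTTP Method":
        method = req.method.upper()
        if method in rule.methods:
            return True
        return "OTHERS" in rule.methods and method not in KNOWN_METHODS
    if kind == "HTTP Header":
        return _name_value_match(rule, req.headers)
    if kind == "Cookie":
        return _name_value_match(rule, req.cookies)
    if kind == "Parameter":
        return _name_value_match(rule, req.params)
    raise ValueError(f"unknown element type: {kind}")


def evaluate(rules: List[ExceptionRule], req: Request) -> List[str]:
    """Labels of every rule in the exception object that matches the request."""
    return [r.label for r in rules if rule_matches(r, req)]


def is_exempt(rules: List[ExceptionRule], req: Request) -> bool:
    # Assumption: the request is exempted when any rule in the object matches.
    return bool(evaluate(rules, req))


# Constructed sample exception object, using the value formats documented above.
SAMPLE_RULES = [
    ExceptionRule("admin-url", "URL", url_pattern=r"\/admin.*",
                  host_status=True, host_pattern=r"www\.example\.com"),
    ExceptionRule("office-ipv4", "Source IP", cidr="192.0.2.5/24"),
    ExceptionRule("lab-ipv6", "Source IPv6", cidr="2001:0db8:85a3::8a2e:0370:7334/64"),
    ExceptionRule("read-only", "HTTP Method", methods=("GET", "HEAD")),
    ExceptionRule("json-body", "HTTP Header", name_pattern=r"Content.*",
                  check_value=True, value_pattern=r"application\/json.*"),
    ExceptionRule("session-cookie", "Cookie", name_pattern="session"),
    ExceptionRule("search-param", "Parameter", name_pattern="q",
                  check_value=True, value_pattern=r"[A-Za-z0-9 ]+"),
]

# Two constructed requests to run the rules against.
ADMIN_REQ = Request("www.example.com", "/admin/users", "POST", "192.0.2.5",
                    headers={"Host": "www.example.com",
                             "Content-Type": "application/json; charset=utf-8"},
                    cookies={"session": "abc123"},
                    params={"q": "select * from"})
API_REQ = Request("api.example.com", "/data/1.html", "GET", "2001:db8:85a3::1",
                  params={"q": "hello world"})

if __name__ == "__main__":
    for req in (ADMIN_REQ, API_REQ):
        print(req.method, req.host + req.path, "->", evaluate(SAMPLE_RULES, req))
```

The search-param rule shows why Value Pattern matters for false-positive handling: with Check Value of Specified Element enabled, a parameter named q is exempted only while its value stays within the allowed character class, so the exception does not silently waive inspection of every value sent in that parameter.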
Configuring WAF exception rules from the WAF log
You can create or configure exception objects to directly apply to a specific WAF log. You have the option to create exception rules in basic mode or advanced mode. In basic mode, you can apply the URL or Source IP/Source IPv6 from the WAF log directly to the exception rule. Advanced mode enables you to create and configure exception rules for all supported element patterns.
To configure a WAF exception rule from the WAF log using basic mode:
- Go to Log & Report > Security Log or FortiView > Security Logs.
- Navigate to the WAF security log and expand the details for which you want to add an exception rule.
- In the log details, click Add Exception to display the configuration editor.
- Configure the following parameters.
  Profile Name: Select the WAF Profile to which the WAF exception rule is applied.
  Advanced Mode: To configure the WAF exception rule using basic mode, ensure Advanced Mode is disabled. By default, Advanced Mode is disabled, which enables basic mode.
  Element Type: Select one of the following:
    - URL — To apply the HTTP URL from this WAF log for this exception rule.
    - Source IP — To apply the Source from this WAF log for this exception rule. The Source IP option appears if the Source address is IPv4.
    - Source IPv6 — To apply the Source IPv6 from this WAF log for this exception rule. The Source IPv6 option appears if the Source address is IPv6.
- Click Save.
To configure a WAF exception rule from the WAF log using advanced mode:
- Go to Log & Report > Security Log or FortiView > Security Logs.
- Navigate to the WAF security log and expand the details for which you want to add an exception rule.
- In the log details, click Add Exception to display the configuration editor.
- Configure the following:
  Profile Name: Select the WAF Profile to which the WAF exception rule is applied. Note: The Profile Name parameter is displayed according to the WAF subcategory of the log. For example, if the WAF subcategory of the log is "cookie security", the parameter is displayed as "Cookie Security Profile Name".
  Advanced Mode: Enable Advanced Mode to configure the WAF exception rule using advanced mode. Once Advanced Mode is enabled, the Element Type drop-down menu includes all supported exception patterns.
- Select the exception pattern Element Type from the drop-down menu.
- URL
- Source IP
- Source IPv6
- HTTP Method
- HTTP Header
- Cookie
- Parameter
- Configure the following parameters based on the exception pattern Element Type.
  URL
    Exception Host Status: Enable or disable setting exceptions by host pattern.
    Host Pattern: Appears only if Exception Host Status is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 128 characters. For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.
    URL Pattern: Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters. For example, you can specify path names and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.
  Source IP
    IPv4/Netmask: Specify the IPv4 address and netmask. For example: 192.0.2.5/24
  Source IPv6
    IPv6/Netmask: Specify the IPv6 address and netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64
  HTTP Method
    HTTP Method: Select the HTTP method(s): GET, POST, HEAD, TRACE, CONNECT, DELETE, PUT, PATCH, OPTIONS, OTHERS.
  HTTP Header
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
  Cookie
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
  Parameter
    Name Pattern: Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
    Check Value of Specified Element: Enable or disable value checking for the specified element.
    Value Pattern: Appears only if Check Value of Specified Element is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example: Content*
- Click Save.
Limitations: Escaped Characters
All Name Pattern and Value Pattern fields support regular expressions. However, some characters must be escaped for the input to be a valid regular expression or to function as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. It is also possible that no error is triggered by unescaped characters, because the expression is still syntactically correct; in that case the expression does not function as an exception rule, since it never matches any user traffic.
This section lists the most commonly used special characters that must be escaped to make an input valid or functional as an exception rule.
Brackets: []
Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.
For example:
Invalid: []
Valid: [123]
[] is an invalid exception rule regular expression because the input contains only brackets with no other characters in between, whereas [123] is valid because there are number characters between the brackets.
Parentheses: ()
Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression: () → \(\)
For example:
Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')
Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)
Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis, whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.
Asterisk: *
Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule: * → \*
For example, consider the request:
curl -vv -X POST --cookie "Cookie123=abcd" "http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"
where the cookie name is "cookie" and the cookie value is "a*".
Invalid: a*
Valid: a\*
In this case, both a* and a\* are syntactically correct. However, a* would not be functional as an exception rule because it would not match any user traffic.
Space: %20
Spaces encoded as %20 in URLs must be replaced with literal spaces to be a valid exception rule regular expression.
For example:
Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')
Valid: http://x.x.x.x/login?link=mocha:alert(\'attack success'\)
Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with a space: mocha:alert('attack%20success') → mocha:alert(\'attack success'\)
Single Quotes: ''
When the Name Pattern or Value Pattern fields contain single quotes, they are automatically escaped.
For example:
In the GUI or CLI, you may enter the parameter value pattern as: alert\('attack%20success'\)
In the CLI, the value pattern then appears as: alert\\(\'attack success\'\\)
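As an added example (written for this page, not FortiADC code), the following Python lints a Name Pattern or Value Pattern input for the four limitations listed above, produces the escaped form, and shows why the "syntactically correct but never matches" cases fail. It assumes the engine compares a pattern against the whole decoded element value (full match), which is what makes an unescaped a* or an unescaped parenthesis group miss the literal traffic the page describes; the issue codes, the fix_pattern helper, and the sample values are constructed for the example.

```python
"""Lint and fix exception-rule patterns for the escaping limitations above.

Added example, not FortiADC code. Full-match semantics are an assumption.
"""
import re
from typing import List


def _unescaped_positions(pattern: str, chars: str) -> List[int]:
    """Indexes of characters in `chars` that are not preceded by a backslash."""
    positions = []
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2              # skip the escape and the character it protects
            continue
        if pattern[i] in chars:
            positions.append(i)
        i += 1
    return positions


def lint_pattern(pattern: str) -> List[str]:
    """Return constructed issue codes for a pattern, in the order the page lists the cases."""
    issues = []
    if "[]" in pattern:
        issues.append("empty-brackets")
    if _unescaped_positions(pattern, "()"):
        issues.append("unescaped-parenthesis")
    if _unescaped_positions(pattern, "*"):
        issues.append("unescaped-asterisk")
    if "%20" in pattern:
        issues.append("encoded-space")
    try:
        re.compile(pattern)
    except re.error:
        # Rejected outright as a regular expression; the codes above explain
        # why the other inputs are accepted yet still never match traffic.
        issues.append("invalid-regex")
    return issues


def fix_pattern(pattern: str) -> str:
    """Escape parentheses and asterisks and replace %20 with a space, leaving existing escapes alone."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])
            i += 2
            continue
        if pattern.startswith("%20", i):
            out.append(" ")
            i += 3
            continue
        out.append("\\" + c if c in "()*" else c)
        i += 1
    return "".join(out)


def pattern_matches(pattern: str, value: str) -> bool:
    """Whether the pattern would match the decoded element value.

    Assumption: the engine compares the whole decoded value (full match).
    """
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False


# Constructed values taken from the page's examples: the cookie value and the
# decoded form of the logged parameter value.
COOKIE_VALUE = "a*"
PARAM_VALUE = "mocha:alert('attack success')"

if __name__ == "__main__":
    for raw in ("[]", "[123]", "a*", r"a\*", "mocha:alert('attack%20success')"):
        print(f"{raw!r:38} issues={lint_pattern(raw)} fixed={fix_pattern(raw)!r}")
    print("a*   matches cookie value:", pattern_matches("a*", COOKIE_VALUE))
    print(r"a\*  matches cookie value:", pattern_matches(r"a\*", COOKIE_VALUE))
    raw = "mocha:alert('attack%20success')"
    print("raw   matches param value:", pattern_matches(raw, PARAM_VALUE))
    print("fixed matches param value:", pattern_matches(fix_pattern(raw), PARAM_VALUE))
```

Running the linter before saving an exception is a cheap check against the second failure mode the page describes: an exception that is accepted by the GUI but never matches, which leaves the false positive in place while the operator believes it has been handled.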