Fortinet Document Library

User Guide


WebSocket Security

The WebSocket protocol is a TCP-based network protocol that enables full-duplex communication between a web browser and a server.

FortiWeb Cloud now secures WebSocket traffic with a variety of security controls, such as allowed frame formats, frame and message size limits, and signature detection.

You can create WebSocket security rules to detect and control traffic that uses the WebSocket protocol.

To create a WebSocket security rule

  1. Go to ADVANCED APPLICATIONS > XML Protection.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Add WebSocket Security Rule.
  3. Configure these settings.

    Name

    Type a name that can be referenced by other parts of the configuration.

    Request URL

    Enter the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule.

    Allow WebSocket

    Enable to detect WebSocket traffic. When this option is enabled, FortiWeb Cloud inspects all WebSocket-related traffic.

    The following fields can be configured only when this option is enabled.

    Allow Formats

    Once the WebSocket connection is established, data is transmitted in the form of frames. Select the frame formats that are acceptable matches. By default, both Plain Text and Binary are checked.

    Max Frame Size

    Specify the maximum acceptable frame header and body size in bytes. The valid range is 0–2147483647 bytes.

    Max Message Size

    Specify the maximum acceptable message header and body size in bytes. The valid range is 0–2147483647 bytes.

    Block Extensions

    When enabled, FortiWeb Cloud does not check the extension header in the WebSocket handshake packet. This option is disabled by default.

    Block Known Attacks

    Enable to protect against known attacks, common vulnerabilities and exposures (CVEs), and other exploits as part of the OWASP Top 10.

  4. Enter the allowed origin.
    For example, 121.40.165.18:8800. Only traffic from the allowed origins can be accepted. You can add multiple origins here.
  5. Click OK.
    You can create at most 12 WebSocket security rules for an application.

To configure actions

  1. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

  2. Click SAVE.
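The checks described by the rule settings above and the three actions, as an added example that is not FortiWeb Cloud's own code: a small Python model of a WebSocket security rule that parses a constructed handshake and a constructed RFC 6455 frame stream, applies the Request URL, allowed origin, Allow Formats, Max Frame Size and Max Message Size settings, and maps the result onto Alert, Alert & Deny or Deny(no log). The hostnames, the /ws path, the rule values and the frame payloads are constructed for the example; Block Extensions is left out because this page does not define what the extension-header check does.

```python
"""Added illustration of the checks a WebSocket security rule applies
(example code for this guide, not FortiWeb Cloud's engine). It models
Request URL, allowed origins, Allow Formats, Max Frame Size, Max Message
Size and the three actions over a constructed handshake and frame stream.
Block Extensions is not modelled: the page does not define that check."""
import struct
from dataclasses import dataclass
from urllib.parse import urlparse

OP_CONT, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2  # RFC 6455 opcodes
SIZE_LIMIT = 2147483647                      # top of the page's valid range

@dataclass
class WebSocketRule:
    request_url: str           # literal path the request must contain
    allowed_origins: set       # host[:port] values, e.g. {"121.40.165.18:8800"}
    allow_text: bool = True    # Allow Formats: Plain Text
    allow_binary: bool = True  # Allow Formats: Binary
    max_frame_size: int = SIZE_LIMIT
    max_message_size: int = SIZE_LIMIT
    action: str = "Alert & Deny"  # "Alert", "Alert & Deny" or "Deny(no log)"

def parse_request(raw):
    """Split an HTTP/1.1 request head into (request-target, lowercase headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ")[1], headers

def check_handshake(rule, raw):
    """Return None if the rule does not apply, else the list of handshake violations."""
    target, h = parse_request(raw)
    if rule.request_url not in target or h.get("upgrade", "").lower() != "websocket":
        return None
    origin = h.get("origin", "")
    netloc = urlparse(origin).netloc or origin  # compare host[:port], as on this page
    return [] if netloc in rule.allowed_origins else ["origin not allowed"]

def build_frame(opcode, payload, fin=True, mask_key=b"\x11\x22\x33\x44"):
    """Build a masked client-to-server frame (used only to construct sample input)."""
    b0, n = (0x80 if fin else 0x00) | opcode, len(payload)
    if n < 126:
        hdr = bytes([b0, 0x80 | n])
    elif n < 65536:
        hdr = bytes([b0, 0x80 | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, 0x80 | 127]) + struct.pack("!Q", n)
    return hdr + mask_key + bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))

def parse_frame_header(buf):
    """Return (fin, opcode, header_len, payload_len) for the frame at buf[0]."""
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, n, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", buf[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", buf[2:10])[0], 10
    return fin, opcode, pos + (4 if masked else 0), n  # masking key follows the length

def inspect_frames(rule, stream):
    """Apply Allow Formats, Max Frame Size and Max Message Size to a client frame stream.
    Frame size = header + body; message size = sum of frame sizes up to the FIN frame."""
    violations, pos, message_size = [], 0, 0
    while pos < len(stream):
        fin, opcode, hdr_len, payload_len = parse_frame_header(stream[pos:])
        frame_size = hdr_len + payload_len
        if (opcode == OP_TEXT and not rule.allow_text) or (opcode == OP_BINARY and not rule.allow_binary):
            violations.append("%s frame not allowed" % ("text" if opcode == OP_TEXT else "binary"))
        if frame_size > rule.max_frame_size:
            violations.append("frame size %d exceeds max %d" % (frame_size, rule.max_frame_size))
        if opcode in (OP_CONT, OP_TEXT, OP_BINARY):  # control frames do not belong to a message
            message_size += frame_size
            if message_size > rule.max_message_size:
                violations.append("message size %d exceeds max %d" % (message_size, rule.max_message_size))
            if fin:
                message_size = 0  # message complete; start counting the next one
        pos += frame_size
    return violations

def apply_action(rule, violations):
    """Map the rule's action onto whether a violating request is accepted and logged."""
    if not violations:
        return {"accepted": True, "logged": False}
    return {"Alert": {"accepted": True, "logged": True},
            "Alert & Deny": {"accepted": False, "logged": True},
            "Deny(no log)": {"accepted": False, "logged": False}}[rule.action]

# Constructed sample input; hosts and paths are hypothetical.
RULE = WebSocketRule(request_url="/ws", allowed_origins={"app.example.test"},
                     allow_binary=False, max_frame_size=64, max_message_size=100)
HANDSHAKE = (b"GET /ws HTTP/1.1\r\nHost: app.example.test\r\nUpgrade: websocket\r\n"
             b"Connection: Upgrade\r\nOrigin: %s\r\nSec-WebSocket-Version: 13\r\n\r\n")
GOOD_HANDSHAKE = HANDSHAKE % b"https://app.example.test"
BAD_HANDSHAKE = HANDSHAKE % b"https://other.example.test:8443"
FRAMES = (build_frame(OP_TEXT, b"hello")                # 11 bytes, allowed
          + build_frame(OP_BINARY, b"\x00" * 70)        # binary (blocked) and 76 > 64
          + build_frame(OP_TEXT, b"a" * 50, fin=False)  # fragment 1: 56 bytes
          + build_frame(OP_CONT, b"b" * 50))            # fragment 2: message = 112 > 100
```

Running `inspect_frames(RULE, FRAMES)` reports the blocked binary frame, the 76-byte frame over the 64-byte limit and the fragmented 112-byte message over the 100-byte limit, while `check_handshake(RULE, BAD_HANDSHAKE)` flags the origin that is not on the allow list. Note that a message limit has to be tracked across fragments (the `message_size` accumulator), otherwise a client can stay under Max Frame Size while sending an arbitrarily large message.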
