Fortinet white logo
Fortinet white logo

CLI Reference

waf signature

waf signature

Use this command to configure web server protection rules.

There are several security features specifically designed to protect web servers from known attacks. You can configure defenses against:

  • Cross-site scripting (XSS)
  • SQL injection and many other code injection styles
  • Remote file inclusion (RFI)
  • Local file inclusion (LFI)
  • OS commands
  • Trojans/viruses
  • Exploits
  • Sensitive server information disclosure
  • Credit card data leaks

To defend against known attacks, FortiWeb scans:

  • Parameters in the URL of HTTP GET requests
  • Parameters in the body of HTTP POST requests
  • XML in the body of HTTP POST requests (if waf web-protection-profile inline-protection is enabled)
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename(MULTIPART_FORM_DATA_FILENAME)

In addition to scanning standard requests, signatures can also scan action message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software and XML. For details, see amf3-protocol-detection {enable | disable} and waf web-protection-profile inline-protection (for inline protection profiles) or amf3-protocol-detection {enable | disable} (for Offline Protection profiles).

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Updating signatures

Known attack signatures can be updated. For details about uploading a new set of attack definitions, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You can also create your own. For details, see waf custom-protection-rule.

Configuring signatures

Before configuring a server protection rule, if you want to configure your own attack or data leak signatures, you must also configure custom server protection rules. For details, see waf custom-protection-group.

Each server protection rule can be configured with the severity and notification settings (“trigger”) that, in combination with the action, determines how FortiWeb handles each violation.

For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_deny, the severity set to High, and a trigger set to deliver an alert email each time these rule violations are detected. Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempt requests to specific host names/URLs.

Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

Overriding signature category configuration

To override category-wide actions for a specific signature, configure:

  • config signature_disable_list—Disable a specific signature ID (e.g. 040000007), even if the category in general (e.g. SQL Injection (Extended)) is enabled.
  • config sub_class_disable_list—Disable a subcategory of signatures (e.g. Session Fixation), even if the category in general (e.g. General Attacks) is enabled.
  • config alert_only_list—Only log/alert when detecting the attack, even if the category in general is configured to block.
  • config filter_list—Exempt specific host name and/or URL combinations from scanning with this signature.
Applying signature policies

To apply server protection rules, select them within an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see system snmp community.

Syntax

config waf signature

edit "<signature-set_name>"

set credit-card-detection-threshold <instances_int>

set custom-protection-group "<group_name>"

config main_class_list

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

set action {alert |alert_deny | block-period |only_erase | send_http_response | alert_erase | redirect | deny_no_log}

set block-period <seconds_int>

set severity {Low | Medium | High | Info}

set trigger "trigger-policy_name>"

next

end

config signature_disable_list

edit "<signature-id_str>"

next

end

config sub_class_disable_list

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

next

end

config alert_only_list

edit "<alert-only-list_signature-id_str>"

next

end

config fpm_disable_list

edit "<fpm-disable-list_signature-id_str>"

next

end

config scoring_override_disable_list

edit "<scoring-override-disable-list_signature-id_str>"

next

end

config score_grade_list

edit "<score-grade-list_signature-id_str>"

set scoring-grade {low | critical | informational | moderate | substantial | severe}

next

end

config filter_list

edit <entry_index>

set signature_id "<signature-id_str>"

set match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}

set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}

set http-method {get post head options trace connect delete put others patch}

set ip {<ipv4> | <ipv6>}

set name {"<name_str>" | "<name_pattern>"}

set value-check {enable | disable}

set value {"<value_str>" | "<value_pattern>"}

set concatenate-type {AND | OR}

next

set comment "<comment_str>"

end

next

end

Variable Description Default

"<signature-set_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

credit-card-detection-threshold <instances_int>

Enter the number of credit cards that triggers the credit card number detection feature.

For example, to ignore web pages with only one credit card number, but to detect when a web page containing two or more credit cards, enter 2.

The valid range is 1–128.

1

custom-protection-group "<group_name>"

Enter the name of the custom signature group to be used, if any. The maximum length is 63 characters.

To display the list of existing custom signature groups, enter:

set custom-protection-group ?

No default.

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

Enter the ID of a signature class (or, for subclass overrides, the subclass ID).

To display the list of signature classes, enter:

edit ?

No default.

action {alert |alert_deny | block-period |only_erase | send_http_response | alert_erase | redirect | deny_no_log}

Select which action the FortiWeb appliance will take when it detects a signature match.

Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure.

  • alert—Accept the request and generate an alert email and/or log message.

    Note: Does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.)

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • only_erase—Hide sensitive information in replies from the web server (sometimes called “cloaking”). Block the request or remove the sensitive information, but do not generate an alert email and/or log message.

    Caution: This option is not supported in Offline Protection mode.

  • send_http_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both

  • alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

alert

Caution: FortiWeb ignores this setting if monitor-mode {enable | disable} is enabled.

Note: Actions that generate log messages alert email actions require the features to be enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile in the policy with Offline Protection profiles that use this rule, select alert. If the action is alert_deny, the FortiWeb appliance resets the connection when it detects an attack and the session information for the auto-learning feature will be incomplete. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

block-period <seconds_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

The valid range is 1–3,600 seconds. The setting is applicable only if action is period-block.

Note: This is not a single setting. You can configure the block period separately for each signature category.

600

severity {Low | Medium | High | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

Note: This is not a single setting. You can configure the severity separately for each signature category.

Medium

trigger "trigger-policy_name>"

Enter the name of the trigger, if any, to apply when a protection rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing triggers, enter:

set trigger ?

Note: This is not a single setting. You can configure a different trigger for each signature category.

No default.

"<signature-id_str>"

Enter the ID of a specific signature that you want to disable.

Some signatures often cause false positives and are disabled by default. To display a list, enter:

edit ?

No default.

"<alert-only-list_signature-id_str>"

Enter the ID of a specific signature that generates logs or alert email only and does not block matching requests.

No default.

"<fpm-disable-list_signature-id_str>"

Enter the ID of a specific signature for which false positive mitigation is disabled.

The false positive mitigation feature performs additional lexical and syntax analysis after a SQL injection signature matches a request.

No default.

"<scoring-override-disable-list_signature-id_str>"

Enter the ID of a specific signature that will not be affected by the threat weight settings, if any. When traffic violates specified signature, FortiWeb takes the local action specified for that signature.

No default.

"<score-grade-list_signature-id_str>"

Enter the ID of a specific signature to configure its threat weight.

Specify the scoring-grade to set the threat weight of the specified signature.

No default.

scoring-grade {low | critical | informational | moderate | substantial | severe}

Specify the threat weight that the signature adds to the combined threat weight.

Global threat weight risk level values can be modified using server-policy pattern threat-weight.

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–128. You can create up to 128 exceptions for each signature. No default.

signature_id "<signature-id_str>"

Enter the ID of a specific signature that you want to disable when the request matches the specified object. No default.

match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}

Enter the type of object that FortiWeb examines for matching values:

operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}

Enter the type of values to match. The match-target value determines which types are available.

  • STRING_MATCHvalue is a literal value (for example, a literal host name).
  • REGEXP_MATCHvalue is a regular expression that matches the object the exception applies to.
  • EQ—When match-target is CLIENT_IP, FortiWeb only performs a signature scan for requests with a client IP address that matches the value of ip.
  • NE—When match-target is CLIENT_IP, FortiWeb does not perform a signature scan for requests with a client IP address that matches the value of ip.
  • INCLUDE—When match-target is HTTP_METHOD, FortiWeb does not perform a signature scan for requests that include the HTTP methods specified by http-method.
  • EXCLUDE—When match-target is HTTP_METHOD, FortiWeb only performs a signature scan for requests that include the HTTP methods specified by http-method.

http-method {get post head options trace connect delete put others patch}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is HTTP_METHOD, specifies one or more HTTP methods to match.

No default.

ip {<ipv4> | <ipv6>}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is CLIENT_IP, specifies the IP address or IP range to match.

No default.

name {"<name_str>" | "<name_pattern>"}

Enter the name of a parameter or cookie to match. Whether the value is a literal value or a regular expression is determined by the value of operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}.

Available when match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is PARAMETER or COOKIE.

No default.

value-check {enable | disable}

Enable to specify whether matching requests match a specified parameter or cookie value as well as the specified parameter or cookie name.

disable

value {"<value_str>" | "<value_pattern>"}

Enter the value to match (for example, a Host: field value). Whether the value is a literal value or a regular expression is determined by the value of operator.

No default.

concatenate-type {AND | OR}

  • AND—A matching request matches this entry in addition to other entries in the list.
  • OR—A matching request matches this entry or other entries in the list.
AND

comment "<comment_str>"

Enter a description or other comment. No default.

Example

This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in notification-servers1. It also enables use of custom attack and data leak signatures in the set named custom-signature-group1.

This example disables by ID a signature that is known to cause false positives (080200001). It also makes an exception (config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-upload) on a host (www.example.com) that is used by security researchers to receive virus samples.

config waf signature

edit "attack-signatures1"

set custom-protection-group "custom-signature-group1"

config main_class_list

edit "010000000"

set severity High

set trigger "notification-servers1"

next

edit "070000000"

set severity High

set trigger "notification-servers1"

next

end

config signature_disable_list

edit "080200001"

next

end

config filter_list

edit 1

set signature_id "070000001"

set match-target HOST

set value "www.example.com"

next

edit 2

set signature_id "070000001"

set match-target URI

set value "/virus-sample-upload"

next

end

next

end

Related topics

waf signature

waf signature

Use this command to configure web server protection rules.

There are several security features specifically designed to protect web servers from known attacks. You can configure defenses against:

  • Cross-site scripting (XSS)
  • SQL injection and many other code injection styles
  • Remote file inclusion (RFI)
  • Local file inclusion (LFI)
  • OS commands
  • Trojans/viruses
  • Exploits
  • Sensitive server information disclosure
  • Credit card data leaks

To defend against known attacks, FortiWeb scans:

  • Parameters in the URL of HTTP GET requests
  • Parameters in the body of HTTP POST requests
  • XML in the body of HTTP POST requests (if waf web-protection-profile inline-protection is enabled)
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename(MULTIPART_FORM_DATA_FILENAME)

In addition to scanning standard requests, signatures can also scan action message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software and XML. For details, see amf3-protocol-detection {enable | disable} and waf web-protection-profile inline-protection (for inline protection profiles) or amf3-protocol-detection {enable | disable} (for Offline Protection profiles).

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Updating signatures

Known attack signatures can be updated. For details about uploading a new set of attack definitions, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You can also create your own. For details, see waf custom-protection-rule.

Configuring signatures

Before configuring a server protection rule, if you want to configure your own attack or data leak signatures, you must also configure custom server protection rules. For details, see waf custom-protection-group.

Each server protection rule can be configured with the severity and notification settings (“trigger”) that, in combination with the action, determines how FortiWeb handles each violation.

For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_deny, the severity set to High, and a trigger set to deliver an alert email each time these rule violations are detected. Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempt requests to specific host names/URLs.

Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

Overriding signature category configuration

To override category-wide actions for a specific signature, configure:

  • config signature_disable_list—Disable a specific signature ID (e.g. 040000007), even if the category in general (e.g. SQL Injection (Extended)) is enabled.
  • config sub_class_disable_list—Disable a subcategory of signatures (e.g. Session Fixation), even if the category in general (e.g. General Attacks) is enabled.
  • config alert_only_list—Only log/alert when detecting the attack, even if the category in general is configured to block.
  • config filter_list—Exempt specific host name and/or URL combinations from scanning with this signature.
Applying signature policies

To apply server protection rules, select them within an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see system snmp community.

Syntax

config waf signature

edit "<signature-set_name>"

set credit-card-detection-threshold <instances_int>

set custom-protection-group "<group_name>"

config main_class_list

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

set action {alert |alert_deny | block-period |only_erase | send_http_response | alert_erase | redirect | deny_no_log}

set block-period <seconds_int>

set severity {Low | Medium | High | Info}

set trigger "trigger-policy_name>"

next

end

config signature_disable_list

edit "<signature-id_str>"

next

end

config sub_class_disable_list

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

next

end

config alert_only_list

edit "<alert-only-list_signature-id_str>"

next

end

config fpm_disable_list

edit "<fpm-disable-list_signature-id_str>"

next

end

config scoring_override_disable_list

edit "<scoring-override-disable-list_signature-id_str>"

next

end

config score_grade_list

edit "<score-grade-list_signature-id_str>"

set scoring-grade {low | critical | informational | moderate | substantial | severe}

next

end

config filter_list

edit <entry_index>

set signature_id "<signature-id_str>"

set match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}

set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}

set http-method {get post head options trace connect delete put others patch}

set ip {<ipv4> | <ipv6>}

set name {"<name_str>" | "<name_pattern>"}

set value-check {enable | disable}

set value {"<value_str>" | "<value_pattern>"}

set concatenate-type {AND | OR}

next

set comment "<comment_str>"

end

next

end

Variable Description Default

"<signature-set_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

credit-card-detection-threshold <instances_int>

Enter the number of credit cards that triggers the credit card number detection feature.

For example, to ignore web pages with only one credit card number, but to detect when a web page containing two or more credit cards, enter 2.

The valid range is 1–128.

1

custom-protection-group "<group_name>"

Enter the name of the custom signature group to be used, if any. The maximum length is 63 characters.

To display the list of existing custom signature groups, enter:

set custom-protection-group ?

No default.

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

Enter the ID of a signature class (or, for subclass overrides, the subclass ID).

To display the list of signature classes, enter:

edit ?

No default.

action {alert |alert_deny | block-period |only_erase | send_http_response | alert_erase | redirect | deny_no_log}

Select which action the FortiWeb appliance will take when it detects a signature match.

Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure.

  • alert—Accept the request and generate an alert email and/or log message.

    Note: Does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.)

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • only_erase—Hide sensitive information in replies from the web server (sometimes called “cloaking”). Block the request or remove the sensitive information, but do not generate an alert email and/or log message.

    Caution: This option is not supported in Offline Protection mode.

  • send_http_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both

  • alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

alert

Caution: FortiWeb ignores this setting if monitor-mode {enable | disable} is enabled.

Note: Actions that generate log messages alert email actions require the features to be enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile in the policy with Offline Protection profiles that use this rule, select alert. If the action is alert_deny, the FortiWeb appliance resets the connection when it detects an attack and the session information for the auto-learning feature will be incomplete. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

block-period <seconds_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

The valid range is 1–3,600 seconds. The setting is applicable only if action is period-block.

Note: This is not a single setting. You can configure the block period separately for each signature category.

600

severity {Low | Medium | High | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

Note: This is not a single setting. You can configure the severity separately for each signature category.

Medium

trigger "trigger-policy_name>"

Enter the name of the trigger, if any, to apply when a protection rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing triggers, enter:

set trigger ?

Note: This is not a single setting. You can configure a different trigger for each signature category.

No default.

"<signature-id_str>"

Enter the ID of a specific signature that you want to disable.

Some signatures often cause false positives and are disabled by default. To display a list, enter:

edit ?

No default.

"<alert-only-list_signature-id_str>"

Enter the ID of a specific signature that generates logs or alert email only and does not block matching requests.

No default.

"<fpm-disable-list_signature-id_str>"

Enter the ID of a specific signature for which false positive mitigation is disabled.

The false positive mitigation feature performs additional lexical and syntax analysis after a SQL injection signature matches a request.

No default.

"<scoring-override-disable-list_signature-id_str>"

Enter the ID of a specific signature that will not be affected by the threat weight settings, if any. When traffic violates specified signature, FortiWeb takes the local action specified for that signature.

No default.

"<score-grade-list_signature-id_str>"

Enter the ID of a specific signature to configure its threat weight.

Specify the scoring-grade to set the threat weight of the specified signature.

No default.

scoring-grade {low | critical | informational | moderate | substantial | severe}

Specify the threat weight that the signature adds to the combined threat weight.

Global threat weight risk level values can be modified using server-policy pattern threat-weight.

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–128. You can create up to 128 exceptions for each signature. No default.

signature_id "<signature-id_str>"

Enter the ID of a specific signature that you want to disable when the request matches the specified object. No default.

match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}

Enter the type of object that FortiWeb examines for matching values:

operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}

Enter the type of values to match. The match-target value determines which types are available.

  • STRING_MATCHvalue is a literal value (for example, a literal host name).
  • REGEXP_MATCHvalue is a regular expression that matches the object the exception applies to.
  • EQ—When match-target is CLIENT_IP, FortiWeb only performs a signature scan for requests with a client IP address that matches the value of ip.
  • NE—When match-target is CLIENT_IP, FortiWeb does not perform a signature scan for requests with a client IP address that matches the value of ip.
  • INCLUDE—When match-target is HTTP_METHOD, FortiWeb does not perform a signature scan for requests that include the HTTP methods specified by http-method.
  • EXCLUDE—When match-target is HTTP_METHOD, FortiWeb only performs a signature scan for requests that include the HTTP methods specified by http-method.

http-method {get post head options trace connect delete put others patch}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is HTTP_METHOD, specifies one or more HTTP methods to match.

No default.

ip {<ipv4> | <ipv6>}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is CLIENT_IP, specifies the IP address or IP range to match.

No default.

name {"<name_str>" | "<name_pattern>"}

Enter the name of a parameter or cookie to match. Whether the value is a literal value or a regular expression is determined by the value of operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}.

Available when match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is PARAMETER or COOKIE.

No default.

value-check {enable | disable}

Enable to specify whether matching requests match a specified parameter or cookie value as well as the specified parameter or cookie name.

disable

value {"<value_str>" | "<value_pattern>"}

Enter the value to match (for example, a Host: field value). Whether the value is a literal value or a regular expression is determined by the value of operator.

No default.

concatenate-type {AND | OR}

  • AND—A matching request matches this entry in addition to other entries in the list.
  • OR—A matching request matches this entry or other entries in the list.
AND

comment "<comment_str>"

Enter a description or other comment. No default.

Example

This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in notification-servers1. It also enables use of custom attack and data leak signatures in the set named custom-signature-group1.

This example disables by ID a signature that is known to cause false positives (080200001). It also makes an exception (config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-upload) on a host (www.example.com) that is used by security researchers to receive virus samples.

config waf signature

edit "attack-signatures1"

set custom-protection-group "custom-signature-group1"

config main_class_list

edit "010000000"

set severity High

set trigger "notification-servers1"

next

edit "070000000"

set severity High

set trigger "notification-servers1"

next

end

config signature_disable_list

edit "080200001"

next

end

config filter_list

edit 1

set signature_id "070000001"

set match-target HOST

set value "www.example.com"

next

edit 2

set signature_id "070000001"

set match-target URI

set value "/virus-sample-upload"

next

end

next

end

Related topics