Administration Guide

FAQ

Why cannot hidden fields work fine with offline mode?

One of the following two conditions must be met with offline mode.

1) The HTTP request and response are in the same TCP session.

2) The Session Key configured in the offline profile (if none is configured: ASPSESSIONID, PHPSESSIONID, or JSESSIONID) must be present in the HTTP traffic.

Why doesn’t a WAF protection module work?

Some modules can disable other modules; URL Access is one example. When a module appears not to work, first check whether an earlier module in the sequence has disabled it. Here are some examples.

1) When the URL Access action is Pass, it disables all security features after Global Object White List & URL Access; refer to the module sequence in the following FAQ item.

2) An IP white list match disables all security features after IP List Check.

3) When the client matches a known engine, the WAF disables some RBE related features and all modules that may cause false positives. These modules are listed as follows:

               HTTP Flood

               HTTP Access Limit

               Custom Access Policy

               GEO IP

               Malicious IP

               HTTP_Protocol Constraints

               Robot Check

               Bot Deception

               Biometrics Based Detection

               Threshold Based Detection

4) Some OWA URLs will result in errors, so FortiWeb disables the modules below for them:

               All response follow-up modules are disabled

               File Security

               Webshell Detection

               Chunk Decode

               File Uncompress

               Signature

               URL Rewriting

               File Compress

               Machine Learning

What’s the sequence of WAF module scans in 7.0.0?

The WAF module scan sequence in 7.0.0 is shown below for your reference:

WAF_X_FORWARD_FOR,
WAF_SESSION_MANAGEMENT,        // Client management
WAF_IP_LIST_CHECK,
WAF_IP_INTELLIGENCE,
WAF_QUARANT_IP,
WAF_BOT_MITIGATION_MOD,
WAF_BOT_MANAGEMENT,
WAF_GEO_BLOCK_LIST,
WAF_HTTP_WEBSOCKET_SECURITY,
WAF_HSTS_HEADER,
WAF_PROTECTED_SERVER_CHECK,
WAF_ALLOW_METHOD_CHECK,
WAF_ACTIVE_SCRIPT,
WAF_MOBILE_IDENTIFICATION,
WAF_HTTP_DOS_HTTP_FLOOD,
WAF_HTTP_DOS_MALICIOUS_IP,
WAF_HTTP_ACCESS_LIMIT,
WAF_TCP_FLOOD_PREVENTION,
WAF_HTTP_AUTHENTICATION,
WAF_GLOBAL_WHITE_LIST,
WAF_ADFS_PROXY,
WAF_CUSTOM_RESPONSE_POLICY,
WAF_URL_ACCESS_POLICY,
WAF_MOBILE_API_PROTECTION,
WAF_PADDING_ORACLE_POLICY,
WAF_HTTP_PROTOCOL_CONSTRAINS,
WAF_FILE_PARSE,
WAF_FILE_UPLOAD,
WAF_WEBSHELL_DETECTION,
WAF_CHUNK_DECODE,
WAF_FILE_UNCOMPRESS,
WAF_WEB_CACHE,                 // NOTE: it has to be placed before the modules which modify the original packets
WAF_BOT_DECEPTION,
WAF_ROBOT_CHECK,               // ML bot detection
WAF_CSRF_CHECK,
WAF_MITB_CHECK,
WAF_PARAMETER_VALIDATION_RULE,
WAF_AJAX_BLOCK,
WAF_BOT_CLIENT,                // Biometric based bot detection
WAF_WEB_ACCELERATION,
WAF_XML_VALIDATION,
WAF_JSON_VALIDATION,
WAF_SERVER_PROTECTION_RULE,    // Signature
WAF_SYNTAX_BASED_DETECTION,
WAF_SITE_PUBLISH,
WAF_THREAT_WEIGHT,
WAF_HIDDEN_FIELDS,
WAF_CUSTOM_ACCESS_POLICY,
WAF_BOT_CUSTOM_ACCESS,         // Threshold based bot detection
WAF_USER_TRACKING,
WAF_API_MANAGEMENT,
WAF_OPENAPI_VALIDATION,
WAF_CORS_CHECK,
WAF_URL_REWRITING_POLICY,
WAF_URL_ENCRYPTION,
WAF_MLEARNING,                 // Machine Learning framework
WAF_API_RECORD,                // Machine Learning API discovery
WAF_FILE_COMPRESS,
WAF_COOKIE_SECURITY,
WAF_HTTP_HEADER_SECURITY,
WAF_PROFILE,
WAF_HTTP_STATISTIC,
WAF_CLIENT_CERTIFICATE_FORWARD
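The following troubleshooting helper is an added example, not FortiWeb code: it encodes the 7.0.0 scan sequence above together with the four rules from the "Why doesn't a WAF protection module work?" item, so you can ask whether a given module would still run for a request that hit an IP white list, a URL Access Pass rule, a known engine, or an exempted OWA URL. The mapping of the FAQ's display names (for example "File Security" to WAF_FILE_UPLOAD, "Machine Learning" to WAF_MLEARNING) onto sequence identifiers is an assumption, and the "response follow-up modules" of item 4 are not modelled.

```python
# Added example (not FortiWeb code): models this FAQ's precedence rules over the
# 7.0.0 scan sequence. Display-name to identifier mapping is an assumption.
SCAN_SEQUENCE = [
    "WAF_X_FORWARD_FOR", "WAF_SESSION_MANAGEMENT", "WAF_IP_LIST_CHECK", "WAF_IP_INTELLIGENCE",
    "WAF_QUARANT_IP", "WAF_BOT_MITIGATION_MOD", "WAF_BOT_MANAGEMENT", "WAF_GEO_BLOCK_LIST",
    "WAF_HTTP_WEBSOCKET_SECURITY", "WAF_HSTS_HEADER", "WAF_PROTECTED_SERVER_CHECK",
    "WAF_ALLOW_METHOD_CHECK", "WAF_ACTIVE_SCRIPT", "WAF_MOBILE_IDENTIFICATION",
    "WAF_HTTP_DOS_HTTP_FLOOD", "WAF_HTTP_DOS_MALICIOUS_IP", "WAF_HTTP_ACCESS_LIMIT",
    "WAF_TCP_FLOOD_PREVENTION", "WAF_HTTP_AUTHENTICATION", "WAF_GLOBAL_WHITE_LIST",
    "WAF_ADFS_PROXY", "WAF_CUSTOM_RESPONSE_POLICY", "WAF_URL_ACCESS_POLICY",
    "WAF_MOBILE_API_PROTECTION", "WAF_PADDING_ORACLE_POLICY", "WAF_HTTP_PROTOCOL_CONSTRAINS",
    "WAF_FILE_PARSE", "WAF_FILE_UPLOAD", "WAF_WEBSHELL_DETECTION", "WAF_CHUNK_DECODE",
    "WAF_FILE_UNCOMPRESS", "WAF_WEB_CACHE", "WAF_BOT_DECEPTION", "WAF_ROBOT_CHECK",
    "WAF_CSRF_CHECK", "WAF_MITB_CHECK", "WAF_PARAMETER_VALIDATION_RULE", "WAF_AJAX_BLOCK",
    "WAF_BOT_CLIENT", "WAF_WEB_ACCELERATION", "WAF_XML_VALIDATION", "WAF_JSON_VALIDATION",
    "WAF_SERVER_PROTECTION_RULE", "WAF_SYNTAX_BASED_DETECTION", "WAF_SITE_PUBLISH",
    "WAF_THREAT_WEIGHT", "WAF_HIDDEN_FIELDS", "WAF_CUSTOM_ACCESS_POLICY",
    "WAF_BOT_CUSTOM_ACCESS", "WAF_USER_TRACKING", "WAF_API_MANAGEMENT",
    "WAF_OPENAPI_VALIDATION", "WAF_CORS_CHECK", "WAF_URL_REWRITING_POLICY",
    "WAF_URL_ENCRYPTION", "WAF_MLEARNING", "WAF_API_RECORD", "WAF_FILE_COMPRESS",
    "WAF_COOKIE_SECURITY", "WAF_HTTP_HEADER_SECURITY", "WAF_PROFILE", "WAF_HTTP_STATISTIC",
    "WAF_CLIENT_CERTIFICATE_FORWARD",
]
# FAQ item 3: modules skipped when the client matches a known engine (mapping assumed).
KNOWN_ENGINE_SKIPS = {"WAF_HTTP_DOS_HTTP_FLOOD", "WAF_HTTP_ACCESS_LIMIT",
    "WAF_CUSTOM_ACCESS_POLICY", "WAF_GEO_BLOCK_LIST", "WAF_HTTP_DOS_MALICIOUS_IP",
    "WAF_HTTP_PROTOCOL_CONSTRAINS", "WAF_ROBOT_CHECK", "WAF_BOT_DECEPTION",
    "WAF_BOT_CLIENT", "WAF_BOT_CUSTOM_ACCESS"}
# FAQ item 4: modules skipped on the OWA URLs (response follow-up modules not modelled).
OWA_SKIPS = {"WAF_FILE_UPLOAD", "WAF_WEBSHELL_DETECTION", "WAF_CHUNK_DECODE",
    "WAF_FILE_UNCOMPRESS", "WAF_SERVER_PROTECTION_RULE", "WAF_URL_REWRITING_POLICY",
    "WAF_FILE_COMPRESS", "WAF_MLEARNING"}

def module_runs(module, ip_whitelisted=False, url_access_pass=False,
                known_engine=False, owa_url=False):
    """Return (runs, reason) for one module under the FAQ's short-circuit rules."""
    pos = SCAN_SEQUENCE.index(module)  # raises ValueError for an unknown module
    # FAQ item 2: an IP white list match disables everything after IP List Check.
    if ip_whitelisted and pos > SCAN_SEQUENCE.index("WAF_IP_LIST_CHECK"):
        return False, "IP white list matched earlier in the sequence"
    # FAQ item 1: URL Access action Pass disables everything after URL Access.
    if url_access_pass and pos > SCAN_SEQUENCE.index("WAF_URL_ACCESS_POLICY"):
        return False, "URL Access action Pass matched earlier in the sequence"
    if known_engine and module in KNOWN_ENGINE_SKIPS:
        return False, "known engine matched"
    if owa_url and module in OWA_SKIPS:
        return False, "OWA URL exemption"
    return True, "runs"
```

For example, module_runs("WAF_SERVER_PROTECTION_RULE", url_access_pass=True) reports that signatures are skipped, while the Global Object White List, which sits before URL Access, still runs.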
