FAQ
How do I create a custom signature that erases response packet content?
For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.
Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.
For releases before 6.4.0, do the following.
- Create a custom signature rule that includes the following values:
Direction Response Expression Either a simple string or a regular expression that matches the response to erase. Action Alert & Erase
The erase action replaces the content specified by Expression with
xxx
. - Add an appropriate target:
-
RESPONSE_BODY
- RESPONSE_HEADER
-
RESPONSE_STATUS
The RESPONSE_STATUS is not erased in the raw packet.
If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.
For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?
The waf custom-access rule
command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class
option, use one of the following IDs to specify the category of signature to match:
Cross Site Scripting | 01000000 |
Cross Site Scripting (Extended) | 02000000 |
SQL Injection | 03000000 |
SQL Injection (Extended) | 04000000 |
Generic Attacks | 05000000 |
Generic Attacks (Extended) | 06000000 |
Known Exploits | 09000000 |
For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:
config waf custom-access rule
edit "sql-inject"
set action block-period
set severity High
set trigger "notification-servers1"
config signature-class
edit 03000000
set status enable
next
end
next
end
config waf custom-access policy
edit "sql-inject-policy"
config rule
edit 1
set rule-name "sql-inject"
next
end
next
end
For more information on the waf custom-access rule
command, see the FortiWeb CLI Reference:
HTTPs://docs.fortinet.com/product/fortiweb/
How do I reduce false positives and false negatives?
If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:
- If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.
- Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.
- If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.
The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.
For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.
For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.
Fortinet can resolve the issue by modifying the attack signature.
If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:
- Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
- All the appropriate signatures are enabled.
- The enabled signatures do not have exceptions that permit the attack packets.
Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.
For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.