Fortinet black logo

Administration Guide

Configuring action overrides or exceptions to data leak & attack detection signatures

Configuring action overrides or exceptions to data leak & attack detection signatures

You can configure FortiWeb to omit attack signature scans in some cases. You can also configure the signature to generate a log or alert only instead of simply blocking the attack.

Exceptions are useful when you know that some parameters cause false positives by matching an attack signature during normal use. Signature exceptions define request parameters that are not subject to signature rules. For example, the HTTP POST URL /pageupload accepts input that is PHP code, but it is the only URL on the host that does. Create an exception that, in the PHP Injection category, disables that specific signature ID for the URL /pageupload in the signature rule that normally blocks all injection attacks.

Supported HTTP elements in Exceptions

The following request elements can be defined in the Exceptions:

  • HTTP method
    HTTP Method includes GET, POST, HEAD, OPTIONS, TRACE, CONNECT, DELETE, PUT, PATCH, OTHERS. For example: GET / HTTP/1.1.
  • Client IP
    The IP address of the client that initiates the request.
  • Host
    The Host request-header field specifies the Internet host and port number of the resource being requested. FortiWeb will detect the HOST field in the HTTP Header. For example: Host: developer.mozilla.org:8080, Host: developer.mozilla.org.
  • URI
    URI is a literal URL which does not include parameters. It's placed after the HTTP Method in HTTP Header. For example: /folder1/index.htm.

  • Full URL
    Unlike URI, the full URL includes parameters. It's placed after the HTTP Method in HTTP Header. For example: /testpage.php?a=1&b=2.
  • Parameter
    HTTP Parameter is a name/value pairs. It appears in the URL after ? and in HTTP body.

    Example 1
    "P1=V1&P2=V2" is the parameter in "POST /dir/file.html?P1=V1&P2=V2 HTTP/1.1".
    Example 2

    "a=1&P2=V2" is the parameter in the following HTTP request body.

    POST /1.html HTTP/1.1

    Host: 10.100.20.138:8090

    User-Agent: curl/7.61.1

    Accept: */*

    Content-Length: 3

    Content-Type: application/x-www-form-urlencoded

    a=1&P2=V2

  • Cookie
    The Cookie field in HTTP Header. It include name and value pair.
    For example: cookiesession3=Rm9ydGl3ZWIK; domain=fwbqa-win2k3.fwbqa.com; path=/autotest/;
  • HTTP Header
    HTTP Head fields are a list of strings including name and value.
    For example: Server: Apache/2.4.38 (Win64) OpenSSL/1.1.1b PHP/7.0.5 mod_jk/1.2.42
  • JSON Elements
    The json element in HTTP Packet Body.
    For example:
    {"people":[{"JSONname1": "image_w3default.gif%20onmousedown=%22addlert('xss%20success')%22","ping_IPAddr":"12.12.12.12"},{"firstName":"Jason","lastName":"Hunter"}]}
If you are not sure which exceptions to create, examine your attack log for messages generated by normal traffic on servers that are not actually vulnerable to that attack. Click the Message field content, and then click Add Exception.
To configure a signature exception, action override, or disable a signature
  1. Go to Web Protection > Known Attacks > Signatures.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Select a signature policy and click Edit.
    Note: You can only view predefined signature policies. To further configure predefined policies, first clone them and then begin editing.
  3. Click Signature Details.
  4. In the signature tree on the left, click a signature folder to open the category in which you want to disable a specific signature. Select an individual sub-category to display a list of individual signature IDs in the pane to the right. Optionally, in the pane that lists individual signatures, click Search.
  5. Click the row of the signature ID to disable.
    The selected signature row is highlighted in yellow.
  6. To disable the signature for this rule, or globally, right-click the signature’s row and select to disable the signature in the current policy or in all policies.
  7. On the Signature tab, do the following:
    • If you want to receive only logs or alert email about detections, but do not want to block matching requests, in the Signature tab, select Alert Only. You can set Alert Only for up to 1024 signatures in one administrative domain.
    • For the signatures that support False Positive Mitigation, if you want to disable False Positive Mitigation to a signature, un-check False Positive Mitigation Support. For details, see False Positive Mitigation for SQL Injection signatures.
  8. If you want to exempt specific host name/URL combinations, in the Signature ID pane on the right side, select the Exception tab and click Create New.
  9. Note: You can create up to 128 exceptions for each signature.

  10. For Element Type, select the type of request element to exempt from this signature and configure these settings. Refer to Supported HTTP elements in Exceptions for the instruction on HTTP elements.
  11. HTTP Method

    Operation
    • IncludeFortiWeb does not perform a signature scan for requests that include the specified HTTP methods.
    • ExcludeFortiWeb only performs signature scans for requests that include the specified HTTP methods.
    HTTP Method Select the methods to include or exclude from the signature exemption.
    Client IP
    Operation
    • EqualFortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
    • Not EqualFortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
    Client IP Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request.
    Host
    Operation
    • String MatchValue is a literal host name.
    • Regular Expression MatchValue is a regular expression that matches all and only the hosts that the exception applies to.
    Value Specifies the Host: field value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    URI
    Operation
    • String MatchValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • Regular Expression MatchValue is a regular expression that matches all and only the URIs that the exception applies to.
    Value Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for HTTP://www.test.com/testpage.php?a=1&b=2.

    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
    Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Full URL
    Operation
    • String MatchValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • Regular Expression MatchValue is a regular expression that matches all and only the URLs that the exception applies to.
    Value Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for HTTP://www.test.com/testpage.php?a=1&b=2.

    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

    Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Parameter
    Operation
    • String MatchName is the literal name of a parameter.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the parameter that the exception applies to.
    Name Specifies the name of the parameter to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Enable to specify a parameter value to match in addition to the parameter name.
    Value Specifies the parameter value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Cookie
    Operation
    • String MatchName is the literal name of a cookie.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the cookie that the exception applies to.
    Name Specifies the name of the cookie to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Select to specify a cookie value to match in addition to the cookie name.
    Value Specifies the cookie value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    HTTP header
    Operation
    • String MatchName is the literal name of an HTTP header.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the HTTP header that the exception applies to.
    Name Specifies the name of the HTTP header to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Enable to specify an HTTP header value to match in addition to the HTTP header name.
    Value Specifies the HTTP header value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

    JSON Elements

    Operation
    • String MatchName is the literal name of a JSON element.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the JSON element that the exception applies to.

    Name Specifies the name of the JSON element to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

    Check Value of Specified Element Enable to specify a JSON element value to match in addition to the JSON element name.

    Value Specifies the JSON element value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Concatenate
    • And—A matching request matches this entry in addition to other entries in the exemption list.
    • Or—A matching request matches this entry instead of other entries in the exemption list.

    Later, you can use the exception list options to adjust the matching sequence for entries. For details, see Example: Concatenating exceptions.

  12. Click Apply.
  13. Repeat the previous steps for each entry that you want to add to the signature exception.
  14. FortiWeb generates a dynamic description of the match sequence you created and displays it at the top of the exception list. You can adjust the sequence using the move options (up and down arrows).

To configure Signatures Exception Rules in attack logs
  1. Go to Log&Report > Log Access > Attack.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log&Report category. For details, see Permissions.
  2. Select an attack for which you would like to create an exception.
  3. In the window that populates to the right, click the Message information and select Add Exception as illustrated below:

  4. For Signature Policy Name, select the signature policy for which you want to create an exception.
  5. For Element Type, select the type of request element for the exception.
  6. Enable Advance Mode.
  7. Refer to the table in For Element Type, select the type of request element to exempt from this signature and configure these settings. Refer to Supported HTTP elements in Exceptions for the instruction on HTTP elements. to complete the exception rule based on the Element Type you selected.
  8. Click OK.
See also

Example: Concatenating exceptions

The illustration displays the following signature exception configuration:

  • The concatenate type for the HTTP Method exception rule (ID 2) is And.
  • The concatenate type for the Client IP rule (ID 3) is Or.
  • The concatenate type for the URI rule has no effect, because it is the first rule.

The final logic of the example is (1 And 2) OR (3), which means FortiWeb skips the signature when both the URI and HTTP Method exception rules match the request, or the Client IP rule matches.

Filtering signatures

You can filter signatures using a keyword. Examples of keywords include:

  • Disabled signatures
  • Signatures that you changed from their default action to Alert Only
  • SQL injection signatures for False Positive Mitigation Support, which provides additional SQL syntax validation, is disabled
  • Signatures that correspond to a specific CVE identifier
  • Signatures configured with one or more exceptions

To locate these kinds of signatures for review or editing, click Filters in the navigation tree, select the type of filter you want to apply, and then click Apply.

See also

Configuring action overrides or exceptions to data leak & attack detection signatures

You can configure FortiWeb to omit attack signature scans in some cases. You can also configure the signature to generate a log or alert only instead of simply blocking the attack.

Exceptions are useful when you know that some parameters cause false positives by matching an attack signature during normal use. Signature exceptions define request parameters that are not subject to signature rules. For example, the HTTP POST URL /pageupload accepts input that is PHP code, but it is the only URL on the host that does. Create an exception that, in the PHP Injection category, disables that specific signature ID for the URL /pageupload in the signature rule that normally blocks all injection attacks.

Supported HTTP elements in Exceptions

The following request elements can be defined in the Exceptions:

  • HTTP method
    HTTP Method includes GET, POST, HEAD, OPTIONS, TRACE, CONNECT, DELETE, PUT, PATCH, OTHERS. For example: GET / HTTP/1.1.
  • Client IP
    The IP address of the client that initiates the request.
  • Host
    The Host request-header field specifies the Internet host and port number of the resource being requested. FortiWeb will detect the HOST field in the HTTP Header. For example: Host: developer.mozilla.org:8080, Host: developer.mozilla.org.
  • URI
    URI is a literal URL which does not include parameters. It's placed after the HTTP Method in HTTP Header. For example: /folder1/index.htm.

  • Full URL
    Unlike URI, the full URL includes parameters. It's placed after the HTTP Method in HTTP Header. For example: /testpage.php?a=1&b=2.
  • Parameter
    HTTP Parameter is a name/value pairs. It appears in the URL after ? and in HTTP body.

    Example 1
    "P1=V1&P2=V2" is the parameter in "POST /dir/file.html?P1=V1&P2=V2 HTTP/1.1".
    Example 2

    "a=1&P2=V2" is the parameter in the following HTTP request body.

    POST /1.html HTTP/1.1

    Host: 10.100.20.138:8090

    User-Agent: curl/7.61.1

    Accept: */*

    Content-Length: 3

    Content-Type: application/x-www-form-urlencoded

    a=1&P2=V2

  • Cookie
    The Cookie field in HTTP Header. It include name and value pair.
    For example: cookiesession3=Rm9ydGl3ZWIK; domain=fwbqa-win2k3.fwbqa.com; path=/autotest/;
  • HTTP Header
    HTTP Head fields are a list of strings including name and value.
    For example: Server: Apache/2.4.38 (Win64) OpenSSL/1.1.1b PHP/7.0.5 mod_jk/1.2.42
  • JSON Elements
    The json element in HTTP Packet Body.
    For example:
    {"people":[{"JSONname1": "image_w3default.gif%20onmousedown=%22addlert('xss%20success')%22","ping_IPAddr":"12.12.12.12"},{"firstName":"Jason","lastName":"Hunter"}]}
If you are not sure which exceptions to create, examine your attack log for messages generated by normal traffic on servers that are not actually vulnerable to that attack. Click the Message field content, and then click Add Exception.
To configure a signature exception, action override, or disable a signature
  1. Go to Web Protection > Known Attacks > Signatures.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Select a signature policy and click Edit.
    Note: You can only view predefined signature policies. To further configure predefined policies, first clone them and then begin editing.
  3. Click Signature Details.
  4. In the signature tree on the left, click a signature folder to open the category in which you want to disable a specific signature. Select an individual sub-category to display a list of individual signature IDs in the pane to the right. Optionally, in the pane that lists individual signatures, click Search.
  5. Click the row of the signature ID to disable.
    The selected signature row is highlighted in yellow.
  6. To disable the signature for this rule, or globally, right-click the signature’s row and select to disable the signature in the current policy or in all policies.
  7. On the Signature tab, do the following:
    • If you want to receive only logs or alert email about detections, but do not want to block matching requests, in the Signature tab, select Alert Only. You can set Alert Only for up to 1024 signatures in one administrative domain.
    • For the signatures that support False Positive Mitigation, if you want to disable False Positive Mitigation to a signature, un-check False Positive Mitigation Support. For details, see False Positive Mitigation for SQL Injection signatures.
  8. If you want to exempt specific host name/URL combinations, in the Signature ID pane on the right side, select the Exception tab and click Create New.
  9. Note: You can create up to 128 exceptions for each signature.

  10. For Element Type, select the type of request element to exempt from this signature and configure these settings. Refer to Supported HTTP elements in Exceptions for the instruction on HTTP elements.
  11. HTTP Method

    Operation
    • IncludeFortiWeb does not perform a signature scan for requests that include the specified HTTP methods.
    • ExcludeFortiWeb only performs signature scans for requests that include the specified HTTP methods.
    HTTP Method Select the methods to include or exclude from the signature exemption.
    Client IP
    Operation
    • EqualFortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
    • Not EqualFortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP.
    Client IP Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request.
    Host
    Operation
    • String MatchValue is a literal host name.
    • Regular Expression MatchValue is a regular expression that matches all and only the hosts that the exception applies to.
    Value Specifies the Host: field value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    URI
    Operation
    • String MatchValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • Regular Expression MatchValue is a regular expression that matches all and only the URIs that the exception applies to.
    Value Specifies a URL value to match. You can use up to 2048 characters in regex configuration for signature. The value does not include parameters. For example, /testpage.php, which match requests for HTTP://www.test.com/testpage.php?a=1&b=2.

    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /causes-false-positives.php).

    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.
    When the URL value is a string, such as /causes-false-positives.php, the URL must begin with a slash ( / ).
    Do not include a domain name or parameters. To match a domain name, use the Host element type. To match a URL that includes parameters, use the Full URL type.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Full URL
    Operation
    • String MatchValue is a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • Regular Expression MatchValue is a regular expression that matches all and only the URLs that the exception applies to.
    Value Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2, which match requests for HTTP://www.test.com/testpage.php?a=1&b=2.

    If Operation is String Match, ensure the value starts with a forward slash ( / ) (for example, /testpage.php?a=1&b=2).

    If Operation is Regular Expression Match, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash.

    Do not include a domain name. To match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Parameter
    Operation
    • String MatchName is the literal name of a parameter.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the parameter that the exception applies to.
    Name Specifies the name of the parameter to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Enable to specify a parameter value to match in addition to the parameter name.
    Value Specifies the parameter value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Cookie
    Operation
    • String MatchName is the literal name of a cookie.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the cookie that the exception applies to.
    Name Specifies the name of the cookie to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Select to specify a cookie value to match in addition to the cookie name.
    Value Specifies the cookie value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    HTTP header
    Operation
    • String MatchName is the literal name of an HTTP header.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the HTTP header that the exception applies to.
    Name Specifies the name of the HTTP header to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Check Value of Specified Element Enable to specify an HTTP header value to match in addition to the HTTP header name.
    Value Specifies the HTTP header value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

    JSON Elements

    Operation
    • String MatchName is the literal name of a JSON element.
    • Regular Expression MatchName is a regular expression that matches all and only the name of the JSON element that the exception applies to.

    Name Specifies the name of the JSON element to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.

    Check Value of Specified Element Enable to specify a JSON element value to match in addition to the JSON element name.

    Value Specifies the JSON element value to match.

    To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax.
    Concatenate
    • And—A matching request matches this entry in addition to other entries in the exemption list.
    • Or—A matching request matches this entry instead of other entries in the exemption list.

    Later, you can use the exception list options to adjust the matching sequence for entries. For details, see Example: Concatenating exceptions.

  12. Click Apply.
  13. Repeat the previous steps for each entry that you want to add to the signature exception.
  14. FortiWeb generates a dynamic description of the match sequence you created and displays it at the top of the exception list. You can adjust the sequence using the move options (up and down arrows).

To configure Signatures Exception Rules in attack logs
  1. Go to Log&Report > Log Access > Attack.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log&Report category. For details, see Permissions.
  2. Select an attack for which you would like to create an exception.
  3. In the window that populates to the right, click the Message information and select Add Exception as illustrated below:

  4. For Signature Policy Name, select the signature policy for which you want to create an exception.
  5. For Element Type, select the type of request element for the exception.
  6. Enable Advance Mode.
  7. Refer to the table in For Element Type, select the type of request element to exempt from this signature and configure these settings. Refer to Supported HTTP elements in Exceptions for the instruction on HTTP elements. to complete the exception rule based on the Element Type you selected.
  8. Click OK.
See also

Example: Concatenating exceptions

The illustration displays the following signature exception configuration:

  • The concatenate type for the HTTP Method exception rule (ID 2) is And.
  • The concatenate type for the Client IP rule (ID 3) is Or.
  • The concatenate type for the URI rule has no effect, because it is the first rule.

The final logic of the example is (1 And 2) OR (3), which means FortiWeb skips the signature when both the URI and HTTP Method exception rules match the request, or the Client IP rule matches.

Filtering signatures

You can filter signatures using a keyword. Examples of keywords include:

  • Disabled signatures
  • Signatures that you changed from their default action to Alert Only
  • SQL injection signatures for False Positive Mitigation Support, which provides additional SQL syntax validation, is disabled
  • Signatures that correspond to a specific CVE identifier
  • Signatures configured with one or more exceptions

To locate these kinds of signatures for review or editing, click Filters in the navigation tree, select the type of filter you want to apply, and then click Apply.

See also