Fortinet black logo

Administration Guide

WebSocket Protocol

WebSocket protocol

WebSocket Protocol is a TCP-based network protocol, which enables full-duplex communication between a web browser and a server.

FortiWeb now secures WebSocket traffic with a variety of security controls such as allowed formats, frame and message size and signature detection.

Creating WebSocket security rules

This section provides instructions to:

  • Create a WebSocket security rule
  • Add a WebSocket security rule to a WebSocket security policy

To create a WebSocket security rule

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Rule.
  2. Click Create New.
  3. Configure these settings:

    NameType a name that can be referenced by other parts of the configuration. The name will be used when selecting the WebSocket security policy.
    Host StatusEnable to compare the WebSocket security rule to the Host: field in the HTTP header. Also configure Host.
    HostSelect the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies. For details, see Defining your protected/allowed HTTP “Host:” header names.
    This setting is available only if Host Status is enabled.

    URL Type

    Select whether the URL fields must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    URL

    The URL which hosts the web page containing the user input fields you want to protect.

    Depending on your selection in URL type, enter either:

    • Simple String—The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    Block WebSocket TrafficEnable to deny the WebSocket traffic, and FortiWeb will not check any WebSocket related traffic. This option is disabled by default.
    The following fields can be configured only when this option is disabled.

    Action

    Select which action FortiWeb will take when it detects a violation of the WebSocket security policy:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • Deny (no log)—Block the request (or reset the connection).

    The default value is Alert.

    Allowed Formats

    When the WebSocket connection is established , data is transmitted in the form of frame. Select the allowed frame formats that are acceptable matches.
    By default, both Plain Text and Binary are checked.

    Max Frame SizeSpecify the maximum acceptable frame header and body size in bytes. The valid range is 0–2147483647 bytes.
    Max Message SizeSpecify the maximum acceptable message header and body size in bytes. The valid range is 0–2147483647 bytes.
    Block ExtensionsEnable to not check the extension header in WebSocket handshake packet. By default, this option is disabled.
    When enabled, if the Action is Alert, FortiWeb will remove the extension field in the packet. While, if the Action is Deny (no log), the WebSocket protocol negotiation fails, as the traffic can not be established.
    Enable Attack Signatures

    Enable to detect attack in WebSocket message body. But if WebSocket traffic has extension header and allow extension header in WebSocket security rule, FortiWeb does not promise to detect attack signatures. This field is disabled by default.
    Note:

    • To make this take effect, when you select the WebSocket Security policy in Policy > Web Protection Profile > Protocol, do select the signature in Known Attacks > Signatures. When attack signature is detected, the actions FortiWeb will take follow those of related signatures.

    • FortiWeb can alert, period block, or deny the websocket packet if signature violations are detected. However, it can't erase, redirect, or send HTTP response even though such actions are configured for the corresponding signatures. For more information, see the description of Action (column) in Blocking known attacks

  4. Click OK.
  5. In Allowed Origin List, click Create New.
  6. Enter the allowed origin. For example, 121.40.165.18:8800. Only traffic from the allowed origin can be accepted.
  7. Click OK.
    If you do not configure the allowed origin, FortiWeb will not check the allowed origin fields.

To add a WebSocket security rule to a WebSocket security policy

For details about creating a WebSocket security policy, see Creating WebSocket security policies

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Policy.
  2. Select the existing WebSocket security policy to which you want to add the WebSocket security rule.
  3. Click Edit.
  4. Click Create New.
  5. For WebSocket Security Rule, select the WebSocket security rule that you want to include in the WebSocket security policy.
  6. To view details about a selected WebSocket security rule, click next to the drop down list.

  7. Click OK.
  8. Repeat Steps 4-6 for as many WebSocket security rules as you want to add to the WebSocket security policy.

Creating WebSocket security policies

This section provides instructions to:

  • Create a WebSocket security policy
  • Apply a WebSocket security policy in a web protection profile

To create a WebSocket security policy

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Policy.
  2. Click Create New.
  3. For Name, enter a name for the policy. You will use the Name to select the policy in a web protection profile.
  4. Click OK.
  5. To add WebSocket security rules to the policy, see To add a WebSocket security rule to a WebSocket security policy.

To add a WebSocket security policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Server Policy.
  2. Select an existing web protection profile to which you want to include the WebSocket security policy.
  3. Click Edit.
  4. Go to Security Configuration > Web Protection Profile.
  5. Click to enter the Edit Inline Protection Profile page.
  6. For Protocol > WebSocket Security, select the WebSocket security policy from the drop down list.
    You can also click to open the Edit WebSocket Security Policy page.
  7. Click OK.

WebSocket protocol

WebSocket Protocol is a TCP-based network protocol, which enables full-duplex communication between a web browser and a server.

FortiWeb now secures WebSocket traffic with a variety of security controls such as allowed formats, frame and message size and signature detection.

Creating WebSocket security rules

This section provides instructions to:

  • Create a WebSocket security rule
  • Add a WebSocket security rule to a WebSocket security policy

To create a WebSocket security rule

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Rule.
  2. Click Create New.
  3. Configure these settings:

    NameType a name that can be referenced by other parts of the configuration. The name will be used when selecting the WebSocket security policy.
    Host StatusEnable to compare the WebSocket security rule to the Host: field in the HTTP header. Also configure Host.
    HostSelect the IP address or fully qualified domain name (FQDN) of the protected host to which this rule applies. For details, see Defining your protected/allowed HTTP “Host:” header names.
    This setting is available only if Host Status is enabled.

    URL Type

    Select whether the URL fields must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    URL

    The URL which hosts the web page containing the user input fields you want to protect.

    Depending on your selection in URL type, enter either:

    • Simple String—The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Host.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    Block WebSocket TrafficEnable to deny the WebSocket traffic, and FortiWeb will not check any WebSocket related traffic. This option is disabled by default.
    The following fields can be configured only when this option is disabled.

    Action

    Select which action FortiWeb will take when it detects a violation of the WebSocket security policy:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
    • Deny (no log)—Block the request (or reset the connection).

    The default value is Alert.

    Allowed Formats

    When the WebSocket connection is established , data is transmitted in the form of frame. Select the allowed frame formats that are acceptable matches.
    By default, both Plain Text and Binary are checked.

    Max Frame SizeSpecify the maximum acceptable frame header and body size in bytes. The valid range is 0–2147483647 bytes.
    Max Message SizeSpecify the maximum acceptable message header and body size in bytes. The valid range is 0–2147483647 bytes.
    Block ExtensionsEnable to not check the extension header in WebSocket handshake packet. By default, this option is disabled.
    When enabled, if the Action is Alert, FortiWeb will remove the extension field in the packet. While, if the Action is Deny (no log), the WebSocket protocol negotiation fails, as the traffic can not be established.
    Enable Attack Signatures

    Enable to detect attack in WebSocket message body. But if WebSocket traffic has extension header and allow extension header in WebSocket security rule, FortiWeb does not promise to detect attack signatures. This field is disabled by default.
    Note:

    • To make this take effect, when you select the WebSocket Security policy in Policy > Web Protection Profile > Protocol, do select the signature in Known Attacks > Signatures. When attack signature is detected, the actions FortiWeb will take follow those of related signatures.

    • FortiWeb can alert, period block, or deny the websocket packet if signature violations are detected. However, it can't erase, redirect, or send HTTP response even though such actions are configured for the corresponding signatures. For more information, see the description of Action (column) in Blocking known attacks

  4. Click OK.
  5. In Allowed Origin List, click Create New.
  6. Enter the allowed origin. For example, 121.40.165.18:8800. Only traffic from the allowed origin can be accepted.
  7. Click OK.
    If you do not configure the allowed origin, FortiWeb will not check the allowed origin fields.

To add a WebSocket security rule to a WebSocket security policy

For details about creating a WebSocket security policy, see Creating WebSocket security policies

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Policy.
  2. Select the existing WebSocket security policy to which you want to add the WebSocket security rule.
  3. Click Edit.
  4. Click Create New.
  5. For WebSocket Security Rule, select the WebSocket security rule that you want to include in the WebSocket security policy.
  6. To view details about a selected WebSocket security rule, click next to the drop down list.

  7. Click OK.
  8. Repeat Steps 4-6 for as many WebSocket security rules as you want to add to the WebSocket security policy.

Creating WebSocket security policies

This section provides instructions to:

  • Create a WebSocket security policy
  • Apply a WebSocket security policy in a web protection profile

To create a WebSocket security policy

  1. Go to Web Protection > Protocol > WebSocket > WebSocket Security Policy.
  2. Click Create New.
  3. For Name, enter a name for the policy. You will use the Name to select the policy in a web protection profile.
  4. Click OK.
  5. To add WebSocket security rules to the policy, see To add a WebSocket security rule to a WebSocket security policy.

To add a WebSocket security policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Server Policy.
  2. Select an existing web protection profile to which you want to include the WebSocket security policy.
  3. Click Edit.
  4. Go to Security Configuration > Web Protection Profile.
  5. Click to enter the Edit Inline Protection Profile page.
  6. For Protocol > WebSocket Security, select the WebSocket security policy from the drop down list.
    You can also click to open the Edit WebSocket Security Policy page.
  7. Click OK.