Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.2.5 Administration Guide
    7.2.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    FAQ

    FAQ

    How do I create a custom signature that erases response packet content?

    For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.

    Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.

    For releases before 6.4.0, do the following.

    1. Create a custom signature rule that includes the following values:
      DirectionResponse
      ExpressionEither a simple string or a regular expression that matches the response to erase.
      Action

      Alert & Erase

      The erase action replaces the content specified by Expression with xxx.

    2. Add an appropriate target:

    • RESPONSE_BODY

    • RESPONSE_HEADER

    • RESPONSE_STATUS

      The RESPONSE_STATUS is not erased in the raw packet.

    If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.

    • For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    HTTPS://docs.fortinet.com/product/fortiweb/

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.

      2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.

    2. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.

      3. For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.

    3. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.

      4. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.

    • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.

    Can signature attack be detected in WebSocket traffic?

    When Web Protection > Protocol > WebSocket >Enable Attack signature is enabled, attack signatures in WebSocket message body can be detected.

    But if WebSocket traffic has extension header and the extension header is allowed in WebSocket security rule, FortiWeb does not promise to detect attack signatures.

    When you select the WebSocket Security policy in Policy > Web Protection Profile > Protocol, do select the signature in Known Attacks > Signatures.

    From 7.0.2 and newer builds, signature attacks can be detected when websocket data is masked or compressed.

    Previous
    Next

    FAQ

    FAQ

    How do I create a custom signature that erases response packet content?

    For 6.4.0 and later releases, we don’t recommend to use custom signatures to modify packets because signature is designed to detect malicious patterns instead of changing packet, and the erasing action of signature is actually masking, not deleting.

    Please use “URL rewrite” to delete response header or mask response body for any releases after 6.4.0. Please refer to FortiWeb Administration Guide > Application Delivery > Rewriting & Redirecting for details.

    For releases before 6.4.0, do the following.

    1. Create a custom signature rule that includes the following values:
      DirectionResponse
      ExpressionEither a simple string or a regular expression that matches the response to erase.
      Action

      Alert & Erase

      The erase action replaces the content specified by Expression with xxx.

    2. Add an appropriate target:

    • RESPONSE_BODY

    • RESPONSE_HEADER

    • RESPONSE_STATUS

      The RESPONSE_STATUS is not erased in the raw packet.

    If the target is RESPONSE_HEADER or RESPONSE_STATUS, the body of the response is still displayed.

  • Add the rule to a custom signature group, and then add the group to a signature policy that you can add to an inline or Offline Protection profile.

    • For detailed custom signature creation instructions, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule?

    The waf custom-access rule command allows you to configure custom access rules, which can include Signature Violation filters. When you configure the signature-class option, use one of the following IDs to specify the category of signature to match:

    Cross Site Scripting 01000000
    Cross Site Scripting (Extended) 02000000
    SQL Injection 03000000
    SQL Injection (Extended) 04000000
    Generic Attacks 05000000
    Generic Attacks (Extended) 06000000
    Known Exploits 09000000

    For example, the following command creates a custom rule that detects SQL injection attacks, such as blind SQL injection:

    config waf custom-access rule

    edit "sql-inject"

    set action block-period

    set severity High

    set trigger "notification-servers1"

    config signature-class

    edit 03000000

    set status enable

    next

    end

    next

    end

    config waf custom-access policy

    edit "sql-inject-policy"

    config rule

    edit 1

    set rule-name "sql-inject"

    next

    end

    next

    end

    For more information on the waf custom-access rule command, see the FortiWeb CLI Reference:

    HTTPS://docs.fortinet.com/product/fortiweb/

    How do I reduce false positives and false negatives?

    If FortiWeb is identifying legitimate requests as attacks (false positives), complete the following troubleshooting steps:

    1. If your web protection profile uses a signature policy in which the extended version of a signature set is enabled (for example, Cross Site Scripting in FortiWeb Administration Guide), disable it.

      2. The extended signature sets detect a wider range of attacks but are also more likely to generate false positives.

      For details, see "Blocking known attacks & data leaks" in FortiWeb Administration Guide.

    2. Specify the appropriate URL as an exception in the signature configuration. To create this exception, click either the Exception link in the Message field of the attack log item or Advanced Mode in the Edit Signature Policy dialog box.

      3. For details, see "Configuring action overrides or exceptions to data leak & attack detection signatures" in FortiWeb Administration Guide.

    3. If the configuration changes do not solve the problem, capture the packet that FortiWeb has incorrectly identified as an attack and contact Fortinet Technical Support for assistance.

      4. Fortinet can resolve the issue by modifying the attack signature.

    If FortiWeb is identifying attacks as legitimate requests (false negatives), complete the following troubleshooting steps:

    1. Use the Advanced Mode option to ensure that the signature policy that your web protection profile uses has the following configuration:
    • All the appropriate signatures are enabled.
    • The enabled signatures do not have exceptions that permit the attack packets.
  • If your signature configuration is correct, capture the packet that FortiWeb did not identify as an attack and contact Fortinet Technical Support for assistance.

    • Fortinet can resolve the issue by adding an attack signature. In the meantime, you can resolve the problem by creating a custom signature. For details, see "Defining custom data leak & attack signatures" in FortiWeb Administration Guide.

    For additional information about reducing false positives, see "Reducing false positives" in FortiWeb Administration Guide.

    Can signature attack be detected in WebSocket traffic?

    When Web Protection > Protocol > WebSocket >Enable Attack signature is enabled, attack signatures in WebSocket message body can be detected.

    But if WebSocket traffic has extension header and the extension header is allowed in WebSocket security rule, FortiWeb does not promise to detect attack signatures.

    When you select the WebSocket Security policy in Policy > Web Protection Profile > Protocol, do select the signature in Known Attacks > Signatures.

    From 7.0.2 and newer builds, signature attacks can be detected when websocket data is masked or compressed.

    Previous
    Next