Configuring action overrides or exceptions to data leak & attack detection signatures
You can configure FortiWeb to omit attack signature scans in some cases. You can also configure the signature to generate a log or alert only instead of simply blocking the attack.
Exceptions are useful when you know that some parameters cause false positives by matching an attack signature during normal use. Signature exceptions define request parameters that are not subject to signature rules. For example, suppose the HTTP POST URL /pageupload accepts input that is PHP code, but it is the only URL on the host that does. In the signature rule that normally blocks all injection attacks, create an exception that, in the PHP Injection category, disables that specific signature ID for the URL /pageupload only.
Supported HTTP elements in Exceptions
The following request elements can be defined in the Exceptions:
- HTTP Method: the HTTP method, one of GET, POST, HEAD, OPTIONS, TRACE, CONNECT, DELETE, PUT, PATCH, or OTHERS. For example: GET / HTTP/1.1
- Client IP: the IP address of the client that initiates the request.
- Host: the Host request-header field specifies the Internet host and port number of the resource being requested. FortiWeb detects the Host field in the HTTP header. For example: Host: developer.mozilla.org:8080 or Host: developer.mozilla.org
- URI: a literal URL that does not include parameters. It follows the HTTP method in the request line. For example: /folder1/index.htm
- Full URL: unlike the URI, the full URL includes parameters. It also follows the HTTP method in the request line. For example: /testpage.php?a=1&b=2
- Parameter: HTTP parameters are name/value pairs. They appear in the URL after ? and in the HTTP body.
  Example 1: "P1=V1&P2=V2" is the parameter in "POST /dir/file.html?P1=V1&P2=V2 HTTP/1.1".
  Example 2: "a=1&P2=V2" is the parameter in the body of the following HTTP request:
  POST /1.html HTTP/1.1
  Host: 10.100.20.138:8090
  User-Agent: curl/7.61.1
  Accept: */*
  Content-Length: 3
  Content-Type: application/x-www-form-urlencoded
  a=1&P2=V2
- Cookie: the Cookie field in the HTTP header. It includes name and value pairs. For example: cookiesession3=Rm9ydGl3ZWIK; domain=fwbqa-win2k3.fwbqa.com; path=/autotest/;
- HTTP Header: HTTP header fields are a list of strings, each consisting of a name and a value. For example: Server: Apache/2.4.38 (Win64) OpenSSL/1.1.1b PHP/7.0.5 mod_jk/1.2.42
- JSON Elements: a JSON element in the HTTP packet body. For example: {"people":[{"JSONname1": "image_w3default.gif%20onmousedown=%22addlert('xss%20success')%22","ping_IPAddr":"12.12.12.12"},{"firstName":"Jason","lastName":"Hunter"}]}
Note: If you are not sure which exceptions to create, examine your attack log for messages generated by normal traffic on servers that are not actually vulnerable to that attack. Click the Message field content, and then click Add Exception.
To configure a signature exception, action override, or disable a signature
- Go to Web Protection > Known Attacks > Signatures.
  To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
- Select a signature policy and click Edit.
  Note: You can only view predefined signature policies. To further configure predefined policies, first clone them and then begin editing.
- Click Signature Details.
- In the signature tree on the left, click a signature folder to open the category in which you want to disable a specific signature. Select an individual sub-category to display a list of individual signature IDs in the pane to the right. Optionally, in the pane that lists individual signatures, click Search.
- Click the row of the signature ID to disable. The selected signature row is highlighted in yellow.
- To disable the signature for this rule, or globally, right-click the signature’s row and select to disable the signature in the current policy or in all policies.
- On the Signature tab, do the following:
  - If you want to receive only logs or alert email about detections, but do not want to block matching requests, select Alert Only. You can set Alert Only for up to 1024 signatures in one administrative domain.
  - For the signatures that support False Positive Mitigation, if you want to disable False Positive Mitigation for a signature, un-check False Positive Mitigation Support. For details, see False Positive Mitigation for SQL Injection signatures.
- If you want to exempt specific host name/URL combinations, in the Signature ID pane on the right side, select the Exception tab and click Create New.
- For Element Type, select the type of request element to exempt from this signature and configure the settings in the following table. Refer to Supported HTTP elements in Exceptions for descriptions of the HTTP elements.

| Element Type | Setting | Description |
|---|---|---|
| HTTP Method | Operation | Include—FortiWeb does not perform a signature scan for requests that include the specified HTTP methods. Exclude—FortiWeb only performs signature scans for requests that include the specified HTTP methods. |
| HTTP Method | HTTP Method | Select the methods to include or exclude from the signature exemption. |
| Client IP | Operation | Equal—FortiWeb does not perform a signature scan for requests with a client IP address or IP range that matches the value of Client IP. Not Equal—FortiWeb only performs a signature scan for requests with a client IP address or IP range that matches the value of Client IP. |
| Client IP | Client IP | Specify the client IP address or IP range that FortiWeb uses to determine whether or not to perform a signature scan for the request. |
| Host | Operation | String Match—Value is a literal host name. Regular Expression Match—Value is a regular expression that matches all and only the hosts that the exception applies to. |
| Host | Value | Specifies the Host: field value to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| URI | Operation | String Match—Value is a literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. Regular Expression Match—Value is a regular expression that matches all and only the URIs that the exception applies to. |
| URI | Value | Specifies a URL value to match. The value does not include parameters. For example, /testpage.php matches requests for http://www.test.com/testpage.php?a=1&b=2. You can use up to 2048 characters in a regular expression for a signature. If Operation is String Match, ensure the value starts with a forward slash (/), for example /causes-false-positives.php. If Operation is Regular Expression Match, the value does not require a forward slash, but ensure that it can match values that contain one. Do not include a domain name or parameters: to match a domain name, use the Host element type; to match a URL that includes parameters, use the Full URL type. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Full URL | Operation | String Match—Value is a literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. Regular Expression Match—Value is a regular expression that matches all and only the URLs that the exception applies to. |
| Full URL | Value | Specifies a URL value that includes parameters to match. For example, /testpage.php?a=1&b=2 matches requests for http://www.test.com/testpage.php?a=1&b=2. If Operation is String Match, ensure the value starts with a forward slash (/), for example /testpage.php?a=1&b=2. If Operation is Regular Expression Match, the value does not require a forward slash, but ensure that it can match values that contain one. Do not include a domain name: to match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Parameter | Operation | String Match—Name is the literal name of a parameter. Regular Expression Match—Name is a regular expression that matches all and only the names of the parameters that the exception applies to. |
| Parameter | Name | Specifies the name of the parameter to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Parameter | Check Value of Specified Element | Enable to specify a parameter value to match in addition to the parameter name. |
| Parameter | Value | Specifies the parameter value to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Cookie | Operation | String Match—Name is the literal name of a cookie. Regular Expression Match—Name is a regular expression that matches all and only the names of the cookies that the exception applies to. |
| Cookie | Name | Specifies the name of the cookie to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Cookie | Check Value of Specified Element | Select to specify a cookie value to match in addition to the cookie name. |
| Cookie | Value | Specifies the cookie value to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| HTTP Header | Operation | String Match—Name is the literal name of an HTTP header. Regular Expression Match—Name is a regular expression that matches all and only the names of the HTTP headers that the exception applies to. |
| HTTP Header | Name | Specifies the name of the HTTP header to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| HTTP Header | Check Value of Specified Element | Enable to specify an HTTP header value to match in addition to the HTTP header name. |
| HTTP Header | Value | Specifies the HTTP header value to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| JSON Elements | Operation | String Match—Name is the literal name of a JSON element. Regular Expression Match—Name is a regular expression that matches all and only the names of the JSON elements that the exception applies to. |
| JSON Elements | Name | Specifies the name of the JSON element to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| JSON Elements | Check Value of Specified Element | Enable to specify a JSON element value to match in addition to the JSON element name. |
| JSON Elements | Value | Specifies the JSON element value to match. To create and test a regular expression, click the >> (test) icon. For details, see Regular expression syntax. |
| Concatenate | | And—A matching request matches this entry in addition to other entries in the exemption list. Or—A matching request matches this entry instead of other entries in the exemption list. Later, you can use the exception list options to adjust the matching sequence for entries. For details, see Example: Concatenating exceptions. |

- Click Apply.
- Repeat the previous steps for each entry that you want to add to the signature exception.
  Note: You can create up to 128 exceptions for each signature.
FortiWeb generates a dynamic description of the match sequence you created and displays it at the top of the exception list. You can adjust the sequence using the move options (up and down arrows).
To configure Signatures Exception Rules in attack logs
- Go to Log&Report > Log Access > Attack.
  To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Log&Report category. For details, see Permissions.
- Select an attack for which you would like to create an exception.
- In the window that populates to the right, click the Message information and select Add Exception as illustrated below:
- For Signature Policy Name, select the signature policy for which you want to create an exception.
- For Element Type, select the type of request element for the exception.
- Enable Advance Mode.
- Refer to the Element Type settings table in To configure a signature exception, action override, or disable a signature to complete the exception rule based on the Element Type you selected. Refer to Supported HTTP elements in Exceptions for descriptions of the HTTP elements.
- Click OK.
Example: Concatenating exceptions
The illustration displays the following signature exception configuration:
- The concatenate type for the HTTP Method exception rule (ID 2) is And.
- The concatenate type for the Client IP rule (ID 3) is Or.
- The concatenate type for the URI rule (ID 1) has no effect, because it is the first rule.
The final logic of the example is (1 And 2) Or (3), which means FortiWeb skips the signature when both the URI and HTTP Method exception rules match the request, or when the Client IP rule matches.
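As an added illustration (not FortiWeb's code or documentation), the following Python script models how an ordered exception list with And/Or concatenation decides whether a signature scan is skipped, using the three-rule example above (URI, then HTTP Method with And, then Client IP with Or) together with the String Match wildcard forms for URI values from the settings table. Parameter, Cookie, HTTP Header and JSON Elements are not modelled; the left-to-right fold and the regex-search semantics are assumptions, and 192.0.2.0/24 and /pageupload are constructed values.

```python
import re
from ipaddress import ip_address, ip_network

def path_matches(op, value, path):
    """String Match: literal path in which '*' matches any run of characters,
    so /folder1/*/index.htm matches /folder1/a/b/index.htm.
    Regular Expression Match: a regex search over the path (assumed semantics)."""
    if op == "regex":
        return re.search(value, path) is not None
    return re.fullmatch(".*".join(map(re.escape, value.split("*"))), path) is not None

def rule_matches(rule, req):
    """True when one exception entry applies to the request. Include and Equal
    skip the scan when the element matches; Exclude and Not Equal invert that."""
    kind, op = rule["type"], rule["op"]
    if kind == "method":
        hit = req["method"] in rule["methods"]
        return hit if op == "include" else not hit
    if kind == "client_ip":  # value may be a single address or a CIDR range
        hit = ip_address(req["client_ip"]) in ip_network(rule["value"], strict=False)
        return hit if op == "equal" else not hit
    if kind == "host":
        return (req["host"] == rule["value"] if op == "string"
                else re.search(rule["value"], req["host"]) is not None)
    if kind in ("uri", "full_url"):
        return path_matches(op, rule["value"], req[kind])
    raise ValueError(f"element type not modelled here: {kind}")

def signature_skipped(rules, req):
    """Fold the ordered exception list left to right: each entry's Concatenate
    (And/Or) joins it to the running result, so [1, 2 And, 3 Or] evaluates as
    (1 And 2) Or 3. The first entry's Concatenate is ignored. Assumption: this
    fold reproduces the page's example; it is not FortiWeb's own logic."""
    result = False
    for i, rule in enumerate(rules):
        hit = rule_matches(rule, req)
        if i == 0:
            result = hit
        else:
            result = (result and hit) if rule["concat"] == "and" else (result or hit)
    return result

# Constructed exception list mirroring the page's example: rule 1 URI,
# rule 2 HTTP Method (And), rule 3 Client IP (Or). 192.0.2.0/24 is a made-up range.
EXAMPLE_RULES = [
    {"type": "uri", "op": "string", "value": "/pageupload", "concat": None},
    {"type": "method", "op": "include", "methods": {"POST"}, "concat": "and"},
    {"type": "client_ip", "op": "equal", "value": "192.0.2.0/24", "concat": "or"},
]
```

Reordering the entries changes the result of the fold, which is why the dynamic match-sequence description FortiWeb shows at the top of the exception list is worth reading after every move.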
Filtering signatures
You can filter signatures using a keyword. Examples of keywords include:
- Disabled signatures
- Signatures that you changed from their default action to Alert Only
- SQL injection signatures for which False Positive Mitigation Support, which provides additional SQL syntax validation, is disabled
- Signatures that correspond to a specific CVE identifier
- Signatures configured with one or more exceptions
To locate these kinds of signatures for review or editing, click Filters in the navigation tree, select the type of filter you want to apply, and then click Apply.