waf signature
Use this command to configure web server protection rules.
There are several security features specifically designed to protect web servers from known attacks. You can configure defenses against:
- Cross-site scripting (XSS)
- SQL injection and many other code injection styles
- Remote file inclusion (RFI)
- Local file inclusion (LFI)
- OS commands
- Trojans/viruses
- Exploits
- Sensitive server information disclosure
- Credit card data leaks
To defend against known attacks, FortiWeb scans:
- Parameters in the URL of HTTP GET requests
- Parameters in the body of HTTP POST requests
- XML in the body of HTTP POST requests (if waf web-protection-profile inline-protection is enabled)
- Cookies
- Headers
- JSON Protocol Detection
- Uploaded filename (MULTIPART_FORM_DATA_FILENAME)
In addition to scanning standard requests, signatures can also scan action message format 3.0 (AMF3) binary inputs used by Adobe Flash clients to communicate with server-side software and XML. For details, see amf3-protocol-detection {enable | disable} and waf web-protection-profile inline-protection (for inline protection profiles) or amf3-protocol-detection {enable | disable} (for Offline Protection profiles).
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Updating signatures
Known attack signatures can be updated. For details about uploading a new set of attack definitions, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
You can also create your own. For details, see waf custom-protection-rule.
Configuring signatures
Before configuring a server protection rule, if you want to configure your own attack or data leak signatures, you must also configure custom server protection rules. For details, see waf custom-protection-group.
Each server protection rule can be configured with the severity and notification settings ("trigger") that, in combination with the action, determine how FortiWeb handles each violation.
For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_deny, the severity set to High, and a trigger set to deliver an alert email each time these rule violations are detected. Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempt requests to specific host names/URLs.
Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see the FortiWeb Administration Guide.
Overriding signature category configuration
To override category-wide actions for a specific signature, configure:
- config signature_disable_list—Disable a specific signature ID (e.g. 040000007), even if the category in general (e.g. SQL Injection (Extended)) is enabled.
- config sub_class_disable_list—Disable a subcategory of signatures (e.g. Session Fixation), even if the category in general (e.g. General Attacks) is enabled.
- config alert_only_list—Only log/alert when detecting the attack, even if the category in general is configured to block.
- config filter_list—Exempt specific host name and/or URL combinations from scanning with this signature.
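The four override lists above layer on top of the per-class action, and it is easy to misjudge what a given request will actually get. The following is an added illustration, not FortiWeb code: a small model of the documented precedence (disable lists suppress the signature entirely, a filter_list exemption skips it for requests matching the configured host/URL, alert_only_list downgrades blocking to logging, otherwise the class action applies). The class-ID derivation (first two digits of the signature ID, e.g. 040000007 belongs to 040000000) is inferred from the IDs quoted on this page; subclass labels, the 080000050 signature ID and the sample requests are constructed test data, and the assumption that several filter_list entries for one signature must all match follows from the page's own host-plus-URL exception.

```python
"""Model of how the override lists of a waf signature rule combine.

Added illustration, not FortiWeb code. Signature/class metadata and the
requests are constructed test data; because the page does not say how the
appliance derives a subclass from a signature ID, the subclass is passed in
explicitly.
"""
from dataclasses import dataclass, field


@dataclass
class SignatureRule:
    # main_class_list: enabled class ID -> action configured for that class
    class_action: dict
    signature_disable_list: set = field(default_factory=set)
    sub_class_disable_list: set = field(default_factory=set)
    alert_only_list: set = field(default_factory=set)
    # filter_list: signature ID -> list of (match-target, value) conditions.
    # All conditions for one signature must hold (concatenate-type AND, the
    # default), which is how the page's host + URI exception reads.
    filter_list: dict = field(default_factory=dict)


def main_class(signature_id: str) -> str:
    """Class ID assumed to be the first two digits of the 9-digit signature ID,
    zero-padded: 040000007 -> 040000000 (SQL Injection (Extended))."""
    return signature_id[:2] + "0000000"


def resolve(rule: SignatureRule, signature_id: str, subclass_id: str,
            request: dict) -> str:
    """Return the effective disposition of one signature for one request."""
    action = rule.class_action.get(main_class(signature_id))
    if action is None:
        return "not_scanned"            # class not enabled in main_class_list
    if signature_id in rule.signature_disable_list:
        return "disabled"               # signature_disable_list
    if subclass_id in rule.sub_class_disable_list:
        return "disabled"               # sub_class_disable_list
    conditions = rule.filter_list.get(signature_id, [])
    if conditions and all(request.get(t) == v for t, v in conditions):
        return "exempt"                 # filter_list host/URL exception
    if signature_id in rule.alert_only_list:
        return "alert"                  # alert_only_list: log only, do not block
    return action


def example_rule() -> SignatureRule:
    """The page's example rule, plus constructed alert-only and subclass overrides."""
    return SignatureRule(
        class_action={"010000000": "alert_deny",   # XSS
                      "040000000": "alert_deny",   # SQL Injection (Extended)
                      "070000000": "alert_deny",   # Trojans
                      "080000000": "alert_deny"},  # class of 080200001
        signature_disable_list={"080200001"},
        sub_class_disable_list={"SESSION_FIXATION"},   # constructed subclass label
        alert_only_list={"040000007"},
        filter_list={"070000001": [("HOST", "www.example.com"),
                                   ("URI", "/virus-sample-upload")]},
    )


if __name__ == "__main__":
    rule = example_rule()
    upload = {"HOST": "www.example.com", "URI": "/virus-sample-upload"}
    other = {"HOST": "www.example.com", "URI": "/login"}
    print(resolve(rule, "070000001", "TROJAN", upload))            # exempt
    print(resolve(rule, "070000001", "TROJAN", other))             # alert_deny
    print(resolve(rule, "040000007", "SQLI", other))               # alert
    print(resolve(rule, "080200001", "GENERIC", other))            # disabled
    print(resolve(rule, "080000050", "SESSION_FIXATION", other))   # disabled
    print(resolve(rule, "120000001", "OTHER", other))              # not_scanned
```

Running the model against a draft rule before committing it is a cheap way to confirm that an exemption is scoped as tightly as intended: in the page's example, only the exact host and URI combination is exempt from signature 070000001, while every other request to that host is still blocked.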
Applying signature policies
To apply server protection rules, select them within an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.
You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see system snmp community.
Syntax
config waf signature
  edit "<signature-rule_name>"
    set credit-card-detection-threshold <instances_int>
    set custom-protection-group "<group_name>"
    set sensitivity-level {1|2|3|4}
    set personally-identifiable-information-hyperscan-mode {enable | disable}
    config main_class_list
      edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}
        set action {alert | alert_deny | block-period | only_erase | send_HTTP_response | alert_erase | redirect | deny_no_log}
        set block-period <seconds_int>
        set severity {Low | Medium | High | Info}
        set trigger "<trigger-policy_name>"
      next
    end
    config signature_disable_list
      edit "<signature-id_str>"
      next
    end
    config sub_class_disable_list
      edit "<sub-class-id_str>"
      next
    end
    config alert_only_list
      edit "<alert-only-list_signature-id_str>"
      next
    end
    config fpm_disable_list
      edit "<fpm-disable-list_signature-id_str>"
      next
    end
    config scoring_override_disable_list
      edit "<scoring-override-disable-list_signature-id_str>"
      next
    end
    config score_grade_list
      edit "<score-grade-list_signature-id_str>"
        set scoring-grade {low | critical | informational | moderate | substantial | severe}
      next
    end
    config filter_list
      edit <entry_index>
        set signature_id "<signature-id_str>"
        set match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}
        set operator {STRING_MATCH | REGEXP_MATCH | EQ | NE | INCLUDE | EXCLUDE}
        set HTTP-method {get post head options trace connect delete put others patch}
        set name {"<name_str>" | "<name_pattern>"}
        set value-check {enable | disable}
        set value {"<value_str>" | "<value_pattern>"}
        set concatenate-type {AND | OR}
      next
    end
  next
end
Variable | Description | Default
--- | --- | ---
"<signature-rule_name>" | Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter: | No default.
credit-card-detection-threshold <instances_int> | Enter the number of credit card numbers in a response that triggers the credit card number detection feature. For example, to ignore web pages that contain only one credit card number but detect pages that contain two or more, enter 2. The valid range is 1–128. | 1
custom-protection-group "<group_name>" | Enter the name of the custom signature group to be used, if any. The maximum length is 63 characters. To display the list of existing custom signature groups, enter: | No default.
sensitivity-level {1\|2\|3\|4} | Increasing the level adds additional signatures but also adds the chance of blocking legitimate traffic. | 4
personally-identifiable-information-hyperscan-mode {enable \| disable} | Enable to use hyperscan to detect personally identifiable information in the response body. Hyperscan support can be verified from the CLI: the "Hyperscan valid platform" line in the output confirms that your FortiWeb model supports hyperscan, while the remaining lines indicate whether the current version of the FDS supports hyperscan signatures (at the time of writing it did not yet). | disable
main_class_list: edit {010000000 \| 020000000 \| 030000000 \| 040000000 \| 050000000 \| 060000000 \| 070000000 \| 080000000 \| 090000000 \| 100000000 \| 110000000 \| 120000000} | Enter the ID of a signature class (or, for subclass overrides, the subclass ID). To display the list of signature classes, enter: | No default.
action {alert \| alert_deny \| block-period \| only_erase \| send_HTTP_response \| alert_erase \| redirect \| deny_no_log} | Select which action the FortiWeb appliance takes when it detects a signature match. Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure. Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert. Caution: FortiWeb ignores this setting if monitor-mode {enable \| disable} is enabled. Note: Actions that generate log messages or alert email require those features to be enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile in the policy with Offline Protection profiles that use this rule, select | alert
block-period <seconds_int> | Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. The valid range is 1–3,600 seconds. This setting applies only if action is set to block-period. Note: This is not a single setting. You can configure the block period separately for each signature category. | 600
severity {Low \| Medium \| High \| Info} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field set to this value. Note: This is not a single setting. You can configure the severity separately for each signature category. | Medium
trigger "<trigger-policy_name>" | Enter the name of the trigger, if any, to apply when a protection rule is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing triggers, enter: Note: This is not a single setting. You can configure a different trigger for each signature category. | No default.
signature_disable_list: edit "<signature-id_str>" | Enter the ID of a specific signature that you want to disable. Some signatures often cause false positives and are disabled by default. To display a list, enter: | No default.
alert_only_list: edit "<alert-only-list_signature-id_str>" | Enter the ID of a specific signature that generates logs or alert email only and does not block matching requests. | No default.
fpm_disable_list: edit "<fpm-disable-list_signature-id_str>" | Enter the ID of a specific signature for which false positive mitigation is disabled. The false positive mitigation feature performs additional lexical and syntax analysis after a SQL injection signature matches a request. | No default.
scoring_override_disable_list: edit "<scoring-override-disable-list_signature-id_str>" | Enter the ID of a specific signature that will not be affected by the threat weight settings, if any. When traffic violates the specified signature, FortiWeb takes the local action specified for that signature. | No default.
score_grade_list: edit "<score-grade-list_signature-id_str>" | Enter the ID of a specific signature to configure its threat weight. Specify the weight with scoring-grade. | No default.
scoring-grade {low \| critical \| informational \| moderate \| substantial \| severe} | Specify the threat weight that the signature adds to the combined threat weight. Global threat weight risk level values can be modified using server-policy pattern threat-weight. | No default.
filter_list: edit <entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–128. You can create up to 128 exceptions for each signature. | No default.
signature_id "<signature-id_str>" | Enter the ID of a specific signature that you want to disable when the request matches the specified object. | No default.
match-target {HTTP_METHOD \| CLIENT_IP \| HOST \| URI \| FULL_URL \| PARAMETER \| COOKIE \| HTTP_HEADER \| JSON_ELEMENTS} | Enter the type of object that FortiWeb examines for matching values. |
operator {STRING_MATCH \| REGEXP_MATCH \| EQ \| NE \| INCLUDE \| EXCLUDE} | Enter the type of values to match. |
HTTP-method {get post head options trace connect delete put others patch} | When match-target is HTTP_METHOD, select the HTTP method(s) to match. | No default.
name {"<name_str>" \| "<name_pattern>"} | Enter the name of a parameter or cookie to match. Whether the value is a literal value or a regular expression is determined by the value of operator. Available when match-target is PARAMETER or COOKIE. | No default.
value-check {enable \| disable} | Enable to specify whether matching requests must match a specified parameter or cookie value as well as the specified parameter or cookie name. | disable
value {"<value_str>" \| "<value_pattern>"} | Enter the value to match. | No default.
concatenate-type {AND \| OR} | Specify whether this entry's condition must hold together with (AND) or instead of (OR) the other filter_list entries for the same signature. | AND
 | Enter a description or other comment. | No default.
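What credit-card-detection-threshold actually counts is worth seeing end to end. The following is an added illustration, not FortiWeb's detector: it scans a response body for 13–19 digit runs (spaces or hyphens allowed between digits), validates each with the Luhn mod-10 check so that order numbers and other long digit strings are not counted, and flags the page only when the count reaches the configured threshold, mirroring the table's "enter 2 to ignore pages with a single number" semantics. The sample bodies are constructed; the card numbers are well-known test PANs, not real account numbers.

```python
"""Credit card number counting behind credit-card-detection-threshold.

Added illustration, not FortiWeb code. Sample bodies are constructed and
use well-known test PANs.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # 2d, digits summed
        total += d
    return total % 10 == 0


def count_card_numbers(body: str) -> int:
    """Count Luhn-valid 13-19 digit numbers in a response body."""
    count = 0
    for match in _CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
    return count


def leaks_credit_cards(body: str, threshold: int = 1) -> bool:
    """True when the body holds at least `threshold` card numbers.

    The accepted range 1-128 matches the table above; 1 (the default)
    flags any page with a single card number.
    """
    if not 1 <= threshold <= 128:
        raise ValueError("credit-card-detection-threshold must be 1-128")
    return count_card_numbers(body) >= threshold


# Constructed sample responses: the order number is 16 digits but fails Luhn.
ONE_CARD = "Order 1234567812345678 confirmed; card 4111-1111-1111-1111 charged."
THREE_CARDS = "4111 1111 1111 1111\n378282246310005\n5500000000000004\n"

if __name__ == "__main__":
    print(count_card_numbers(ONE_CARD), leaks_credit_cards(ONE_CARD, 2))        # 1 False
    print(count_card_numbers(THREE_CARDS), leaks_credit_cards(THREE_CARDS, 2))  # 3 True
```

The Luhn check is what keeps the threshold meaningful: without it, any 16-digit order or tracking number in a response would count toward the limit and a threshold of 2 would fire on pages that hold a single card number.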
Example
This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in notification-servers1. It also enables use of custom attack and data leak signatures in the set named custom-signature-group1.
This example disables by ID a signature that is known to cause false positives (080200001). It also makes an exception (config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-upload) on a host (www.example.com) that is used by security researchers to receive virus samples.
config waf signature
  edit "attack-signatures1"
    set custom-protection-group "custom-signature-group1"
    config main_class_list
      edit "010000000"
        set severity High
        set trigger "notification-servers1"
      next
      edit "070000000"
        set severity High
        set trigger "notification-servers1"
      next
    end
    config signature_disable_list
      edit "080200001"
      next
    end
    config filter_list
      edit 1
        set signature_id "070000001"
        set match-target HOST
        set value "www.example.com"
      next
      edit 2
        set signature_id "070000001"
        set match-target URI
        set value "/virus-sample-upload"
      next
    end
  next
end