Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.0 Administration Guide
    8.0.0
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Enhanced Accuracy for Custom Rules Using Syntax-Based Detection (8.0.0)

    Enhanced Accuracy for Custom Rules Using Syntax-Based Detection (8.0.0)

    FortiWeb 8.0.0 enhances the Custom Rule filter mechanism by integrating Syntax-Based Detection (SBD) into the Signature Violation filter type. This improvement introduces an optional secondary check to reduce false positives by verifying whether traffic that matches a Signature-Based Detection (SD) pattern also exhibits known malicious syntax characteristics.

    Previously, Custom Rules relying on Signature Violation filters evaluated only SD results. While effective, SD can occasionally flag benign input—especially in cases involving uncommon or edge-case formats. When SBD is enabled as a follow-up check, the Custom Policy Detection (CPD) engine will only apply an action if both SD and SBD classify the same data as malicious.

    In the Custom Rule > Signature Violation filter editor, four new toggles allow administrators to selectively enable Syntax-Based Detection for the following SD categories:

    • Cross Site Scripting

    • Cross Site Scripting (Extended)

    • SQL Injection

    • SQL Injection (Extended)

    These toggles are disabled by default and must be explicitly enabled per class. Once enabled, when a request triggers a match against the selected signature class:

    • FortiWeb attempts to reuse SBD results for the relevant data segment (e.g., specific header, cookie, argument, or payload).

    • If no cached result is available, the CPD engine invokes the SBD module directly to perform additional inspection on the matched content.

    • If the content passes SBD analysis, the match is disregarded, and no Custom Rule action or log is generated.

    • If the content fails SBD validation, FortiWeb logs the event and applies the action configured in the Custom Rule.

    This process ensures that validation occurs in context—preserving the exact source (e.g., arg #2, cookie #1, header #0) and direction (request or response) of the original signature match.

    Note: To take effect, both the SBD and SD modules must be enabled in the same Web Protection Profile.

    This layered inspection approach improves accuracy without sacrificing performance. SBD execution is avoided when results can be reused, reducing redundant computation and ensuring efficient policy enforcement.

    Previous
    Next

    Enhanced Accuracy for Custom Rules Using Syntax-Based Detection (8.0.0)

    Enhanced Accuracy for Custom Rules Using Syntax-Based Detection (8.0.0)

    FortiWeb 8.0.0 enhances the Custom Rule filter mechanism by integrating Syntax-Based Detection (SBD) into the Signature Violation filter type. This improvement introduces an optional secondary check to reduce false positives by verifying whether traffic that matches a Signature-Based Detection (SD) pattern also exhibits known malicious syntax characteristics.

    Previously, Custom Rules relying on Signature Violation filters evaluated only SD results. While effective, SD can occasionally flag benign input—especially in cases involving uncommon or edge-case formats. When SBD is enabled as a follow-up check, the Custom Policy Detection (CPD) engine will only apply an action if both SD and SBD classify the same data as malicious.

    In the Custom Rule > Signature Violation filter editor, four new toggles allow administrators to selectively enable Syntax-Based Detection for the following SD categories:

    • Cross Site Scripting

    • Cross Site Scripting (Extended)

    • SQL Injection

    • SQL Injection (Extended)

    These toggles are disabled by default and must be explicitly enabled per class. Once enabled, when a request triggers a match against the selected signature class:

    • FortiWeb attempts to reuse SBD results for the relevant data segment (e.g., specific header, cookie, argument, or payload).

    • If no cached result is available, the CPD engine invokes the SBD module directly to perform additional inspection on the matched content.

    • If the content passes SBD analysis, the match is disregarded, and no Custom Rule action or log is generated.

    • If the content fails SBD validation, FortiWeb logs the event and applies the action configured in the Custom Rule.

    This process ensures that validation occurs in context—preserving the exact source (e.g., arg #2, cookie #1, header #0) and direction (request or response) of the original signature match.

    Note: To take effect, both the SBD and SD modules must be enabled in the same Web Protection Profile.

    This layered inspection approach improves accuracy without sacrificing performance. SBD execution is avoided when results can be reused, reducing redundant computation and ensuring efficient policy enforcement.

    Previous
    Next