gpap_FTNT
Staff & Editor
August 31, 2016

Technical Tip: Configuring an exemption for signatures and for constraints in a FortiGate Web Application Firewall (WAF)


Description

 

This article describes how to disable a particular signature and a particular constraint in a Web Application Firewall security profile.  


Scope

 

FortiGate.


Solution

 

A WAF profile consists of Signatures and Constraints:

[screenshots: the Signatures and the Constraints sections of the WAF profile in the GUI]

 

Exempting signatures:

An entire category of signatures can be enabled or disabled from the GUI, but a specific signature within a category can only be disabled from the CLI, using its signature ID. That ID is shown in the WAF log as the Event ID:

[screenshot: Event ID field of a WAF signature log entry]

 

Issue the following commands to exempt (disable) the signature. The first block is the template; the second disables signature 30000040 as an example:

config waf profile
    edit {Profile Name}
        config signature
            set disabled-signature {Event ID}
        end
    end

config waf profile
    edit {Profile Name}
        config signature
            set disabled-signature 30000040
        end
    end
 
Note: 'set disabled-signature' replaces the entire list of exemptions. If a profile already has exemptions and 'set' is issued again with only the new ID, the earlier exemptions are removed. To add an ID to an existing list, use 'append' instead, as shown in the following example.
 
Example of a profile that already has three exemptions:

config waf profile
    edit {Profile Name}
        config signature
            set disabled-signature 50140001 50140002 50140003
        end
    end

 

To add signature 50160002:

config waf profile
    edit {Profile Name}
        config signature
            append disabled-signature 50160002
        end
    end

 

This adds the new signature ID to the list without overriding the previous exemptions.

 

To verify, list the disabled signatures with the following command (the output is shown for this example):

 

show full-configuration waf profile default | grep disabled-signature
set disabled-signature 50140001 50140002 50140003 50160002

 

In this example, 'default' is the name of the WAF profile. Adjust the command to the WAF profile as needed.

 

Exempting constraints:

Constraints have no per-ID exemption list. A constraint is exempted by disabling the specific constraint that is triggering; it is identified by the constraint= field in the WAF log, or in a WAD debug trace.

 

In WAF logs, the following is observed: 

 

date=2024-08-27 time=14:36:43 eventtime=1724794603481958473 tz="-0700" logid="1203030257" type="utm" subtype="waf" eventtype="waf-http-constraint" level="warning" vd="vdom1" policyid=1 poluuid="5abc15ac-6409-51ef-c613-484e704e7afd" policytype="policy" sessionid=1674 transid=50331781 profile="ITWAF" srcip=10.1.11.19 srcport=53002 srccountry="Reserved" srcuuid="08cf8d3c-6409-51ef-6d62-77244ab42ec1" dstip=44.19.15.7 dstport=443 dstcountry="United States" dstuuid="08cf8d3c-6409-51ef-6d62-77244ab42ec1" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" proto=6 httpmethod="GET" service="HTTPS" url="https://www.opengroup.org/" severity="medium" action="blocked" direction="request" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" constraint="malform-req"

 

In WAD debugs, the following is observed:

 

[I]2024-08-26 02:20:13.841285 wad_http_waf_check_req_sanity :1118 WAF constraint=malform-req action=1
[I]2024-08-26 02:20:13.841291 wad_http_waf_check_req :1174 WAF sanity check msg=0x7f721a48db30 rid=57
[I]2024-08-26 02:20:13.841293 __wad_http_build_replmsg_resp :632 Generating replacement message. WAF attack detected repmsg_id 57

 

For constraints, the workaround is to disable the constraint that is triggering. In this situation the log shows constraint="malform-req", which corresponds to the malformed constraint in the profile, so that constraint is disabled:

config waf profile
    edit "ITWAF"
        config constraint
            config malformed
                set status disable    <----- disables the constraint for this profile
                set action allow
                set log enable
            end
        end
    next
end

Disabling a constraint removes that check for all traffic matched by the profile. If the goal is only to stop the blocking while still seeing the hits, leave the status enabled and set the action to allow with logging enabled, then review the logs before deciding whether to disable the constraint.
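The following Python helper is an added example, not Fortinet's code and not part of the original article. It covers both halves of the procedure above: it parses FortiOS WAF log records, collects the Event IDs of blocked signature hits and the constraint names of blocked constraint hits, reads the existing disabled-signature list from 'show full-configuration' output, and emits the CLI with 'append' instead of 'set' so earlier exemptions survive. The sample log lines and the 'show' excerpt are constructed; the signature log field names (eventtype="waf-signature", eventid=) are an assumption about the log format, and the only constraint-name mapping included is the one the article shows (malform-req to the malformed sub-table).

```python
import re

# One key=value token: the value is a double-quoted string (may contain spaces,
# e.g. agent="Mozilla/5.0 (Windows NT 10.0; ...)") or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Log `constraint=` name -> `config constraint` sub-table name. Only the pair the
# article shows (malform-req -> malformed) is listed; extend it only with names
# verified on your FortiOS build.
CONSTRAINT_TABLE = {"malform-req": "malformed"}


def parse_log(line):
    """Split one FortiOS log record into a dict, stripping the value quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV_RE.findall(line)}


def parse_disabled_signatures(show_output):
    """Signature IDs already disabled in a profile, read from the output of
    `show full-configuration waf profile <name>` (empty list if none)."""
    m = re.search(r"^\s*set disabled-signature ([0-9 ]+)\s*$", show_output, re.M)
    return m.group(1).split() if m else []


def collect_exemptions(log_lines):
    """profile -> (signature IDs, constraint names) for blocked WAF events.
    Assumes the signature ID is logged as `eventid=` (the article's 'Event ID')
    and the constraint as `constraint=`; passthrough/monitor hits are ignored."""
    found = {}
    for line in log_lines:
        f = parse_log(line)
        if f.get("subtype") != "waf" or f.get("action") != "blocked":
            continue
        sigs, cons = found.setdefault(f.get("profile", ""), ([], []))
        if f.get("eventtype") == "waf-signature" and "eventid" in f:
            if f["eventid"] not in sigs:
                sigs.append(f["eventid"])
        elif f.get("eventtype") == "waf-http-constraint" and "constraint" in f:
            if f["constraint"] not in cons:
                cons.append(f["constraint"])
    return found


def signature_cli(profile, existing, new_ids):
    """CLI that adds signature exemptions. `set disabled-signature` replaces the
    whole list, so `append` is emitted whenever the profile already has entries."""
    to_add = [s for s in new_ids if s not in existing]
    if not to_add:
        return ""
    verb = "append" if existing else "set"
    return "\n".join([
        "config waf profile",
        f'    edit "{profile}"',
        "        config signature",
        f"            {verb} disabled-signature {' '.join(to_add)}",
        "        end",
        "    next",
        "end",
    ])


def constraint_cli(profile, constraints):
    """CLI that disables each triggering constraint. Only `status` is touched, so
    the constraint's action/log settings survive if it is re-enabled later."""
    inner = []
    for c in constraints:
        table = CONSTRAINT_TABLE.get(c)
        if table is None:
            raise KeyError(f"no config constraint sub-table known for {c!r}")
        inner += [f"            config {table}",
                  "                set status disable",
                  "            end"]
    if not inner:
        return ""
    return "\n".join(["config waf profile", f'    edit "{profile}"',
                      "        config constraint"] + inner
                     + ["        end", "    next", "end"])


# Constructed sample input (not from a real device). The constraint record mirrors
# the article's log; the signature records assume eventtype="waf-signature"/eventid=.
SAMPLE_LOGS = [
    'date=2024-08-27 time=14:36:43 type="utm" subtype="waf" eventtype="waf-http-constraint" '
    'profile="ITWAF" srcip=10.1.11.19 dstip=44.19.15.7 httpmethod="GET" '
    'url="https://www.opengroup.org/?a=b" action="blocked" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" constraint="malform-req"',
    'date=2024-08-27 time=14:37:10 type="utm" subtype="waf" eventtype="waf-signature" '
    'profile="ITWAF" srcip=10.1.11.20 action="blocked" eventid=50160002 msg="Generic Attacks"',
    'date=2024-08-27 time=14:37:11 type="utm" subtype="waf" eventtype="waf-signature" '
    'profile="ITWAF" srcip=10.1.11.20 action="blocked" eventid=50160002 msg="Generic Attacks"',
    'date=2024-08-27 time=14:38:00 type="utm" subtype="waf" eventtype="waf-signature" '
    'profile="ITWAF" srcip=10.1.11.21 action="passthrough" eventid=30000040 msg="monitor only"',
]

# Constructed excerpt of `show full-configuration waf profile ITWAF`.
SAMPLE_SHOW = """config waf profile
    edit "ITWAF"
        config signature
            set disabled-signature 50140001 50140002 50140003
        end
    next
end
"""


def build_commands(log_lines, profile, show_output):
    """The CLI to paste for one profile: signature block, then constraint block."""
    existing = parse_disabled_signatures(show_output)
    sigs, cons = collect_exemptions(log_lines).get(profile, ([], []))
    return "\n".join(b for b in (signature_cli(profile, existing, sigs),
                                 constraint_cli(profile, cons)) if b)


if __name__ == "__main__":
    print(build_commands(SAMPLE_LOGS, "ITWAF", SAMPLE_SHOW))
```

Run against the constructed input, the helper emits 'append disabled-signature 50160002' (because the profile already holds three exemptions) followed by a 'config malformed' block with 'set status disable'; the duplicate signature hit is collapsed and the passthrough hit for 30000040 is left alone, since monitor-only events need no exemption. The generated blocks close each entry with 'next' before the final 'end', which is the usual FortiOS CLI idiom; the article's 'end'/'end' form works as well.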