mzainuddinahm
Staff & Editor
November 4, 2024

Technical Tip: How to create a custom FortiGate WAF (Web Application Firewall) signature

Description
This article describes how to create a custom WAF signature.

Scope
FortiGate, Web Application Firewall.

Solution

The following configuration requires the FortiGate 'Web Application Firewall' feature to be enabled under System -> Feature Visibility -> Security Features -> Web Application Firewall.

Once the feature is enabled, 'Web Application Firewall' will be available under Security Profiles.

 

Creating a custom signature helps block or allow a specific URL address or URL path, for example one involved in an identified 'false positive'. These custom signatures can also act as an exception list instead of disabling a specific signature ID with the command 'set disabled-signature'.

 

The default config values would look as follows:

 

config custom-signature
Description: Custom signature.
    edit <name>
        set status [enable|disable]
        set action [allow|block|...]
        set log [enable|disable]
        set severity [high|medium|...]
        set direction [request|response]
        set case-sensitivity [disable|enable]
        set pattern {string}
        set target {option1}, {option2}, ...
    next
end

 

Note: custom signatures can only be created from the command line (CLI), and a 'regular expression' cannot be used as the {string} value of the command 'set pattern'.

 

Custom-signature example.

If a URL address that includes Fortinet, such as 'community.fortinet.com', needs to be allowed, the following example can be used for this purpose.

 

config custom-signature
    edit allow_fortinet
        set status enable
        set action allow
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern community.fortinet.com
        set target req-header
    next
end

Note: 'set pattern *.fortinet.com' can also be used instead of the full host name.

 

The key lines here are:

 

set direction request
set pattern community.fortinet.com
set target req-header

 

Because the target is the request header, this signature matches only the URL address (host) part, not the URL path.

 

Now, consider an example to block access to the FortiSIEM Community.

 

The custom signature below is an example that needs to match the URL path 't5/FortiSIEM/gh-p/fortisiem'.

 

config custom-signature
    edit block_fortinet_fortisiem
        set status enable
        set action block
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern "t5/FortiSIEM/*"
        set target req-uri
    next
end

 

The key lines here are:

 

set direction request
set pattern "t5/FortiSIEM/*"
set target req-uri
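The following Python script is an added example, not code from this article or from Fortinet. It models how a set of custom signatures would be evaluated against sample requests, so that a candidate pattern can be checked for unintended matches (false positives) before it is deployed. It parses the 'config custom-signature' CLI block format shown above, warns about regex metacharacters that 'set pattern' would not interpret, and applies each signature to constructed sample requests. The matching semantics used here (only '*' as a wildcard, the pattern matched anywhere in the targeted field, 'req-header' inspected as 'Name: value' lines, only the 'req-uri' and 'req-header' targets) are assumptions made for illustration, not a description of FortiOS internals, and the script says nothing about which action wins when several signatures match.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: both signatures from this article, in FortiOS CLI form.
SAMPLE_CONFIG = """
config custom-signature
    edit allow_fortinet
        set status enable
        set action allow
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern community.fortinet.com
        set target req-header
    next
    edit block_fortinet_fortisiem
        set status enable
        set action block
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern "t5/FortiSIEM/*"
        set target req-uri
    next
end
"""

# Constructed sample requests (hypothetical traffic, not captured data).
SAMPLE_REQUESTS = [
    {"uri": "/t5/FortiGate/bd-p/fortigate", "headers": {"Host": "community.fortinet.com"}},
    {"uri": "/t5/FortiSIEM/gh-p/fortisiem", "headers": {"Host": "community.fortinet.com"}},
    {"uri": "/T5/FORTISIEM/gh-p/x", "headers": {"Host": "docs.fortinet.com"}},
    {"uri": "/index.html", "headers": {"Host": "example.test"}},
]


@dataclass
class CustomSignature:
    name: str
    status: str = "enable"
    action: str = "block"
    log: str = "enable"
    severity: str = "medium"
    direction: str = "request"
    case_sensitivity: str = "disable"
    pattern: str = ""
    target: list = field(default_factory=list)


def parse_custom_signatures(config_text):
    """Turn a 'config custom-signature ... end' block into CustomSignature objects."""
    sigs, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = CustomSignature(name=line[5:].strip().strip('"'))
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            value = value.strip().strip('"')
            if key == "target":
                # target accepts several options; accept comma or space separated
                current.target = [t for t in re.split(r"[,\s]+", value) if t]
            else:
                setattr(current, key.replace("-", "_"), value)
        elif line in ("next", "end") and current is not None:
            sigs.append(current)
            current = None
    return sigs


def lint_pattern(pattern):
    """Regular expressions are not supported in 'set pattern': report metacharacters
    that would be taken literally (only '*' is treated as a wildcard in this model)."""
    return [c for c in pattern if c in "[](){}^$+?|\\"]


def pattern_to_regex(pattern, case_sensitive):
    # Assumption for this model: '*' matches any run of characters, everything else
    # is literal, and the pattern may occur anywhere in the targeted field.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), 0 if case_sensitive else re.IGNORECASE)


# Which part of a request each target inspects (only the two targets used above).
TARGET_FIELDS = {
    "req-uri": lambda m: [m.get("uri", "")],
    "req-header": lambda m: [f"{k}: {v}" for k, v in m.get("headers", {}).items()],
}


def matching_signatures(sigs, request):
    """Return (name, action) for every enabled request-direction signature that matches."""
    hits = []
    for sig in sigs:
        if sig.status != "enable" or sig.direction != "request":
            continue
        rx = pattern_to_regex(sig.pattern, sig.case_sensitivity == "enable")
        for target in sig.target:
            fields = TARGET_FIELDS.get(target, lambda m: [])(request)
            if any(rx.search(f) for f in fields):
                hits.append((sig.name, sig.action))
                break
    return hits


if __name__ == "__main__":
    sigs = parse_custom_signatures(SAMPLE_CONFIG)
    for sig in sigs:
        bad = lint_pattern(sig.pattern)
        if bad:
            print(f"WARNING {sig.name}: pattern contains {bad}, regex is not supported")
    for req in SAMPLE_REQUESTS:
        print(req["headers"]["Host"], req["uri"], "->", matching_signatures(sigs, req) or "no match")
```

Running the script shows that the req-header signature fires on every request to the community host regardless of path, while the req-uri signature fires on the FortiSIEM path (including an upper-case variant, since case-sensitivity is disabled) regardless of host; a pattern that only produces the expected rows in this table is a reasonable candidate to push to the FortiGate and then confirm with the signature-level log.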

 

Also, enabling logging at the signature level helps verify whether the custom signatures are actually matching the intended traffic.

 

If there is a match, logs should be available in: Log & Report -> Security Events -> Details -> Web Application Firewall.

 

Related article:

Technical Tip: Technical support on customization on various Fortinet products