November 14, 2007

Technical Tip: Using IPS signature to block HTTP POST, PUT and DELETE requests

Description

This article describes how to block HTTP POST, PUT and DELETE requests by using IPS custom signatures.

Scope

All FortiGate units running FortiOS 7.0.

Solution
  1. Access the FortiGate GUI:
    • Log in to the FortiGate GUI.
  2. Enable Application Control:
    • Go to System -> Feature Visibility.
    • In the Security Features section, enable Application Control.
    • Select Apply.
  3. Create custom IPS signatures:
    • Go to Security Profiles -> Intrusion Prevention.
    • Edit an existing IPS sensor or create a new one.
    • Select View IPS Signatures in the right-hand pane.
  4. Define Custom Signatures:
    • Use the syntax for custom IPS signatures to define rules that match HTTP POST, PUT, and DELETE requests.

Example signature syntax, defining a custom signature to block HTTP POST requests:

F-SBID( --name "Block HTTP POST"; --protocol tcp; --service HTTP; --pattern "POST"; --context header; )

Similarly, create signatures for PUT and DELETE requests by replacing 'POST' with 'PUT' and 'DELETE' respectively.

  5. Apply the Custom Signatures:
    • Once the custom signatures are created, ensure they are included in the IPS sensor profile that is applied to the relevant firewall policies.
  6. Test the configuration:
    • After applying the changes, test the configuration to ensure that HTTP POST, PUT, and DELETE requests are being blocked as expected.
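
A client-side check for step 6, added here as an example; it is not part of the original article or of Fortinet's tooling. It assumes a test web server behind the policy, reachable over plain HTTP at the URL given in the hypothetical TEST_URL variable, and that a blocked request surfaces in curl as a reset, empty reply or timeout with no HTTP status.

```shell
#!/bin/sh
# Added example: verify from a test client that the IPS sensor blocks
# POST, PUT and DELETE while a control GET still passes.
# Assumptions (not from the article): TEST_URL points at a test server
# behind the firewall policy over plain HTTP, and a block appears to the
# client as a curl error with no HTTP status ("000").

# classify <curl_exit_code> <http_status> -> prints "blocked" or "allowed"
classify() {
    if [ "$1" -ne 0 ] && [ "$2" = "000" ]; then
        echo blocked
    else
        # Any HTTP status (even 405) means the request reached the server.
        echo allowed
    fi
}

# expected <METHOD> -> verdict the article's three signatures should give
expected() {
    case "$1" in
        POST|PUT|DELETE) echo blocked ;;
        *)               echo allowed ;;
    esac
}

# probe <METHOD> <URL> -> sends one request, prints "METHOD verdict PASS|FAIL"
probe() {
    status=$(curl -s -o /dev/null -m 10 -X "$1" -w '%{http_code}' "$2")
    rc=$?
    verdict=$(classify "$rc" "$status")
    if [ "$verdict" = "$(expected "$1")" ]; then
        result=PASS
    else
        result=FAIL
    fi
    echo "$1 $verdict $result"
}

# Requests are only sent when TEST_URL is set, e.g.
#   TEST_URL=http://test-server.example/ sh check_methods.sh
if [ -n "${TEST_URL:-}" ]; then
    for method in GET POST PUT DELETE; do
        probe "$method" "$TEST_URL"
    done
fi
```

A FAIL on the GET line means the control request did not get through, so the other results say nothing about the signatures until the path itself works.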