Idan_Soen_FTNT
Staff
December 21, 2021

Technical Tip: Deploying Fortinet AWS WAF Partner Rule Groups (AWS WAF v2)

Description

This article describes how to set up and deploy Fortinet's AWS WAF Partner Rule Groups (AKA managed rule groups) on the AWS WAF v2 platform.

Scope

AWS WAF Partner Rule Groups

Solution

AWS WAF Partner Rule Groups are sets of subscription-based web application firewall (WAF) rules/signatures offered by third-party vendors that can be used to augment the basic WAF protections offered by Amazon's WAF product. For more information on AWS WAF, refer to the following document provided by AWS: AWS WAF

Note that AWS WAF has two versions: AWS WAF v1/'Classic' and AWS WAF v2. Notable feature improvements of the AWS WAF v2 rule groups over the AWS WAF v1-based groups include the following:

  • Versioning support - Fortinet managed rule groups support AWS WAF versioning, which allows users to select from multiple versions of a given rule group (for those that need controlled iterations of WAF rules rather than immediately using the latest rules/signatures). See the 'Utilizing versioning support for Fortinet Managed Rules for AWS WAF' section further below for more information.
  • SNS Notifications - Fortinet managed rule groups can utilize Amazon Simple Notification Service (SNS) to notify administrators of new versions, security updates, and other rule group changes.

For information regarding the legacy AWS WAF 'Classic' version of Fortinet's managed rule groups, refer to the following KB article: Technical Tip: Deploying Fortinet AWS WAF Partner Rule Groups (AWS WAF v1/'Classic')

Fortinet currently offers two rulesets for AWS WAF v2 that are based on the FortiWeb WAF service signatures and receive regular updates from the FortiGuard Labs team:

For technical assistance/support regarding these managed rule groups, contact Fortinet directly by email at awswaf@fortinet.com.

Configuring Fortinet Managed Rules for AWS WAF:

It is important to understand that managed rule groups do not require administrators to deploy new VM instances in AWS. Instead, managed rule groups are deployed as modules that are installed into AWS protection packs (AKA web ACLs) to protect AWS resources, just like the standard AWS WAF solution. Below is an example of deploying a Fortinet AWS WAF Partner Rule Group.

Subscribe to the Service:

In AWS Marketplace, search for 'Fortinet Managed Rules for AWS WAF', or use the links provided above. Ensure that an AWS WAF v2 listing is chosen, rather than an AWS WAF v1/Classic listing, then select the Continue to Subscribe button:

[Screenshot: Idan_Soen_FTNT_0-1640038169186.png]

Review the pricing information, then select Subscribe to subscribe to the module:

[Screenshot: Idan_Soen_FTNT_1-1640038185091.png]

Add the managed rule group to an AWS Protection Pack (web ACL):

Navigate to the AWS WAF & Shield application, then select AWS WAF -> Protection Packs (web ACLs). Create or select a protection pack, then navigate to the Rules tab and choose Add managed rule groups:

[Screenshot: Idan_Soen_FTNT_2-1640038280271.png]

Find the section labelled 'Fortinet managed rule groups', enable the Add to web ACL toggle, then select Add rules.

[Screenshot: Idan_Soen_FTNT_3-1640038289712.png]

After committing the change, a new entry labelled 'Fortinet-all_rules' will be visible under the protection pack/web ACL.

[Screenshot: Idan_Soen_FTNT_4-1640038303884.png]

Verification:

There are two typical methods available for confirming that the new Fortinet managed rule group for AWS WAF is working correctly:

Method 1: Access testing using HTTP/HTTPS:

Use a tool like cURL or a web browser to access the WAF-protected application using the following URL and test path. This should trigger an HTTP 403 Forbidden response/block page, indicating that the WAF denied the request:

http://<domain_name_here>/?a=%3Cscript%3E OR https://<domain_name_here>/?a=%3Cscript%3E

[Screenshot: Idan_Soen_FTNT_5-1640038318273.png]

[Screenshot: Idan_Soen_FTNT_6-1640038325485.png]

Method 2: Checking Attack Logs:

Before testing, ensure that logging has been enabled in the protection pack (web ACL). It may be necessary to create a log group first in order to receive the generated logs (note that the log group name must start with 'aws-waf-logs-'):

[Screenshot: Idan_Soen_FTNT_7-1640038339964.png]

[Screenshot: Idan_Soen_FTNT_8-1640038344857.png]

[Screenshot: Idan_Soen_FTNT_9-1640038348812.png]

Once logging has been enabled, use Method 1 (or similar) to trigger another block page. This should result in AWS log entries being generated for these block events.

[Screenshot: Idan_Soen_FTNT_10-1640038358456.png]
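The log check in Method 2 can be scripted rather than read by eye. The following Python is an added example, not part of this article and not Fortinet's or AWS's tooling: it reads AWS WAF JSON log records (one object per line, as delivered to the aws-waf-logs- log group), keeps the requests that the 'Fortinet-all_rules' entry blocked, pulls out the triggering ruleID that the Additional Information section describes, and tallies hits per rule (blocked and COUNT-mode matches alike) as the starting point for a false-positive review. The three log records are constructed for the example; every PLACEHOLDER_* rule and group identifier is a stand-in, since the article does not list real Fortinet rule names.

```python
"""Pull Fortinet rule-group hits out of AWS WAF (v2) JSON log records.

Added example, not Fortinet's or AWS's code. The three records below are
constructed to follow the AWS WAF log layout (action, terminatingRuleId,
terminatingRuleType, ruleGroupList[].terminatingRule.ruleId, httpRequest);
every PLACEHOLDER_* value is a stand-in, not a real Fortinet identifier.
"""
import json
from collections import Counter

WEB_ACL_RULE_NAME = "Fortinet-all_rules"   # rule entry the console creates

# Constructed sample records; AWS delivers one JSON object per log line.
_SAMPLE_RECORDS = [
    {"timestamp": 1640038358456, "action": "BLOCK",          # Method 1 test, blocked
     "terminatingRuleId": WEB_ACL_RULE_NAME, "terminatingRuleType": "MANAGED_RULE_GROUP",
     "ruleGroupList": [{"ruleGroupId": "PLACEHOLDER_GROUP_ID",
                        "terminatingRule": {"ruleId": "PLACEHOLDER_XSS_RULE", "action": "BLOCK"},
                        "nonTerminatingMatchingRules": []}],
     "httpRequest": {"clientIp": "203.0.113.10", "httpMethod": "GET",
                     "uri": "/", "args": "a=%3Cscript%3E"}},
    {"timestamp": 1640038358789, "action": "ALLOW",          # default action, no match
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "DEFAULT_ACTION",
     "ruleGroupList": [{"ruleGroupId": "PLACEHOLDER_GROUP_ID", "terminatingRule": None,
                        "nonTerminatingMatchingRules": []}],
     "httpRequest": {"clientIp": "203.0.113.11", "httpMethod": "GET",
                     "uri": "/index.html", "args": ""}},
    {"timestamp": 1640038359012, "action": "ALLOW",          # rule in COUNT: logged, passed
     "terminatingRuleId": "Default_Action", "terminatingRuleType": "DEFAULT_ACTION",
     "ruleGroupList": [{"ruleGroupId": "PLACEHOLDER_GROUP_ID", "terminatingRule": None,
                        "nonTerminatingMatchingRules": [
                            {"ruleId": "PLACEHOLDER_SQLI_RULE", "action": "COUNT"}]}],
     "httpRequest": {"clientIp": "203.0.113.12", "httpMethod": "POST",
                     "uri": "/search", "args": "q=report"}},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]


def parse_waf_log_lines(lines):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue        # a truncated line should not abort the whole review
    return records


def matched_rule_ids(record):
    """(ruleId, action) for every managed-group rule that matched the request.

    A block is recorded as ruleGroupList[].terminatingRule; a rule (or whole
    group) switched to COUNT appears under nonTerminatingMatchingRules instead.
    """
    hits = []
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            hits.append((term["ruleId"], term["action"]))
        for match in group.get("nonTerminatingMatchingRules") or []:
            hits.append((match["ruleId"], match["action"]))
    return hits


def fortinet_blocks(records, rule_name=WEB_ACL_RULE_NAME):
    """One row per request the Fortinet entry blocked, with the triggering ruleID."""
    rows = []
    for rec in records:
        if rec.get("action") != "BLOCK" or rec.get("terminatingRuleId") != rule_name:
            continue
        req = rec.get("httpRequest", {})
        blocking = [rid for rid, action in matched_rule_ids(rec) if action == "BLOCK"]
        rows.append({
            "timestamp": rec.get("timestamp"),
            "client_ip": req.get("clientIp"),
            "method": req.get("httpMethod"),
            "uri": req.get("uri"),
            "args": req.get("args"),   # query string only: the body is never logged
            "rule_id": blocking[0] if blocking else None,
        })
    return rows


def rule_hit_counts(records):
    """Matches per ruleID, BLOCK and COUNT alike: the starting point for deciding
    which rule to switch to COUNT or to exclude with a scope-down statement."""
    counts = Counter()
    for rec in records:
        for rid, _action in matched_rule_ids(rec):
            counts[rid] += 1
    return counts


if __name__ == "__main__":
    recs = parse_waf_log_lines(SAMPLE_LOG_LINES)
    for row in fortinet_blocks(recs):
        print(row)
    print(rule_hit_counts(recs).most_common())
```

To run it against real data, replace SAMPLE_LOG_LINES with the lines exported from the CloudWatch log group; the row layout deliberately carries only what the log provides (client IP, method, URI, query string), since the request body is not logged.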

Utilizing versioning support for Fortinet Managed Rules for AWS WAF:

AWS WAF has supported versioning since November 2021, which allows users to switch between different versions of a given managed rule group as they are updated over time. This is particularly useful for environments that need to lock in a particular version for validation, and for clients who are wary of new signature updates causing unexpected changes in traffic handling.

Take care when specifying a static version of a managed rule group, as the ruleset will not be updated to address new threats until an administrator manually changes the version again. To specify a particular ruleset version using the versioning system, use the following steps:

Navigate back to the AWS WAF & Shield application, then select AWS WAF -> Protection Packs (web ACLs). Select the protection pack to modify, navigate to the Rules section, then select the 'Fortinet-all_rules' entry and select Edit.

[Screenshot: Idan_Soen_FTNT_11-1640038373740.png]

Use the ruleset's Version dropdown menu to select the version. Three version options will be available for the Complete OWASP Top 10 ruleset:

  • Default - always up-to-date and receives new signatures periodically.
  • Main_* - statically sets the ruleset to the listed version number and does not receive any further updates.
  • Others, such as Test_* - typically available for testing purposes but not recommended for end-user usage.

[Screenshot: Idan_Soen_FTNT_12-1640038386154.png]

Simple Notification Service (SNS) support for Fortinet Managed Rules for AWS WAF:

An SNS topic exists that users can subscribe to in order to receive notices of updates and new releases for Fortinet managed rule groups. The following Amazon Resource Name (ARN) can be used to subscribe to the topic:

arn:aws:sns:us-east-1:040422370703:Fortinet_OWASP_Top_10_Notifications

It is also possible to find the SNS topic ARN for a given managed rule group on the same page as the Version setting:

[Screenshot: Idan_Soen_FTNT_13-1640038405541.png]

Currently there are two types of notifications published by Fortinet via these SNS topics:

  • Version Release - once a new version is released, a notification is sent out along with information about the updated rules.
  • Version Revocation - once an old version is obsoleted, a notification is sent out to initiate the revocation process for the old version. This occurs in two steps:
    1. The revoked version becomes invisible to those who have not already selected the version statically, and a notification is received regarding the revocation.
    2. Those who are manually using this version receive a notification along with a 30 day grace period of continued usage so that administrators may upgrade versions. After 30 days have passed, the version is fully removed and becomes unavailable.

Additional Information:

  • Signatures in the default version are typically updated on a monthly basis, though the disclosure of new vulnerabilities may change this timeline depending on the urgency/severity of the vulnerability. New static versions are typically released on a quarterly basis.
  • Each static version is supported for up to 6 months, after which it is subject to revocation and the 30 day grace period specified above.
    • Users that continue to use this version after the 30 day grace period has expired will be automatically switched to the default version.
  • Partner Rule Groups are typically deployed on a per-region basis, except in the case of AWS CloudFront, which is a global deployment. It is generally necessary to deploy Partner Rule Groups in each AWS region that has applications requiring WAF protection.
  • WAF signature regex information is considered proprietary vendor information and is not exposed for end-users to view.
  • Each WAF rule carries a ruleID field that states the name of that WAF rule. This can be used within the AWS attack logs to determine which rule took effect for a given traffic stream.

    [Screenshot: WAF_RuleID.png]

  • AWS logs do not provide any visibility into HTTP request bodies, so it is not possible to check for details such as HTTP POST arguments made by a blocked request.
  • If necessary, users can whitelist WAF signatures/rules that are triggering false positives or are blocking unexpected traffic. To do so, use one of the following options:
    1. Switch that specific rule to the COUNT action (see also: Using rule actions in AWS WAF), or
    2. Use AWS scope-down statements, which are visible on the same page as the rule view.
  • Take note that Fortinet AWS WAF Partner Rule Groups do include technical support in the form of email support. Send an email directly to awswaf@fortinet.com for any questions or concerns regarding false positive matches to WAF signatures, and for expedited support ensure that the following information is captured and shared in the email:
    • AWS region name.
    • Rule Name/ID.
    • Packet captures of the offending/triggering traffic.
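The console steps in this article (adding the group to a web ACL, pinning a Main_* version, and the two whitelisting options of switching one rule to COUNT or adding a scope-down statement) all map onto a single AWS WAFv2 rule object. The following Python/boto3 code is an added example, not Fortinet's or AWS's own code: it builds that rule object and performs the read-modify-write update of an existing web ACL. It assumes the vendor name 'Fortinet' and rule group name 'all_rules', inferred from the 'Fortinet-all_rules' entry the console shows (confirm the exact names with `aws wafv2 list-available-managed-rule-groups`); the version string 'Main_1.0', the rule ID and the web ACL ID in it are placeholders.

```python
"""Attach the Fortinet managed rule group to an AWS WAFv2 web ACL with boto3.

Added example, not Fortinet's or AWS's own code. Assumptions (labelled):
  - VENDOR_NAME "Fortinet" and RULE_GROUP_NAME "all_rules" are inferred from
    the 'Fortinet-all_rules' entry the console creates; confirm them with
    `aws wafv2 list-available-managed-rule-groups --scope REGIONAL`.
  - Version strings such as "Main_1.0" are placeholders; real ones come from
    `aws wafv2 list-available-managed-rule-group-versions`.
"""
import json

VENDOR_NAME = "Fortinet"        # assumed vendor name (see module docstring)
RULE_GROUP_NAME = "all_rules"   # assumed rule group name (see module docstring)


def _uri_prefix_match(prefix):
    """ByteMatchStatement: URI path starts with `prefix` (SearchString is bytes)."""
    return {"ByteMatchStatement": {
        "SearchString": prefix.encode(),
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "STARTS_WITH",
    }}


def build_fortinet_rule(priority=0, version=None, count_only=False,
                        count_rule_ids=(), skip_uri_prefixes=()):
    """Return the WAFv2 Rule dict behind the console's 'Add managed rule groups'
    step, with the knobs this article discusses:

    version           None keeps the auto-updating Default version; a string pins
                      a static version (a Main_* name) until it is changed again.
    count_only        True sets the whole group's override action to COUNT, so
                      matches are logged but nothing is blocked.
    count_rule_ids    ruleIDs (as seen in the attack logs) switched to COUNT one
                      by one: the first whitelisting option in the text.
    skip_uri_prefixes URI path prefixes the group must not inspect, expressed as
                      a scope-down statement: the second whitelisting option.
    """
    statement = {"VendorName": VENDOR_NAME, "Name": RULE_GROUP_NAME}
    if version is not None:
        statement["Version"] = version
    if count_rule_ids:
        statement["RuleActionOverrides"] = [
            {"Name": rid, "ActionToUse": {"Count": {}}} for rid in count_rule_ids]
    if skip_uri_prefixes:
        matches = [_uri_prefix_match(p) for p in skip_uri_prefixes]
        # OrStatement needs at least two operands; a single prefix is used bare.
        inner = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
        statement["ScopeDownStatement"] = {"NotStatement": {"Statement": inner}}
    return {
        "Name": f"{VENDOR_NAME}-{RULE_GROUP_NAME}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": f"{VENDOR_NAME}_{RULE_GROUP_NAME}"},
    }


def add_rule_to_web_acl(client, name, acl_id, rule, scope="REGIONAL"):
    """Read-modify-write the web ACL; the LockToken rejects a stale update.
    `client` is a boto3 wafv2 client. Scope is REGIONAL or CLOUDFRONT (the
    latter must be called in us-east-1). Rule priorities must be unique within
    the ACL, so a colliding priority is bumped past the existing ones."""
    current = client.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl = current["WebACL"]
    others = [r for r in acl["Rules"] if r["Name"] != rule["Name"]]
    if any(r["Priority"] == rule["Priority"] for r in others):
        rule = dict(rule, Priority=max(r["Priority"] for r in others) + 1)
    return client.update_web_acl(
        Name=name, Scope=scope, Id=acl_id, LockToken=current["LockToken"],
        DefaultAction=acl["DefaultAction"], Rules=others + [rule],
        VisibilityConfig=acl["VisibilityConfig"])


if __name__ == "__main__":
    # Print the rule JSON (bytes decoded) so it can be reviewed before applying.
    rule = build_fortinet_rule(version="Main_1.0",               # placeholder version
                               count_rule_ids=["PLACEHOLDER_RULE_ID"],
                               skip_uri_prefixes=["/healthz", "/static/"])
    print(json.dumps(rule, indent=2, default=lambda b: b.decode()))
    # To apply it (needs AWS credentials and an existing web ACL):
    # import boto3
    # add_rule_to_web_acl(boto3.client("wafv2", region_name="us-east-1"),
    #                     "my-web-acl", "WEB_ACL_ID_PLACEHOLDER", rule)
```

Keeping the per-rule COUNT overrides and the scope-down statement inside the managed rule group statement, rather than disabling the whole group, is what lets the rest of the Fortinet signatures keep blocking while a single noisy rule or an excluded path is reviewed.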

Related documents: