luky
New Member
July 24, 2024
Question

Fortigate Webhosting different rules for Website Administrators vs guests

  • July 24, 2024
  • 3 replies
  • 1244 views

I have a simple question about a Fortigate VM in cloud.

I am hosting multiple websites where the FortiGate (mini) WAF features are enabled, like XSS, XSS Advanced, SQL Injection, SQL Injection Advanced and so on.

The problem is that website editing with "FCK-Editor" in the administrative web GUI of the hosted sites triggers XSS basic and extended and also SQL injection basic and extended. Since this is the mini WAF, I cannot fine-tune the policies.

Can I do some kind of Internet-FSSO where, for example, a website admin can authenticate before editing a website, so that I can create a separate firewall policy for authenticated admins?


All the admins are on workgroup Windows computers, not domain-joined or anything, all stand-alone computers.

3 replies

saleha
Staff & Editor
July 25, 2024

Hi luky,


Thank you for reaching out. Unfortunately, WAF does not have such an override feature. You can try setting up a policy with no WAF where the source includes a local user account or user accounts from other authentication servers such as LDAP, FSSO, RADIUS, etc., and another policy with WAF enabled where NO user account is set as source, and place the WAF policy lower on the list than the one without the WAF. That means if the user is not logging into the authentication server, their traffic will have to match the policy with no user accounts and WAF enabled, while if the user logs in to the authentication server, their traffic will match the policy with no WAF. I would recommend as well considering moving away from WAF, as it is a limited feature and most if not all of its functions are available in other UTM features such as Intrusion Prevention (IPS), Application Control and Web Filtering.


Thank you,

saleha

luky (Author)
New Member
July 25, 2024

One little question about the user part. You mentioned "local user" above. Do you mean a FortiGate local user? If yes, where can a user authenticate in order for the firewall policy to be active?

saleha
Staff & Editor
July 25, 2024

Yes, local user authentication would be on the FortiGate itself. You would in this case create the user account locally on the firewall and use that account or group on the firewall policy, similar to the example in the article linked below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084


Thank you,

saleha
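The layout described in both replies above (a policy for authenticated admins with no WAF placed above a WAF policy that has no user or group as source, with the admins defined as FortiGate local users), written out as a FortiOS CLI sketch. This is an added example, not configuration from the thread or from Fortinet; the user, group, interface and address names, the policy IDs and the FortiOS 7.x syntax are assumptions and must be adapted to the actual deployment.

```text
# Added example (not from the thread). Assumed FortiOS 7.x CLI syntax.
# Assumed names: port1 = Internet-facing interface, port2 = interface towards the
# hosted web servers, "Web-Servers" = existing address object for the hosted sites.

# 1. Local user and group for the site administrators (see the linked article)
config user local
    edit "site-admin1"
        set type password
        set passwd "CHANGE-ME"          # placeholder, set a strong password
    next
end
config user group
    edit "Web-Admins"
        set member "site-admin1"
    next
end

config firewall policy
    # 2. Policy for authenticated admins: group as source, no WAF profile
    edit 10
        set name "Websites-Admins-NoWAF"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web-Servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set groups "Web-Admins"         # only users who have authenticated match here
        set logtraffic all
    next
    # 3. Policy for everyone else: no user/group as source, WAF enabled
    edit 11
        set name "Websites-Guests-WAF"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web-Servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy       # WAF profiles need proxy-based inspection
        set utm-status enable
        set waf-profile "default"
        # assumed: a profile that decrypts inbound TLS (e.g. one holding the sites'
        # server certificate); without decryption the WAF cannot inspect HTTPS payloads
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
    next
    # 4. Ordering: the admin policy must be evaluated before the WAF policy
    move 10 before 11
end
```

Admins authenticate through the FortiGate's own captive portal when their HTTP(S) traffic hits policy 10, after which their sessions match it and bypass the WAF; guests have no matching user entry and fall through to policy 11. Whether an unauthenticated browser is prompted for credentials or silently falls through to the lower policy is governed by the firewall authentication settings (`auth-on-demand` under `config user setting`), so verify that behaviour on the firmware in use before relying on it. Logging on both policies is kept enabled so that WAF hits on the guest policy and authentication events on the admin policy remain visible.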