0xNat
New Member
April 17, 2024
Solved

FortiOS 7.2.8 WAF Event ID not showing when blocked

  • April 17, 2024
  • 1 reply
  • 4342 views

Hi,

After upgrading to FortiOS 7.2.8 we are having some issues with the WAF filter on some of our services. It seems that the filter in this version is set up harder or that the exceptions we built in the past based on event IDs are being ignored.

I noticed that when an event has been blocked no Event ID is showing up. On previous versions I could use the event ID to create an exception but now I can't. Any ideas?

Thank you in advance.

Best answer by 0xNat

I ended up making a new profile but without blocking the constraint for malformed requests. That works. It is too bad that because of a false positive you have to avoid the constraint entirely but well ...

1 reply

AEK
SuperUser
April 17, 2024

Hi @0xNat 

Probably a display bug.

In order to confirm it please try with CLI.

config waf profile
edit <name>
config constraint
config exception
edit <id>


For the event ID if it is not displayed in GUI you may double-click on it, or you may find it with CLI logs:

execute log filter category
12: utm-waf <-- select this one


Hope it helps.

AEK
0xNat (Author)
New Member
April 17, 2024

Thank you for your advice.


Probably a display bug.

In order to confirm it please try with CLI.

config waf profile
edit <name>
config constraint
config exception
edit <id>

I don't have a 'config exception' option under 'config constraint'.


config constraint
    config header-length
        set status enable
        set length 16384
        set action block
        set log enable
        set severity medium
    end
    config content-length
        set status enable
        set length 67108864
        set action block
        set log enable
        set severity medium
    end
    config param-length
        set status enable
        set length 65536
        set action block
        set log enable
        set severity medium
    end
    config line-length
        set status enable
        set length 1024
        set action allow
        set log enable
        set severity medium
    end
    config url-param-length
        set status enable
        set length 32768
        set action block
        set log enable
        set severity medium
    end
    config version
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config method
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config hostname
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config malformed
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config max-cookie
        set status enable
        set max-cookie 48
        set action block
        set log enable
        set severity medium
    end
    config max-header-line
        set status enable
        set max-header-line 32
        set action allow
        set log enable
        set severity medium
    end
    config max-url-param
        set status enable
        set max-url-param 48
        set action block
        set log enable
        set severity medium
    end
    config max-range-segment
        set status enable
        set max-range-segment 10
        set action block
        set log enable
        set severity medium
    end
end


For the event ID if it is not displayed in GUI you may double-click on it, or you may find it with CLI logs:

execute log filter category
12: utm-waf <-- select this one

Double-clicking doesn't show any event ID and the FortiAnalyzer doesn't show it either.

[Attached screenshots: eventid.png, no_eventid.png]

CLI logging shows only logs from the last hour by the way. Do you know how I could configure it to show the last 24 hours? I couldn't find any docs about that.

AEK
SuperUser
April 17, 2024

I have this feature in my FOS 6.2.16 and it seems to exist in 7.2.8 as well.

https://docs.fortinet.com/document/fortigate/7.2.8/cli-reference/495620/config-waf-profile

Didn't add such exceptions before, but according to the man page it doesn't seem to have event-id as a parameter, but other fields like pattern and address.

For the log entries you can try with this:

execute log filter start-line 
execute log filter view-lines


AEK
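The alternative to the accepted answer (dropping the malformed constraint from the profile altogether) is the one AEK points at: keep the constraint blocking and carve out an exception scoped by URL pattern and source address, with only the malformed check exempted. The following is an added FortiOS CLI example written for this thread, not configuration from either poster or from Fortinet's documentation. The profile name, address object name and URL path are placeholders; the field names follow the `config waf profile` CLI reference linked above and are assumed to be present in 7.2.8, where 0xNat reported not seeing `config exception` in the GUI-derived output.

```fortios
config waf profile
    edit "web-prod-waf"
        config constraint
            # Keep the constraint active and blocking for everyone by default
            config malformed
                set status enable
                set action block
                set log enable
                set severity medium
            end
            # Exception 1: exempt one client group on one endpoint from
            # the malformed check only. Every other constraint (lengths,
            # method, hostname, cookies, ...) still applies to this traffic.
            config exception
                edit 1
                    # placeholder: firewall address object holding the
                    # clients that trigger the false positive
                    set address "trusted-upload-clients"
                    # placeholder: the endpoint producing the false positive;
                    # literal match, so no regex special characters needed
                    set pattern "/api/upload"
                    set regex disable
                    set malformed enable
                next
            end
        end
    next
end
```

Narrowing the exception this way keeps the log trail for every other source and path: a malformed request from an address outside the object, or to any other URL, is still blocked and logged under utm-waf, so the false positive is handled without losing visibility of real abuse of the same constraint.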