Skip to main content
FortiNet_Newb
FortiNet_Newb
New Member
October 26, 2023
Solved

WAF Profile - Exempt certain URL's from Inspection

  • October 26, 2023
  • 2 replies
  • 2582 views

We have a web application firewall (WAF) profile applied to incoming traffic to our web application server.  This server hosts several different applications all using the same FQDN (and IP) but they are accessed by different sub directories as shown below:

 

https://example.com/Application1/

https://example.com/Application2/

https://example.com/Application3/

 

In the example above, there are 3 different web applications.  Is there a way to make the WAF profile exclude inspecting traffic to Application 2?  Looking through the FortiOS CLI options for the WAF profile, there doesn’t appear to be, but wanted to double check.  I was hoping there would be a way to exempt WAF inspection based on a specific URL or URL pattern (in this case https://example.com/Application2/*).

 

We do not have FortiWeb, but rather are relying on the WAF features baked into FortiOS 7.2.X.

 

Thanks in advance.

Best answer by AEK

You can do this with FortiGate's WAF using one of the following methods:

  • Use different FQDN/IP for each web server
  • Use one FQDN/IP but with different ports (e.g.: 443, 8443)

This way you can use different WAF profiles.

2 replies

AEK
SuperUser
AEKAnswer
SuperUser
October 29, 2023

You can do this with FortiGate's WAF using one of the following methods:

  • Use different FQDN/IP for each web server
  • Use one FQDN/IP but with different ports (e.g.: 443, 8443)

This way you can use different WAF profiles.

AEK
    kcheng
    Staff & Editor
    kcheng
    Staff & Editor
    October 30, 2023

    Hi @FortiNet_Newb 

     

    The information provided by AEK is correct. The WAF feature on FortiGate does not allow you to achieve the objective that you wanted. If you are able to use different IP or different port mapping for the respective service, you can create different WAF profiles and implement the respective to the firewall policy.

      FortiNet_Newb
      FortiNet_NewbAuthor
      New Member
      October 31, 2023

      Thanks for confirming it's not possible without a work around such as the one @AEK mentioned.

      Terms & ConditionsAccessibility statement