Dhruvin_patel
Article Id 341789
Description

This article describes how to allow traffic that is dropped by a particular WAF signature.

Scope

FortiGate.
Solution

To configure the WAF profile itself, see: Technical Tip: How to configure a Web Application Firewall (WAF) to protect a web server behind Fort...

  1. Identify which WAF signature is blocking traffic to the URL by using the event ID shown in the WAF logs.

Below is an example of traffic being blocked by the WAF filter due to event ID 40000108:

 

Aug 12 09:53:08 172.26.xx.xx date=2024-08-12 time=09:53:08 devname="fgt-01" devid="FG100FTK********" eventtime=1723470787203338779 tz="-0400" logid="1200030248" type="utm" subtype="waf" eventtype="waf-signature" level="warning" vd="root" policyid=66 poluuid="xxx" policytype="policy" sessionid=2604338458 profile="WAF_profile" srcip=209.xx.xx.xx srcport=19355 srccountry="United States" srcuuid="xxx" dstip=160.xx.xx.xx dstport=443 dstcountry="United States" dstuuid="xxx" srcintf="wan2" srcintfrole="wan" dstintf="FG" dstintfrole="dmz" proto=6 httpmethod="POST" service="HTTPS" url="https://xxx/api/" severity="medium" action="blocked" direction="request" eventid=40000108 msg="SQL Injection (Extended)"
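Before a signature is disabled for the whole profile, it helps to see how many blocks each event ID produced, from how many sources, and against which URLs. The following Python script is an added example, not part of the original article or of Fortinet tooling; it parses key=value log lines like the one above, and the sample lines, hostnames, second profile name and event ID 49999999 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value layout of the log above; the
# addresses, URLs, second profile and event ID 49999999 are made up.
SAMPLE_LOGS = [
    'Aug 12 09:53:08 192.0.2.1 date=2024-08-12 subtype="waf" profile="WAF_profile" '
    'srcip=198.51.100.7 httpmethod="POST" url="https://app.example/api/?q=a=b" '
    'action="blocked" eventid=40000108 msg="SQL Injection (Extended)"',
    'date=2024-08-12 subtype="waf" profile="WAF_profile" srcip=203.0.113.9 '
    'httpmethod="POST" url="https://app.example/api/" action="blocked" '
    'eventid=40000108 msg="SQL Injection (Extended)"',
    'date=2024-08-12 subtype="waf" profile="WAF_profile" srcip=203.0.113.9 '
    'httpmethod="GET" url="https://app.example/login" action="blocked" '
    'eventid=49999999 msg="Constructed signature"',
    'date=2024-08-12 subtype="waf" profile="Other_profile" srcip=198.51.100.7 '
    'httpmethod="POST" url="https://other.example/" action="blocked" '
    'eventid=40000108 msg="SQL Injection (Extended)"',
]

# key=value pairs; values are either double-quoted (may contain spaces and '=')
# or a bare token. The syslog prefix has no '=' and is skipped.
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one log line into a dict, stripping the surrounding quotes."""
    return {k: v[1:-1] if len(v) > 1 and v[0] == v[-1] == '"' else v
            for k, v in FIELD_RE.findall(line)}

def summarize_blocks(lines, profile):
    """Per event ID blocked under `profile`: count, source IPs, method+URL pairs."""
    summary = defaultdict(lambda: {"msg": "", "count": 0,
                                   "sources": set(), "targets": set()})
    for rec in map(parse_line, lines):
        if (rec.get("subtype"), rec.get("action"), rec.get("profile")) != (
                "waf", "blocked", profile):
            continue
        entry = summary[rec.get("eventid", "unknown")]
        entry["msg"] = rec.get("msg", "")
        entry["count"] += 1
        entry["sources"].add(rec.get("srcip", "?"))
        entry["targets"].add((rec.get("httpmethod", "?"), rec.get("url", "?")))
    return dict(summary)

if __name__ == "__main__":
    for eid, e in summarize_blocks(SAMPLE_LOGS, "WAF_profile").items():
        print(f'{eid} "{e["msg"]}": {e["count"]} blocks, '
              f'{len(e["sources"])} sources, targets={sorted(e["targets"])}')
```

An event ID that fires only on one known application endpoint from legitimate clients is a candidate for the exception described below; one that fires across many URLs or from unfamiliar sources deserves a closer look first.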

 

The command below shows the signature details for a given WAF event ID:

 

diag waf dump | grep 40000108 <----- This signature prevents attackers from probing for SQL injection vulnerabilities.

 

With the signature identified by the diag waf dump command, disable it in the WAF profile to allow the traffic that is being blocked due to event ID 40000108.

In this example, the WAF profile in use is 'WAF_profile'.

 

config waf profile
    edit WAF_profile
        config signature
            set disable-signature 40000108
        end
    next
end

 

If the profile already has disabled signatures, append to the existing list instead:

 

config waf profile
    edit WAF_profile
        config signature
            append disable-signature 40000108
        end
    next
end

Note: After creating a Web Application Firewall security profile, create a policy in proxy mode so that the option to use the WAF profile is available.

 

Below is the sample output:

[Screenshot: WAF_Proxy.PNG]