FortiGate
ssriswadpong
Staff
Article Id 274390
Description

This article describes how to collect a waf-profile debug log on FortiGate.

Scope

FortiGate.

Solution

The related process is WAD, so the debugging commands are the same as those used to debug the explicit proxy HTTP flow.

diagnose wad debug enable category http
diagnose wad debug enable level info
diagnose debug enable


The relevant WAD debug category is HTTP.
During troubleshooting, additional categories (for example, policy) and console timestamps can also be enabled to display more information, such as:

diagnose wad debug enable category http
diagnose wad debug enable category policy
diagnose wad debug enable level info
diagnose debug console timestamp enable
diagnose debug enable

Stop debugging by:

diagnose debug disable
diagnose debug reset


Here is a sample debugging output from a WAD debug of all categories (diagnose wad debug enable category all; note that a WAD debug filter should be applied when debugging all categories to prevent high CPU usage), showing an incoming request that matches a WAF signature:

[I]2023-09-18 21:11:40.125317 [p:2454][s:239973] wad_tcp_port_learn_session_config :465 vf_id=0 ses_ctx=0x7f46854a93b8 policy-id=1, sec_profile=0x7f46859866e8 app_type=http
wan_opt_mode=0 av_idx=1 dd_method=0 wan_opt_tcp=0
tp-mode=0 web_cache=0 webcache_ssl=0
check_policy: http=0 ssh=0 ssh_tun=0 fw_ztna=0 ap=0
ipsapp_redirect=0
ssl_enabled=0 ssl_full=0 wanopt_ssl=0 ssl_proc=
ses_ctx:t|P|M|Hhf|C|A7|O fwdsvr=''
[I]2023-09-18 21:11:40.125320 [p:2454][s:239973] wad_tcp_port_alloc :1464 alloc tcp_port=0x7f46854c8420
[I]2023-09-18 21:11:40.125345 [p:2454][s:239973] wad_tcp_port_connect_with_fd :2268 TCP port=0x7f46854c8420 sock=109 vrf=0 connecting 10.207.1.234:27431->10.207.1.188:8081
[I]2023-09-18 21:11:40.125348 [p:2454][s:239973] wad_tcp_port_alloc :1464 alloc tcp_port=0x7f46854c8568
[I]2023-09-18 21:11:40.125363 [p:2454] wad_tcp_port_put :627 free tcp_port=0x7f46854c8568
[I]2023-09-18 21:11:40.146527 [p:2454][s:239972] wad_tcp_port_on_connect :2042 TCP connection 0x7f46854c8190 fd=106 connected 10.207.1.234:27430->10.207.1.188:8081
[I]2023-09-18 21:11:40.146550 [p:2454][s:239972] wad_http_srv_selector_static_make :1015 make static server selector.
[I]2023-09-18 21:11:40.146557 [p:2454][s:239972] wad_http_srv_slct_static_set_connectable:459 static server selector connectable set to 0.
[I]2023-09-18 21:11:40.146559 [p:2454][s:239972] wad_http_srv_slct_static_set_connectable:459 static server selector connectable set to 0.
[I]2023-09-18 21:11:40.146560 [p:2454][s:239972] wad_http_full_ses_make :16194 make ok session=0x7f46871db290 server=0x7f46854c8190.
[I]2023-09-18 21:11:40.146565 [p:2454][s:239973] wad_tcp_port_on_connect :2042 TCP connection 0x7f46854c8420 fd=109 connected 10.207.1.234:27431->10.207.1.188:8081
[I]2023-09-18 21:11:40.146567 [p:2454][s:239973] wad_http_srv_selector_static_make :1015 make static server selector.
[I]2023-09-18 21:11:40.146569 [p:2454][s:239973] wad_http_srv_slct_static_set_connectable:459 static server selector connectable set to 0.
[I]2023-09-18 21:11:40.146570 [p:2454][s:239973] wad_http_srv_slct_static_set_connectable:459 static server selector connectable set to 0.
[I]2023-09-18 21:11:40.146571 [p:2454][s:239973] wad_http_full_ses_make :16194 make ok session=0x7f46871db308 server=0x7f46854c8420.
[I]2023-09-18 21:11:40.187599 [p:2454][s:239973] wad_tcp_port_on_event :1885 start processing tcp event=0x1 events=0x1 fd=108 n_out_block=0 state=2 close/shut=0/0 n_out_block=0
[I]2023-09-18 21:11:40.187641 [p:2454][s:239973] wad_tcp_port_on_read :1761 sock 108 read (0,4080)
[I]2023-09-18 21:11:40.187698 [p:2454][s:239973][r:19] wad_dump_http_request :2671 hreq=0x7f46859a81f8 Received request from client: 10.177.1.10:27431

GET /index.php?username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271 HTTP/1.1
Host: 10.177.2.99:8081
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: th-TH,th;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6

[I]2023-09-18 21:11:40.187714 [p:2454][s:239973][r:19] wad_http_str_canonicalize :2213 enc=0 path=/index.php len=10 changes=0
[I]2023-09-18 21:11:40.187719 [p:2454][s:239973][r:19] wad_http_str_canonicalize :2215 end=4 path=username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271 len=79 changes=0
[I]2023-09-18 21:11:40.187723 [p:2454][s:239973][r:19] wad_http_req_detect_special :15023 captive_portal detected: false, preflight=(null)
[I]2023-09-18 21:11:40.187734 [p:2454][s:239973][r:19] wad_http_urlfilter_check :383 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2023-09-18 21:11:40.187739 [p:2454][s:239973][r:19] wad_http_req_proc_waf :1309 req=0x7f46859a81f8 ssl.deep_scan=0 proto=1 exempt=0 waf=(nil) body_len=0 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 skip_scan=0
[I]2023-09-18 21:11:40.187742 [p:2454][s:239973][r:19] wad_http_waf_access_control :1209
[I]2023-09-18 21:11:40.187744 [p:2454][s:239973][r:19] wad_http_req_proc_waf_body :1268
[I]2023-09-18 21:11:40.187746 [p:2454][s:239973][r:19] wad_http_waf_check_req :1174 WAF sanity check msg=0x7f46859a81f8 rid=68
WAF matched keyword=1077 kw_sig_flags=0x420
WAF keyword enable sig=80030002 kw_sig_flags=0x420
WAF matched keyword=738 kw_sig_flags=0x403
...
WAF keyword enable sig=40000108 kw_sig_flags=0xc0
WAF matched keyword=626 kw_sig_flags=0xc0
WAF matched keyword=622 kw_sig_flags=0xc0
WAF keyword enable sig=40000108 kw_sig_flags=0xc0
[I]2023-09-18 21:11:40.187836 [p:2454][s:239973][r:19] wad_waf_sig_match_request :414 WAF sig=80030002 sig_flags=0x400 kw_sig_flags=0x420 check_body_args=0 -> match SQL injection signature.
WAF data=/index.php?username=1' or '1' = '1&password=1' or '1' = '1 ret=0/-1/-1
[I]2023-09-18 21:11:40.187844 [p:2454][s:239973][r:19] wad_waf_sig_match_request :414 WAF sig=40000040 sig_flags=0x3 kw_sig_flags=0x403 check_body_args=0
WAF query=username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271 n_args=2
WAF data=1' or '1' = '1 ret=1/3/11
[I]2023-09-18 21:11:40.187851 [p:2454][s:239973][r:19] wad_waf_match_signatures :729 WAF sig=40000040 matched action=1 severity=2
[I]2023-09-18 21:11:40.187978 [p:2454][s:239973][r:19] wad_http_waf_check_signature :1144 WAF signature-based attack detected msg=0x7f46859a81f8
[I]2023-09-18 21:11:40.187990 [p:2454][s:239973][r:19] __wad_http_build_replmsg_resp :705 Generating replacement message. WAF attack detected repmsg_id 58
[I]2023-09-18 21:11:40.188237 [p:2454][s:239973][r:19] wad_dump_fwd_http_resp :2686 hreq=0x7f46859a81f8 Forward response from Internal:

HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 35650

[I]2023-09-18 21:11:40.188249 [p:2454][s:239973][r:19] wad_http_req_resp_fwd_done :4906 req(0x7f46859a81f8) resp(0x7f468734f9f0/(nil)) resp-fwd done!
[I]2023-09-18 21:11:40.188253 [p:2454][s:239973][r:19] wad_http_req_finished :1539 req=0x7f46859a81f8 stream=0x7f4685483458 req_done=1 done_close=1
[I]2023-09-18 21:11:40.188256 [p:2454][s:239973][r:19] __wad_http_req_close :1642 ret = -1!
[I]2023-09-18 21:11:40.188266 [p:2454][s:239973][r:19] __wad_http_session_task_end :14958 wad_http_clt_hmsg_task_end:2229: hcs=0x7f4685483428 good=-1 state=3 processing=3
[I]2023-09-18 21:11:40.188270 [p:2454][s:239973] wad_tcp_port_transport_close :1097 0x7f46854c82d8 has bytes to sync 35912
[I]2023-09-18 21:11:40.188272 [p:2454][s:239973] wad_tcp_port_transport_close :1101 sock 108 read_block enforced, turn off readability.
[I]2023-09-18 21:11:40.188274 [p:2454][s:239973] wad_tcp_port_proc_end :809 tcp=0x7f46854c8420 socket=109 good=0 both ends closed.
[I]2023-09-18 21:11:40.188350 [p:2454][s:239973] wad_tcp_port_end_event :764 sock 109 close
[I]2023-09-18 21:11:40.188356 [p:2454][s:239973] wad_tcp_port_proc_end :855 tcp 0x7f46854c8420 closed on sock 109
[I]2023-09-18 21:11:40.188358 [p:2454][s:239973] wad_http_session_free :14777 http cache session 0x7f4685483428 req=(nil) close
[I]2023-09-18 21:11:40.188364 [p:2454][s:239973] wad_tcp_port_put :627 free tcp_port=0x7f46854c8420
[I]2023-09-18 21:11:40.188366 [p:2454][s:239973] wad_http_srv_free :6499 http cache server close n_left=0
[I]2023-09-18 21:11:40.188369 [p:2454][s:239973] __wad_http_session_task_end :14958 state=4 processing=1 freed
[I]2023-09-18 21:11:40.188371 [p:2454][s:239973] wad_tcp_port_on_event :1961 sock 108 remove readability events=0x0.
[I]2023-09-18 21:11:40.188504 [p:2454][s:239973] wad_tcp_port_flush :1556 sock 108 write (13,35912,35912) n_written=35912 tcp_port 0x7f46854c82d8
[I]2023-09-18 21:11:40.188510 [p:2454][s:239973] wad_tcp_port_proc_end :809 tcp=0x7f46854c82d8 socket=108 good=0 both ends closed.
[I]2023-09-18 21:11:40.188515 [p:2454][s:239973] wad_tcp_port_end_event :764 sock 108 close
[I]2023-09-18 21:11:40.188516 [p:2454][s:239973] wad_tcp_port_proc_end :855 tcp 0x7f46854c82d8 closed on sock 108
[I]2023-09-18 21:11:40.188534 [p:2454] wad_tcp_port_put :627 free tcp_port=0x7f46854c82d8
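A long WAD capture is easier to review when the WAF evidence is grouped per request. The following Python parser is an added example (not from the Fortinet article) that reads the WAD debug line format shown above and collects, per request id, the signatures evaluated, the decoded data they were checked against, the signatures that matched, and whether a replacement message was generated; the sample input is a constructed excerpt of the output above.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the WAD debug output shown in the article above.
SAMPLE_DEBUG = """\
[I]2023-09-18 21:11:40.187746 [p:2454][s:239973][r:19] wad_http_waf_check_req :1174 WAF sanity check msg=0x7f46859a81f8 rid=68
[I]2023-09-18 21:11:40.187836 [p:2454][s:239973][r:19] wad_waf_sig_match_request :414 WAF sig=80030002 sig_flags=0x400 kw_sig_flags=0x420 check_body_args=0 -> match SQL injection signature.
WAF data=/index.php?username=1' or '1' = '1&password=1' or '1' = '1 ret=0/-1/-1
[I]2023-09-18 21:11:40.187844 [p:2454][s:239973][r:19] wad_waf_sig_match_request :414 WAF sig=40000040 sig_flags=0x3 kw_sig_flags=0x403 check_body_args=0
WAF data=1' or '1' = '1 ret=1/3/11
[I]2023-09-18 21:11:40.187851 [p:2454][s:239973][r:19] wad_waf_match_signatures :729 WAF sig=40000040 matched action=1 severity=2
[I]2023-09-18 21:11:40.187978 [p:2454][s:239973][r:19] wad_http_waf_check_signature :1144 WAF signature-based attack detected msg=0x7f46859a81f8
[I]2023-09-18 21:11:40.187990 [p:2454][s:239973][r:19] __wad_http_build_replmsg_resp :705 Generating replacement message. WAF attack detected repmsg_id 58
"""

# A timestamped WAD line: [level]timestamp [p:pid][s:session][r:request] function :srcline message
HEADER_RE = re.compile(
    r"^\[(?P<level>[A-Z])\](?P<ts>\S+ \S+) \[p:(?P<pid>\d+)\](?:\[s:(?P<ses>\d+)\])?(?:\[r:(?P<req>\d+)\])? "
    r"(?P<func>\S+)\s*:(?P<line>\d+)\s*(?P<msg>.*)$"
)
SIG_EVAL_RE = re.compile(r"WAF sig=(?P<sig>[0-9a-f]+) sig_flags=\S+ kw_sig_flags=\S+ check_body_args=\d+")
SIG_MATCH_RE = re.compile(r"WAF sig=(?P<sig>[0-9a-f]+) matched action=(?P<action>\d+) severity=(?P<sev>\d+)")


def parse_waf_events(text):
    """Group WAF evidence by request id ([r:N]) from a WAD debug capture."""
    reqs = defaultdict(lambda: {"evaluated": {}, "matched": {}, "attack_detected": False, "replmsg_id": None})
    req, last_sig = None, None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            req, msg = m.group("req"), m.group("msg")
            if req is None:  # TCP-level lines carry no [r:..] tag; nothing WAF-related there
                continue
            rec = reqs[req]
            if (e := SIG_EVAL_RE.search(msg)):
                last_sig = e.group("sig")
                note = msg.split("->", 1)[1].strip() if "->" in msg else ""
                rec["evaluated"][last_sig] = {"data": None, "note": note}
            elif (s := SIG_MATCH_RE.search(msg)):
                rec["matched"][s.group("sig")] = {"action": int(s.group("action")), "severity": int(s.group("sev"))}
            elif "WAF signature-based attack detected" in msg:
                rec["attack_detected"] = True
            elif (r := re.search(r"repmsg_id (\d+)", msg)):
                rec["replmsg_id"] = int(r.group(1))
        elif req is not None and last_sig and raw.startswith("WAF data="):
            # Continuation line: the decoded data the preceding signature was checked against (ret= dropped).
            reqs[req]["evaluated"][last_sig]["data"] = raw[len("WAF data="):].rsplit(" ret=", 1)[0]
    return dict(reqs)
```

Feed it the full capture saved from the console session; requests with an empty "matched" dict were inspected by the WAF without triggering a signature, which is the first thing to check when a legitimate request is unexpectedly blocked.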