Description: This article describes how to create a custom WAF signature.
Scope: FortiGate, Web Application Firewall.
Solution:
The following configuration requires the FortiGate 'Web Application Firewall' feature to be enabled under System -> Feature Visibility -> Security Features -> Web Application Firewall. Once the feature is enabled, 'Web Application Firewall' will be available under Security Profiles.
Creating a custom signature helps in blocking or allowing a specific URL address or URL path, for example one related to an identified 'false positive'. These custom signatures can also act as an exception list, rather than disabling a specific signature ID with the command 'set disabled-signature'.
The default configuration values look as below:
config custom-signature
    Description: Custom signature.
    edit <name>
        set status [enable|disable]
        set action [allow|block|...]
        set log [enable|disable]
        set severity [high|medium|...]
        set direction [request|response]
        set case-sensitivity [disable|enable]
        set pattern {string}
        set target {option1}, {option2}, ...
    next
end
Note: custom signatures can be created only via the command line (CLI), and a 'regular expression' cannot be used as the {string} value in the command 'set pattern'.
Custom signature example. Consider the case where a URL address that includes Fortinet, such as 'community.fortinet.com', needs to be allowed; the example below can be referred to for this purpose.
config custom-signature
    edit allow_fortinet
        set status enable
        set action block
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern community.fortinet.com
        set target req-header
    next
end
Note: 'set pattern *.fortinet.com' can also be used instead of the full host name.
The key lines here are:
set direction request
set pattern community.fortinet.com
set target req-header
This signature will match only the URL address part.
Now, consider an example to block access to the 'FortiSIEM Community', which is a sub-path of the following URL: https://community.fortinet.com/t5/FortiSIEM/gh-p/fortisiem. The custom signature below is an example that will need to match the URL path 't5/FortiSIEM/gh-p/fortisiem'.
config custom-signature
end
The key lines here are:
set direction request
Also, enabling logging at the signature level (set log enable) will help to verify whether the custom signatures are actually matching the intended traffic.
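Since the FortiSIEM block above is shown without its body, here is a complete version of it, added as an example; it is not taken from the original article or from Fortinet documentation. It assumes that the signature targets the request URI with the target option 'req-uri' (a target value not shown on this page), that 'config custom-signature' sits under 'config signature' of a WAF profile named 'waf-profile-example' (a constructed name), and that the pattern is the path quoted above:

```text
config waf profile
    edit "waf-profile-example"
        # "waf-profile-example" is a constructed profile name (assumption)
        config signature
            # assumed nesting: custom-signature under config signature of the profile
            config custom-signature
                edit "block_fortisiem"
                    set status enable
                    set action block
                    # log every match so the signature can be verified against real traffic
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern t5/FortiSIEM/gh-p/fortisiem
                    # assumed target: match the request URI path rather than the Host header
                    set target req-uri
                next
            end
        end
    next
end
```

With 'set log enable', each match produces a WAF log entry for the signature name, which is the quickest way to confirm that only requests for the FortiSIEM path are blocked; if requests for other paths under community.fortinet.com also appear in the log, the pattern is broader than intended and should be narrowed.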
Related article: Technical Tip: Technical support on customization on various Fortinet products
Copyright 2025 Fortinet, Inc. All Rights Reserved.