FortiGate
mzainuddinahm
Article Id 355036
Description: This article describes how to create a custom WAF signature.
Scope: FortiGate, Web Application Firewall.
Solution

The following configuration requires the FortiGate 'Web Application Firewall' feature to be enabled under System -> Feature Visibility -> Security Features -> Web Application Firewall.

Once the feature is enabled, 'Web Application Firewall' will be available under Security Profiles.

 

Creating a custom signature makes it possible to block or allow a specific URL address or URL path, for example one involved in an identified 'false positive'. Custom signatures can therefore act as an exception list, instead of disabling an entire built-in signature ID with the command 'set disabled-signature'.

 

The default configuration structure looks as follows:

config custom-signature
Description: Custom signature.
    edit <name>
        set status [enable|disable]
        set action [allow|block|...]
        set log [enable|disable]
        set severity [high|medium|...]
        set direction [request|response]
        set case-sensitivity [disable|enable]
        set pattern {string}
        set target {option1}, {option2}, ...
    next
end


Note: custom signatures can only be created from the command line (CLI), and the {string} value of the command 'set pattern' does not accept regular expressions.

 

Custom signature example.

If a URL address that includes Fortinet, such as 'community.fortinet.com', needs to be allowed, the example below can be used for this purpose.

 

config custom-signature
    edit allow_fortinet
        set status enable
        set action allow
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern community.fortinet.com
        set target req-header
    next
end

A wildcard pattern such as 'set pattern *.fortinet.com' can also be used to cover every Fortinet host name.

 

The key lines here are:

set direction request
set pattern community.fortinet.com
set target req-header

Because the target is 'req-header', this signature matches only the URL address (host name) part of the request, not the URI path.

 

Now, consider an example that blocks access to the 'FortiSIEM Community', which is a sub-path of the following URL:

https://community.fortinet.com/t5/FortiSIEM/gh-p/fortisiem

The custom signature below is an example that needs to match the URL path 't5/FortiSIEM/gh-p/fortisiem'.

 

config custom-signature
    edit block_fortinet_fortisiem
        set status enable
        set action block
        set log enable
        set severity medium
        set direction request
        set case-sensitivity disable
        set pattern "t5/FortiSIEM/*"
        set target req-uri
    next
end

 

The key lines here are:

set direction request
set pattern "t5/FortiSIEM/*"
set target req-uri

Because the target is 'req-uri', the pattern is matched against the URI path of the request rather than the host name.

 

Also, enabling logging at the signature level ('set log enable') helps to verify that the custom signatures are actually matching the intended traffic.
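When several such exceptions have to be maintained, generating the CLI blocks from a rule list keeps them consistent and catches the mistakes the article warns about before they reach the firewall. The following is an added example, not code from the article or from Fortinet: it renders 'config custom-signature' stanzas in the layout shown above and refuses patterns that look like regular expressions. The set of accepted actions and targets is limited to the values the article shows, which is this example's assumption, not the full FortiOS option list.

```python
import re
from dataclasses import dataclass

# Allowed values are limited to those the article shows; the real CLI accepts
# more targets and actions (this whitelist is the example's own assumption).
ACTIONS = {"allow", "block"}
TARGETS = {"req-header", "req-uri"}
# 'set pattern' takes a literal string (with '*' wildcards in the article's
# examples), not a regex, so regex metacharacters are refused up front.
REGEX_METACHARS = re.compile(r"[\[\]\(\)\{\}\^\$\|\\\+\?]")


@dataclass
class CustomSignature:
    name: str
    pattern: str
    target: str
    action: str = "block"
    direction: str = "request"
    log: bool = True
    severity: str = "medium"
    case_sensitive: bool = False

    def validate(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"{self.name}: unsupported action {self.action!r}")
        if self.target not in TARGETS:
            raise ValueError(f"{self.name}: unsupported target {self.target!r}")
        if REGEX_METACHARS.search(self.pattern):
            raise ValueError(f"{self.name}: pattern looks like a regex; use a literal")

    def to_cli(self) -> str:
        # Render one 'edit ... next' block in the layout the article uses.
        self.validate()
        on = lambda b: "enable" if b else "disable"  # noqa: E731
        return "\n".join([
            f"    edit {self.name}",
            "        set status enable",
            f"        set action {self.action}",
            f"        set log {on(self.log)}",
            f"        set severity {self.severity}",
            f"        set direction {self.direction}",
            f"        set case-sensitivity {on(self.case_sensitive)}",
            f'        set pattern "{self.pattern}"',
            f"        set target {self.target}",
            "    next",
        ])


def render_config(sigs: list) -> str:
    # Wrap all signature blocks in the surrounding 'config ... end' stanza.
    return "config custom-signature\n" + "\n".join(s.to_cli() for s in sigs) + "\nend"
```

Calling render_config with the two signatures from this article (allow_fortinet on req-header, block_fortinet_fortisiem on req-uri) produces a stanza that can be pasted into the CLI; a pattern such as '^t5/(FortiSIEM|FortiGate)/.*$' is rejected with a ValueError instead of being silently stored as a literal.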

 

Related article:

Technical Tip: Technical support on customization on various Fortinet products