FortiGate
heljag (Staff)
Article Id 407534
Description This article describes a limitation affecting web server files whose names start with CC- when the traffic is inspected by a FortiGate WAF profile: requests for such files match an OS command injection signature and are blocked.
Scope FortiGate.
Solution

The FortiGate device is configured with a policy that uses a WAF profile and an SSL Inspection profile, as shown in the following diagram.

WAF.drawio.png

  • WAF profile configuration.

Screenshot 2025-08-21 110128.png

  • SSL Inspection configuration.

Screenshot 2025-08-21 110218.png

  • Policy configuration.

Screenshot 2025-08-21 110315.png


The website contains three images (see the site1.com directory structure), one of which has a name starting with CC-.
When the website is accessed, it appears as follows.

Screenshot 2025-08-21 105747.png

Image 1 (CC-_image1.jpg) is not loaded, and when the image is clicked the connection is blocked.

Screenshot 2025-08-21 105804.png

This happens because the file name starts with 'CC-'. The WAF profile evaluates the request URI against its signatures, and signature 50010001 (sub-class 50010000, OS Command Injection Attacks, in main class 50000000, Generic Attacks) takes the CC in the path for the shell command cc. The match is not case-sensitive, so /assets/CC-_image1.jpg is classified as an OS command injection attempt and the request is blocked. The classes and the signature can be listed with diagnose waf dump:

FGT # diagnose waf dump
main classes:
  10000000 - Cross Site Scripting
  20000000 - Cross Site Scripting (Extended)
  30000000 - SQL Injection
  40000000 - SQL Injection (Extended)
  50000000 - Generic Attacks
  60000000 - Generic Attacks(Extended)
  70000000 - Trojans
  80000000 - Information Disclosure
  90000000 - Known Exploits
  100000000 - Credit Card Detection
  110000000 - Bad Robot
sub classes:
50010000 - OS Command Injection Attacks

...

FGT # diagnose waf dump | grep 50010001
  50010001 - This signature prevents attackers from accessing OS commands.

The detection can be observed in the WAD debug output, captured with diagnose wad debug enable category all, diagnose wad debug enable level verbose and diagnose debug enable (turn it off again with diagnose wad debug clear and diagnose debug disable). In the excerpt below the WAF first tests a signature against the Host header without a hit (ret=0/-1/-1), then tests signature 50010001 against the request path, which hits (ret=1/7/11) and triggers the replacement message.

fmt:idxIDX name idx=67, priority:u=2, i enc_len=5,huf=1
0783:h2s=0x7f9e55f30688,strm_id=00003,h2dd=0x7f9e55f30970,curr_sz=1388, max_sz=4096, entry_cnt=20
[I]2025-08-21 04:19:16.976645 [p:805][s:9407][r:973078530] wad_dump_http_request :2915 hreq=0x7f9e55f3d8e8 Received request from client: 10.1.192.20:52542

GET /assets/CC-_image1.jpg HTTP/1.1
Host: site1.com
sec-ch-ua-platform: "Windows"
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
sec-ch-ua-mobile: ?0
accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
sec-fetch-site: same-origin
sec-fetch-mode: no-cors
sec-fetch-dest: image
referer: https://site1.com/
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
priority: u=2, i

[V]2025-08-21 04:19:16.976654 [p:805][s:9407][r:973078530] wad_http_marker_uri :1270 path=/assets/CC-_image1.jpg len=22
[V]2025-08-21 04:19:16.976659 [p:805][s:9407][r:973078530] wad_http_parse_host :1649 host_len=9
[I]2025-08-21 04:19:16.976664 [p:805][s:9407][r:973078530] wad_http_parse_host :1681 host=[9]site1.com
[I]2025-08-21 04:19:16.976669 [p:805][s:9407][r:973078530] wad_http_str_canonicalize :2196 enc=0 path=/assets/CC-_image1.jpg len=22 changes=0
[V]2025-08-21 04:19:16.976674 [p:805][s:9407][r:973078530] wad_http_normalize_uri :2586 host_len=9 path_len=22 query_len=0
[I]2025-08-21 04:19:16.976679 [p:805][s:9407][r:973078530] wad_http_req_detect_special :16110 captive_portal detected: false, preflight=(null)
[V]2025-08-21 04:19:16.976684 [p:805][s:9407][r:973078530] wad_http_req_exec_act :14497 request(0x7f9e55f3d8e8), intercept(pass), block(0)
[V]2025-08-21 04:19:16.976688 [p:805][s:9407][r:973078530] wad_http_req_exec_act :14586 dst_addr_type=1 wc_nontp=0 sec_web=1 web_cache=0 req_bypass=1
[I]2025-08-21 04:19:16.976696 [p:805][s:9407][r:973078530] wad_http_urlfilter_check :386 uri_norm=1 inval_host=0 inval_url=0 scan-hdr/body=1/0 url local=0 block=0 user-cat=0 allow=0 ftgd=0 keyword=0 wisp=0
[I]2025-08-21 04:19:16.976702 [p:805][s:9407][r:973078530] wad_http_req_proc_waf :1375 req=0x7f9e55f3d8e8 ssl.deep_scan=1 proto=10 exempt=0 waf=(nil) body_len=18446744073709551615 ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 skip_scan=0
[I]2025-08-21 04:19:16.976707 [p:805][s:9407][r:973078530] wad_http_waf_access_control :1239
[I]2025-08-21 04:19:16.976712 [p:805][s:9407][r:973078530] wad_http_req_proc_waf_body :1334
[V]2025-08-21 04:19:16.976716 [p:805][s:9407][r:973078530] wad_http_req_proc_waf_body :1353 WAF Calling waf
[I]2025-08-21 04:19:16.976720 [p:805][s:9407][r:973078530] wad_http_waf_check_req :1202 WAF sanity check msg=0x7f9e55f3d8e8 rid=72
...
[I]2025-08-21 04:19:16.976787 [p:805][s:9407][r:973078530] wad_waf_sig_match_request :426 WAF sig=20000182 sig_flags=0xc0 kw_sig_flags=0xc0 check_body_args=0 body_bypass=1
[I]2025-08-21 04:19:16.976792 [p:805][s:9407][r:973078530] wad_waf_pattern_line_should_match :764 WAF check hdr_id=41 name=Host: extra=0x7f9e55da19d8 negate=1
[I]2025-08-21 04:19:16.976797 [p:805][s:9407][r:973078530] wad_waf_pattern_line_should_match :779 WAF node->id=69
WAF data=Host ret=0/-1/-1
WAF data=Host: site1.com
ret=0/-1/-1
...
[I]2025-08-21 04:19:16.976916 [p:805][s:9407][r:973078530] wad_waf_sig_match_request :426 WAF sig=50010001 sig_flags=0x20 kw_sig_flags=0x420 check_body_args=0 body_bypass=1
WAF data=/assets/CC-_image1.jpg ret=1/7/11
[I]2025-08-21 04:19:16.976923 [p:805][s:9407][r:973078530] wad_waf_match_signatures :755 WAF sig=50010001 matched action=1 severity=1
[I]2025-08-21 04:19:16.976942 [p:805][s:9407][r:973078530] wad_http_parse_referer_hline :4141 referer_len 18
[I]2025-08-21 04:19:16.976950 [p:805][s:9407][r:973078530] wad_http_waf_check_signature :1170 WAF signature-based attack detected msg=0x7f9e55f3d8e8
[I]2025-08-21 04:19:16.976956 [p:805][s:9407][r:973078530] __wad_http_build_replmsg_resp :789 Generating replacement message. WAF attack detected repmsg_id 62
[V]2025-08-21 04:19:16.976967 [p:805][s:9407][r:973078530] wad_mem_c_malloc :138 size 32770 exceeds max_elm_size (18392); not using bucket
[V]2025-08-21 04:19:16.977084 [p:805][s:9407][r:973078530] wad_mem_c_malloc :138 size 30350 exceeds max_elm_size (18392); not using bucket
[V]2025-08-21 04:19:16.977128 [p:805][s:9407][r:973078530] wad_http_msg_start_setup_proc :2248 msg(0x7f9e55f3d8e8) proc-setup started from: req_resp_ready.
[V]2025-08-21 04:19:16.977133 [p:805][s:9407][r:973078530] wad_http_def_proc_msg_plan :2210 msg(0x7f9e55f3d8e8) setting up processor(req_resp_ready)
[V]2025-08-21 04:19:16.977137 [p:805][s:9407][r:973078530] wad_http_msg_start_setup_proc :2248 msg(0x7f9e550b4c68) proc-setup started from: resp_forward.
[V]2025-08-21 04:19:16.977144 [p:805][s:9407][r:973078530] wad_http_def_proc_msg_plan :2210 msg(0x7f9e550b4c68) setting up processor(resp_forward)
[I]2025-08-21 04:19:16.977149 [p:805][s:9407][r:973078530] wad_dump_fwd_http_resp :2936 hreq=0x7f9e55f3d8e8 Forward response from Internal:

HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 35026
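To read these WAD lines systematically rather than by eye, the following script (an added example, not FortiOS code and not part of the original article) parses a constructed excerpt modelled on the debug output above, pairs each wad_waf_sig_match_request line with the WAF data= probes that follow it (including a ret= value wrapped onto the next line), and reports which signature hit which part of the request. It assumes that ret=A/B/C means hit flag, start offset and end offset (0-based, end-exclusive); that reading of the three numbers is an assumption, although on the path above it yields /CC-, which agrees with the signature having matched the CC- prefix.

```python
"""Parse FortiGate WAD debug output to see which WAF signature matched what.

Added example: this is not FortiOS code and not part of the original article.
Assumption: in 'WAF data=<field> ret=A/B/C', A is the hit flag (1 = pattern
matched) and B/C are 0-based, end-exclusive offsets of the match within <field>.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the debug lines in the article (trimmed).
SAMPLE_WAD_LOG = """\
[I]2025-08-21 04:19:16.976645 [p:805][s:9407][r:973078530] wad_dump_http_request :2915 hreq=0x7f9e55f3d8e8 Received request from client: 10.1.192.20:52542
[V]2025-08-21 04:19:16.976654 [p:805][s:9407][r:973078530] wad_http_marker_uri :1270 path=/assets/CC-_image1.jpg len=22
[I]2025-08-21 04:19:16.976787 [p:805][s:9407][r:973078530] wad_waf_sig_match_request :426 WAF sig=20000182 sig_flags=0xc0 kw_sig_flags=0xc0 check_body_args=0 body_bypass=1
[I]2025-08-21 04:19:16.976792 [p:805][s:9407][r:973078530] wad_waf_pattern_line_should_match :764 WAF check hdr_id=41 name=Host: extra=0x7f9e55da19d8 negate=1
WAF data=Host ret=0/-1/-1
WAF data=Host: site1.com
ret=0/-1/-1
[I]2025-08-21 04:19:16.976916 [p:805][s:9407][r:973078530] wad_waf_sig_match_request :426 WAF sig=50010001 sig_flags=0x20 kw_sig_flags=0x420 check_body_args=0 body_bypass=1
WAF data=/assets/CC-_image1.jpg ret=1/7/11
[I]2025-08-21 04:19:16.976923 [p:805][s:9407][r:973078530] wad_waf_match_signatures :755 WAF sig=50010001 matched action=1 severity=1
[I]2025-08-21 04:19:16.976950 [p:805][s:9407][r:973078530] wad_http_waf_check_signature :1170 WAF signature-based attack detected msg=0x7f9e55f3d8e8
"""

SIG_TESTED_RE = re.compile(r"\[r:(\d+)\].*wad_waf_sig_match_request .*WAF sig=(\d+)")
SIG_MATCHED_RE = re.compile(
    r"\[r:(\d+)\].*wad_waf_match_signatures .*WAF sig=(\d+) matched action=(\d+) severity=(\d+)")
PATH_RE = re.compile(r"\[r:(\d+)\].*wad_http_marker_uri .*path=(\S+)")
DATA_RE = re.compile(r"^WAF data=(.*?)(?: ret=(-?\d+)/(-?\d+)/(-?\d+))?$")
RET_RE = re.compile(r"^ret=(-?\d+)/(-?\d+)/(-?\d+)$")


@dataclass
class Probe:
    """One request field the signature's pattern was run against."""
    data: str
    hit: bool = False
    start: int = -1
    end: int = -1

    @property
    def matched_text(self) -> str:
        return self.data[self.start:self.end] if self.hit and self.start >= 0 else ""


@dataclass
class SigCheck:
    """All probes of one signature against one request, plus the verdict if any."""
    req_id: str
    sig_id: str
    probes: list[Probe] = field(default_factory=list)
    action: int | None = None    # only set when wad_waf_match_signatures reports a match
    severity: int | None = None

    @property
    def hits(self) -> list[Probe]:
        return [p for p in self.probes if p.hit]


def _set_ret(probe: Probe, hit: str, start: str, end: str) -> None:
    probe.hit, probe.start, probe.end = hit == "1", int(start), int(end)


def parse_wad_waf_log(text: str) -> tuple[dict[str, str], list[SigCheck]]:
    """Return (request id -> normalised path, signature checks in log order)."""
    paths: dict[str, str] = {}
    checks: list[SigCheck] = []
    current: SigCheck | None = None
    pending: Probe | None = None   # probe whose 'ret=' was wrapped onto the next line
    for raw in text.splitlines():
        line = raw.strip()
        if m := PATH_RE.search(line):
            paths[m.group(1)] = m.group(2)
        elif m := SIG_TESTED_RE.search(line):
            current = SigCheck(req_id=m.group(1), sig_id=m.group(2))
            checks.append(current)
            pending = None
        elif m := SIG_MATCHED_RE.search(line):
            for c in reversed(checks):   # verdict refers to the latest check of that signature
                if (c.req_id, c.sig_id) == (m.group(1), m.group(2)):
                    c.action, c.severity = int(m.group(3)), int(m.group(4))
                    break
        elif current is not None and (m := DATA_RE.match(line)):
            probe = Probe(data=m.group(1))
            current.probes.append(probe)
            if m.group(2) is not None:
                _set_ret(probe, m.group(2), m.group(3), m.group(4))
                pending = None
            else:
                pending = probe
        elif pending is not None and (m := RET_RE.match(line)):
            _set_ret(pending, *m.groups())
            pending = None
    return paths, checks


def blocking_matches(checks: list[SigCheck]) -> list[tuple[str, str, str]]:
    """(signature id, probed field, matched substring) for every check that produced a verdict."""
    return [(c.sig_id, p.data, p.matched_text) for c in checks if c.action is not None for p in c.hits]


if __name__ == "__main__":
    paths, checks = parse_wad_waf_log(SAMPLE_WAD_LOG)
    for c in checks:
        verdict = f"action={c.action} severity={c.severity}" if c.action is not None else "no verdict"
        print(f"req {c.req_id} path={paths.get(c.req_id, '?')} sig {c.sig_id}: "
              f"{len(c.probes)} probe(s), {len(c.hits)} hit(s), {verdict}")
        for p in c.hits:
            print(f"    matched {p.matched_text!r} at [{p.start}:{p.end}] in {p.data!r}")
```

Feed it a real capture (for example `python wad_waf.py < wad.log` after replacing SAMPLE_WAD_LOG with `sys.stdin.read()`) and the signatures that produced a verdict are listed with the exact substring they matched, which is the quickest way to decide whether a block is a true positive or a file name such as CC-_image1.jpg that needs renaming.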

The 403 Forbidden above is generated by the FortiGate itself (the log shows the replacement message being built, repmsg_id 62, followed by 'Forward response from Internal'); the request is never forwarded to site1.com.

Workaround: rename the files so that their names no longer start with CC- (and update the pages that reference them), or alternatively use FortiWeb, which offers more advanced features. FortiGate WAF profiles also allow an individual signature to be disabled (config waf profile, edit <profile>, config signature, set disabled-signature 50010001), but that removes the OS command injection check for every request the profile inspects, so renaming the files is the safer option.
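As an added example (not part of the original article), the following script implements the rename workaround as a pre-deployment check: it walks a web root, flags files whose names start with CC- in any letter case (case-insensitive matching is an assumption drawn from the upper-case CC- matching above), proposes a name without the prefix, refuses renames that would collide with an existing file, lists pages that still reference the old names, and only renames when run with --apply. The sample site tree it builds is constructed for the demo.

```python
"""Find and rename web assets whose names start with CC- before they hit the WAF.

Added example, not part of the original article: it implements the article's
rename workaround with a dry run, a collision check and a scan for pages that
still reference the old names. Assumption: the WAF match is case-insensitive
(the article shows upper-case CC- matching), so cc-/Cc-/cC- are flagged too.
"""
from __future__ import annotations

import sys
import tempfile
from pathlib import Path

FLAGGED_PREFIX = "cc-"
TEXT_SUFFIXES = {".html", ".htm", ".css", ".js", ".json", ".xml"}


def find_flagged(root: Path) -> list[Path]:
    """Files under root whose basename starts with CC- (any letter case)."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.lower().startswith(FLAGGED_PREFIX))


def proposed_name(name: str) -> str:
    """Drop the prefix and any separator glued to it: 'CC-_image1.jpg' -> 'image1.jpg'."""
    rest = name[len(FLAGGED_PREFIX):].lstrip("_-")
    return rest or name


def plan_renames(flagged: list[Path]) -> tuple[list[tuple[Path, Path]], list[tuple[Path, str]]]:
    """Pair each flagged file with a safe target; skip targets that already exist or collide."""
    plan: list[tuple[Path, Path]] = []
    skipped: list[tuple[Path, str]] = []
    claimed: set[Path] = set()
    for src in flagged:
        dst = src.with_name(proposed_name(src.name))
        if dst == src or dst.name.lower().startswith(FLAGGED_PREFIX):
            skipped.append((src, "no safe name could be derived"))
        elif dst.exists() or dst in claimed:
            skipped.append((src, f"target {dst.name} already exists"))
        else:
            plan.append((src, dst))
            claimed.add(dst)
    return plan, skipped


def find_references(root: Path, old_names: list[str]) -> dict[Path, list[str]]:
    """Text files (HTML/CSS/JS/...) that still mention a flagged file name."""
    refs: dict[Path, list[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="replace")
            found = [n for n in old_names if n in text]
            if found:
                refs[p] = found
    return refs


def apply_renames(plan: list[tuple[Path, Path]], dry_run: bool = True) -> int:
    """Rename the planned files; with dry_run only report. Returns the number renamed."""
    for src, dst in plan:
        print(f"{'would rename' if dry_run else 'renaming'} {src} -> {dst.name}")
        if not dry_run:
            src.rename(dst)
    return 0 if dry_run else len(plan)


def build_sample_site() -> Path:
    """Constructed web root mirroring the article's layout (added for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="site1-"))
    assets = root / "assets"
    assets.mkdir()
    for name in ("CC-_image1.jpg", "image2.jpg", "image3.jpg", "cc-image3.jpg"):
        (assets / name).write_bytes(b"\xff\xd8\xff")   # JPEG magic only; content is irrelevant
    (root / "index.html").write_text(
        '<img src="/assets/CC-_image1.jpg"><img src="/assets/image2.jpg">', encoding="utf-8")
    return root


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    root = Path(args[0]) if args else build_sample_site()
    flagged = find_flagged(root)
    plan, skipped = plan_renames(flagged)
    for src, why in skipped:
        print(f"skipping {src}: {why}")
    for page, names in find_references(root, [p.name for p in flagged]).items():
        print(f"update references in {page}: {', '.join(names)}")
    apply_renames(plan, dry_run="--apply" not in sys.argv)
```

Run it as `python cc_rename.py /var/www/site1` for a dry run and add `--apply` once the reported references have been updated; the collision check matters because a site that already has image3.jpg next to cc-image3.jpg would otherwise lose a file.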

Related article: Troubleshooting Tip: Understand how WAF signatures are evaluated and logs are generated.