Idan_Soen_FTNT
Article Id 201571
Description

This article describes how to deploy Fortinet AWS WAF managed rules on AWS WAF v2.

 

It also describes how to use the following:

- Versioning support: versioning is a new AWS WAF feature that allows vendors to provide multiple versions of a rule group.

- SNS messages: AWS WAF now allows customers to subscribe to a message feed through which vendors communicate, so that the latest notifications are received.

Scope  
Solution

AWS WAF Partner Rule Groups are subscription-based web application firewall signatures offered by third-party vendors to augment the basic WAF protections offered by Amazon’s WAF product.

 

These new rule groups allow AWS WAF customers to choose pre-packaged WAF rules from leading IT security providers.

 

With Partner Rule Groups, vendors can offer protection from a wide variety of application layer attacks packaged in a variety of security rulesets.

 

Fortinet is offering a complete rule group to AWS customers based on the FortiWeb WAF Service offered by FortiGuard:

 

OWASP Top 10 - The Complete Ruleset.

 

Deploying Fortinet AWS WAF Partner Rule Group V2.

Setup, configuration and FAQ for Fortinet’s WAF Rule Group on Amazon Web Services.

 

(Updated December 17, 2021).

 

Setup.

 

Similar to the existing AWS managed rule groups, Partner Rule Groups are implemented like a module or service that is added to a Web ACL.

Since these are a set of signatures and not an actual platform, you are not deploying a new VM but rather installing them on an existing Web ACL.

 

Below is an example of deploying Fortinet AWS WAF Partner Rule Group.

 

Subscribe to the Service.

 

Search for 'Fortinet AWS WAF' in the marketplace.
Make sure it is the V2 listing.
The listing description will start with 'not for AWS WAF Classic'.

Then select 'Continue to Subscribe'.

Select 'Subscribe'.

Reference the Service to the Web ACL.

- Go to Web ACLs. Switch to 'Rules' under a Web ACL, and choose 'Add managed rule groups'.

- Find the section 'Fortinet managed rule groups', enable 'Add to web ACL', and select 'Add rules'.

- Finally, 'Fortinet-all_rules' will be visible under the Web ACL, and it is all set.

Verify if It Really Works.

Usually, there are two ways to check if AWS WAF is working.

Access Test.

Use the command-line tool cURL or a browser to access the address below (the query value is the URL-encoded string <script>, a harmless XSS probe); a 403 block page will be returned.

http://your-domain/?a=%3Cscript%3E

Or

https://your-domain/?a=%3Cscript%3E

 

Attack Logs.

First of all, make sure that logging is enabled under the Web ACL.

It is necessary to create a log group to receive the logs.

Note - The log group name should start with 'aws-waf-logs-'.

Then try to trigger block pages as in the last section.

Logs will be visible under the log group.

 

 

Introduction to Versioning.

AWS WAF started supporting versioning in November 2021.

This allows customers to switch among different rule group versions and to pin a version that does not update, which prevents new signature updates from blocking legitimate requests.

Note - if a static version is chosen, it does not update, meaning the system will not be protected from new threats.

 

Usage.

To use versioning, edit the rule group.

Under 'OWASP Top 10 - The Complete Ruleset', the 'Version' field will be visible.

So far, Fortinet provides 3 types of versions.

- Default: always up to date. This version keeps the system protected, with signatures added periodically.

- Main_*: once available, it never changes, in order to give customers stable behavior.

- Others, like Test_*: usually for testing purposes. Customers should not select these versions.

Choose the version that works best for the user. The default version is 'Default'.

SNS.

An SNS topic is created to inform customers about new updates and releases.

If interested, subscribe to:

arn:aws:sns:us-east-1:040422370703:Fortinet_OWASP_Top_10_Notifications

Alternatively, simply select the link below 'Version'.

 

 

So far, there are 2 types of notifications.

- Version Release.

Once a new version is released, a notification will be received, together with the relevant updated rules.

- Version Revocation.

Once an old version is obsolete, a process is launched to revoke it.

This process involves 2 steps.

- The version becomes invisible to those who have not selected it, and a notification about this event is sent. But those who have chosen the version can continue to use it for 30 days at most, so there is enough time to prepare.

- After it expires (30 days later), the version is completely unavailable.

FAQ.

 

Q: How often does the "Default" version update with new/updated signatures? What about new "Versions"?

A: Signatures usually update once a month, and only for 'Default'. In some cases, when a severe vulnerability is found, the timeline could change depending on urgency. New versions are usually released quarterly.

 

Q: How often would a version expire?

A: A version usually expires every 6 months.

 

Q: What happens if a user is using a version that has expired (after the 30 days)?

A: It is taken over by 'Default' automatically, though the old version is still visible.

 

Q: Are Partner Rule Groups deployed globally or per region?

A: Per region. Unless Partner Rule Groups are deployed on CloudFront, which is global, it is necessary to deploy them in each AWS region where an application is deployed.

 

Q: Is there a way to view the signature regex itself?

A: No. The signature regex is proprietary vendor information and is not exposed to customers.

 

Q: Can a user view the rule name that blocked a request?

A: Yes. In the attack log details, the field 'ruleId' will be visible, like this.
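As an added example (not code from this article or from Fortinet), the following Python reads AWS WAF JSON log records like the ones delivered to the 'aws-waf-logs-' log group above and pulls out, for each request, the Web ACL rule and the group-internal ruleId that blocked or counted it; it also tallies COUNT-mode matches, which is how a rule switched to COUNT for a suspected false positive can be reviewed before BLOCK is restored. It assumes the standard AWS WAF log layout (terminatingRuleId, action, ruleGroupList[].terminatingRule / nonTerminatingMatchingRules, httpRequest); the sample records and all group/rule IDs are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample AWS WAF log records (newline-delimited JSON, trimmed to the fields used here).
# Group/rule IDs and addresses are placeholders, not real Fortinet identifiers.
SAMPLE_LOG = r'''
{"timestamp":1640038318273,"terminatingRuleId":"Fortinet-all_rules","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"PLACEHOLDER-GROUP-ID","terminatingRule":{"ruleId":"PLACEHOLDER-XSS-RULE","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"httpRequest":{"clientIp":"198.51.100.10","uri":"/","args":"a=%3Cscript%3E","httpMethod":"GET","requestId":"req-1"}}
{"timestamp":1640038318300,"terminatingRuleId":"Default_Action","action":"ALLOW","ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.11","uri":"/index.html","args":"","httpMethod":"GET","requestId":"req-2"}}
{"timestamp":1640038318400,"terminatingRuleId":"Default_Action","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"PLACEHOLDER-GROUP-ID","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"PLACEHOLDER-SQLI-RULE","action":"COUNT"}]}],"httpRequest":{"clientIp":"198.51.100.12","uri":"/search","args":"name=O%27Brien","httpMethod":"GET","requestId":"req-3"}}
'''

def parse_waf_log(text):
    """Parse newline-delimited JSON log records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def group_rule_hits(record):
    """Return [(ruleId, action)] for each rule inside a rule group that matched.
    The top-level terminatingRuleId only names the Web ACL rule ('Fortinet-all_rules');
    the rule that fired is under ruleGroupList[].terminatingRule (BLOCK) or
    ruleGroupList[].nonTerminatingMatchingRules (COUNT mode)."""
    hits = []
    for group in record.get("ruleGroupList") or []:
        term = group.get("terminatingRule")
        if term:
            hits.append((term["ruleId"], term.get("action", "BLOCK")))
        for rule in group.get("nonTerminatingMatchingRules") or []:
            hits.append((rule["ruleId"], rule.get("action", "COUNT")))
    return hits

def summarize(records):
    """One row per request: action, Web ACL rule, group rule(s), URI and query string.
    AWS WAF logs carry the URI and query string only, never the request body."""
    rows = []
    for rec in records:
        req = rec["httpRequest"]
        rows.append({"requestId": req["requestId"], "action": rec["action"],
                     "webacl_rule": rec["terminatingRuleId"],
                     "group_rules": group_rule_hits(rec),
                     "uri": req["uri"], "args": req.get("args", "")})
    return rows

def count_mode_hits(records):
    """Tally rules seen only in COUNT mode: what would be blocked if the override were lifted."""
    return Counter(rid for rec in records for rid, act in group_rule_hits(rec) if act == "COUNT")

if __name__ == "__main__":
    records = parse_waf_log(SAMPLE_LOG)
    for row in summarize(records):
        print(row)
    print("COUNT-mode hits:", dict(count_mode_hits(records)))
```

A COUNT-mode rule that only ever matches legitimate requests such as req-3 is a scope-down candidate; one that also matches probes like req-1 should go back to BLOCK.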

 


Q: Does an AWS log provide HTTP body information as well?

A: No. AWS logs do not provide visibility into the HTTP body, so HTTP POST arguments are not visible.

 

Q: Can a user easily whitelist a signature/rule that triggers a false positive or blocks legitimate traffic?

A: Yes. There are 2 choices.

- Switching the action of the specific rule to COUNT, so that matches are only logged instead of blocked.

- Using scope-down statements, which limit the requests the rule group inspects. On the same page, scroll down to find them.

Customers who believe the false positive is caused by a wrong signature rather than by particular application behavior can reach out to support.

 

Q: Does the Fortinet Rule Group include support?

A: Yes. By purchasing a Fortinet Rule Group, customers are entitled to support from Fortinet.

Support is via email only. Reach out to awswaf@fortinet.com.

In addition, to help more effectively, share the region name, rule name/ID and the raw traffic capture.

Appendix A.

 

AWS WAF Partner Rule Group vendors. https://aws.amazon.com/mp/security/WAFManagedRules/

 

AWS WAF Rule Group step-by-step explanation. http://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html

 

Viewing a Sample of the Web Requests.
http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing.html#web-acl-testing-view-sampl...