Description | This article describes how to avoid false positives triggered by newly released signatures.
Scope | For version 6.1 and above.
Solution |
Explanation.
New signatures are released frequently by the FortiGuard servers, so there is a possibility that a new signature matches legitimate traffic and blocks it.
To avoid this, enable 'config waf signature_update_policy' from the CLI (it is enabled by default). With it enabled, the action for signatures that arrive in a newly updated signature database is set to 'Alert Only' instead of the action configured on the category in the signature profile.
Once 'signature_update_policy' is enabled from the CLI, a new tab, 'Signature Update Management', is added to the FortiGuard settings page. All signatures newly added by a security service update are listed there with the status 'Unapplied'.
In addition, administrators can monitor the attack logs and fine-tune the new signatures accordingly.
For example, security service update 303 added a few new signatures.
For testing purposes, take signature 050180007.
Although alert_only is not set on signature 050180007 itself and its main category is set to 'Alert-deny', FortiWeb does not block the HTTP request; it only generates an attack log, thanks to 'Signature_Update_Policy'.
The administrator can verify whether the HTTP request that matched the signature is legitimate and then add an exception as needed.
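The review step described above (check the attack logs for hits from signatures that are still 'Unapplied', decide whether they are legitimate, and add exceptions before the next database update moves them to block mode) can be scripted. The following is an added example and is not code from the article or from Fortinet. It assumes a FortiWeb-style key=value syslog attack log; the field names (type, action, signature_id, src, http_url, main_type) and every sample value are assumptions, and the log lines are constructed. Signature ID 050180007 is the one used in the article; the other IDs are placeholders.

```python
"""Triage attack-log hits from newly released (unapplied) signatures.

Added example, not part of the Fortinet article. The key=value log format
and the field names below are assumptions; all sample data is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Signatures that arrived with the latest security service update and are
# still 'Unapplied' (alert only). 050180007 comes from the article; the
# other two IDs are constructed placeholders.
UNAPPLIED_SIGNATURES = {"050180007", "050180008", "090010041"}

# Constructed sample attack-log lines in an assumed key=value syslog style.
SAMPLE_LOGS = [
    'date=2024-05-02 time=10:01:07 type=attack action=Alert signature_id=050180007 '
    'src=203.0.113.10 http_url="/api/orders?id=12" main_type="SQL Injection"',
    'date=2024-05-02 time=10:01:09 type=attack action=Alert signature_id=050180007 '
    'src=203.0.113.11 http_url="/api/orders?id=13" main_type="SQL Injection"',
    'date=2024-05-02 time=10:02:30 type=attack action=Alert_Deny signature_id=030000001 '
    'src=198.51.100.7 http_url="/login" main_type="Generic Attacks"',
    'date=2024-05-02 time=10:03:15 type=attack action=Alert signature_id=090010041 '
    'src=203.0.113.10 http_url="/search?q=test" main_type="Cross Site Scripting"',
    'date=2024-05-02 time=10:04:00 type=event action=none msg="config changed"',
]

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict[str, str]:
    """Split one key=value syslog line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class SignatureHits:
    """What an admin needs to judge whether a new signature is a false positive."""
    count: int = 0
    sources: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)
    main_type: str = ""


def review_unapplied_hits(lines, unapplied) -> dict[str, SignatureHits]:
    """Aggregate attack logs whose signature_id is still unapplied.

    Non-attack events and hits on already-applied signatures are ignored,
    so the result is exactly the set of new signatures that need a look.
    """
    hits: dict[str, SignatureHits] = defaultdict(SignatureHits)
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "attack":
            continue
        sig = rec.get("signature_id")
        if sig not in unapplied:
            continue
        h = hits[sig]
        h.count += 1
        h.sources.add(rec.get("src", "?"))
        h.urls.add(rec.get("http_url", "?"))
        h.main_type = rec.get("main_type", h.main_type)
    return dict(hits)


def unapplied_without_hits(hits, unapplied) -> list[str]:
    """New signatures that never fired: nothing to review before they move to block mode."""
    return sorted(set(unapplied) - set(hits))


if __name__ == "__main__":
    report = review_unapplied_hits(SAMPLE_LOGS, UNAPPLIED_SIGNATURES)
    for sig, h in sorted(report.items()):
        print(f"{sig} ({h.main_type}): {h.count} hit(s) from "
              f"{len(h.sources)} source(s); URLs: {sorted(h.urls)}")
    print("never fired:", unapplied_without_hits(report, UNAPPLIED_SIGNATURES))
```

Run against an exported attack log (one line per event) and the list of IDs shown as 'Unapplied' in the Signature Update Management tab. A new signature that fires many times against the same legitimate URL from ordinary client addresses is the candidate for an exception; one that never fires, or fires only on clearly hostile requests, can safely be left to move to block mode with the next database.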
Note: as per the current design, the signatures newly added in the last signature database are moved to block mode automatically when FortiWeb receives a new signature database.
If the administrator believes that signatures or other security profiles are falsely flagging traffic as an attack because the regex or pattern used in the signature is too strict or wrong, collect a front-end packet capture (client <-> FWB VIP IP), the debug output (using the same commands mentioned earlier) and the attack logs, and get in touch with support to verify.
Refer to the following article to collect the debug and packet captures.
Copyright 2024 Fortinet, Inc. All Rights Reserved.