FortiWeb
ddsouza_FTNT (Staff)
Article Id 200346
Description This article describes how to avoid false positives triggered by newly released signatures.
Scope For version 6.1 and above.
Solution

Explanation.

New signatures are released frequently by the FortiGuard servers, so there is a possibility that a new signature matches legitimate traffic and blocks it.

To avoid this situation, enable 'config waf signature_update_policy' from the CLI (it is enabled by default). With it enabled, the action for signatures that are new in the freshly updated signature database is set to 'Alert Only' instead of the action configured on their category in the signature profile.

```
config waf signature_update_policy
set status enable
end
```

Once 'signature_update_policy' is enabled from the CLI, a new tab, 'Signature Update Management', is added to the FortiGuard settings page. All signatures newly added by a security service update are listed there with the status 'Unapplied'.

In addition, administrators can monitor the attack logs and fine-tune the new signatures accordingly.

For example, security service update 303 added a few new signatures.

[Screenshots omitted: Signature Update Management tab listing the newly added signatures]

For testing purposes, let's pick one signature, 050180007.

[Screenshot omitted: details of signature 050180007]

Although 'alert only' is not set on signature 050180007 itself and the signature's main category is set to 'Alert-deny', FortiWeb does not block the HTTP request; it only generates an attack log, thanks to the signature update policy.

[Screenshot omitted: attack log entry for signature 050180007]

The administrator can then verify whether the HTTP request that matched the signature is legitimate and add an exception as needed.
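As an added example that is not part of the original article, the following Python script shows how the monitoring step above can be done at the log level: it parses FortiWeb-style key=value attack-log lines, keeps only hits from signatures that are still 'Unapplied' after an update, and lists the signature/host/URL combinations that fire repeatedly so they can be reviewed for exceptions before the next database update moves them to block mode. The log lines, the field names (signature_id, http_host, http_url, src, action) and the set of unapplied signature IDs are constructed for this example and are assumptions; check them against the attack-log format of your own FortiWeb version.

```python
import re
from collections import Counter, defaultdict

# Constructed sample attack-log lines in a FortiWeb-like key=value style
# (not real device output). Only the fields this script reads matter; the
# exact field set on a real appliance may differ.
SAMPLE_LOGS = """\
date=2021-12-06 time=10:00:01 type=attack main_type="Signature Detection" signature_id="050180007" action="Alert" src=203.0.113.10 http_host="shop.example.test" http_url="/api/search?q=select"
date=2021-12-06 time=10:00:07 type=attack main_type="Signature Detection" signature_id="050180007" action="Alert" src=203.0.113.11 http_host="shop.example.test" http_url="/api/search?q=select"
date=2021-12-06 time=10:01:15 type=attack main_type="Signature Detection" signature_id="050180007" action="Alert" src=198.51.100.5 http_host="shop.example.test" http_url="/api/search?q=union"
date=2021-12-06 time=10:02:30 type=attack main_type="Signature Detection" signature_id="030000001" action="Alert_Deny" src=198.51.100.9 http_host="shop.example.test" http_url="/login"
date=2021-12-06 time=10:03:44 type=attack main_type="Signature Detection" signature_id="050180008" action="Alert" src=203.0.113.12 http_host="blog.example.test" http_url="/wp-admin/"
"""

# Signature IDs shown as 'Unapplied' in the Signature Update Management tab
# after the latest security service update (constructed for this example;
# 050180007 is the signature discussed in the article).
UNAPPLIED_SIGNATURES = {"050180007", "050180008"}

# key=value tokens; quoted values may contain spaces and '=' characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value attack-log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage_new_signatures(log_text, unapplied):
    """Summarise attack logs that matched a signature still in 'Unapplied' state.

    Returns {signature_id: {"hits": n, "targets": Counter((host, url)), "sources": set()}}.
    """
    report = defaultdict(lambda: {"hits": 0, "targets": Counter(), "sources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sig = rec.get("signature_id")
        if rec.get("type") != "attack" or sig not in unapplied:
            continue
        entry = report[sig]
        entry["hits"] += 1
        entry["targets"][(rec.get("http_host", ""), rec.get("http_url", ""))] += 1
        entry["sources"].add(rec.get("src", ""))
    return dict(report)


def review_candidates(report, min_hits=2):
    """Signature/host/URL combinations that fired at least min_hits times.

    Repeated hits on the same URL from new signatures are the first thing to
    check for false positives before the next database update applies the
    category action to those signatures.
    """
    out = []
    for sig, entry in sorted(report.items()):
        for (host, url), n in entry["targets"].most_common():
            if n >= min_hits:
                out.append((sig, host, url, n))
    return out


if __name__ == "__main__":
    rep = triage_new_signatures(SAMPLE_LOGS, UNAPPLIED_SIGNATURES)
    for sig, entry in sorted(rep.items()):
        print(f"{sig}: {entry['hits']} hits from {len(entry['sources'])} sources")
    for sig, host, url, n in review_candidates(rep):
        print(f"  review: {sig} matched {n}x on {host}{url}")
```

Feed the script the exported attack log instead of SAMPLE_LOGS and replace UNAPPLIED_SIGNATURES with the IDs shown in the Signature Update Management tab; the signature 030000001 line in the sample is deliberately ignored because it is not a new signature.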

Note.

As per the current design, the signatures that were newly added in the previous signature database are moved to block mode automatically when FortiWeb receives the next signature database.

If the administrator believes that signatures or other security profiles are falsely flagging traffic as an attack because the regex or pattern used in the signature is too strict or wrong, collect the front-end packet capture (client <-> FWB VIP IP), the debug output (using the same commands mentioned earlier) and the attack logs, and contact support to verify.

Refer to the following article to collect the debug output and packet captures.

https://community.fortinet.com/t5/FortiWeb/Technical-Tip-Collecting-debug-flow-output-for-troublesho...