FortiWeb
gsharma
Staff
Article Id 368868
Description This article describes how traffic whose HTTP User-Agent header identifies as 'ZmEu' (shown as http_agent="ZmEu" in FortiWeb traffic logs) can be blocked.
Scope FortiWeb.
Solution

FortiWeb can be used to block traffic that arrives with http_agent="ZmEu". ZmEu is the User-Agent string of a widely seen automated scanner that probes web servers for phpMyAdmin and similar applications, so blocking it on the User-Agent header is a cheap way to drop that noise before it reaches the back-end servers.

This can be achieved with a Custom Policy. The steps are:

  1. Navigate to Web Protection -> Advanced Protection -> Custom Policy -> Custom Rule -> Create New, give the rule a name and select OK.

     (Screenshot: custompolicy.JPG)

  2. After the rule is created, add a Filter: below the rule select Add Filter -> HTTP Header -> OK.
  3. In the HTTP Header dialog, set Header Field to 'Predefined Header name' and Header Name to 'User-Agent'.
  4. Set Header Value Type to Regular Expression.
  5. In Header Value, enter '^ZmEu' and select OK. This can be adjusted to the http_agent value seen in the traffic logs; note that the leading '^' anchors the match to the start of the header, so a User-Agent that only contains 'ZmEu' later in the string is not matched by this pattern.

     (Screenshot: ZmEu.JPG)

  6. Once the rule is created, create a Custom Policy and reference the rule in that policy.

     (Screenshot: policy.JPG)

 

Once this is set up, reference the Custom Policy in the required web protection profile under Policy -> Web Protection Profile -> Custom Policy, and select OK. The rule only takes effect for traffic handled by a server policy that uses this web protection profile.

 

From the CLI:

config waf custom-access rule
    edit "ZmEuagent"
        set action alert_deny
        config source-ip-filter
        end
        config geo-filter
        end
        config time-range-filter
        end
        config method
        end
        config url-filter
        end
        config http-header-filter
            edit 1
                set predefined-header user-agent
                set header-value ^ZmEu
            next
        end
    next
end

 

Then reference the custom access rule from a custom access policy using the CLI:

 

config waf custom-access policy
    edit "ZmEuagentpol"
        config rule
            edit 1
                set rule-name ZmEuagent
            next
        end
    next
end
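The header filter above is a regular expression evaluated against the User-Agent value, so the exact pattern decides what gets blocked. The following Python script is an added example, not part of this article or of FortiWeb; it emulates that match over a few constructed FortiWeb-style traffic log lines (the log lines and the broader case-insensitive pattern BROAD_PATTERN are assumptions made for illustration) to show what the article's '^ZmEu' catches and what it misses, which is the adjustment the note below refers to.

```python
import re

# Pattern used in the article: anchored to the start of the User-Agent value.
ARTICLE_PATTERN = r"^ZmEu"

# Broader variant (assumption for illustration, not taken from the article):
# matches 'ZmEu' anywhere in the header, ignoring case.
BROAD_PATTERN = r"(?i)ZmEu"

# Constructed sample of FortiWeb-style traffic log fields; these are not real logs.
SAMPLE_LOG_LINES = [
    'date=2024-01-01 time=10:00:00 src=203.0.113.10 http_agent="ZmEu" http_url="/phpmyadmin/"',
    'date=2024-01-01 time=10:00:01 src=203.0.113.11 http_agent="Mozilla/5.0 (compatible; ZmEu)" http_url="/pma/"',
    'date=2024-01-01 time=10:00:02 src=203.0.113.12 http_agent="zmeu" http_url="/phpMyAdmin/"',
    'date=2024-01-01 time=10:00:03 src=198.51.100.5 http_agent="Mozilla/5.0 (Windows NT 10.0) Firefox/120.0" http_url="/"',
]

# Pulls the quoted http_agent value out of one key=value log line.
_AGENT_RE = re.compile(r'http_agent="([^"]*)"')


def extract_user_agent(log_line):
    """Return the http_agent value from a log line, or None if absent."""
    m = _AGENT_RE.search(log_line)
    return m.group(1) if m else None


def header_matches(user_agent, pattern):
    """Emulate a 'Regular Expression' header-value filter: the pattern may
    match anywhere in the header unless it is anchored with ^ or $."""
    return re.search(pattern, user_agent) is not None


def blocked_agents(log_lines, pattern=ARTICLE_PATTERN):
    """Return the User-Agent values that the given pattern would block."""
    hits = []
    for line in log_lines:
        ua = extract_user_agent(line)
        if ua is not None and header_matches(ua, pattern):
            hits.append(ua)
    return hits


if __name__ == "__main__":
    for name, pattern in (("article", ARTICLE_PATTERN), ("broad", BROAD_PATTERN)):
        print(f"{name} pattern {pattern!r} blocks: {blocked_agents(SAMPLE_LOG_LINES, pattern)}")
```

With the article's pattern only the first line is blocked; the agent that embeds ZmEu inside a browser-like string and the lower-case variant pass through, whereas the broader pattern catches all three without touching the ordinary Firefox request. Whether that wider net is appropriate depends on the http_agent values actually observed in the traffic logs, which is why the note below says the regex may need adjusting.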


Note:

To verify the rule, send a request carrying the offending header from a test client, for example curl -A "ZmEu" https://<protected-host>/, and confirm that the custom rule hit appears in the attack log. If the issue is not resolved, reach out to the Support helpline with the relevant configuration and logs. The regex used above may need to be adjusted to match the exact http_agent value observed in the traffic logs.

Related document:
Custom Policy