In Attack logs, it is possible to check blocked traffic related with FortiWeb signature 060050014, which show a message like this: 'Cookie(_clck) triggered signature ID 060050014 of Signatures policy...', and match with patterns like '|ftp', ';ftp' or other ftp-related:

This situation is related with cookies _clck and _clsk. Checking the Cookies details in the Attack logs, _clck and _clsk cookies contain 'ftp' pattern:

Description about signature ID 060050014 is: 'This signature prevents attackers from performing Command injection attacks using 'ftp' command. This attack can be achieved in HTTP request URL and arguments.' Based on this, any cookies, such as _clck or _clsk, that include '|ftp', ';ftp', or other ftp-related payloads may trigger this signature.

Cookies _clck and _clsk are associated with Microsoft Clarity. Microsoft Clarity requires setting cookies on visitors' browsers; these cookies are placed by the setup script installed to run Clarity. When installed, Clarity's cookies send non-personally identifiable information about users; this suggests that Microsoft Clarity may be active on the website and could be triggering certain security rules, depending on how it is used.

To solve this, take the following steps:

• On the FortiWeb configuration: Disable or add an exception for signature 060050014 if to allow these cookie values is required.
• On the web server configuration: Check the website settings to determine who is setting the cookies and why. For example, some cookie values ​​automatically generated by Microsoft promotions sites (specifically for Microsoft Clarity and Microsoft Ads tracking) could contain '|ftp' along with random numbers. This may trigger signature 060050014.

Related notes:

• Information about Microsoft Clarity cookies 
• How to add an exception in a Signature in FortiWeb