Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
eksjonathan
New Contributor

Whitelisting source IPS from Web Application Firewall profiles

Hello,

 

During web application vulnerability testing, including PCI DSS scans, it is necessary to disable the WAF (or whitelist the sources) in order for the test to proceed without interference. This is industry standard practice, and is also a requirement of the PCI DSS specification (section 5.6 on “scan interference”).

 

The Fortigate firewall does not provide a method to whitelist the scanner’s IP address(es) meaning any tests could be considered invalid or fail to find relevant vulnerabilities.

 

How have others got around this issue?  I could create twice the rules, with one restricted to the tester's IP, but that will become unmanageable very quickly.  Alternatively I could disable the WAF profile during the tests, but that would weaken security.

 

I've requested this as a new feature with Fortinet, although I'd be surprised if it was progressed (2 others haven't been).

 

Any tips would be appreciated,

 

Jonathan

2 REPLIES 2
eksjonathan
New Contributor

Hello,

 

Seems support misunderstood my message and you can whitelist sources:

 

# config waf profile (profile) # edit test <<< instead of test place the profile name new entry 'test' added (test) # config address-list (address-list) # set status enable (address-list) # set trusted-address TrustedSrc1 <<<< Replace TrustedSrc1 with an address object (address-list) # end (test) # end

pal_FTNT
Staff
Staff

Hi, 

Unfortunately web application firewall is separate feature from IPS and is handled by a different team. The best thing you can do right now is to push your account manager or the TAC member who is handling your case for an update.