nobox
New Contributor III

Custom FortiGate WAF signature act as an exception list - doesn't work

Hi, I'm trying to use custom WAF signatures to implement exceptions as described on the page: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-create-a-custom-FortiGate-WAF-Web/t...


Unfortunately, this method doesn't work for me. Yes, the custom rule does work: the logs show that the URL was detected and allowed, but right after this entry the next entry shows that the same URL was blocked by the WAF rule.

The config looks pretty simple:

config waf profile
    edit "xxxx"
        config custom-signature
            edit "allow_search"
                set status enable
                set log enable
                set pattern "search.php"
                set target req-uri
            next
...
I want to exclude the "search.php" page from WAF protection (always allowed).
The page is blocked despite the existence of this exception. Log:
First, there is an entry about the page being blocked:
2025/01/31 10:26:26, blocked, SQL Injection (Extended), 40000137, waf-signature
and then:
2025/01/31 10:26:26, passthrough, , , waf-custom-signature
In both cases, the same URL containing "search.php".

Does anyone use these exceptions and does it work for anyone?

Or maybe someone knows how to do it differently?

 

Fortigate 70F, 7.4.7

3 REPLIES
vifi
Staff

Hi,

You can disable this signature in the WAF profile.
config waf profile
    edit "Profile_name"
        config signature
            set disabled-signature 40000137
        end
    next
end





nobox
New Contributor III

Hi, thanks for your answer.
That's the whole problem: I don't want to disable this signature for other sites, and at the same time on this specific site it can cause it to be blocked (for some queries).

nobox

Hi, thanks for your reply.
The default action for such a signature is "allow" (set action allow)
You are right that it is probably about the priorities of these signatures, but a custom signature should have a higher priority than the built-in one.
I do not know how to change the priority of these signatures. I am not sure if there is such an option in this module in FG.
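
Added example (not part of any post in this thread, and not Fortinet code): a Python sketch that scans log lines in the five-field layout quoted in the question and lists which built-in signature IDs blocked a request in the same second that the custom signature logged passthrough. The first two sample lines are from the question and the other two are constructed; matching entries by timestamp alone is an assumption, because the quoted lines carry no URL or session field.

```python
from collections import Counter, defaultdict

# Layout assumed from the question: time, action, signature name, id, subtype.
# Lines 1-2 are quoted from the question; lines 3-4 are constructed samples.
SAMPLE_LOG = """\
2025/01/31 10:26:26, blocked, SQL Injection (Extended), 40000137, waf-signature
2025/01/31 10:26:26, passthrough, , , waf-custom-signature
2025/01/31 10:27:02, passthrough, , , waf-custom-signature
2025/01/31 10:28:40, blocked, SQL Injection (Extended), 40000137, waf-signature
"""


def parse_line(line):
    """Split one log line; return None if it does not have at least five fields."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 5:
        return None
    return {
        "time": parts[0],
        "action": parts[1],
        # A signature name may itself contain commas, so rejoin the middle.
        "name": ", ".join(parts[2:-2]),
        "sig_id": parts[-2],
        "subtype": parts[-1],
    }


def find_overridden_exceptions(log_text):
    """Count built-in signatures that blocked alongside a custom passthrough."""
    by_time = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_time[entry["time"]].append(entry)

    conflicts = Counter()
    for entries in by_time.values():
        # Only timestamps where the custom (exception) signature matched.
        if not any(e["subtype"] == "waf-custom-signature"
                   and e["action"] == "passthrough" for e in entries):
            continue
        for e in entries:
            if e["subtype"] == "waf-signature" and e["action"] == "blocked":
                conflicts[(e["sig_id"], e["name"])] += 1
    return dict(conflicts)


if __name__ == "__main__":
    for (sig_id, name), n in find_overridden_exceptions(SAMPLE_LOG).items():
        print(f"{sig_id} {name}: blocked {n} request(s) the custom signature matched")
```

The result is the set of built-in signature IDs that still block requests the exception matched, which is the list to review against the `disabled-signature` suggestion in the staff reply.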
