Hi all,
I'm not familiar with WAF profiles and I'm not a web server expert. I have a FortiGate 600E with 7.2.4 firmware and I would like to apply a generic WAF profile to protect my web servers, like I protect them using IPS sensors. I know that the WAF UTM included in the FortiGate is very basic.
I have observed that WAF profiles have two sections: Signatures and Constraints. I had thought to use the default WAF profile, blocking all severity "High" signatures. My doubt is about the constraints. I've observed that all of them have the monitor action, and three of them, with blocking action, are disabled (Illegal HTTP version) (Illegal HTTP request method).
Why are all the constraints in monitor action? Do you think it is a good idea to use the WAF default profile blocking all "High" signatures, just to give higher security to my web servers?
Thanks for your help.
Hello fortimaster,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi,
I found this document concerning WAF:
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortiweb-cloud.pdf
Did you already have a look into it?
Regards,
The signatures section contains rules that match specific patterns or behaviors commonly associated with web application attacks. Blocking severity "High" signatures is a good starting point for enhanced security. However, it's crucial to regularly update the signature database to stay protected against emerging threats.
Thanks for your help. It was very useful.
I have learned that if you want to log blocked signatures, you need to enable logging using the CLI. Now I have problems because the WAF blocks some "normal" traffic with a "Known Exploits" signature... I will try to make some exceptions, or I will create more specific profiles.
Thanks for your help.
Hi fortimaster!
It's great that you're looking to secure your web servers with a WAF profile on your Fortigate device. Regarding the constraints, the reason many of them are set to 'monitor' action by default is that they can sometimes block legitimate traffic if not configured correctly. The goal is to detect potential issues first before blocking them outright, which is safer when you're not fully familiar with WAF configurations.
As for blocking 'high' severity signatures, it can provide an extra layer of security, but it’s important to test thoroughly before applying it to a live environment. Blocking high-severity signatures might inadvertently block some legitimate traffic or cause false positives. You can start by monitoring traffic first to see if there are any issues before enforcing stricter blocking.
If you're new to WAF profiles, I’d recommend starting with the default profile and gradually fine-tuning it, reviewing the logs and adjusting based on the behavior you observe. This way, you can balance security and functionality without causing disruptions.
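The CLI work the thread describes (turning on logging for blocked signatures, keeping the constraints in monitor before enforcing them, and excluding a false-positive "Known Exploits" hit) written out as one FortiOS 7.2 configuration fragment. This is an added example, not code from any post above or from Fortinet. The profile name, the main-class ID, the disabled signature ID, the address object and the firewall policy ID are placeholders I have assumed; take the real IDs from `show waf profile default` on your unit and from the WAF log entry of the request that was wrongly blocked. The `#` lines are explanatory comments.

```fortios
# Added example: a copy of the default profile, tightened step by step.
config waf profile
    edit "web-servers"
        config signature
            config main-class
                # Placeholder ID for the "Known Exploits" main class; read the
                # real one from "show waf profile default".
                edit 80000000
                    set status enable
                    set action block
                    # Blocked signatures are not logged until this is enabled.
                    set log enable
                    set severity high
                next
            end
            # Placeholder: the signature ID shown in the log entry for the
            # legitimate request that was blocked. Disabling that single
            # signature is narrower than disabling the whole main class.
            set disabled-signature 80000123
        end
        config constraint
            # Start each constraint as monitor (allow + log), watch the logs,
            # then switch "set action allow" to "set action block" per
            # constraint once it is clear it does not hit real traffic.
            config version
                set status enable
                set action allow
                set log enable
                set severity high
            end
            config method
                set status enable
                set action allow
                set log enable
                set severity high
            end
        end
        # Constraint exception for a known source (placeholder address object
        # and path): the version and method checks are skipped for requests
        # from that address to that path.
        config exception
            edit 1
                set address "internal-monitoring"
                set pattern "/healthz"
                set regex disable
                set version enable
                set method enable
            next
        end
    next
end

# Bind the profile to the policy that publishes the web servers (placeholder
# policy ID). The FortiGate WAF only runs in proxy inspection mode, and it can
# only inspect HTTPS when the policy also performs deep (full SSL) inspection.
config firewall policy
    edit 10
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set waf-profile "web-servers"
    next
end
```

Apply it with the constraints still on `set action allow`, let it run for a while, review the WAF log entries, and only then flip the individual constraints (and any further main classes) to `set action block`. Prefer `set disabled-signature` for a single false-positive rule over disabling a whole main class, and re-check the exception list after each signature database update.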
Copyright 2024 Fortinet, Inc. All Rights Reserved.