I'm not familiar with WAF profiles and I'm not a web server expert. I have a FortiGate 600E with 7.2.4 firmware and I would like to apply a generic WAF profile to protect my web servers, like I protect them using IPS sensors. I know that the WAF UTM included in FortiGate is very basic.
I have observed that WAF profiles have 2 sections: Signatures and Constraints. I had thought to use the default WAF profile, blocking all severity "High" signatures. My doubt is about the constraints. I have observed all of them with monitor action and three of them, with blocking action, disabled (Illegal HTTP version) (Illegal HTTP request method).
Why are all the constraints in monitor action? Do you think it is a good idea to use the default WAF profile blocking all "high signatures" just to give higher security to my web servers?
The signatures section contains rules that match specific patterns or behaviors commonly associated with web application attacks. Blocking severity "High" signatures is a good starting point for enhanced security. However, it's crucial to regularly update the signature database to stay protected against emerging threats.
I have learned that if you want to log blocked signatures, you need to enable logging using the CLI. Now I have problems because the WAF blocks some "normal" traffic with the "known exploits" signature... I will try to make some exceptions or I will create more specific profiles.