Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JMATAS
New Contributor

FORTIWEB

 

Good afternoon.

I've been having this problem for a while and I can't find a solution. If you can give me a hand I appreciate it.

We have some applications configured in Pass mode in URL Access Rule, like: /application/*

This means that no alerts are left in the log if a signature is included.

Ask:
Can the waf be configured in some way, so that it lets the urls through, but that the alerts that would block the application appeared?
There is no "Alert" option, which would solve the problem, in the actions of the Action of:Restricting access to specific URLs

Thank you
 



Restricting access to specific URLs





3 REPLIES 3
gfleming
Staff
Staff

Slightly confused. You want to pass traffic through to a URL but alert on something? What are you wanting to alert on?

Cheers,
Graham
JMATAS

Thank you very much for answering my question. I will try to explain myself better.
We have url access policy with several url access rules. In with the "Action" Pass and others in "Alert& Deny" and in them we have Url Access Condition, which allude to a URL Pattern.
If a rule is in Pass, the url that is not protected does not give us information about what would be blocked in the Log&Report\Attacks
If the rule is set to Alert&Deny, the WAF denies communications according to its policies and the alert appears in the Log&Report, but it denies us the connection.
We need the communication of those URLs configured in the URL Access Policy to go through the WAF, that they are not denied, but that their vulnerabilities or the attack that the WAF would have denied appear in the Log&Report\Attacks.
We have tried putting the "continue" option, but it denies communications when a policy detects it.
We also don't want to create a policy in “monitor” mode, so that it gives it to us.
A greeting and thank you very much again

shafiq23

Hello,

 

I believe action that you are looking for is 'Continue' however you mentioned that it is still getting denied with that action. Please look into respective attack log on which web protection profile was blocking the connection. In this way, you could fine tune the related profile action to 'Alert'. Please refer Fortiweb sequence of scans for more information;

 

https://docs.fortinet.com/document/fortiweb/7.2.1/administration-guide/234292/sequence-of-scans

 

Regards

Top Kudoed Authors