Hi,
After upgrading to FortiOS 7.2.8 we are having some issues with the WAF filter on some of our services. It seems that the filter in this version is set up more strictly, or that the exceptions we built in the past based on event IDs are being ignored.
I noticed that when an event has been blocked no Event ID is showing up. On previous versions I could use the event ID to create an exception but now I can't. Any ideas?
Thank you in advance.
Hi @0xNat
Probably a display bug.
In order to confirm it, please try with the CLI:
config waf profile
    edit <name>
        config constraint
            config exception
                edit <id>
For the event ID, if it is not displayed in the GUI you may double-click on it, or you may find it with CLI logs:
execute log filter category
12: utm-waf <-- select this one
Hope it helps.
Created on 04-17-2024 03:15 AM Edited on 04-17-2024 03:18 AM
Thank you for your advice.
Probably a display bug.
In order to confirm it, please try with the CLI:
config waf profile
    edit <name>
        config constraint
            config exception
                edit <id>
I don't have a 'config exception' option under 'config constraint'.
config constraint
    config header-length
        set status enable
        set length 16384
        set action block
        set log enable
        set severity medium
    end
    config content-length
        set status enable
        set length 67108864
        set action block
        set log enable
        set severity medium
    end
    config param-length
        set status enable
        set length 65536
        set action block
        set log enable
        set severity medium
    end
    config line-length
        set status enable
        set length 1024
        set action allow
        set log enable
        set severity medium
    end
    config url-param-length
        set status enable
        set length 32768
        set action block
        set log enable
        set severity medium
    end
    config version
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config method
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config hostname
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config malformed
        set status enable
        set action block
        set log enable
        set severity medium
    end
    config max-cookie
        set status enable
        set max-cookie 48
        set action block
        set log enable
        set severity medium
    end
    config max-header-line
        set status enable
        set max-header-line 32
        set action allow
        set log enable
        set severity medium
    end
    config max-url-param
        set status enable
        set max-url-param 48
        set action block
        set log enable
        set severity medium
    end
    config max-range-segment
        set status enable
        set max-range-segment 10
        set action block
        set log enable
        set severity medium
    end
end
For the event ID, if it is not displayed in the GUI you may double-click on it, or you may find it with CLI logs:
execute log filter category
12: utm-waf <-- select this one
Double-clicking doesn't show any event ID and the FortiAnalyzer doesn't show it either.
CLI logging shows only logs from the last hour, by the way. Do you know how I could configure it to show the last 24 hours? I couldn't find any docs about that.
I have this feature in my FOS 6.2.16 and it seems to exist in 7.2.8 as well.
https://docs.fortinet.com/document/fortigate/7.2.8/cli-reference/495620/config-waf-profile
I didn't add such exceptions before, but according to the man page it doesn't seem to have event-id as a parameter, only other fields like pattern and address.
For the log entries you can try with this:
execute log filter start-line
execute log filter view-lines
Thank you again.
I have configured exceptions before based on event IDs.
config waf profile
    edit <profile name>
        config signature
            set disabled-signature <event ID>
        end
    next
end
But I do need an event ID :D
For the log entries you can try with this:
execute log filter start-line
execute log filter view-lines
When I try to generate logs in the CLI it goes like this:
# execute log filter reset
# execute log filter device 1
# execute log filter category 12
# execute log filter field srcip <IP address>
# execute log filter field date 2024/04/16-2024/04/17
# execute log display
0 logs found from 2024-04-17 20:35:48 to 2024-04-17 21:35:48.
0 logs returned.
Even though I specify today as my date it seems that the log settings are set to an hour. In the GUI I can select 24 hours or even 7 days, but I don't find a way to select that option in the CLI.
set disabled-signature <signature-id>, not <event-id>.
FW01 (signature) # set disabled-signature
id Signature ID.
10000001 signature
10000002 signature
10000003 signature
10000004 signature
10000005 signature
10000006 signature
10000007 signature
10000008 signature
10000009 signature
10000010 signature
...
Thank you again for taking the time to think about this problem. There isn't any signature ID in the logging though. And before the upgrade I always used the event ID to build an exception into the WAF filter, and it worked perfectly.
I have been able to reproduce the problem. The eventid field is indeed not there when the WAF filter blocks the web page. Strangely enough, I see other records with a block action that do have an event ID, so it seems to happen only when this type of alert pops up: malformed URL. Really annoying.
Example of log record with event ID:
5:
date=2024-04-18
time=21:41:16
id=XXXXXX
itime="2024-04-18 21:39:56"
euid=3
epid=101
dsteuid=3
dstepid=5462
logver=702081639
sfsid=XXXXXX
type="utm"
subtype="waf"
level="warning"
action="passthrough"
sessionid=95558186
policyid=123
srcip=XXX.XXX.XXX.XXX
dstip=XXX.XXX.XXX.XXX
srcport=123
dstport=124
proto=6
logid=1200030249
service="HTTP"
eventtime=1713469275980698908
eventid=80080001
severity="low"
direction="response"
srcintfrole="out"
dstintfrole="in"
eventtype="waf-signature"
srcintf="Out"
dstintf="In"
profile="My profile"
url="URL"
agent="-"
msg="Information Disclosure"
tz="+0200"
srcuuid="xxx"
dstuuid="xxx"
policytype="policy"
srccountry="France"
dstcountry="Reserved"
poluuid="xxx"
httpmethod="GET"
devid="123"
vd="vd"
csf="SRC"
dtime="2024-04-18 21:41:16"
itime_t=1713469196
devname="SRC"
srcuuid_name=all
dstuuid_name="NAT"
Example of log record without event ID:
4:
date=2024-04-18
time=21:43:39
id=XXX
itime="2024-04-18 21:42:19"
euid=3
epid=101
dsteuid=3
dstepid=1819
logver=702081639
sfsid=XXX
type="utm"
subtype="waf"
level="warning"
action="blocked"
sessionid=123
policyid=71134
srcip=XXX.XXX.XXX.XXX
dstip=XXX.XXX.XXX.XXX
srcport=123
dstport=443
proto=6
logid=1203030257
service="HTTPS"
eventtime=1713469419347962390
severity="medium"
direction="request"
srcintfrole="Out"
dstintfrole="In"
eventtype="waf-http-constraint"
srcintf="Out"
dstintf="In"
profile="MYp"
url="URL"
constraint="malform-req"
agent="-"
tz="+0200"
srcuuid="xxx"
dstuuid="xxx"
policytype="policy"
srccountry="France"
dstcountry="Reserved"
poluuid="xxx"
httpmethod="GET"
devid="xxx"
vd="vd"
csf="xxx"
dtime="2024-04-18 21:43:39"
itime_t=1713469339
devname="xxx"
srcuuid_name=all
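The two records above differ in one field that matters for building exceptions: the waf-signature record carries an eventid, the waf-http-constraint record carries a constraint name instead. The following triage script is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value log lines and reports, per eventtype, how many WAF records have an eventid to whitelist and which constraint the others hit. The sample lines are constructed from the fields quoted in the thread; the hint text reflects the CLI paths discussed above and is not an official mapping.

```python
import re
from collections import defaultdict

# Constructed sample lines, condensed from the two records quoted in the thread.
SAMPLE_LOGS = [
    'date=2024-04-18 time=21:41:16 type="utm" subtype="waf" level="warning" '
    'action="passthrough" logid=1200030249 eventid=80080001 severity="low" '
    'eventtype="waf-signature" profile="My profile" msg="Information Disclosure"',
    'date=2024-04-18 time=21:43:39 type="utm" subtype="waf" level="warning" '
    'action="blocked" logid=1203030257 severity="medium" '
    'eventtype="waf-http-constraint" profile="MYp" constraint="malform-req"',
]

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def exception_hint(rec):
    """Name the WAF profile knob that can whitelist this record (assumed mapping)."""
    etype = rec.get("eventtype")
    if etype == "waf-signature" and "eventid" in rec:
        # eventid doubles as the signature ID that disabled-signature accepts.
        return f"config signature -> set disabled-signature {rec['eventid']}"
    if etype == "waf-http-constraint":
        # No eventid at all: only the per-constraint action can be relaxed.
        return f"config constraint -> entry for constraint '{rec.get('constraint', '?')}' -> set action"
    return "no exception field available"


def triage(lines):
    """Count WAF records with/without eventid per eventtype and collect hints."""
    summary = defaultdict(lambda: {"with_eventid": 0, "without_eventid": 0, "hints": set()})
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "waf":
            continue  # not a WAF record; ignore
        bucket = summary[rec.get("eventtype", "unknown")]
        bucket["with_eventid" if "eventid" in rec else "without_eventid"] += 1
        bucket["hints"].add(exception_hint(rec))
    return {k: {**v, "hints": sorted(v["hints"])} for k, v in summary.items()}


if __name__ == "__main__":
    for etype, info in triage(SAMPLE_LOGS).items():
        print(etype, info)
```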
I ended up making a new profile but without blocking the constraint for malformed requests. That works. It is too bad that, because of a false positive, you have to avoid the constraint entirely, but well ...