0xNat
New Contributor II

FortiOS 7.2.8 WAF Event ID not showing when blocked

Hi,

After upgrading to FortiOS 7.2.8 we are having some issues with the WAF filter on some of our services. It seems that the filter in this version is set up harder, or that the exceptions we built in the past based on event IDs are being ignored.

I noticed that when an event has been blocked no Event ID is showing up. On previous versions I could use the event ID to create an exception but now I can't. Any ideas?

Thank you in advance.

1 Solution
0xNat
New Contributor II

I ended up making a new profile but without blocking the constraint for malformed requests. That works. It is too bad that because of a false positive you have to avoid the constraint entirely but well ...

AEK
SuperUser

Hi @0xNat 

Probably a display bug.

In order to confirm it, please try with the CLI.

config waf profile
edit <name>
config constraint
config exception
edit <id>

For the event ID, if it is not displayed in the GUI you may double-click on it, or you may find it in the CLI logs:

execute log filter category
12: utm-waf <-- select this one

Hope it helps.

AEK
0xNat
New Contributor II

Thank you for your advice.

Probably a display bug.

In order to confirm it, please try with the CLI.

config waf profile
edit <name>
config constraint
config exception
edit <id>

I don't have a 'config exception' option under 'config constraint'.

        config constraint
            config header-length
                set status enable
                set length 16384
                set action block
                set log enable
                set severity medium
            end
            config content-length
                set status enable
                set length 67108864
                set action block
                set log enable
                set severity medium
            end
            config param-length
                set status enable
                set length 65536
                set action block
                set log enable
                set severity medium
            end
            config line-length
                set status enable
                set length 1024
                set action allow
                set log enable
                set severity medium
            end
            config url-param-length
                set status enable
                set length 32768
                set action block
                set log enable
                set severity medium
            end
            config version
                set status enable
                set action block
                set log enable
                set severity medium
            end
            config method
                set status enable
                set action block
                set log enable
                set severity medium
            end
            config hostname
                set status enable
                set action block
                set log enable
                set severity medium
            end
            config malformed
                set status enable
                set action block
                set log enable
                set severity medium
            end
            config max-cookie
                set status enable
                set max-cookie 48
                set action block
                set log enable
                set severity medium
            end
            config max-header-line
                set status enable
                set max-header-line 32
                set action allow
                set log enable
                set severity medium
            end
            config max-url-param
                set status enable
                set max-url-param 48
                set action block
                set log enable
                set severity medium
            end
            config max-range-segment
                set status enable
                set max-range-segment 10
                set action block
                set log enable
                set severity medium
            end
        end

For the event ID, if it is not displayed in the GUI you may double-click on it, or you may find it in the CLI logs:

execute log filter category
12: utm-waf <-- select this one

Double-clicking doesn't show any event ID and the FortiAnalyzer doesn't show it either.

Attachments: eventid.png, no_eventid.png

CLI logging shows only logs from the last hour, by the way. Do you know how I could configure it to show the last 24 hours? I couldn't find any docs about that.

AEK

I have this feature in my FOS 6.2.16 and it seems to exist in 7.2.8 as well.

https://docs.fortinet.com/document/fortigate/7.2.8/cli-reference/495620/config-waf-profile

I didn't add such exceptions before, but according to the man page it doesn't seem to have event-id as a parameter, but other fields like pattern and address.

For the log entries you can try with this:

execute log filter start-line 
execute log filter view-lines

AEK
0xNat
New Contributor II

Thank you again.

I have configured exceptions before based on event IDs.

config waf profile
	edit <profile name>
		config signature
			set disabled-signature <event ID>
		end
	next
end

But I do need an event ID :D

For the log entries you can try with this:

execute log filter start-line 
execute log filter view-lines

When I try to generate logs in the CLI it goes like this:

# execute log filter reset
# execute log filter device 1
# execute log filter category 12
# execute log filter field srcip <IP address>
# execute log filter field date 2024/04/16-2024/04/17
# execute log display
0 logs found from 2024-04-17 20:35:48 to 2024-04-17 21:35:48.
0 logs returned.

Even though I specify today as my date, it seems that the log settings are set to an hour. In the GUI I can select 24 hours or even 7 days, but I don't find a way to select that option in the CLI.

AEK

set disabled-signature <signature-id>, not <event-id>.

FW01 (signature) # set disabled-signature 
id Signature ID.
10000001 signature
10000002 signature
10000003 signature
10000004 signature
10000005 signature
10000006 signature
10000007 signature
10000008 signature
10000009 signature
10000010 signature
...

AEK
0xNat
New Contributor II

Thank you again for taking the time to think about this problem. There isn't any signature ID in the logging though. And before the upgrade I always used the event ID to build an exception into the WAF filter, and it worked perfectly.

I have been able to reproduce the problem. The eventid field is indeed not there when the WAF filter blocks the web page. Strangely enough, I see other records with a block action that do have an event ID, so it seems to happen only when this type of alert pops up: malformed URL. Really annoying.

Example of log record with event ID:

5:
date=2024-04-18
time=21:41:16
id=XXXXXX
itime="2024-04-18 21:39:56"
euid=3
epid=101
dsteuid=3
dstepid=5462
logver=702081639
sfsid=XXXXXX
type="utm"
subtype="waf"
level="warning"
action="passthrough"
sessionid=95558186
policyid=123
srcip=XXX.XXX.XXX.XXX
dstip=XXX.XXX.XXX.XXX
srcport=123
dstport=124
proto=6
logid=1200030249
service="HTTP"
eventtime=1713469275980698908
eventid=80080001
severity="low"
direction="response"
srcintfrole="out"
dstintfrole="in"
eventtype="waf-signature"
srcintf="Out"
dstintf="In"
profile="My profile"
url="URL"
agent="-"
msg="Information Disclosure"
tz="+0200"
srcuuid="xxx"
dstuuid="xxx"
policytype="policy"
srccountry="France"
dstcountry="Reserved"
poluuid="xxx"
httpmethod="GET"
devid="123"
vd="vd"
csf="SRC"
dtime="2024-04-18 21:41:16"
itime_t=1713469196
devname="SRC"
srcuuid_name=all
dstuuid_name="NAT"

Example of log record without event ID:

4:
date=2024-04-18
time=21:43:39
id=XXX
itime="2024-04-18 21:42:19"
euid=3
epid=101
dsteuid=3
dstepid=1819
logver=702081639
sfsid=XXX
type="utm"
subtype="waf"
level="warning"
action="blocked"
sessionid=123
policyid=71134
srcip=XXX.XXX.XXX.XXX
dstip=XXX.XXX.XXX.XXX
srcport=123
dstport=443
proto=6
logid=1203030257
service="HTTPS"
eventtime=1713469419347962390
severity="medium"
direction="request"
srcintfrole="Out"
dstintfrole="In"
eventtype="waf-http-constraint"
srcintf="Out"
dstintf="In"
profile="MYp"
url="URL"
constraint="malform-req"
agent="-"
tz="+0200"
srcuuid="xxx"
dstuuid="xxx"
policytype="policy"
srccountry="France"
dstcountry="Reserved"
poluuid="xxx"
httpmethod="GET"
devid="xxx"
vd="vd"
csf="xxx"
dtime="2024-04-18 21:43:39"
itime_t=1713469339
devname="xxx"
srcuuid_name=all
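To make the difference between the two records above mechanical, here is an added example (not from the thread and not Fortinet's code): a small Python parser for FortiOS key=value log lines that flags blocked WAF records carrying no eventid field and reports the constraint that fired instead, which is the field you have to tune when no signature exception is possible. The two sample records are constructed from the fields shown above, with values anonymised.

```python
import re
from typing import Dict, List

# Constructed sample records modelled on the two records in this thread
# (values anonymised). Record 1 is a WAF signature hit, which carries an
# eventid; record 2 is an HTTP-constraint block, which does not.
SAMPLE_LOGS = [
    'date=2024-04-18 time=21:41:16 type="utm" subtype="waf" level="warning" '
    'action="passthrough" logid=1200030249 eventid=80080001 severity="low" '
    'eventtype="waf-signature" profile="My profile" msg="Information Disclosure"',
    'date=2024-04-18 time=21:43:39 type="utm" subtype="waf" level="warning" '
    'action="blocked" logid=1203030257 severity="medium" '
    'eventtype="waf-http-constraint" profile="MYp" constraint="malform-req"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    record = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record

def waf_blocks_without_eventid(lines: List[str]) -> List[Dict[str, str]]:
    """Return WAF records with action=blocked that carry no eventid field.

    No eventid means a 'disabled-signature' exception cannot reference the
    hit; the summary keeps the constraint name so that can be tuned instead.
    """
    out = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("subtype") != "waf" or rec.get("action") != "blocked":
            continue
        if "eventid" in rec:
            continue
        out.append({
            "time": f'{rec.get("date", "?")} {rec.get("time", "?")}',
            "eventtype": rec.get("eventtype", "?"),
            "constraint": rec.get("constraint", "-"),
            "profile": rec.get("profile", "?"),
            "logid": rec.get("logid", "?"),
        })
    return out
```

Feed it the output of `execute log display` (one record per line) to list every constraint block that has no event ID before deciding which constraint to relax.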
