Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

FortiWeb denies some uploaded files

Hi WAF admins

Sometimes my FortiWeb denies some uploaded files, just like pdf or png, and it logs an attack of type "generic attack" or "known exploit". The detected pattern can be something like this:

${�ǕN�������$�

Or something like that:

_/

I wonder if this is a real attack or just a false positive, since the signature is inside an uploaded file, while the string ${... looks like a kind of injection, and I think it should be blocked when it is in a form or in URL, not when it is in an uploaded binary data file.

Or maybe I'm misunderstanding something in WAF?

AEK
AEK
10 REPLIES 10
Jean-Philippe_P
Moderator
Moderator

Hello dear Abdelkrim, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
AEK

Thanks for your support, Philippe.

AEK
AEK
Jean-Philippe_P
Moderator
Moderator

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
Pedro_FTNT
Staff
Staff

Hi, do you have the logs ? Its possible reproduce ?? we need to take some captures also I could ask to dev team with information taken :)

Pedro Ortiz Guzman
AEK

Hi Pedro

Thanks for your response.

Yes the issue is always reproducible, is the same almost anytime I upload a file.

I'll try to share the related logs soon.

AEK
AEK
Pedro_FTNT

Hi, thanks, we could do a remote session to reproduce the issue and take, debugs, logs... :)

Pedro Ortiz Guzman
AEK

Hi Pedro

It's customer's FortiWeb but I'll schedule the session if possible and let you know. But meanwhile I'll share the logs you requested above.

Thanks a lot for your support, Pedro.

AEK
AEK
AEK
SuperUser
SuperUser

Hi Pedro

I could reproduce the same in my lab.

Here are some relevant screenshots. As mentioned it happens when I want to upload a file that contains a known attack signature.

Maybe it is worth mentioning that the protected server is Zimbra webmail.

 

fp1.pngfp2.pngfp3.png

AEK
AEK
skynode
New Contributor

FortiWeb might be flagging some uploaded files, like PDFs or PNGs, as potential threats due to patterns it detects, such as ${..., which resemble injection attempts. This could be a false positive, where the WAF interprets benign content in the file as an attack because it matches known signatures. To resolve this, review the file contents and the WAF's signature settings. If the files are safe, you can adjust the WAF to reduce false positives by fine-tuning the detection rules or excluding specific file types from scrutiny. This would help ensure that the WAF only blocks genuine threats while allowing legitimate files through.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors