I have a simple question about a Fortigate VM in cloud.
Iam hosting multiple websites where Fortigate (mini) WAF Features are enabled like XSS, XSS Adv, SQL Injection, SQL Injections Advanced and so on.
The problem is that website editing with "FCK-Editor" in the administrative webgui of the hosted sites triggers XSS basic and extended and also sql injection basic+extended. Since this is the mini waf i cannot finetune the policies.
Can i do some kind of Internet-FSSO where for example a website admin can authenticate before editing a website so that I can create seperate firewall policy for authenticated admins?
All the admins are workgroup Windows Computers not domain joined or something all stand alone computers.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi luky,
Thank you for reaching out. Unfortunately WAF does not have such override feature. You can try setting up a policy with no WAF while the source includes a local user account or user accounts from other authentication servers such as ldap, fsso, raduis,etc and another policy with WAF enabled where NO user account as source and place the WAF policy lower on the list than the one without the WAF. That means if the user is not logging into the authentication server there traffic will have to match the policy with no useraccounts and WAF enabled. While if user login to the authentication server there traffic with match the policy with no WAF. I would recommend as well considering moving away from WAF as it is a limited feature and most if not all its functions are available on other UTMs such as Intrusion Prevention IPS, Application control and Webfiltering.
Thank you,
saleha
One little question to the User part. You mentioned "local user" above. Do you mean a fortigate local user? If yes where can a user authenticate in order for firewall policy to be active?
Yes local user authentication would be on the fortigate itself. You would in this case create the user account locally on the firewall and use that account or group on firewall policy similar to the example on the article link below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084
Thank you,
saleha
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.