luky
New Contributor

Fortigate Webhosting different rules for Website Administrators vs guests

I have a simple question about a FortiGate VM in the cloud.

I am hosting multiple websites where the FortiGate (mini) WAF features are enabled, like XSS, XSS Advanced, SQL Injection, SQL Injection Advanced and so on.

The problem is that website editing with "FCK-Editor" in the administrative web GUI of the hosted sites triggers XSS basic and extended and also SQL injection basic and extended. Since this is the mini WAF, I cannot fine-tune the policies.

Can I do some kind of Internet FSSO where, for example, a website admin can authenticate before editing a website, so that I can create a separate firewall policy for authenticated admins?

All the admins are on workgroup Windows computers, not domain joined or anything; all stand-alone computers.

3 REPLIES
saleha
Staff

Hi luky,

Thank you for reaching out. Unfortunately WAF does not have such an override feature. You can try setting up a policy with no WAF where the source includes a local user account or user accounts from other authentication servers such as LDAP, FSSO, RADIUS, etc., and another policy with WAF enabled where NO user account is the source, and place the WAF policy lower on the list than the one without the WAF. That means if the user is not logging into the authentication server, their traffic will have to match the policy with no user accounts and WAF enabled, while if the user logs in to the authentication server, their traffic will match the policy with no WAF. I would recommend as well considering moving away from WAF, as it is a limited feature and most if not all of its functions are available in other UTM features such as Intrusion Prevention (IPS), Application Control and Web Filtering.

Thank you,

saleha

luky
New Contributor

One little question about the user part. You mentioned "local user" above. Do you mean a FortiGate local user? If yes, where can a user authenticate in order for the firewall policy to be active?

saleha
Staff

Yes, local user authentication would be on the FortiGate itself. You would in this case create the user account locally on the firewall and use that account or group in the firewall policy, similar to the example in the article linked below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084

Thank you,

saleha
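As an added example (not from this thread or from Fortinet's documentation), here is the two-policy layout saleha describes, written as FortiOS CLI with a local user group as the source of the WAF-free policy. The interface names, the VIP object, the account, group and policy IDs, and the profile names are all assumptions for illustration.

```fortios
# Constructed example: replace the interface, VIP, account and profile names with your own.
config user local
    edit "siteadmin1"
        set type password
        set passwd "<set-a-strong-password>"
    next
end
config user group
    edit "site-admins"
        set member "siteadmin1"
    next
end
config firewall policy
    # Policy 10: traffic from an authenticated site administrator, no WAF inspection.
    edit 10
        set name "web-admins-no-waf"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-webserver"
        set groups "site-admins"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status disable
        set logtraffic all
    next
    # Policy 11: everyone else (no user or group as source), WAF profile applied.
    edit 11
        set name "web-guests-waf"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VIP-webserver"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set waf-profile "default"
        set logtraffic all
    next
    # Policies are matched top-down, so the group policy must sit above the WAF policy.
    move 10 before 11
end
```

Two things to verify on your own release before relying on this: the WAF profile only inspects HTTPS content that the SSL/SSH profile actually decrypts, and under `config user setting` the `auth-on-demand` option controls whether the FortiGate prompts a browser for credentials when a lower policy (here 11) would also accept the same traffic.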
