Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JMATAS
New Contributor

Fortiweb:Parameter mensaje in log-attack-attack-view

 

 

We have a block in the Fortiweb Log see 7.25 in the attacks section, which although we put an exception in the signature with Regular Expression, it does not make it exceptional and causes us a "false positive"


The blocking occurs in a "parameter" that the Web does not have and is called "message", in which, if different "parameters" of the web are seen, it is like the "message" parameter is generated by the WAF in the Log and although in the exception of the signature, we refer to this parameter called "message", it cannot be exceptionalized, although within the "message" parameter, there are the parameters that carry the values ​​of the lock.

 

Parámetro: mensaje

Mached Pattern: 0000000000000077

 

id_original=null&ref=null&idx_cert=&numr_ref_delta2=522287&ano_ref_delta2=2023&trab_codg_ipf=1&trab_ipf=79410826Z&egc_num_expediente=00000000000000774997&trab_ccc=38000169404&trab_naf=381071694164&codg_prov_centro=38&fech_accidente=2023-06-21&fech_baja=2023-06-21&pat_num

 

Ejemplo Excepción de la firma: 090410001

 

Element Type:                                    Parameter

Operation:                                           Regular Expression Match

Name:                                                 mensaje

Check Value of Specified Element    True

Value:                                                  0*(\d)                                     

Concatenate                                        OR

 

 

2 REPLIES 2
anignan
Staff
Staff

Hi @JMATAS ,

Can you try disabling or add an exception for this signature directly from the log.

 

REF: https://help.fortinet.com/fweb/552/Content/FortiWeb/fortiweb-admin/action_overrides.htm

 

Thanks

JMATAS
New Contributor

Thank you very much for your response Anignan,

It is a good answer and has given us the basis for a future "solution", because clicking on the context menu in the Attack Log, as you say, will result in an exception in the signature and will tell us how to address these blockages that We "still" do not know how to exceptionalize so that there are no "false positive" blocks. The problem is that we are consultants and not administrators, we have to tell the FortiWeb "administrator" how to bypass the blocking with "regular expressions" and that is the problem.

We are going to ask for it in the way you indicate and it will be reflected in the signature exception and I will comment on it in this thread.


Thank you so much

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors