We have a block in the FortiWeb log (see 7.25 in the attacks section) which, although we put an exception in the signature with a Regular Expression, is not excepted and causes us a "false positive".
The blocking occurs in a "parameter" that the web does not have and that is called "message", in which different "parameters" of the web can be seen; it is as if the "message" parameter were generated by the WAF in the log. Although we refer to this parameter called "message" in the signature exception, it cannot be excepted, even though the parameters that carry the values of the block are inside the "message" parameter.
Parameter: mensaje
Matched Pattern: 0000000000000077
id_original=null&ref=null&idx_cert=&numr_ref_delta2=522287&ano_ref_delta2=2023&trab_codg_ipf=1&trab_ipf=79410826Z&egc_num_expediente=00000000000000774997&trab_ccc=38000169404&trab_naf=381071694164&codg_prov_centro=38&fech_accidente=2023-06-21&fech_baja=2023-06-21&pat_num
Example signature exception: 090410001
Element Type: Parameter
Operation: Regular Expression Match
Name: mensaje
Check Value of Specified Element True
Value: 0*(\d)
Concatenate OR
Hi @JMATAS ,
Can you try disabling or adding an exception for this signature directly from the log?
REF: https://help.fortinet.com/fweb/552/Content/FortiWeb/fortiweb-admin/action_overrides.htm
Thanks
Thank you very much for your response Anignan,
It is a good answer and has given us the basis for a future "solution", because clicking on the context menu in the Attack Log, as you say, will result in an exception in the signature and will tell us how to address these blockages that we "still" do not know how to exceptionalize so that there are no "false positive" blocks. The problem is that we are consultants and not administrators; we have to tell the FortiWeb "administrator" how to bypass the blocking with "regular expressions", and that is the problem.
We are going to ask for it in the way you indicate and it will be reflected in the signature exception and I will comment on it in this thread.
Thank you so much