Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
samer_abk
New Contributor II

Fotigate WAF - How to create custom-signatures

The following config requires the Fortigate "Web Application Firewall" feature to be enabled under

System > Feature Visibility > Security Features > Web Application Firewall

Once the feature is enabled, you should find "Web Application Firewall" available under Security Profiles

 

Creating a custom signature helps in blocking/allowing a specific URL address, or URL path that could be related to a "false positive" you have identified. These custom-signatures can also act as your exception list rather than disabling a specific signature ID using the command  "set disabled-signature"

 

The default config values would look like this

config custom-signature
                Description: Custom signature.
                edit <name>
                    set status [enable|disable]
                    set action [allow|block|...]
                    set log [enable|disable]
                    set severity [high|medium|...]
                    set direction [request|response]
                    set case-sensitivity [disable|enable]
                    set pattern {string}
                    set target {option1}, {option2}, ...
                next

Note custom-signatures can be created only via command line (cli), and you can't use "regular expression" for the {string} value in the command  "set pattern". I did try it, not even a single match !

 

Custom-Signature Example

Let's say you need to allow any URL address that includes fortinet, such as "community.fortinet.com"

config custom-signature
                edit allow_fortinet
                    set status enable
                    set action block
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern community.fortinet.com
//you can also use set pattern *.fortinet.com set target req-header
next

The key lines here are 

set direction request
set pattern community.fortinet.com
set target req-header

This signature will match only the URL address part

 

Now let's say you want to block access to the "FortiSIEM Community", which sits in

https://community.fortinet.com/t5/FortiSIEM/gh-p/fortisiem

The custom-signature will need to match the URL path "t5/FortiSIEM/gh-p/fortisiem"

config custom-signature 
edit block_fortinet_fortiseim
set status enable
set action allow
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern "t5/FortiSIEM/*"
set target req-uri

The key lines here are 

set direction request
set pattern "t5/FortiSIEM/*"
set target req-uri

Also make sure logging is enabled at the signature level, to verify your custom-signatures are actually matching the intended traffic.

ABK
ABK
6 REPLIES 6
spoojary
Staff
Staff

This is a good one :D

 

Siddhanth Poojary
samer_abk
New Contributor II

Thanks spoojary

ABK
ABK
bsm1970
New Contributor

I can't seem to do this.  When I type 'config custom-signature' in CLI, I just get an error:

command parse error before 'custom-signature'
Command fail. Return code 1

bsm1970

Ok, actually I realized you had to drill down into the WAF profile.  I think I've created this but where does it show up in the GUI?  I don't see it under the WAF profile options.

 

samer_abk
New Contributor II

Hi

Make sure logging is enabled at the custom-signature level "

set log enable

If there is a match, logs should be available in

Log & Report > Security Events > Details > Web Application Firewall

ABK
ABK
bsm1970
New Contributor

It doesn't appear to be hitting my custom-signature.

What I'm trying to do is create a custom signature that allows the traffic is the pattern matches a specific string of text on the page.  For instance, if the page contains the words:  "Please choose an option", I want the WAF to allow it instead of blocking it.  But I can't figure out how to do that. 


edit "Test Signature"
set status enable
set action allow
set log enable
set severity high
set direction request
set case-sensitivity disable
set pattern "please choose an option"
set target req-body
    next

 

What should I do to get it to allow based on that pattern?  Or can it do that?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors