Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fotigate WAF - How to create custom-signatures
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Fotigate WAF - How to create custom-signatures
The following config requires the Fortigate "Web Application Firewall" feature to be enabled under
System > Feature Visibility > Security Features > Web Application Firewall
Once the feature is enabled, you should find "Web Application Firewall" available under Security Profiles
Creating a custom signature helps in blocking/allowing a specific URL address, or URL path that could be related to a "false positive" you have identified. These custom-signatures can also act as your exception list rather than disabling a specific signature ID using the command "set disabled-signature"
The default config values would look like this
config custom-signature
Description: Custom signature.
edit <name>
set status [enable|disable]
set action [allow|block|...]
set log [enable|disable]
set severity [high|medium|...]
set direction [request|response]
set case-sensitivity [disable|enable]
set pattern {string}
set target {option1}, {option2}, ...
nextNote custom-signatures can be created only via command line (cli), and you can't use "regular expression" for the {string} value in the command "set pattern". I did try it, not even a single match !
Custom-Signature Example
Let's say you need to allow any URL address that includes fortinet, such as "community.fortinet.com"
config custom-signature
edit allow_fortinet
set status enable
set action block
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern community.fortinet.com
//you can also use set pattern *.fortinet.com
set target req-header
nextThe key lines here are
set direction request
set pattern community.fortinet.com
set target req-header
This signature will match only the URL address part
Now let's say you want to block access to the "FortiSIEM Community", which sits in
https://community.fortinet.com/t5/FortiSIEM/gh-p/fortisiem
The custom-signature will need to match the URL path "t5/FortiSIEM/gh-p/fortisiem"
config custom-signature
edit block_fortinet_fortiseim
set status enable
set action allow
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern "t5/FortiSIEM/*"
set target req-uri
The key lines here are
set direction request
set pattern "t5/FortiSIEM/*"
set target req-uri
Also make sure logging is enabled at the signature level, to verify your custom-signatures are actually matching the intended traffic.
ABK
ABK
Labels:
- Labels:
-
FortiGate
2752
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I can't seem to do this. When I type 'config custom-signature' in CLI, I just get an error:
command parse error before 'custom-signature'
Command fail. Return code 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Ok, actually I realized you had to drill down into the WAF profile. I think I've created this but where does it show up in the GUI? I don't see it under the WAF profile options.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi
Make sure logging is enabled at the custom-signature level "
set log enable
If there is a match, logs should be available in
Log & Report > Security Events > Details > Web Application Firewall
ABK
ABK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
It doesn't appear to be hitting my custom-signature.
What I'm trying to do is create a custom signature that allows the traffic is the pattern matches a specific string of text on the page. For instance, if the page contains the words: "Please choose an option", I want the WAF to allow it instead of blocking it. But I can't figure out how to do that.
edit "Test Signature"
set status enable
set action allow
set log enable
set severity high
set direction request
set case-sensitivity disable
set pattern "please choose an option"
set target req-body
next
What should I do to get it to allow based on that pattern? Or can it do that?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiGate local admin console access only 58 Views
- IPsec tunnel initiating on the outside... 43 Views
- How to Modify convergence times in... 76 Views
- ForticlientVPN - Permission denied (-455) 181 Views
- Azure Front Door on-premis Fortigate 78 Views
Labels
-
FortiGate
8,372 -
FortiClient
1,692 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
536 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
395 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
Authentication
30 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Logging
23 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
20 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.