Hello,
I have a problem with a suspected hacking attack because someone created a user bobby tables in our webapp.
We have IPS+WAF+DPI however WAF is lightly configured and only blocks exploits and trojans but everything else is monitor because otherwise we cannot create news on our webpage because WAF would block it.
Can you recommend changes for fortigate in my config?
I have enabled this 2 Security Profiles together with Full DPI:
config ips sensor
edit "IPS-LinuxServer"
set comment "Test"
set scan-botnet-connections block
config entries
edit 1
set location server
set severity medium high critical
set os Linux
set status enable
set action block
next
end
next
end
And this WAF Profile:
config waf profile
edit "linux-waf"
config signature
config main-class 100000000
set action block
set severity high
end
config main-class 20000000
set status enable
end
config main-class 30000000
set status enable
set severity high
end
config main-class 40000000
set status enable
set severity high
end
config main-class 50000000
set status enable
set severity high
end
config main-class 60000000
set status enable
set severity high
end
config main-class 70000000
set status enable
set action block
set severity high
end
config main-class 80000000
set status enable
set severity low
end
config main-class 110000000
set status enable
set severity high
end
config main-class 90000000
set status enable
set action block
set severity high
end
config main-class 10000000
set status enable
end
set disabled-signature 80080005 80200001 60030001 60120001 80080003 90410001 90410002
end
config constraint
config header-length
set status enable
set log enable
set severity low
end
config content-length
set status enable
set log enable
set severity low
end
config param-length
set status enable
set log enable
set severity low
end
config line-length
set status enable
set log enable
set severity low
end
config url-param-length
set status enable
set log enable
set severity low
end
config version
set log enable
end
config method
set action block
set log enable
end
config hostname
set action block
set log enable
end
config malformed
set log enable
end
config max-cookie
set status enable
set log enable
set severity low
end
config max-header-line
set status enable
set log enable
set severity low
end
config max-url-param
set status enable
set log enable
set severity low
end
config max-range-segment
set status enable
set log enable
set severity high
end
end
next
end
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Luky
If the attack is SQL injection then your WAF profile (with only exploits and Trojans) will not block such attack.
Furthermore for your production Web server it is not recommended to use FG's WAF, but you should use WAF appliance instead.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.