Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FortiNet_Newb
Contributor

WAF Profile - Exempt certain URL's from Inspection

We have a web application firewall (WAF) profile applied to incoming traffic to our web application server.  This server hosts several different applications all using the same FQDN (and IP) but they are accessed by different sub directories as shown below:

 

https://example.com/Application1/

https://example.com/Application2/

https://example.com/Application3/

 

In the example above, there are 3 different web applications.  Is there a way to make the WAF profile exclude inspecting traffic to Application 2?  Looking through the FortiOS CLI options for the WAF profile, there doesn’t appear to be, but wanted to double check.  I was hoping there would be a way to exempt WAF inspection based on a specific URL or URL pattern (in this case https://example.com/Application2/*).

 

We do not have FortiWeb, but rather are relying on the WAF features baked into FortiOS 7.2.X.

 

Thanks in advance.

1 Solution
AEK
Honored Contributor

You can do this with FortiGate's WAF using one of the following methods:

  • Use different FQDN/IP for each web server
  • Use one FQDN/IP but with different ports (e.g.: 443, 8443)

This way you can use different WAF profiles.

AEK

View solution in original post

AEK
3 REPLIES 3
AEK
Honored Contributor

You can do this with FortiGate's WAF using one of the following methods:

  • Use different FQDN/IP for each web server
  • Use one FQDN/IP but with different ports (e.g.: 443, 8443)

This way you can use different WAF profiles.

AEK
AEK
kcheng
Staff
Staff

Hi @FortiNet_Newb 

 

The information provided by AEK is correct. The WAF feature on FortiGate does not allow you to achieve the objective that you wanted. If you are able to use different IP or different port mapping for the respective service, you can create different WAF profiles and implement the respective to the firewall policy.

Cheers,
Kayzie Cheng

If you have found a solution, please like and accept it to make it easily accessible for others.
FortiNet_Newb

Thanks for confirming it's not possible without a work around such as the one @AEK mentioned.

Labels
Top Kudoed Authors