Sorry if this is in the wrong location - I couldn't see a WAF forum.
I have a website where the origin servers are located behind my FG60E and I am front-ending them with CloudFront. I want to restrict access so only traffic via CloudFront can get to the origin servers. The documented approach from Amazon is to have CloudFront set a custom header with a secret value and the backend server should check this.
So I've done this and I want the FortiGate to drop any traffic that doesn't have the correct secret (the assumption being that this is non-CloudFront-originated traffic). My backend/origin servers cannot do this check, so I need the FortiGate to implement it. I created a WAF rule which appears to have the right functionality and it seems to be almost working. There's little documentation on this, so I've figured out the below with trial and error. I have the FG matching the header secret value, and the logs confirm a WAF hit. As you can see from my config below, this hit has an action of "allow", but it seems the WAF treats this as "passthrough" and continues to inspect the remainder of the rules. Ultimately, it then hits my "deny" WAF rule and the traffic gets blocked. I've tried without the "deny" rule, but it then just allows anything.
I'm sure I've misunderstood something. I cannot see the purpose of an "allow" action that just implements passthrough.
Anyone have any thoughts?
config waf profile
    edit "WAF-CloudFront-Header"
        set external disable
        set extended-log disable
        config signature
            config custom-signature
                edit "x-cf-auth"
                    set status enable
                    set action allow
                    set log enable
                    set direction request
                    set case-sensitivity enable
                    set pattern "mysecretkey"
                    set target req-header
                next
                edit "deny"
                    set status enable
                    set action block
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern "^.*$"
                    set target req-header
                next
            end
        end
        set comment "Restrict requests to CloudFront"
    next
end
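The following Python model is an added example, not part of the original post and not Fortinet code. It reproduces the two possible meanings of an "allow" hit that the post contrasts: a terminal first-match allow versus a passthrough allow that keeps evaluating the later rules. The rule names, header name, secret and patterns mirror the posted config; the sample requests are constructed, and the assumption that each custom signature is tested against every request header line separately is the model's own, not a statement about how the FortiGate WAF actually evaluates `req-header` targets.

```python
"""Toy model of ordered WAF custom-signature evaluation (added example).

Two policies are modelled for an "allow" hit:
  allow_is_terminal=True  -> first matching rule decides (allow stops evaluation)
  allow_is_terminal=False -> allow is a passthrough; later rules still run,
                             so a trailing catch-all block rule wins
Assumption (not verified against FortiGate): a signature with
`target req-header` is matched against each "Name: value" header line.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str          # "allow" or "block"
    pattern: str         # regex, as in `set pattern`
    case_sensitive: bool # as in `set case-sensitivity`


# Same two signatures as the posted config, in the same order.
RULES = [
    Rule("x-cf-auth", "allow", r"mysecretkey", case_sensitive=True),
    Rule("deny",      "block", r"^.*$",        case_sensitive=False),
]

# Constructed sample requests: header name/value pairs only.
FROM_CLOUDFRONT = [("Host", "origin.example.com"),
                   ("x-cf-auth", "mysecretkey")]
DIRECT_NO_HEADER = [("Host", "origin.example.com")]
WRONG_CASE = [("Host", "origin.example.com"),
              ("x-cf-auth", "MySecretKey")]


def evaluate(headers, rules=RULES, allow_is_terminal=False):
    """Return (verdict, names_of_rules_that_hit).

    Default verdict is "allow" when no block rule fires, which is what the
    post observed after removing the "deny" rule.
    """
    lines = [f"{name}: {value}" for name, value in headers]
    hits = []
    for rule in rules:
        flags = 0 if rule.case_sensitive else re.IGNORECASE
        if any(re.search(rule.pattern, line, flags) for line in lines):
            hits.append(rule.name)
            if rule.action == "block":
                return "block", hits
            if rule.action == "allow" and allow_is_terminal:
                return "allow", hits
            # passthrough allow: keep evaluating the remaining rules
    return "allow", hits


if __name__ == "__main__":
    for label, req in [("from CloudFront", FROM_CLOUDFRONT),
                       ("direct, no header", DIRECT_NO_HEADER),
                       ("wrong case", WRONG_CASE)]:
        for terminal in (True, False):
            verdict, hits = evaluate(req, RULES, allow_is_terminal=terminal)
            mode = "terminal" if terminal else "passthrough"
            print(f"{label:18} allow={mode:11} -> {verdict:5} hits={hits}")
```

Under the passthrough policy the request carrying the correct secret hits "x-cf-auth" and then "deny", which is exactly the log sequence described in the post; under the terminal policy the same request stops at "x-cf-auth". Requests without the header, or with the secret in the wrong case, are blocked by the catch-all under both policies, and with only the allow rule configured every request ends up allowed.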