Hi all,
Sorry if this is in the wrong location - I couldn't see a WAF forum.
I have a website where the origin servers are located behind my FG60E and I am front-ending them with CloudFront. I want to restrict access so only traffic via CloudFront can get to the origin servers. The documented approach from Amazon is to have Cloudfront set a custom header with a secret value and the backend server should check this.
So I've done this and I want the Fortigate to drop any traffic that doesn't have the correct secret (assumption being that this is non-cloudfront originated traffic). My backend/origin servers cannot do this check so I need the Fortigate to implement it. I created a WAF rule which appears to have the right functionality and it seems to be almost working. There's little documentation on this so I've figured the below with trial and error. I have the FG matching the header secret value, and the logs confirm a WAF hit. As you can see from my config below, this hit has an action of "allow", but it seems the WAF treats this as "passthrough" and continues to inspect the remainder of the rules. Ultimately, it then hits my "deny" WAF rule and the traffic gets blocked. I've tried without the "deny" rule, but it then just allows anything.
I'm sure I've misunderstood something. I cannot see the purpose of an "allow" action that just implements passthrough.
Anyone have any thoughts?
config waf profile
edit "WAF-CloudFront-Header"
set external disable
set extended-log disable
config signature
config custom-signature
edit "x-cf-auth"
set status enable
set action allow
set log enable
set direction request
set case-sensitivity enable
set pattern "mysecretkey"
set target req-header
next
edit "deny"
set status enable
set action block
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern "^.*$"
set target req-header
next
end
end
set comment "Restrict requests to CloudFront"
next
end
And this results in log entries like this:
Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030252" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="passthrough" direction="request" agent="Firefox/68.0" name="x-cf-auth"
Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030251" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="blocked" direction="request" agent="Firefox/68.0" name="deny"
Admittedly, this is running 6.2.0 which was a bit of a punt!
Rich
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Morning!
Just found this post, because I tried to do the same thing, but the signature list is not a "first match" policy.
The action "allow" can be used for logging events without blocking them. That makes perfectly sense if you want to test your own signatures first without breaking anything.
So if someone searches for this in 2023 - this might help you.
Regards,
Dirk
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1522 | |
1020 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.