Web Application Firewall is blocking access to URLs

Abdal_opr · ‎10-16-2024

Hello,

The Web Application Firewall on FortiGates is blocking access to two URLs due to the following event IDs:

1. URL: [https://web.domain.com/page.php]
Event ID: 60140003
Event Type: waf-signature
Sub Type: waf
Type: utm

FortiGate  # diagnose waf dump | grep -f 60140003
  60140003 - This signature prevents attackers from performing RFI attacks to include a malicious code from a remote resource. <---

2. URL: [https://web.domain.com/file.php]
Event ID: 40000141
Event Type: waf-signature
Sub Type: waf
Type: utm

FortiGate # diagnose waf dump | grep -f 40000141
  40000141 - This signature prevents attackers from injecting SQL Databases using  "\*". <---

Could you please guide me on how to add exceptions in WAF profile for these two URLs in FortiManager, so that access will be granted?

Thank you!

jintrah_FTNT · ‎10-17-2024

Hi,

Please see the article Creating an exemption for a FortiGate Web... - Fortinet Community on adding exemptions to signatures in a profile.

best regards,

Jin

Abdal_opr · ‎10-17-2024

Hello @jintrah_FTNT,

Thank you for your response. If i disable the signature, will it be disabled for all other URLs as well, or just for the two specific URLs?

When I edit the WAF profile in FMG and navigate to the 'disabled-signatures' option, I cannot find the signature ID in the drop-down menu. Should I instead go to the 'custom-signatures' section, create a new custom signature, and add the event IDs in the pattern field and then set action to permit?

Thank you!

jintrah_FTNT · ‎10-17-2024

Hello,

If disabled in the profile, this goes for all urls.

best regards,

Jin

Web Application Firewall is blocking access to URLs

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website