Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Whitelisting source IPS from Web Application Firewall profiles



During web application vulnerability testing, including PCI DSS scans, it is necessary to disable the WAF (or whitelist the sources) in order for the test to proceed without interference. This is industry standard practice, and is also a requirement of the PCI DSS specification (section 5.6 on “scan interference”).


The Fortigate firewall does not provide a method to whitelist the scanner’s IP address(es) meaning any tests could be considered invalid or fail to find relevant vulnerabilities.


How have others got around this issue?  I could create twice the rules, with one restricted to the tester's IP, but that will become unmanageable very quickly.  Alternatively I could disable the WAF profile during the tests, but that would weaken security.


I've requested this as a new feature with Fortinet, although I'd be surprised if it was progressed (2 others haven't been).


Any tips would be appreciated,



New Contributor



Seems support misunderstood my message and you can whitelist sources:


# config waf profile (profile) # edit test <<< instead of test place the profile name new entry 'test' added (test) # config address-list (address-list) # set status enable (address-list) # set trusted-address TrustedSrc1 <<<< Replace TrustedSrc1 with an address object (address-list) # end (test) # end



Unfortunately web application firewall is separate feature from IPS and is handled by a different team. The best thing you can do right now is to push your account manager or the TAC member who is handling your case for an update. 


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors