filiaks1
Will the FortiGate WAF scan for XSS or SQL injection with flow-mode rules in newer versions?

For some reason the XSS and SQL injection signatures are in a separate WAF profile on the FortiGate and not in the normal IPS functions, but I saw the article below:

Stream-based antivirus scanning for HTML and Javascript files | FortiGate / FortiOS 7.6.0 | Fortinet...

As I have a test FortiGate, I confirmed with a proxy-mode rule and the WAF feature enabled that basic web attacks are detected, but in the newer trial versions proxy rules can't be used because of the RAM limit, so I can't test whether the newer versions can scan web traffic with a flow rule for more than just antivirus.

If anyone can confirm whether flow-mode rules will support WAF profiles, if not now then in the future, that would be great, as at the moment the WAF profile is not even visible under flow rules in the trial option!

I know that FortiWeb is a true WAF that has auto policy building with URL, header and parameter learning, API protection and discovery, and JavaScript bot protection that uses AI/ML, but for basic security of non-important web servers a FortiGate could be enough.


sjoshi (Staff)

Hi @filiaks1,

Please refer to the article below:

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/64335/web-application-firewa...
You can apply WAF profiles to firewall policies when the inspection mode is set to proxy-based.

So if the device (a small, low-end model) does not support proxy mode, then WAF cannot be implemented, as it requires a proxy-based policy.

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi
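As an added illustration, not part of the original post or of Fortinet's documentation, the CLI fragment below shows the policy shape sjoshi is describing: the WAF profile is attached to a firewall policy whose `inspection-mode` is `proxy`, with UTM enabled and an SSL/SSH profile selected. Interface names (`wan1`, `dmz`), the address object `web-srv`, the policy ID and the profile names are assumptions for the example; the FortiOS keywords themselves (`inspection-mode`, `utm-status`, `ssl-ssh-profile`, `waf-profile`) are the standard ones.

```text
# Proxy-based policy carrying a WAF profile (example, assumed names)
config firewall policy
    edit 10
        set name "web-server-in"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-srv"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set waf-profile "default"
        set logtraffic all
    next
end
```

Two practical checks that follow from the answer: on a policy whose `inspection-mode` is `flow`, the `set waf-profile` option is simply not offered, which is why the profile does not appear under flow rules in the GUI; and with a certificate-inspection SSL profile the FortiGate only sees the TLS handshake, so WAF signatures are matched only against plaintext HTTP. To have XSS/SQLi signatures inspect HTTPS requests to the server, the policy needs a deep-inspection SSL/SSH profile (with the certificate implications that brings) in addition to proxy mode.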
filiaks1

Thanks for confirming it. Still, as mentioned in https://docs.fortinet.com/document/fortigate/7.6.0/new-features/518502/stream-based-antivirus-scanni... , in 7.x the FortiGate can scan JavaScript and HTML files in stream mode, so it is strange that this has not been used for scanning WAF signatures with a flow-based rule, as that is something I focused on.

sjoshi (accepted solution)

While FortiOS has enhanced its antivirus engine to support stream-based scanning in flow mode—allowing partial buffering for HTML and JavaScript to reduce memory usage—this approach hasn't been extended to WAF signature scanning because WAF requires full HTTP session reconstruction to accurately analyze complex web traffic patterns, such as multipart forms, headers, and obfuscated attacks.

Which is why proxy-based inspection is needed for the WAF profile.

filiaks1

Thanks for the info, @sjoshi!
