FortiGate WAF - How to create custom-signatures
The following config requires the FortiGate "Web Application Firewall" feature to be enabled under
System > Feature Visibility > Security Features > Web Application Firewall.
Once the feature is enabled, you should find "Web Application Firewall" available under Security Profiles.
Creating a custom signature helps in blocking/allowing a specific URL address, or URL path, that could be related to a "false positive" you have identified. These custom-signatures can also act as your exception list rather than disabling a specific signature ID using the command "set disabled-signature".
The default config values would look like this:
config custom-signature
Description: Custom signature.
edit <name>
set status [enable|disable]
set action [allow|block|...]
set log [enable|disable]
set severity [high|medium|...]
set direction [request|response]
set case-sensitivity [disable|enable]
set pattern {string}
set target {option1}, {option2}, ...
next
Note: custom-signatures can be created only via the command line (CLI), and you can't use a "regular expression" for the {string} value in the command "set pattern". I did try it, not even a single match!
Custom-Signature Example
Let's say you need to allow any URL address that includes fortinet, such as "community.fortinet.com".
config custom-signature
edit allow_fortinet
set status enable
set action allow
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern community.fortinet.com
// you can also use: set pattern *.fortinet.com
set target req-header
next
The key lines here are:
set direction request
set pattern community.fortinet.com
set target req-header
This signature will match only the URL address part.
Now let's say you want to block access to the "FortiSIEM Community", which sits in
https://community.fortinet.com/t5/FortiSIEM/gh-p/fortisiem
The custom-signature will need to match the URL path "t5/FortiSIEM/gh-p/fortisiem".
config custom-signature
edit block_fortinet_fortisiem
set status enable
set action block
set log enable
set severity medium
set direction request
set case-sensitivity disable
set pattern "t5/FortiSIEM/*"
set target req-uri
next
The key lines here are:
set direction request
set pattern "t5/FortiSIEM/*"
set target req-uri
Also make sure logging is enabled at the signature level, to verify your custom-signatures are actually matching the intended traffic.
Labels: FortiGate
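As an added example that is not part of the original post: the custom-signature table lives inside a WAF profile (the "config custom-signature" command is not available at the top level of the CLI), so the two signatures above need the full nesting below to be accepted, and the profile then has to be attached to a proxy-mode firewall policy. The profile name "waf_custom" and policy id 10 are placeholders, FortiOS 6.x/7.x syntax is assumed, and the "#" lines are explanatory comments only.

```fortios
config waf profile
    edit "waf_custom"
        config signature
            config custom-signature
                # Exception: allow requests whose Host header carries community.fortinet.com
                edit "allow_fortinet"
                    set status enable
                    set action allow
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern "community.fortinet.com"
                    set target req-header
                next
                # Block: deny requests whose URI path starts with t5/FortiSIEM/
                edit "block_fortinet_fortisiem"
                    set status enable
                    set action block
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern "t5/FortiSIEM/*"
                    set target req-uri
                next
            end
        end
    next
end

# Attach the profile to the policy that carries the web traffic (policy id 10 is a placeholder).
# WAF inspection requires proxy-based inspection on the policy.
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set waf-profile "waf_custom"
    next
end
```

With "set log enable" on both signatures, a hit shows up under Log & Report > Security Events > Web Application Firewall, which is the quickest way to confirm a signature is matching the intended traffic before relying on it as an exception.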
This is a good one :D
Thanks spoojary
I can't seem to do this. When I type 'config custom-signature' in CLI, I just get an error:
command parse error before 'custom-signature'
Command fail. Return code 1
Ok, actually I realized you had to drill down into the WAF profile. I think I've created this but where does it show up in the GUI? I don't see it under the WAF profile options.
Hi
Make sure logging is enabled at the custom-signature level:
set log enable
If there is a match, logs should be available in
Log & Report > Security Events > Details > Web Application Firewall
It doesn't appear to be hitting my custom-signature.
What I'm trying to do is create a custom signature that allows the traffic if the pattern matches a specific string of text on the page. For instance, if the page contains the words "Please choose an option", I want the WAF to allow it instead of blocking it. But I can't figure out how to do that.
edit "Test Signature"
set status enable
set action allow
set log enable
set severity high
set direction request
set case-sensitivity disable
set pattern "please choose an option"
set target req-body
next
What should I do to get it to allow based on that pattern? Or can it do that?
