Configuring a Web Attack Signature policy
The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Table 55 summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.
In the Web Attack Signature policy configuration, you can enable or disable each class of scanpoint and set the action taken when traffic matches a signature.
There are three classes of scanpoints:
HTTP Header—Scans traffic against HTTP header signatures. If you enable a policy at all, you are enabling HTTP header scanning.
HTTP Request Body—Scans traffic against HTTP request body signatures.
HTTP Response Body—Scans traffic against HTTP response body signatures.
Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency becomes an issue.
You can specify separate actions for three event severities:
High—We recommend you deny traffic for high severity events.
Medium—We recommend you deny or alert, according to your preference. To be strict, deny; otherwise, alert.
Low—We recommend you allow the traffic and log an alert for low severity events.
Table 53 describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.
Table 53: Web Attack Signature predefined policies
Policy: High-Level-Security
Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.
Action: High Severity Action—Deny. Medium Severity Action—Deny. Low Severity Action—Alert.
Policy: Medium-Level-Security
Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.
Action: High Severity Action—Deny. Medium Severity Action—Alert. Low Severity Action—Alert.
Policy: Alert-Only
Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Disabled. Scan HTTP Response Body—Disabled.
Action: High Severity Action—Alert. Medium Severity Action—Alert. Low Severity Action—Alert.
Basic Steps
1. Configure the connection to FortiGuard so the system can receive periodic WAF Signature Database updates. See “Configuring FortiGuard service settings”.
2. Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
3. Select a policy when you configure the WAF profile that you associate with virtual servers. See “Configuring a WAF Profile”.
Before you begin:
You must have Read-Write permission for Security settings.
To configure a Web Attack Signature policy:
1. Go to Security > Web Application Firewall.
2. Click the Web Attack Signature tab.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 54.
5. Save the configuration.
Table 54: Web Attack Signature configuration
Settings
Guidelines
Name
Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.
After you initially save the configuration, you cannot edit the name.
Status
Enable/disable scanning against the signature database. This includes HTTP header scanning but not HTTP body scanning.
Request Body Status
Enable/disable scanning of the HTTP request body.
Response Body Status
Enable/disable scanning of the HTTP response body.
High Severity Action
Alert—Allow the traffic and log the event.
Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.
The default is alert, but we recommend you deny traffic that matches high severity signatures.
Medium Severity Action
Alert—Allow the traffic and log the event.
Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.
The default is alert. For stricter security, you can deny traffic that matches medium severity signatures.
Low Severity Action
Alert—Allow the traffic and log the event.
Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.
The default is alert, which is the recommended action for low severity signatures.
Table 55 summarizes the categories of threats that are detected by the signatures.
Table 55: Web Attack Signature categories and subcategories
Category (ID): Subcategory (ID)
Cross Site Scripting (1): no subcategories
SQL Injection (2): no subcategories
Generic Attacks (3):
    OS Command Injection (1)
    Coldfusion Injection (2)
    LDAP Injection (3)
    Command Injection (4)
    Session Fixation (5)
    File Injection (6)
    PHP Injection (7)
    SSI Injection (8)
    UPDF XSS (9)
    Email Injection (10)
    HTTP Response Splitting (11)
    RFI Injection (12)
Trojans (4): no subcategories
Information Disclosure (5):
    Zope Information Leakage (13)
    CF Information Leakage (14)
    PHP Information Leakage (15)
    ISA Server Existence Revealed (16)
    Microsoft Office Document Properties Leakage (17)
    CF Source Code Leakage (18)
    IIS Information Leakage (19)
    Weblogic information leakage (20)
    Generic Filename and Directory leakage (21)
    ASP/JSP Source Code Leakage (22)
    PHP Source Code Leakage (23)
    SQL Error leakage (24)
    HTTP Header Leakage (25)
    WordPress Leakage (26)
Known Exploits (6):
    Oracle 9i (27)
    Coppermine Photo Gallery (28)
    Netscape Enterprise Server (29)
    Cisco IOS HTTP Service (30)
    Microsoft SQL Server (31)
    HP OpenView Network Node Manager (32)
    Best Software SalesLogix (33)
    IBM Lotus Domino Web Server (34)
    Microsoft IIS (35)
    Microsoft Windows Media Services (36)
    Dave Carrigan Auth_LDAP (37)
    427BB (38)
    RaXnet Cacti Graph (39)
    CHETCPASSWD (40)
    SAP (41)
Credit Card Detection (7): no subcategories
Bad Robot (8): no subcategories
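As an added example (not FortiADC code), the following Python models how a policy built from the settings in Table 54 turns signature matches into the verdicts of Table 53 and the log categories of Table 55: header scanning comes with an enabled policy, body scanning is opt-in, a single denied match yields a 403 Forbidden, and every scanned match is logged with its category. The class, field and function names and the sample match events are assumptions constructed for this example.

```python
# Added example, not FortiADC code: models the policy semantics of Tables 53-55 (names assumed, events constructed).
from dataclasses import dataclass, field

@dataclass
class SignaturePolicy:
    name: str
    status: bool = True                # enabling the policy enables header scanning
    request_body_status: bool = False  # body scan classes are opt-in (performance cost)
    response_body_status: bool = False
    # Per severity: "alert" allows and logs; "deny" drops, sends 403 Forbidden and logs.
    actions: dict = field(default_factory=lambda: dict.fromkeys(("high", "medium", "low"), "alert"))

    def scans(self, scanpoint: str) -> bool:
        """A disabled policy scans nothing, whatever the body switches say."""
        return self.status and {"header": True, "request_body": self.request_body_status,
                                "response_body": self.response_body_status}[scanpoint]

@dataclass
class Match:
    scanpoint: str        # "header", "request_body" or "response_body"
    severity: str         # "high", "medium" or "low"
    category: str         # Table 55 category, the name reported in logs
    subcategory: str = ""

def evaluate(policy: SignaturePolicy, matches: list) -> tuple:
    """Return (verdict, log records); one denied match is enough to deny the request."""
    verdict, logs = "allow", []
    for m in matches:
        if not policy.scans(m.scanpoint):
            continue                     # scan class off: nothing matched, nothing logged
        action = policy.actions[m.severity]
        logs.append({"policy": policy.name, "scanpoint": m.scanpoint, "severity": m.severity,
                     "action": action, "category": m.category, "subcategory": m.subcategory})
        if action == "deny":
            verdict = "deny"             # client receives 403 Forbidden
    return verdict, logs

# The three predefined policies of Table 53.
HIGH_LEVEL_SECURITY = SignaturePolicy("High-Level-Security", request_body_status=True,
                                      actions={"high": "deny", "medium": "deny", "low": "alert"})
MEDIUM_LEVEL_SECURITY = SignaturePolicy("Medium-Level-Security", request_body_status=True,
                                        actions={"high": "deny", "medium": "alert", "low": "alert"})
ALERT_ONLY = SignaturePolicy("Alert-Only")   # header scanning only, every severity alerts

# Constructed sample: one medium request-body hit and one low response-body hit.
SAMPLE_MATCHES = [
    Match("request_body", "medium", "SQL Injection (2)"),
    Match("response_body", "low", "Information Disclosure (5)", "SQL Error leakage (24)"),
]
```

Running the three predefined policies over the same two matches shows why Alert-Only logs nothing here: it scans neither body, while High-Level-Security denies on the medium request-body hit and Medium-Level-Security only alerts.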