waf signature
Use this command to configure server protection rules.
There are several security features specifically designed to protect web servers from known attacks. You can configure defenses against:
cross-site scripting (XSS)
SQL injection and many other code injection styles
generic attacks
known exploits
trojans/viruses
information disclosure
bad robots
credit card data leaks
FortiWeb scans:
HTTP headers
parameters in the URL of HTTP GET requests
parameters in the body of HTTP POST requests
XML in the body of HTTP POST requests (if xml-protocol-detection {enable | disable} is enabled)
cookies
In addition to scanning standard requests, signatures can also scan Action Message Format 3.0 (AMF3) binary inputs, which Adobe Flash clients use to communicate with server-side software, and XML. For more information, see amf3-protocol-detection {enable | disable} and malformed-xml-check {enable | disable} (for inline protection profiles) or amf3-protocol-detection {enable | disable} (for offline protection profiles).
Known attack signatures can be updated. For information on uploading a new set of attack definitions, see the FortiWeb Administration Guide. You can also create your own. See “config waf custom-protection-rule”.
Each server protection rule can be configured with severity and notification settings (a “trigger”) that, in combination with the action, determine how each violation is handled.
For example, attacks categorized as cross-site scripting and SQL injection could have the action set to alert_deny, the severity set to High, and a trigger set to deliver an alert email each time these rule violations are detected. Specific signatures in those categories, however, might be disabled, set to log/alert instead, or exempted for requests to specific host names/URLs.
To override category-wide actions for a specific signature, configure:
config signature_disable_list — Disable a specific signature ID (e.g. 040000007), even if the category in general (e.g. SQL Injection (Extended)) is enabled.
config sub_class_disable_list — Disable a subcategory of signatures (e.g. Session Fixation), even if the category in general (e.g. General Attacks) is enabled.
config alert_only_list — Only log/alert when detecting the attack, even if the category in general is configured to block.
config filter_list — Exempt specific host name and/or URL combinations from scanning with this signature.
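The four override mechanisms combined in one rule, as an added example that is not taken from the FortiWeb documentation: the SQL Injection (Extended) class 040000000 and the XSS class 010000000 block every match, while one signature is disabled outright, one subcategory is disabled, one signature is downgraded to log-only, and two filter_list entries exempt a literal URL on one host and a regular-expression URL pattern on any host. Signature 040000007 and class IDs 010000000 and 040000000 come from this page; the class ID 050000000 for General Attacks, the subclass ID 050100000, the signature ID 040000012, the rule name and the host name www.example.com are assumed placeholders, and the # lines are annotations rather than CLI input.

```text
config waf signature
  edit "sig-overrides-example"
    config main_class_list
      # SQL Injection (Extended): block and log every match in the class
      edit "040000000"
        set action alert_deny
        set severity High
      next
      # Cross-site scripting: block and log
      edit "010000000"
        set action alert_deny
        set severity High
      next
      # General Attacks (class ID assumed here as 050000000): block and log
      edit "050000000"
        set action alert_deny
        set severity Medium
      next
    end
    # 1. One noisy signature is switched off although its class still blocks
    config signature_disable_list
      edit "040000007"
      next
    end
    # 2. A whole subcategory (for example Session Fixation) is switched off;
    #    the subclass ID is a placeholder, list the real ones with "edit ?"
    config sub_class_disable_list
      edit "050100000"
      next
    end
    # 3. Signature 040000012 (placeholder ID) is detected and logged but never blocks,
    #    even though its class 040000000 is set to alert_deny
    config alert_only_list
      edit "040000012"
      next
    end
    config filter_list
      # 4a. Literal URL on one host: the request is not scanned for 040000012 at all
      edit 1
        set signature_id "040000012"
        set host-status enable
        set host "www.example.com"
        set type plain
        set request-file "/reports/export"
      next
      # 4b. Regular-expression URL on any host (host-status disable ignores the Host: field);
      #     the pattern starts with ^/ so it only ever matches URLs that begin with a slash
      edit 2
        set signature_id "040000012"
        set host-status disable
        set type regular
        set request-file "^/reports/[0-9]+/export[.]csv$"
      next
    end
  next
end
```

Layering the lists gives a graded response for a single signature: it logs but does not block everywhere, and on the two known-benign report URLs it is not scanned, so those requests produce no attack log at all. The rule only takes effect once it is selected in an inline or offline protection profile.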
Before configuring a server protection rule, if you want to use your own attack or data leak signatures, you must first configure custom protection rules and group them in a custom protection group, which this rule references. For details, see “config waf custom-protection-group”.
To apply server protection rules, select them within an inline or offline protection profile. For details, see “config waf web-protection-profile inline-protection” or “config waf web-protection-profile offline-protection”.
You can use SNMP traps to notify you when an attack or data leak has been detected. For details, see “config system snmp community”.
 
Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf signature
  edit <signature-set_name>
    set credit-card-detection-threshold <instances_int>
    [set custom-protection-group <group_name>]
    config main_class_list
      edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000}
        set action {alert | alert_deny | block-period | only_erase | alert_erase | redirect | send_403_forbidden}
        set block-period <seconds_int>
        set severity {Low | Medium | High}
        set trigger <trigger-policy_name>
      next
    end
    config signature_disable_list
      edit <signature-id_str>
      next
    end
    config sub_class_disable_list
      edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000}
      next
    end
    config alert_only_list
      edit <signature-id_str>
      next
    end
    config filter_list
      edit <entry_index>
        set signature_id <signature-id_str>
        set host-status {enable | disable}
        set host <protected-hosts_name>
        set type {plain | regular}
        set request-file <url_str>
      next
    end
  next
end
Variables
<signature-set_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
credit-card-detection-threshold <instances_int>
Type 0 to report every disclosure of a credit card number, or type a threshold so that the credit card number detection feature triggers only when a web page contains that many credit card numbers or more.
For example, to ignore web pages that contain only one credit card number but detect web pages that contain two or more, enter 2.
The valid range is from 0 to 128 instances.
Default: 0
custom-protection-group <group_name>
Type the name of the custom signature group to be used, if any. The maximum length is 35 characters.
To display the list of existing custom signature groups, type:
set custom-protection-group ?
No default.
{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000}
In main_class_list, type the ID of a signature class; in sub_class_disable_list, type the ID of the subclass to disable.
To display the list of signature classes (or subclasses), type:
edit ?
No default.
action {alert | alert_deny | block-period | only_erase | alert_erase | redirect | send_403_forbidden}
Select which action the FortiWeb appliance will take when it detects a signature match.
Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure.
alert — Accept the request and generate an alert email and/or log message.
Note: Does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.)
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type, because every request appears to come from the load balancer’s address.
only_erase — Hide sensitive information in replies from the web server (sometimes called “cloaking”). Block the reply or remove the sensitive information, but do not generate an alert email and/or log message.
Caution: This option is not supported in offline protection mode.
alert_erase — Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.
Note: This option is not fully supported in offline protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.
redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
Caution: The action setting is ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert
 
block-period <seconds_int>
Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.
The valid range is from 1 to 3,600. The setting is applicable only if action is block-period.
Note: This is not a single setting. You can configure the block period separately for each signature category.
Default: 60
severity {Low | Medium | High}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
Low
Medium
High
Note: This is not a single setting. You can configure the severity separately for each signature category.
Default: Medium
trigger <trigger-policy_name>
Type the name of the trigger, if any, to apply when a protection rule is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing triggers, type:
set trigger ?
Note: This is not a single setting. You can configure a different trigger for each signature category.
No default.
<signature-id_str>
Type the ID of a specific signature that you want to disable (in signature_disable_list) or that you want to log/alert on without blocking (in alert_only_list).
Some signatures often cause false positives and are disabled by default. To display a list, type:
edit ?
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 32.
No default.
signature_id <signature-id_str>
Type the ID of the specific signature that you want to exempt when the request matches a specific Host: name and/or URL. Also configure host-status {enable | disable}, host <protected-hosts_name>, type {plain | regular}, and request-file <url_str>.
No default.
host <protected-hosts_name>
Type the name of a protected host that the Host: field of an HTTP request must be in order to match the signature exception. The maximum length is 255 characters.
This setting applies only if host-status is enable.
No default.
host-status {enable | disable}
Enable to apply this signature exception only to HTTP requests for specific web hosts. Also configure host <protected-hosts_name>.
Disable to match the signature exception based upon the other criteria, such as the URL, but regardless of the Host: field.
Default: disable
type {plain | regular}
Select whether request-file <url_str> will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).
Default: plain
request-file <url_str>
Depending on your selection in type {plain | regular}, type either:
the literal URL, such as /index.php, that the HTTP request must contain in order to match the signature exception. The URL must begin with a slash ( / ).
a regular expression, such as ^/.*\.php$, matching all and only the URLs to which the signature exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.php.
Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-hosts_name>. The maximum length is 255 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide.
No default.
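Because action, block-period, severity and trigger are each set per signature class, one rule can respond differently to each class. The following is an added example that is not taken from the FortiWeb documentation: XSS is dropped and escalated, SQL Injection (Extended) blocks the client for five minutes, Trojans are only logged, information disclosure is erased from the reply, and the credit card threshold ignores pages with a single card number. Class IDs 010000000 (XSS), 040000000 (SQL Injection (Extended)) and 070000000 (Trojans) come from this page; 080000000 is assumed here to be the Information Disclosure class, and the rule name and the trigger policy name soc-alerts are placeholders. The # lines are annotations rather than CLI input.

```text
config waf signature
  edit "per-class-actions-example"
    # Ignore a page that leaks one card number; detect pages leaking two or more
    set credit-card-detection-threshold 2
    config main_class_list
      # XSS: drop the request, log at High, notify through trigger policy "soc-alerts"
      edit "010000000"
        set action alert_deny
        set severity High
        set trigger "soc-alerts"
      next
      # SQL Injection (Extended): block further requests from the client for 300 s.
      # Behind a NAT load balancer this needs the original-client X-header
      # (waf x-forwarded-for), or every client shares the balancer's address and is blocked.
      edit "040000000"
        set action block-period
        set block-period 300
        set severity High
        set trigger "soc-alerts"
      next
      # Trojans: accept and log only, so auto-learning sessions stay complete
      edit "070000000"
        set action alert
        set severity Medium
      next
      # Information Disclosure (class ID assumed): strip the leaked data from the reply and log.
      # In offline protection mode this degrades to plain alert; nothing is erased.
      edit "080000000"
        set action alert_erase
        set severity Low
        set trigger "soc-alerts"
      next
    end
  next
end
```

Before relying on alert_deny or block-period, confirm that monitor-mode is disabled in the protection profile that selects this rule, since the action is ignored while monitor mode is on; and if the profile is an offline one, expect alert_erase to behave as alert.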
Example
This example enables both the Trojans (070000000) and XSS (010000000) classes of signatures, setting them to result in attack logs with a severity_level field of High, and using the email and SNMP settings defined in notification-servers1. It also enables use of custom attack and data leak signatures in the set named custom-signature-group1.
This example disables by ID a signature that is known to cause false positives (080200001). It also makes an exception (config filter_list) by ID for a specific signature (070000001) for a URL (/virus-sample-upload) on a host (www.example.com) that is used by security researchers to receive virus samples.
config waf signature
  edit "attack-signatures1"
    set custom-protection-group "custom-signature-group1"
    config main_class_list
      edit "010000000"
        set severity High
        set trigger "notification-servers1"
      next
      edit "070000000"
        set severity High
        set trigger "notification-servers1"
      next
    end
    config signature_disable_list
      edit "080200001"
      next
    end
    config filter_list
      edit 1
        set signature_id "070000001"
        set host-status enable
        set host "www.example.com"
        set request-file "/virus-sample-upload"
      next
    end
  next
end
Related topics
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config system snmp community
config waf custom-protection-group
config log trigger-policy