You can configure FortiWeb to omit attack signature scans in some cases. You can also configure the signature to generate a log or alert only instead of blocking the attack.
Exceptions are useful when you know that some parameters, during normal use, cause false positives by matching an attack signature. Signature exceptions define request parameters that are not subject to signature rules. You can define exceptions using the following request elements: HTTP method, client IP, Host header, URI (path without parameters), full URL (path with parameters), parameter name and value, and cookie name and value. You can combine several of these elements in one exception, and each element can be matched either as a literal string or as a regular expression.
For example, the HTTP POST URL /pageupload accepts input that is PHP code, but it is the only URL on the host that does. Create an exception that, in the PHP Injection category, disables that specific signature ID for the URL /pageupload in the signature rule that normally blocks all injection attacks. Scope each exception as narrowly as the false positive requires (one signature ID and one URL rather than a whole category or host), because everything an exception matches is no longer scanned by that signature.
If you are not sure which exceptions to create, examine your attack log for messages generated by normal traffic on servers that are not actually vulnerable to that attack. Click the Message field content, and then click Add Exception.
1. Go to Web Protection > Known Attacks > Signatures.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
2. Double-click the row that corresponds to the signature policy for which you want to disable one or more individual signatures.
A dialog appears.
3. Click Signature Details.
4. In the signature tree on the left, click a category folder to open the signature category where you need to disable a specific signature. Select an individual sub-category to display a list of individual signature IDs in the pane to the right.
5. Optionally, in the pane that lists individual signatures, for Search Description, enter keywords to create a filter, and then click Search (magnifying glass icon).
6. Click the row of the signature ID to disable.
The selected signature row is highlighted in blue.
7. To disable the signature for this rule, or globally, right-click the signature’s row and select the appropriate option.
8. On the Signature tab, do the following:
9. If you want to exempt specific host name/URL combinations, in the pane on the right side, click the Exception tab.
10. For Element Type, select the type of element to exempt from this signature, and then configure these settings:
Element type | Setting name | Description
---|---|---
HTTP Method | Operation | 
HTTP Method | HTTP Method | Select the methods to include or exclude from the signature exemption.
Client IP | Operation | 
Client IP | Client IP | Specify the client IP address that FortiWeb uses to determine whether or not to perform a signature scan for the request.
Host | Operation | Select String Match or Regular Expression Match.
Host | Value | Specifies the Host: field value to match. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
URI | Operation | Select String Match or Regular Expression Match.
URI | Value | Specifies the URL path to match. The value does not include parameters. For example, /testpage.php matches requests for http://www.test.com/testpage.php?a=1&b=2. If Operation is String Match, the value must begin with a forward slash (/), for example /causes-false-positives.php. If Operation is Regular Expression Match, the value does not require a leading forward slash, but ensure that the expression can match values that contain one. Do not include a domain name or parameters: to match a domain name, use the Host element type; to match a URL that includes parameters, use the Full URL type. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
Full URL | Operation | Select String Match or Regular Expression Match.
Full URL | Value | Specifies a URL value, including parameters, to match. For example, /testpage.php?a=1&b=2 matches requests for http://www.test.com/testpage.php?a=1&b=2. If Operation is String Match, the value must begin with a forward slash (/), for example /testpage.php?a=1&b=2. If Operation is Regular Expression Match, the value does not require a leading forward slash, but ensure that the expression can match values that contain one. Do not include a domain name: to match a domain name, use the Host element type. To match a URL that does not include parameters, use the URI type. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
Parameter | Operation | Select String Match or Regular Expression Match.
Parameter | Name | Specifies the name of the parameter to match. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
Parameter | Check Value of Specified Element | Select to specify a parameter value to match in addition to the parameter name.
Parameter | Value | Specifies the parameter value to match. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
Cookie | Operation | Select String Match or Regular Expression Match.
Cookie | Name | Specifies the name of the cookie to match. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
Cookie | Check Value of Specified Element | Select to specify a cookie value to match in addition to the cookie name.
Cookie | Value | Specifies the cookie value to match. To create and test a regular expression, click the >> (test) icon (see Regular expression syntax).
(all) | Concatenate | Select how this entry combines with the previous entry in the exception list (And or Or). Later, you can use the exception list options to adjust the matching sequence for entries. See Example: Concatenating exceptions.
11. Click Apply.
12. Repeat the previous steps for each entry that you want to add to the signature exception.
FortiWeb generates a dynamic description of the match sequence you created and displays it at the top of the exception list. You can adjust the sequence using the move options (up and down arrows).
The illustration displays the following signature exception configuration:
The final logic of the example is (2 And 3) OR (4): FortiWeb skips the signature when both the URI and HTTP Method exception rules match the request, or when the Client IP rule matches on its own.
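The element semantics in the table above and the (2 And 3) OR (4) evaluation of the example, modelled in Python as an added illustration. This is not FortiWeb code. The Request and ExceptionEntry names, the grouping rule (consecutive And entries form a group, Or starts a new group, the signature is skipped when any group matches completely), the comma-separated method list, and the CIDR form of the Client IP value are assumptions made for the example; the URI/Full URL leading-slash check and the URI-ignores-parameters behaviour follow the table.

```python
"""Model of signature-exception matching (added example, not FortiWeb's implementation)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

STRING = "String Match"
REGEX = "Regular Expression Match"


@dataclass
class Request:
    """Constructed request fields that the exception elements are matched against."""
    method: str
    client_ip: str
    host: str
    full_url: str          # path plus optional query string, e.g. /testpage.php?a=1&b=2
    cookies: dict

    @property
    def uri(self) -> str:
        """The URI element: path without parameters."""
        return urlsplit(self.full_url).path

    @property
    def params(self) -> dict:
        return dict(parse_qsl(urlsplit(self.full_url).query, keep_blank_values=True))


@dataclass
class ExceptionEntry:
    element: str               # HTTP Method, Client IP, Host, URI, Full URL, Parameter, Cookie
    value: str                 # methods, IP or CIDR (assumed), host, URL, parameter/cookie value
    operation: str = STRING    # STRING or REGEX
    name: str = ""             # Parameter / Cookie name
    check_value: bool = False  # "Check Value of Specified Element"
    concatenate: str = "Or"    # how this entry joins the previous one: "And" or "Or"

    def __post_init__(self):
        # Caveat from the docs: a String Match URI / Full URL value must start with "/".
        if (self.element in ("URI", "Full URL") and self.operation == STRING
                and not self.value.startswith("/")):
            raise ValueError(f"{self.element} String Match value must start with '/': {self.value!r}")


def _text_match(op: str, pattern: str, subject: str) -> bool:
    if op == REGEX:
        return re.search(pattern, subject) is not None
    return pattern == subject


def entry_matches(entry: ExceptionEntry, req: Request) -> bool:
    """True when one exception entry matches the request."""
    e = entry.element
    if e == "HTTP Method":
        methods = {m.strip().upper() for m in entry.value.split(",")}
        return req.method.upper() in methods
    if e == "Client IP":
        return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(entry.value, strict=False)
    if e == "Host":
        return _text_match(entry.operation, entry.value, req.host)
    if e == "URI":
        return _text_match(entry.operation, entry.value, req.uri)       # parameters ignored
    if e == "Full URL":
        return _text_match(entry.operation, entry.value, req.full_url)  # parameters included
    if e in ("Parameter", "Cookie"):
        source = req.params if e == "Parameter" else req.cookies
        for name, value in source.items():
            if _text_match(entry.operation, entry.name, name) and (
                    not entry.check_value or _text_match(entry.operation, entry.value, value)):
                return True
        return False
    raise ValueError(f"unknown element type {e!r}")


def skip_signature(entries: list, req: Request) -> bool:
    """True when the exception list says to skip the signature scan for this request.

    Consecutive "And" entries form a group and "Or" starts a new group, so
    [URI, HTTP Method(And), Client IP(Or)] evaluates as (URI And Method) Or ClientIP.
    """
    groups, current = [], []
    for i, entry in enumerate(entries):
        if i > 0 and entry.concatenate == "Or":
            groups.append(current)
            current = []
        current.append(entry)
    groups.append(current)
    return any(all(entry_matches(e, req) for e in group) for group in groups if group)


if __name__ == "__main__":
    # The documented example: (URI /pageupload And POST) Or (client in 10.0.0.0/8).
    rules = [ExceptionEntry("URI", "/pageupload"),
             ExceptionEntry("HTTP Method", "POST", concatenate="And"),
             ExceptionEntry("Client IP", "10.0.0.0/8", concatenate="Or")]
    req = Request("POST", "203.0.113.5", "www.example.com", "/pageupload", {})
    print("skip signature:", skip_signature(rules, req))
```

The model makes the two caveats from the table concrete: a URI entry of /testpage.php still matches /testpage.php?a=1&b=2 because the URI element never sees parameters, while a Full URL entry with the same value does not; and a String Match URI value without a leading slash is rejected at configuration time rather than silently never matching.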
You can filter signatures using a keyword
You can filter your view of the signatures in a signature policy to quickly find the following items:
To easily locate these kinds of signatures for review or editing, click Filters in the navigation tree, select the type of filter you want to apply, and then click Apply.