Fortinet 387 FortiWeb 5.0 Patch 6 Administration Guide
Blocking known attacks & data leaksMany attacks and data leaks can be detected by FortiWeb using signatures. Enable signatures
to defend against many attacks in the OWASP Top 10, plus more:
• cross-site scripting (XSS)
• SQL injection and many other code injection styles
• remote file inclusion (RFI)
• local file inclusion (LFI)
• OS commands
• trojans/viruses
• exploits
• sensitive server information disclosure
• credit card data leaks
FortiWeb will scan:
• parameters in the URL of HTTP GET requests
• parameters in the body of HTTP POST requests
• XML in the body of HTTP POST requests (if Enable XML Protocol Detection is enabled)
• cookies
In addition to scanning standard requests, FortiWeb can also scan XML And Action Message
Format 3.0 (AMF3) serialized binary inputs used by Adobe Flash clients to communicate with
server-side software. For more information, see Enable AMF3 Protocol Detection and Illegal
XML Format (for inline protection profiles) or Enable AMF3 Protocol Detection (for offline
protection profiles).
Known attack signatures can be updated. For information on uploading a new set of attack
definitions, see “Uploading signature & geography-to-IP updates” on page 146 and Connecting
to FortiGuard services. You can also create your own. See “Defining custom data leak & attack
signatures” on page 401.
Each server protection rule can be configured with the severity and notification settings
(“trigger”) that, in combination with the action, determines how each violation will be handled.
For example, attacks categorized as cross-site scripting and SQL injection could have the
action set to alert_deny, the severity set to High, and a trigger set to deliver an alert
email each time these rule violations are detected. Specific signatures in those categories,
however, might be disabled, set to log/alert instead, or exempt requests to specific host
names/URLs.
To configure a signature rule
1. Before you create a signature rule, create custom signatures, if any, that you will add to the
rule (see “Defining custom data leak & attack signatures” on page 401).
2. Go to Web Protection > Known Attacks > Signatures.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.