Fortinet 387 FortiWeb 5.0 Patch 6 Administration Guide
Blocking known attacks & data leaks
Many attacks and data leaks can be detected by FortiWeb using signatures. Enable signatures
to defend against many attacks in the OWASP Top 10, plus more:
• cross-site scripting (XSS)
• SQL injection and many other code injection styles
• remote file inclusion (RFI)
• local file inclusion (LFI)
• OS commands
• trojans/viruses
• exploits
• sensitive server information disclosure
• credit card data leaks
FortiWeb will scan:
• parameters in the URL of HTTP GET requests
• parameters in the body of HTTP POST requests
• XML in the body of HTTP POST requests (if Enable XML Protocol Detection is enabled)
• cookies
In addition to scanning standard requests, FortiWeb can also scan XML and Action Message
Format 3.0 (AMF3) serialized binary inputs used by Adobe Flash clients to communicate with
server-side software. For more information, see Enable AMF3 Protocol Detection and Illegal
XML Format (for inline protection profiles) or Enable AMF3 Protocol Detection (for offline
protection profiles).
Known attack signatures can be updated. For information on uploading a new set of attack
definitions, see “Uploading signature & geography-to-IP updates” on page 146 and Connecting
to FortiGuard services. You can also create your own. See “Defining custom data leak & attack
signatures” on page 401.
Each server protection rule can be configured with the severity and notification settings
(“trigger”) that, in combination with the action, determine how each violation will be handled.
For example, attacks categorized as cross-site scripting and SQL injection could have the
action set to alert_deny, the severity set to High, and a trigger set to deliver an alert
email each time these rule violations are detected. Specific signatures in those categories,
however, might be disabled, set to log/alert instead, or exempt requests to specific host
names/URLs.
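As an added illustration of the rule model just described (this is not FortiWeb code; the category names, signature ids, patterns, host names and the sample request are all constructed for the example), the following Python scanner checks the input locations listed above and applies the per-category action, severity and trigger, with per-signature disable and host-name exemption:

```python
import re
from urllib.parse import urlparse, parse_qsl
from http.cookies import SimpleCookie
# Per-category rule settings as the guide describes them: action, severity and
# notification trigger. Category names, ids and patterns are constructed here.
RULE = {
    "xss": {"action": "alert_deny", "severity": "High", "trigger": "email"},
    "sql_injection": {"action": "alert_deny", "severity": "High", "trigger": "email"},
    "lfi": {"action": "alert", "severity": "Medium", "trigger": None},
}
SIGNATURES = [  # (id, category, pattern); illustrative, not FortiGuard definitions
    ("xss-001", "xss", re.compile(r"<\s*script\b", re.I)),
    ("sqli-001", "sql_injection", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("lfi-001", "lfi", re.compile(r"(\.\./){2,}")),
]
DISABLED = {"lfi-001"}                       # a signature switched off in the rule
EXEMPT = {"sqli-001": {"dba.example.com"}}   # signature exempted for a host name

def scan_locations(req, xml_detection=False):
    """Yield (location, name, value) for URL params, POST params, XML body, cookies."""
    headers = req.get("headers", {})
    for k, v in parse_qsl(urlparse(req["url"]).query, keep_blank_values=True):
        yield "url_param", k, v
    ctype = headers.get("Content-Type", "")
    if req.get("method") == "POST" and "form-urlencoded" in ctype:
        for k, v in parse_qsl(req.get("body", ""), keep_blank_values=True):
            yield "body_param", k, v
    elif req.get("method") == "POST" and xml_detection and "xml" in ctype:
        yield "xml_body", "-", req.get("body", "")  # only when XML detection is on
    cookies = SimpleCookie(headers.get("Cookie", ""))
    for k in cookies:
        yield "cookie", k, cookies[k].value

def evaluate(req, xml_detection=False):
    """Return (decision, violations); each violation carries signature, location and rule."""
    host = req.get("headers", {}).get("Host", "")
    hits = []
    for loc, name, value in scan_locations(req, xml_detection):
        for sid, cat, rx in SIGNATURES:
            if sid in DISABLED or host in EXEMPT.get(sid, ()):
                continue  # disabled signatures and exempted hosts are skipped
            if rx.search(value):
                hits.append({"signature": sid, "category": cat, "location": loc,
                             "name": name, **RULE[cat]})
    decision = "deny" if any(h["action"] == "alert_deny" for h in hits) else "allow"
    return decision, hits

SAMPLE = {"method": "GET", "url": "/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=2",
          "headers": {"Host": "www.example.com", "Cookie": "session=abc123"}}  # constructed
```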
To configure a signature rule
1. Before you create a signature rule, create custom signatures, if any, that you will add to the
rule (see “Defining custom data leak & attack signatures” on page 401).
2. Go to Web Protection > Known Attacks > Signatures.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.