Fortinet 397 FortiWeb 5.0 Patch 6 Administration Guide
6. If you enabled Information Disclosure, Trojans, or Credit Card Detection, configure a
decompression rule. See “Configuring decompression to enable scanning & rewriting” on
page 460.
7. To apply the signature rule, select it in an inline protection profile or an offline protection
profile (see “Configuring a protection profile for inline topologies” on page 468 or
“Configuring a protection profile for an out-of-band topology or asynchronous mode of
operation” on page 477).
8. To verify your configuration, attempt a request that should be detected and/or blocked by
your configuration.
If detection fails:
• Verify that routing and TCP/IP-layer firewalling do not prevent connectivity.
• Verify that your simulated attack operates on either the HTTP header or HTTP body,
whichever component is analyzed by that feature.
• If the feature operates on the HTTP body, verify that http-cachesize is large enough,
or that you have configured Body Length to block requests that exceed the buffer limit.
For details, see the FortiWeb CLI Reference.
• If the HTTP body is compressed, verify that Maximum Antivirus Buffer Size is large
enough, or that you have configured Body Length to block requests that exceed the
buffer limit.
• If you enabled Trojans, verify that you have also configured its configuration
dependencies (see “Limiting file uploads” on page 451).
• If the feature operates on the parameters in the URL line in the HTTP headers, verify that
the total parameter length (after URL decoding, if required — configure Recursive URL
Decoding) is not larger than the buffer size of Total URL and Body Parameters Length or
Total URL Parameters Length.
9. If normal input for some URLs accidentally matches a signature, either create and use a
modified version of it instead via custom signatures, or create exceptions (“Configuring
action overrides or exceptions to data leak & attack detection signatures” on page 398).
See also
Finding signatures that are disabled or “Alert Only”
Configuring action overrides or exceptions to data leak & attack detection signatures
Sequence of scans
Preventing zero-day attacks
Limiting file uploads
How often does Fortinet provide FortiGuard updates for FortiWeb?
Failure to configure a decompression rule, or, for HTTPS requests, to provide the server’s X.509
certificate in either Certificate or Certificate File, will result in FortiWeb being unable to scan
requests. This effectively disables those features.
Instead of actually executing the exploit or uploading a virus, attempt a harmless script with
similar syntax, or upload an EICAR file. Alternatively, test your configuration in a non-production
environment.
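An offline pre-flight check for the test request used in step 8, added here as an example and not taken from the Fortinet guide: it reports which of the size checks listed under "If detection fails" a request would trip. The limit keys and their values are hypothetical placeholders for the settings the guide names (enter your appliance's configured values, converted to bytes), and counting parameter length as decoded names plus values is an assumption.

```python
import gzip
from urllib.parse import parse_qsl, unquote, urlsplit

def fully_decode(value, max_rounds=5):
    # parse_qsl has already decoded once; keep decoding until the value is
    # stable, which is what recursive URL decoding implies for nested encodings.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def param_length(query, recursive=True):
    # Assumption: length = decoded names + decoded values, separators excluded.
    total = 0
    for name, value in parse_qsl(query, keep_blank_values=True):
        if recursive:
            name, value = fully_decode(name), fully_decode(value)
        total += len(name) + len(value)
    return total

def preflight(url, headers, body, limits):
    """Return the reasons this test request might not be scanned in full."""
    findings = []
    if headers.get("Content-Encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
        if len(body) > limits["max_antivirus_buffer"]:
            findings.append("decompressed body exceeds Maximum Antivirus Buffer Size")
    if len(body) > limits["http_cachesize"]:
        findings.append("body exceeds http-cachesize")
    url_len = param_length(urlsplit(url).query)
    if url_len > limits["total_url_params"]:
        findings.append("URL parameters exceed Total URL Parameters Length")
    body_len = 0
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        body_len = param_length(body.decode("latin-1"))
    if url_len + body_len > limits["total_url_body_params"]:
        findings.append("parameters exceed Total URL and Body Parameters Length")
    return findings

# Constructed sample: the limits are placeholders, not FortiWeb defaults.
LIMITS = {"http_cachesize": 2048, "max_antivirus_buffer": 1024,
          "total_url_params": 16, "total_url_body_params": 4096}
SAMPLE = ("http://waf-test.example/search?q=%2541%2541",
          {"Content-Encoding": "gzip", "Content-Type": "text/plain"},
          gzip.compress(b"A" * 4096))

if __name__ == "__main__":
    for reason in preflight(*SAMPLE, LIMITS):
        print("check:", reason)
```

An empty result means the request fits within every limit supplied, so a failed detection has another cause, such as connectivity or a missing decompression rule.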