Fortinet 398 FortiWeb 5.0 Patch 6 Administration Guide
Configuring action overrides or exceptions to data leak & attack detection signatures
You can configure FortiWeb to omit attack signature scans in some cases. You can also
configure the signature to only log/alert instead of blocking the attack.
Exceptions may be useful if you know that some URLs, during normal use, will cause false
positives by matching an attack signature. Signature exceptions define request URLs that will
not be subject to signature rules.
For example, if the HTTP POST URL /pageupload should accept input that is PHP code, but it
is the only URL on the host that should do so, you would create an exception in the PHP
Injection category that disables the specific matching signature ID for the URL /pageupload
only, in the signature rule that normally would block all injection attacks.
Figure 44: Disabling signatures or adding exceptions while viewing the attack log
To configure a signature exception, action override, or disable a signature
1. Go to Web Protection > Known Attacks > Signatures.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
If you are not sure which exceptions are advisable, examine your attack log for messages
generated by normal traffic on servers that are not actually vulnerable to that attack.
You can click the Add Exception link directly in the attack log message display to create an
exception.
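One way to shortlist exception candidates from exported attack log lines before reviewing them by hand, as an added example that is not part of this guide or of FortiWeb. The key=value layout, the field names (src, url, category, sig_id), the signature IDs and the distinct-source threshold are all assumptions for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample lines. Field names and signature IDs are placeholders,
# not FortiWeb's actual log schema. The last line is deliberately malformed.
SAMPLE_LOG = '''\
src=10.0.0.11 url="/pageupload" category="PHP Injection" sig_id=SIG-EXAMPLE-A
src=10.0.0.12 url="/pageupload" category="PHP Injection" sig_id=SIG-EXAMPLE-A
src=10.0.0.13 url="/pageupload" category="PHP Injection" sig_id=SIG-EXAMPLE-A
src=10.0.0.11 url="/pageupload" category="PHP Injection" sig_id=SIG-EXAMPLE-A
src=203.0.113.9 url="/login" category="SQL Injection" sig_id=SIG-EXAMPLE-B
src=203.0.113.9 url="/login" category="SQL Injection" sig_id=SIG-EXAMPLE-B
src=203.0.113.9 url="/login" category="SQL Injection" sig_id=SIG-EXAMPLE-B
src=10.0.0.14 url="/pageupload category="PHP Injection" sig_id=SIG-EXAMPLE-A
'''

def parse_line(line):
    """Return the key=value pairs of one log line, or {} if it cannot be parsed."""
    try:
        tokens = shlex.split(line)  # keeps quoted values with spaces together
    except ValueError:              # unbalanced quotes: skip rather than guess
        return {}
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)

def exception_candidates(log_text, min_sources=3):
    """List (url, sig_id, hits, distinct_sources) pairs worth a manual review.

    Heuristic (an assumption): the same signature firing on one URL from
    several distinct clients looks more like normal use than a single
    scanning client. It does not show the server is not vulnerable.
    """
    hits = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not {"src", "url", "sig_id"} <= rec.keys():
            continue
        entry = hits[(rec["url"], rec["sig_id"])]
        entry["count"] += 1
        entry["sources"].add(rec["src"])
    rows = [(url, sig, e["count"], len(e["sources"]))
            for (url, sig), e in hits.items()
            if len(e["sources"]) >= min_sources]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1]))

if __name__ == "__main__":
    for url, sig, count, sources in exception_candidates(SAMPLE_LOG):
        print(f"{url}  {sig}  hits={count}  distinct_sources={sources}")
```

Each row is one URL and signature ID pair, so any exception created from it stays as narrow as the /pageupload example above.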