Fortinet 5.0 Patch 6

Fortinet 473 FortiWeb 5.0 Patch 6 Administration Guide

Cookie Poisoning

Detection

Enable to detect cookie poisoning, then select which of the following

actions the FortiWeb appliance will take if cookie tampering is

detected:

•Alert — Accept the request and generate an alert email and/or log

message.

•Alert & Deny — Block the request and generate an alert and/or

log message.

•Period Block — Block requests for a specified number of

seconds as set in the accompanying field to the right. The range is

1 to 3600. See also “Monitoring currently blocked IPs” on

page 606.

Note: If FortiWeb is deployed behind a NAT load balancer, when

using this option, you must also define an X-header that indicates

the original client’s IP (see “Defining your proxies, clients, &

X-headers” on page 266). Failure to do so may cause FortiWeb to

block all connections when it detects a violation of this type.

•Remove Cookie — Accept the request, but remove the poisoned

cookie from the datagram before it reaches the web server, and

generate an alert and/or log message.

For more information on logging and alerts, see “Configuring logging”

on page 545.

When enabled, each cookie is accompanied by a cookie named

<cookie_name>_fortinet_waf_auth, which tracks the cookie’s

original value when set by the web server. If the cookie returned by

the client does not match this digest, the FortiWeb appliance will

detect cookie poisoning. This feature can be useful to prevent many

types of cookie-based attack, such as session ID fraud.

Note: This feature requires that the client support cookies.

Signatures Select the name of the signature set, if any, that will be applied to

matching requests. Also configure Enable AMF3 Protocol Detection.

Attack log messages for this feature vary by which type of attack was

detected. For a list, see “Blocking known attacks & data leaks” on

page 387.

Enable AMF3

Protocol Detection

Enable to scan requests that use action message format 3.0 (AMF3)

for:

• cross-site scripting (XSS) attacks

• SQL injection attacks

• common exploits

and other attack signatures that you have enabled in Signatures.

AMF3 is a binary format that can be used by Adobe Flash/Flex clients

to send input to server-side software.

Caution: To scan for attacks or enforce input rules on AMF3, you

must enable this option. Failure to enable the option will cause the

FortiWeb appliance to be unable to scan AMF3 requests for attacks.

Enable XML

Protocol Detection

Enable to scan for matches with attack and data leak signatures in

Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in

the bodies of HTTP POST requests.

Setting name Description