
Web application firewall configuration overview

WAF configuration overview shows the relationship between WAF configuration elements. A WAF profile comprises a Web Attack Signature policy, URL Protection policy, HTTP Protocol Constraint policy, SQL/XSS Injection Detection, Bot Detection policy, and more. The profile is applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules. WAF profiles can be applied to HTTP and HTTPS virtual servers but not HTTP Turbo virtual servers.

WAF configuration overview

Predefined configuration elements

The FortiADC WAF includes many predefined configuration elements to help you get started: WAF profiles, Web Attack Signature policies, HTTP Protocol Constraint policies, SQL/XSS Injection Detection policies, JSON Detection and XML Detection.

Severity

The severity ratings for predefined Web Attack Signatures and the default severity rating for feature options like SQL/XSS Injection Detection are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. In order to harmonize the significance of severity levels in logs, we recommend you use this methodology to assign severity for any custom elements you create.

Action

You can create an action that FortiADC takes when a WAF rule's conditions are met.

Basic Steps

  1. Create configuration objects that define the action.
  2. Select this action in a WAF rule configuration.

Exceptions

You can create exceptions so that traffic to specific hosts or URL patterns is not subject to processing by WAF rules. Exception lists are processed before traffic is inspected. If an exception applies, the traffic bypasses the WAF module.

Basic Steps

  1. Create configuration objects that define the exception.
  2. Add the exception to a WAF profile configuration or WAF rule configuration.
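The evaluation order described in the Action and Exceptions sections above, shown as an added toy model (this is example code written for this page, not FortiADC code, and it does not reproduce FortiADC's CLI or matching engine). The class names, the glob-style host/URL exception patterns, the three signature rules and the sample requests are all assumptions constructed for the example. It shows the point a practitioner cares about: a profile-level exception is checked before any rule runs and bypasses the whole WAF module, so an overly broad exception pattern silently disables every signature, while a per-rule exception only skips that one rule.

```python
# Added example (not FortiADC code): toy model of WAF profile -> rules -> actions,
# with exceptions evaluated before inspection. All names/patterns are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import re

# Severity labels follow the OWASP Risk Rating levels referenced on the page.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3}
# When several rules match, the strictest action wins (deny over alert).
ACTION_ORDER = {"alert": 1, "deny": 2}


@dataclass
class WafException:
    """Host and URL glob patterns; a match skips the rule set it is attached to."""
    host: str
    url: str

    def matches(self, host: str, path: str) -> bool:
        return fnmatchcase(host, self.host) and fnmatchcase(path, self.url)


@dataclass
class WafRule:
    """One signature with its severity and the action taken on a match."""
    name: str
    pattern: str                      # regex run over request line and body
    severity: str                     # "low" | "medium" | "high"
    action: str                       # "alert" | "deny"
    exceptions: list = field(default_factory=list)   # per-rule exceptions

    def matches(self, text: str) -> bool:
        return re.search(self.pattern, text) is not None


@dataclass
class WafProfile:
    name: str
    rules: list
    exceptions: list = field(default_factory=list)   # profile-level exceptions


@dataclass
class Request:
    host: str
    path: str
    body: str = ""


def evaluate(profile: WafProfile, req: Request) -> dict:
    """Decide one request: profile exceptions -> per-rule exceptions -> rules."""
    if any(e.matches(req.host, req.path) for e in profile.exceptions):
        # Profile-level exception: the WAF module is bypassed entirely.
        return {"bypassed": True, "matched": [], "action": "allow", "severity": None}
    text = f"{req.path}\n{req.body}"
    matched = []
    for rule in profile.rules:
        if any(e.matches(req.host, req.path) for e in rule.exceptions):
            continue          # only this rule is skipped; the others still run
        if rule.matches(text):
            matched.append(rule)
    if not matched:
        return {"bypassed": False, "matched": [], "action": "allow", "severity": None}
    worst = max(matched, key=lambda r: (ACTION_ORDER[r.action], SEVERITY_ORDER[r.severity]))
    return {"bypassed": False, "matched": [r.name for r in matched],
            "action": worst.action, "severity": worst.severity}


# Constructed rule set. The XSS rule carries a per-rule exception for an assumed
# CMS endpoint that legitimately submits HTML; the SQLi rule still applies there.
RULES = [
    WafRule("sqli-union-select", r"(?i)\bunion\b.*\bselect\b", "high", "deny"),
    WafRule("xss-script-tag", r"(?i)<script\b", "high", "deny",
            exceptions=[WafException("editor.example.com", "/cms/*")]),
    WafRule("path-traversal", r"\.\./", "medium", "alert"),
]

# Narrow profile-level exception: only the health-check URL bypasses the WAF.
PROFILE = WafProfile("web-profile", RULES,
                     exceptions=[WafException("*.example.com", "/healthz")])
# Misconfigured profile: "/*" on any host exempts all traffic from every rule.
BROAD_PROFILE = WafProfile("broad-profile", RULES,
                           exceptions=[WafException("*", "/*")])

# Constructed sample requests.
SQLI_REQUEST = Request("www.example.com", "/search?q=1 UNION SELECT 1")
HEALTH_REQUEST = Request("www.example.com", "/healthz")
TRAVERSAL_REQUEST = Request("www.example.com", "/download?file=../config.txt")
CMS_REQUEST = Request("editor.example.com", "/cms/save",
                      body='<script src="/static/app.js"></script>')

if __name__ == "__main__":
    for label, prof, req in [("sqli", PROFILE, SQLI_REQUEST),
                             ("health", PROFILE, HEALTH_REQUEST),
                             ("cms", PROFILE, CMS_REQUEST),
                             ("sqli/broad", BROAD_PROFILE, SQLI_REQUEST)]:
        print(label, evaluate(prof, req))
```

The last case is the one to review for in a real profile: with the broad exception in place the SQL injection request reports `bypassed: True` and is never inspected, which is exactly what a `*`/`/*` exception means.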
