
Administration Guide

FAQ

Why don't hidden fields work properly in offline mode?

In offline mode, one of the following two conditions must be met.

1) The HTTP request and response are in the same TCP session.

2) The Session Key configured in the offline profile (or, if none is configured, ASPSESSIONID, PHPSESSIONID, or JSESSIONID) must be present in the HTTP traffic.
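The two conditions above, worked through in an added Python illustration that is not FortiWeb code: a hidden-field check can only compare a submitted form against the response that originally sent the form, so it has to pair request with response either by TCP session or by the session key cookie. The records, the custom key name MYSESS and every field value are constructed; the three default cookie names are the ones the FAQ lists.

```python
# Added illustration, not FortiWeb code: how an offline-mode hidden-field check
# must pair a submitted form with the response that originally sent the form.
# Records, the custom key "MYSESS", and all field values are constructed.
from dataclasses import dataclass

# Fallback session cookies named on the page, used when no Session Key is configured.
DEFAULT_SESSION_KEYS = ("ASPSESSIONID", "PHPSESSIONID", "JSESSIONID")


@dataclass
class Response:
    tcp: tuple            # (client_ip, client_port, server_ip, server_port)
    set_cookie: dict      # cookies the server set in this response
    hidden_fields: dict   # hidden <input> values the server embedded in the form


@dataclass
class Request:
    tcp: tuple
    cookies: dict         # cookies the client sent
    form: dict            # form fields the client submitted


def session_id(cookies, session_key=None):
    """Value of the configured Session Key, else of the first default key present."""
    keys = (session_key,) if session_key else DEFAULT_SESSION_KEYS
    for key in keys:
        if key in cookies:
            return cookies[key]
    return None


def find_origin(request, responses, session_key=None):
    """Response this request's form came from, by either condition, or None."""
    sid = session_id(request.cookies, session_key)
    for resp in responses:
        if resp.tcp == request.tcp:                       # condition 1: same TCP session
            return resp
        if sid is not None and session_id(resp.set_cookie, session_key) == sid:
            return resp                                   # condition 2: same session key
    return None


def check_hidden_fields(request, responses, session_key=None):
    """'ok', 'tampered', or 'unverifiable' when no origin response can be correlated."""
    origin = find_origin(request, responses, session_key)
    if origin is None:
        return "unverifiable"
    for name, expected in origin.hidden_fields.items():
        if request.form.get(name) != expected:
            return "tampered"
    return "ok"


# Constructed traffic: two server responses, each carrying a hidden "price" field.
TCP_A = ("192.0.2.10", 51000, "198.51.100.5", 80)
TCP_B = ("192.0.2.11", 51001, "198.51.100.5", 80)
RESPONSES = [
    Response(TCP_A, {"PHPSESSIONID": "abc123"}, {"price": "100"}),
    Response(TCP_B, {"MYSESS": "xyz789"}, {"price": "250"}),
]

# Same TCP session as the first response: correlated by condition 1.
REQ_SAME_TCP = Request(TCP_A, {}, {"price": "100"})
# New TCP session but carries PHPSESSIONID: correlated by condition 2, value altered.
REQ_SESSION_COOKIE = Request(("192.0.2.10", 51002, "198.51.100.5", 80),
                             {"PHPSESSIONID": "abc123"}, {"price": "1"})
# New TCP session and no session cookie: neither condition holds, so no check is possible.
REQ_NO_CORRELATION = Request(("192.0.2.10", 51003, "198.51.100.5", 80),
                             {}, {"price": "1"})
# Custom Session Key "MYSESS" configured in the offline profile (assumed name).
REQ_CUSTOM_KEY = Request(("192.0.2.11", 51004, "198.51.100.5", 80),
                         {"MYSESS": "xyz789"}, {"price": "250"})

if __name__ == "__main__":
    for label, req, key in (("same tcp", REQ_SAME_TCP, None),
                            ("session cookie", REQ_SESSION_COOKIE, None),
                            ("no correlation", REQ_NO_CORRELATION, None),
                            ("custom key", REQ_CUSTOM_KEY, "MYSESS")):
        print(f"{label:15s} -> {check_hidden_fields(req, RESPONSES, key)}")
```

The third request is the case the FAQ describes: a form submitted on a fresh TCP connection by a client that carries none of the recognised session cookies cannot be tied back to any response, so the hidden-field module has nothing to compare against and appears not to work.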

Why doesn't a WAF protection module work?

Some modules, such as URL Access, can disable other modules. When a module appears not to work, first check whether an earlier module in the scan sequence has disabled it. Here are some examples.

1) When the URL Access action is Pass, it disables all security features that come after Global Object White List and URL Access in the scan sequence; refer to the module sequence in the following FAQ item.

2) An IP white list can disable all security features after IP List Check.

3) When the client matches a known engine, the WAF disables some RBE-related features and all modules that may cause false positives. These modules are listed as follows:

HTTP Flood

HTTP Access Limit

Custom Access Policy

GEO IP

Malicious IP

HTTP Protocol Constraints

Robot Check

Bot Deception

Biometrics Based Detection

Threshold Based Detection

4) Some OWA URLs would result in errors, so FortiWeb disables the following modules for them.

All response follow-up modules are disabled

File Security

Webshell Detection

Chunk Decode

File Uncompress

Signature

URL Rewriting

File Compress

Machine Learning

What’s the sequence of WAF module scans in 7.0.0?

The WAF module scan sequence in 7.0.0 is shown below for your reference:

WAF_X_FORWARD_FOR,

WAF_SESSION_MANAGEMENT, // Client management

WAF_IP_LIST_CHECK,

WAF_IP_INTELLIGENCE,

WAF_QUARANT_IP,

WAF_BOT_MITIGATION_MOD,

WAF_BOT_MANAGEMENT,

WAF_GEO_BLOCK_LIST,

WAF_HTTP_WEBSOCKET_SECURITY,

WAF_HSTS_HEADER,

WAF_PROTECTED_SERVER_CHECK,

WAF_ALLOW_METHOD_CHECK,

WAF_ACTIVE_SCRIPT,

WAF_MOBILE_IDENTIFICATION,

WAF_HTTP_DOS_HTTP_FLOOD,

WAF_HTTP_DOS_MALICIOUS_IP,

WAF_HTTP_ACCESS_LIMIT,

WAF_TCP_FLOOD_PREVENTION,

WAF_HTTP_AUTHENTICATION,

WAF_GLOBAL_WHITE_LIST,

WAF_ADFS_PROXY,

WAF_CUSTOM_RESPONSE_POLICY,

WAF_URL_ACCESS_POLICY,

WAF_MOBILE_API_PROTECTION,

WAF_PADDING_ORACLE_POLICY,

WAF_HTTP_PROTOCOL_CONSTRAINS,

WAF_FILE_PARSE,

WAF_FILE_UPLOAD,

WAF_WEBSHELL_DETECTION,

WAF_CHUNK_DECODE,

WAF_FILE_UNCOMPRESS,

WAF_WEB_CACHE, // NOTE: it has to be placed before the modules that modify the original packets

WAF_BOT_DECEPTION,

WAF_ROBOT_CHECK, // ML bot detection

WAF_CSRF_CHECK,

WAF_MITB_CHECK,

WAF_PARAMETER_VALIDATION_RULE,

WAF_AJAX_BLOCK,

WAF_BOT_CLIENT, // Biometric based bot detection

WAF_WEB_ACCELERATION,

WAF_XML_VALIDATION,

WAF_JSON_VALIDATION,

WAF_SERVER_PROTECTION_RULE, // Signature

WAF_SYNTAX_BASED_DETECTION,

WAF_SITE_PUBLISH,

WAF_THREAT_WEIGHT,

WAF_HIDDEN_FIELDS,

WAF_CUSTOM_ACCESS_POLICY,

WAF_BOT_CUSTOM_ACCESS, // Threshold based bot detection

WAF_USER_TRACKING,

WAF_API_MANAGEMENT,

WAF_OPENAPI_VALIDATION,

WAF_CORS_CHECK,

WAF_URL_REWRITING_POLICY,

WAF_URL_ENCRYPTION,

WAF_MLEARNING, // Machine Learning framework

WAF_API_RECORD, // Machine Learning API discovery

WAF_FILE_COMPRESS,

WAF_COOKIE_SECURITY,

WAF_HTTP_HEADER_SECURITY,

WAF_PROFILE,

WAF_HTTP_STATISTIC,

WAF_CLIENT_CERTIFICATE_FORWARD
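The two FAQ items above (a module that does not seem to work, and the scan sequence that explains why) can be reasoned about with an added Python simulation that is not FortiWeb code: modules run in the page's order, and an early verdict (a white-listed source IP, a URL Access rule with action Pass, or a known-engine match) suppresses later modules for that request. Module identifiers are taken from the 7.0.0 sequence; the subset chosen, the mapping of the FAQ's plain module names onto those identifiers, which module performs the known-engine match, the policy and all request data are assumptions.

```python
# Added simulation, not FortiWeb code: a sequential scan chain in which an early
# module's verdict suppresses later modules, plus a helper that reports why a
# given module never saw a request. Module names come from the 7.0.0 sequence on
# the page; the subset, the policy, which module detects a known engine, and all
# request data are assumptions.

# Subset of the 7.0.0 scan sequence, in the page's order.
SCAN_SEQUENCE = [
    "WAF_IP_LIST_CHECK",
    "WAF_BOT_MITIGATION_MOD",
    "WAF_GEO_BLOCK_LIST",
    "WAF_HTTP_DOS_HTTP_FLOOD",
    "WAF_HTTP_DOS_MALICIOUS_IP",
    "WAF_HTTP_ACCESS_LIMIT",
    "WAF_GLOBAL_WHITE_LIST",
    "WAF_URL_ACCESS_POLICY",
    "WAF_HTTP_PROTOCOL_CONSTRAINS",
    "WAF_BOT_DECEPTION",
    "WAF_ROBOT_CHECK",
    "WAF_BOT_CLIENT",
    "WAF_SERVER_PROTECTION_RULE",
    "WAF_HIDDEN_FIELDS",
    "WAF_CUSTOM_ACCESS_POLICY",
    "WAF_BOT_CUSTOM_ACCESS",
]

# Modules the FAQ lists as disabled once a client matches a known engine, mapped
# onto sequence identifiers (mapping assumed from the names and the sequence comments).
KNOWN_ENGINE_SKIPS = {
    "WAF_HTTP_DOS_HTTP_FLOOD",       # HTTP Flood
    "WAF_HTTP_ACCESS_LIMIT",         # HTTP Access Limit
    "WAF_CUSTOM_ACCESS_POLICY",      # Custom Access Policy
    "WAF_GEO_BLOCK_LIST",            # GEO IP
    "WAF_HTTP_DOS_MALICIOUS_IP",     # Malicious IP
    "WAF_HTTP_PROTOCOL_CONSTRAINS",  # HTTP Protocol Constraints
    "WAF_ROBOT_CHECK",               # Robot Check
    "WAF_BOT_DECEPTION",             # Bot Deception
    "WAF_BOT_CLIENT",                # Biometrics Based Detection
    "WAF_BOT_CUSTOM_ACCESS",         # Threshold Based Detection
}

# Constructed policy.
POLICY = {
    "ip_white_list": {"203.0.113.10"},
    "url_access_pass_prefixes": ("/static/",),     # URL Access rule with action Pass
    "known_engine_agents": ("ExampleSearchBot",),  # constructed known-engine UA token
}


def scan(request, policy=POLICY):
    """Walk the chain; return {module: 'ran' | 'skipped: <reason>'}."""
    outcome = {}
    stop_reason = None   # set when a verdict short-circuits every later module
    disabled = set()     # modules turned off for this request only
    for module in SCAN_SEQUENCE:
        if stop_reason is not None:
            outcome[module] = f"skipped: {stop_reason}"
            continue
        if module in disabled:
            outcome[module] = "skipped: known engine matched"
            continue
        outcome[module] = "ran"
        if module == "WAF_IP_LIST_CHECK" and request["src_ip"] in policy["ip_white_list"]:
            stop_reason = "source IP is white-listed"
        elif module == "WAF_BOT_MITIGATION_MOD" and any(
                token in request["user_agent"] for token in policy["known_engine_agents"]):
            disabled = KNOWN_ENGINE_SKIPS
        elif module == "WAF_URL_ACCESS_POLICY" and request["url"].startswith(
                policy["url_access_pass_prefixes"]):
            stop_reason = "URL Access action is Pass"
    return outcome


def why_not_run(request, module, policy=POLICY):
    """Troubleshooting helper: what happened to `module` for this request."""
    return scan(request, policy)[module]


# Constructed requests.
REQ_WHITELISTED = {"src_ip": "203.0.113.10", "url": "/login", "user_agent": "Mozilla/5.0"}
REQ_STATIC = {"src_ip": "198.51.100.7", "url": "/static/app.js", "user_agent": "Mozilla/5.0"}
REQ_ENGINE = {"src_ip": "198.51.100.8", "url": "/", "user_agent": "Mozilla/5.0 ExampleSearchBot/1.0"}
REQ_NORMAL = {"src_ip": "198.51.100.9", "url": "/login", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for name, req in (("whitelisted", REQ_WHITELISTED), ("static", REQ_STATIC),
                      ("engine", REQ_ENGINE), ("normal", REQ_NORMAL)):
        print(f"{name:12s} signature module: {why_not_run(req, 'WAF_SERVER_PROTECTION_RULE')}")
```

Running the diagnostic for the signature module shows the three patterns the FAQ describes: the white-listed client skips everything after IP List Check, the request that hit a Pass rule skips everything after URL Access, and the known-engine client still reaches signatures but skips the rate-limiting and bot modules.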
