FAQ
Why do hidden fields not work properly in offline mode?
In offline mode, one of the following two conditions must be met:
1) The HTTP request and response are in the same TCP session.
2) The Session Key configured in the offline profile (or, if none is configured, ASPSESSIONID, PHPSESSIONID, or JSESSIONID) must be present in the HTTP traffic.
Why doesn’t a WAF protection module work?
Some modules can disable other modules; URL Access is one example. When a module does not seem to work, check whether an earlier module has disabled it. Here are some examples.
1) When the URL Access action is Pass, it disables all security features after Global Object White List & URL Access; refer to the module sequence in the following FAQ item.
2) The IP white list disables all security features after IP List Check.
3) When a request matches a known engine, the WAF disables some RBE-related features and all modules that may cause false positives. These modules are:
HTTP Flood
HTTP Access Limit
Custom Access Policy
GEO IP
Malicious IP
HTTP_Protocol Constraints
Robot Check
Bot Deception
Biometrics Based Detection
Threshold Based Detection
4) Some OWA URLs would result in errors, so FortiWeb disables the modules below for them.
All response follow-up modules are disabled
File Security
Webshell Detection
Chunk Decode
File Uncompress
Signature
URL Rewriting
File Compress
Machine Learning
What’s the sequence of WAF module scans in 7.0.0?
The WAF module scan sequence in 7.0.0 is shown below for your reference:
WAF_X_FORWARD_FOR,
WAF_SESSION_MANAGEMENT, //Client management
WAF_IP_LIST_CHECK,
WAF_IP_INTELLIGENCE,
WAF_QUARANT_IP,
WAF_BOT_MITIGATION_MOD,
WAF_BOT_MANAGEMENT,
WAF_GEO_BLOCK_LIST,
WAF_HTTP_WEBSOCKET_SECURITY,
WAF_HSTS_HEADER,
WAF_PROTECTED_SERVER_CHECK,
WAF_ALLOW_METHOD_CHECK,
WAF_ACTIVE_SCRIPT,
WAF_MOBILE_IDENTIFICATION,
WAF_HTTP_DOS_HTTP_FLOOD,
WAF_HTTP_DOS_MALICIOUS_IP,
WAF_HTTP_ACCESS_LIMIT,
WAF_TCP_FLOOD_PREVENTION,
WAF_HTTP_AUTHENTICATION,
WAF_GLOBAL_WHITE_LIST,
WAF_ADFS_PROXY,
WAF_CUSTOM_RESPONSE_POLICY,
WAF_URL_ACCESS_POLICY,
WAF_MOBILE_API_PROTECTION,
WAF_PADDING_ORACLE_POLICY,
WAF_HTTP_PROTOCOL_CONSTRAINS,
WAF_FILE_PARSE,
WAF_FILE_UPLOAD,
WAF_WEBSHELL_DETECTION,
WAF_CHUNK_DECODE,
WAF_FILE_UNCOMPRESS,
WAF_WEB_CACHE, // NOTE: it has to be placed before the modules which will modify the original packs
WAF_BOT_DECEPTION,
WAF_ROBOT_CHECK, // ML bot detection
WAF_CSRF_CHECK,
WAF_MITB_CHECK,
WAF_PARAMETER_VALIDATION_RULE,
WAF_AJAX_BLOCK,
WAF_BOT_CLIENT, // Biometric based bot detection
WAF_WEB_ACCELERATION,
WAF_XML_VALIDATION,
WAF_JSON_VALIDATION,
WAF_SERVER_PROTECTION_RULE, // Signature
WAF_SYNTAX_BASED_DETECTION,
WAF_SITE_PUBLISH,
WAF_THREAT_WEIGHT,
WAF_HIDDEN_FIELDS,
WAF_CUSTOM_ACCESS_POLICY,
WAF_BOT_CUSTOM_ACCESS, // Threshold based bot detection
WAF_USER_TRACKING,
WAF_API_MANAGEMENT,
WAF_OPENAPI_VALIDATION,
WAF_CORS_CHECK,
WAF_URL_REWRITING_POLICY,
WAF_URL_ENCRYPTION,
WAF_MLEARNING, // Machine Learning framework
WAF_API_RECORD, // Machine Learning API discovery
WAF_FILE_COMPRESS,
WAF_COOKIE_SECURITY,
WAF_HTTP_HEADER_SECURITY,
WAF_PROFILE,
WAF_HTTP_STATISTIC,
WAF_CLIENT_CERTIFICATE_FORWARD
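The following is an added troubleshooting model, not FortiWeb code: it takes the 7.0.0 scan sequence above and the four short-circuit rules from the "Why doesn't a WAF protection module work?" item and lists which modules still evaluate for a request. Mapping the FAQ's module names (HTTP Flood, GEO IP, File Security, ...) onto the WAF_ constants is an assumption based on the // comments in the list; the OWA rule's unnamed "response follow-up modules" are not modelled.

```python
# Model of the FortiWeb 7.0.0 WAF scan sequence from the FAQ (constructed example).
SEQUENCE = """
WAF_X_FORWARD_FOR WAF_SESSION_MANAGEMENT WAF_IP_LIST_CHECK WAF_IP_INTELLIGENCE
WAF_QUARANT_IP WAF_BOT_MITIGATION_MOD WAF_BOT_MANAGEMENT WAF_GEO_BLOCK_LIST
WAF_HTTP_WEBSOCKET_SECURITY WAF_HSTS_HEADER WAF_PROTECTED_SERVER_CHECK
WAF_ALLOW_METHOD_CHECK WAF_ACTIVE_SCRIPT WAF_MOBILE_IDENTIFICATION
WAF_HTTP_DOS_HTTP_FLOOD WAF_HTTP_DOS_MALICIOUS_IP WAF_HTTP_ACCESS_LIMIT
WAF_TCP_FLOOD_PREVENTION WAF_HTTP_AUTHENTICATION WAF_GLOBAL_WHITE_LIST
WAF_ADFS_PROXY WAF_CUSTOM_RESPONSE_POLICY WAF_URL_ACCESS_POLICY
WAF_MOBILE_API_PROTECTION WAF_PADDING_ORACLE_POLICY WAF_HTTP_PROTOCOL_CONSTRAINS
WAF_FILE_PARSE WAF_FILE_UPLOAD WAF_WEBSHELL_DETECTION WAF_CHUNK_DECODE
WAF_FILE_UNCOMPRESS WAF_WEB_CACHE WAF_BOT_DECEPTION WAF_ROBOT_CHECK
WAF_CSRF_CHECK WAF_MITB_CHECK WAF_PARAMETER_VALIDATION_RULE WAF_AJAX_BLOCK
WAF_BOT_CLIENT WAF_WEB_ACCELERATION WAF_XML_VALIDATION WAF_JSON_VALIDATION
WAF_SERVER_PROTECTION_RULE WAF_SYNTAX_BASED_DETECTION WAF_SITE_PUBLISH
WAF_THREAT_WEIGHT WAF_HIDDEN_FIELDS WAF_CUSTOM_ACCESS_POLICY WAF_BOT_CUSTOM_ACCESS
WAF_USER_TRACKING WAF_API_MANAGEMENT WAF_OPENAPI_VALIDATION WAF_CORS_CHECK
WAF_URL_REWRITING_POLICY WAF_URL_ENCRYPTION WAF_MLEARNING WAF_API_RECORD
WAF_FILE_COMPRESS WAF_COOKIE_SECURITY WAF_HTTP_HEADER_SECURITY WAF_PROFILE
WAF_HTTP_STATISTIC WAF_CLIENT_CERTIFICATE_FORWARD
""".split()

# Assumed mapping of the FAQ's "known engine" module names onto sequence constants.
KNOWN_ENGINE_DISABLES = {
    "WAF_HTTP_DOS_HTTP_FLOOD", "WAF_HTTP_ACCESS_LIMIT", "WAF_CUSTOM_ACCESS_POLICY",
    "WAF_GEO_BLOCK_LIST", "WAF_HTTP_DOS_MALICIOUS_IP", "WAF_HTTP_PROTOCOL_CONSTRAINS",
    "WAF_ROBOT_CHECK", "WAF_BOT_DECEPTION", "WAF_BOT_CLIENT", "WAF_BOT_CUSTOM_ACCESS",
}
# Assumed mapping of the OWA rule's eight named modules (response follow-up modules not modelled).
OWA_DISABLES = {
    "WAF_FILE_UPLOAD", "WAF_WEBSHELL_DETECTION", "WAF_CHUNK_DECODE", "WAF_FILE_UNCOMPRESS",
    "WAF_SERVER_PROTECTION_RULE", "WAF_URL_REWRITING_POLICY", "WAF_FILE_COMPRESS", "WAF_MLEARNING",
}

def active_modules(ip_whitelisted=False, url_access_pass=False,
                   known_engine=False, owa_url=False):
    """Modules that still evaluate for a request, in scan order."""
    cutoff = len(SEQUENCE)  # index past which nothing runs
    if url_access_pass:     # URL Access "Pass": nothing after URL Access runs
        cutoff = SEQUENCE.index("WAF_URL_ACCESS_POLICY") + 1
    if ip_whitelisted:      # IP white list: nothing after IP List Check runs
        cutoff = min(cutoff, SEQUENCE.index("WAF_IP_LIST_CHECK") + 1)
    skipped = (KNOWN_ENGINE_DISABLES if known_engine else set()) \
        | (OWA_DISABLES if owa_url else set())
    return [m for m in SEQUENCE[:cutoff] if m not in skipped]

if __name__ == "__main__":
    for m in ("WAF_HIDDEN_FIELDS", "WAF_SERVER_PROTECTION_RULE"):
        print(m, "runs" if m in active_modules(url_access_pass=True) else "skipped")
```

Run with the conditions a problem request hit (for instance url_access_pass=True) and check whether the module that "does not work" is even in the returned list before tuning its rules.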