目錄

•  
• regex

---

Fortiweb on AWS

 

Panel: https://Public DNS:8443

SSH: 22

Default login credentials are with a username of "admin" and the AWS Instance ID value as the password.

 

---

Firewall

 

它是個簡單 firewall 來, 只提供基本功能

V6.3.2

Default Action

For Default Action, select one of the following:

Deny—Firewall blocks traffic that does not match a policy rule.

However, administrative access is still allowed on network interfaces for which it has been configured.

Firewall FWMARK policy

The FWMARK policy allows you to mark the traffic coming in FortiWeb.

Using it together with policy route, you can direct the marked traffic to go out of FortiWeb

through a specified interface or/and to a specified next-hop gateway.

DNAT

To apply Firewall DNAT Policy, enable IP Forward in CLI config router setting.

get router setting

ip-forward          : disable
ip6-forward         : disable

set

config router setting
    set ip-forward enable
end

 

---

Virtual Server

 

It is not an actual server, but simply defines the listening network interface.

It includes a specialized proxy that only picks up HTTP and HTTPS.

IP 選項

• Virtual IP
• Use Interface IP

 

---

Setting

 

config waf ip-list

--- URL

config waf url-access url-access-rule

config waf url-access url-access-policy

--- Network

config waf http-request-flood-prevention-rule

config waf http-connection-flood-check-rule

config waf layer4-access-limit-rule

--- CA

config system certificate ca

--- Method

config waf allow-method-policy

config waf input-rule

---

config waf start-pages

--- inline

config waf web-protection-profile inline-protection

--- replace

config system replacemsg

--- cookie

config waf cookie-security

---

設定順序

1. config server-policy vserver
2. config server-policy server-pool
3. config server-policy policy

 

---

Whitelist Client 's IP

 

Step1: 建立 IP List

IP Protection > IP List > 建立 list

Trust IP

The source IP address is trusted and allowed to access your web servers,

unless it fails a previous scan. 詳見: Sequence of scans

Step2: To apply the IP list in an inline or Offline Protection profile.

Policy > Web Protection Profile > Edit "YOUR_PROFILE"

> "IP Protection" Section > 在 "IP List" 選 Step1 建立的 List

 

---

Sequence of scans

 

In the order of execution according to the below table.

1. TCP Connection Number Limit (TCP Flood Prevention)
2. Add "X-Forwarded-For:"
3. Client Management (X-header rules, Cookie, Session state)
4. IP List (Whitelist/Backlist)
5. IP Reputation
6. Quarantined source IP addresses
7. Known Bots
8. Geo IP
9. WebSocket protocol
10. Add HSTS Header
11. Protected Server Check("Host:" header)
12. Allow Method
13. ...

 

---

Regex

 

FortiWeb follows most Perl-compatible regular expression (PCRE)

參考

應用: Allow "OPTIONS"

在 Web Protection > Access > Allow Method 設定了 allow OPTIONS 但佢被 Deny

Signature ID: 060180007

This signature prevents attackers from attacking Web server through a HTTP method except GET & POST method.
This attack can be achieved in HTTP request method.

解決方法: Disable 060180007 再額外加 Custom Signature

Signature -> Edit Signature Policy -> Custom Signature Group

 * Inverse string matching is not currently supported   # => !(hamsters)

To match a string which does not contain the multi-character sequence ab, you want to use a negative lookahead "(?!regex)"
 

^(?!(?:GET|HEAD|POST|OPTIONS))