Fortiweb on AWS
Panel: https://<Public DNS>:8443
SSH: 22
Default login credentials are with a username of "admin" and the AWS Instance ID value as the password.
Firewall
It is a simple firewall that only provides basic functions.
V6.3.2
Default Action
For Default Action, select one of the following:
Deny—Firewall blocks traffic that does not match a policy rule.
However, administrative access is still allowed on network interfaces for which it has been configured.
Firewall FWMARK policy
The FWMARK policy allows you to mark the traffic coming in FortiWeb.
Using it together with policy route, you can direct the marked traffic to go out of FortiWeb
through a specified interface or/and to a specified next-hop gateway.
DNAT
To apply Firewall DNAT Policy, enable IP Forward in CLI config router setting.
get router setting
ip-forward : disable
ip6-forward : disable
set
config router setting
    set ip-forward enable
end
Virtual Server
It is not an actual server, but simply defines the listening network interface.
It includes a specialized proxy that only picks up HTTP and HTTPS.
IP options
- Virtual IP
- Use Interface IP
Setting
config waf ip-list
--- URL
config waf url-access url-access-rule
config waf url-access url-access-policy
--- Network
config waf http-request-flood-prevention-rule
config waf http-connection-flood-check-rule
config waf layer4-access-limit-rule
--- CA
config system certificate ca
--- Method
config waf allow-method-policy
config waf input-rule
---
config waf start-pages
--- inline
config waf web-protection-profile inline-protection
--- replace
config system replacemsg
--- cookie
config waf cookie-security
---
Configuration order
- config server-policy vserver
- config server-policy server-pool
- config server-policy policy
Whitelist a client's IP
Step 1: Create an IP List
IP Protection > IP List > create a list
Trust IP
The source IP address is trusted and allowed to access your web servers,
unless it fails a previous scan. See: Sequence of scans
Step 2: Apply the IP list in an Inline or Offline Protection profile.
Policy > Web Protection Profile > Edit "YOUR_PROFILE"
> "IP Protection" section > under "IP List", select the list created in Step 1
Sequence of scans
Scans are executed in the order listed below.
- TCP Connection Number Limit (TCP Flood Prevention)
- Add "X-Forwarded-For:"
- Client Management (X-header rules, Cookie, Session state)
- IP List (Whitelist/Blacklist)
- IP Reputation
- Quarantined source IP addresses
- Known Bots
- Geo IP
- WebSocket protocol
- Add HSTS Header
- Protected Server Check ("Host:" header)
- Allow Method
- ...
Regex
FortiWeb follows most Perl-compatible regular expression (PCRE) syntax.
Use case: Allow "OPTIONS"
OPTIONS was allowed under Web Protection > Access > Allow Method, but requests using it were still denied.
Signature ID: 060180007
This signature prevents attackers from attacking the web server through HTTP methods other than GET and POST. This attack can be achieved via the HTTP request method.
Solution: Disable 060180007 and add a custom signature instead.
Signature -> Edit Signature Policy -> Custom Signature Group
* Inverse string matching is not currently supported # => !(hamsters)
To match a string which does not contain the multi-character sequence ab, you want to use a negative lookahead "(?!regex)"
^(?!(?:GET|HEAD|POST|OPTIONS))
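To check what that negative-lookahead signature actually matches, here is an added Python test harness (mine, not from these notes or from Fortinet). It also tries a `$`-anchored variant, which is my assumption rather than the page's pattern, to show that the unanchored version lets any method that merely begins with an allowed verb through.

```python
import re

# The custom-signature pattern from the notes above: a match means the request
# method does NOT start with an allowed verb, so the signature fires (deny).
PAGE_PATTERN = re.compile(r"^(?!(?:GET|HEAD|POST|OPTIONS))")

# Assumed tightened variant (not from the notes): anchoring the lookahead with
# `$` means only an exact allowed verb escapes the signature.
STRICT_PATTERN = re.compile(r"^(?!(?:GET|HEAD|POST|OPTIONS)$)")


def is_blocked(method: str, pattern: re.Pattern = PAGE_PATTERN) -> bool:
    """True when the signature regex matches the method, i.e. the request is denied."""
    return pattern.search(method) is not None


def classify(methods, pattern=PAGE_PATTERN):
    """Map each request method to 'deny' or 'allow' under the given pattern."""
    return {m: ("deny" if is_blocked(m, pattern) else "allow") for m in methods}


# Constructed sample of request-line methods, including an unusual verb that
# shares a prefix with an allowed one and a lower-case spelling.
SAMPLE_METHODS = ["GET", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "GETX", "get"]

if __name__ == "__main__":
    for name, pat in (("page pattern", PAGE_PATTERN), ("strict pattern", STRICT_PATTERN)):
        print(name)
        for method, verdict in classify(SAMPLE_METHODS, pat).items():
            print(f"  {method:8s} -> {verdict}")
```

The lookahead is case-sensitive, so a lower-case method is denied by both patterns; only the `$`-anchored variant also denies a verb such as `GETX`.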