fortiweb

 



Fortiweb on AWS

 

Panel: https://<Public DNS>:8443

SSH: 22

Default login credentials are with a username of "admin" and the AWS Instance ID value as the password.

 


Firewall

 

It is a simple firewall that only provides basic functions.

V6.3.2

Default Action

For Default Action, select one of the following:

Deny—Firewall blocks traffic that does not match a policy rule.

However, administrative access is still allowed on network interfaces for which it has been configured.

Firewall FWMARK policy

The FWMARK policy allows you to mark the traffic coming in FortiWeb.

Using it together with a policy route, you can direct the marked traffic out of FortiWeb
through a specified interface and/or to a specified next-hop gateway.

DNAT

To apply a Firewall DNAT Policy, enable IP Forward in the CLI under config router setting.

get router setting

ip-forward          : disable
ip6-forward         : disable

set

config router setting
    set ip-forward enable
end

 


Virtual Server

 

It is not an actual server, but simply defines the listening network interface.

It includes a specialized proxy that only picks up HTTP and HTTPS.

IP options

  • Virtual IP
  • Use Interface IP

 


Setting

 

config waf ip-list

--- URL

config waf url-access url-access-rule

config waf url-access url-access-policy

--- Network

config waf http-request-flood-prevention-rule

config waf http-connection-flood-check-rule

config waf layer4-access-limit-rule

--- CA

config system certificate ca

--- Method

config waf allow-method-policy

config waf input-rule

---

config waf start-pages

--- inline

config waf web-protection-profile inline-protection

--- replace

config system replacemsg

--- cookie

config waf cookie-security

---

Configuration order

  1. config server-policy vserver
  2. config server-policy server-pool
  3. config server-policy policy

 


Whitelist Client's IP

 

Step 1: Create an IP List

IP Protection > IP List > create a list

Trust IP

The source IP address is trusted and allowed to access your web servers,
unless it fails a previous scan. See: Sequence of scans

Step 2: Apply the IP list in an Inline or Offline Protection profile.

Policy > Web Protection Profile > Edit "YOUR_PROFILE"

> "IP Protection" section > under "IP List", select the list created in Step 1

 


Sequence of scans

 

Order of execution, as in the table below:

  1. TCP Connection Number Limit (TCP Flood Prevention)
  2. Add "X-Forwarded-For:"
  3. Client Management (X-header rules, Cookie, Session state)
  4. IP List (Whitelist/Blacklist)
  5. IP Reputation
  6. Quarantined source IP addresses
  7. Known Bots
  8. Geo IP
  9. WebSocket protocol
  10. Add HSTS Header
  11. Protected Server Check ("Host:" header)
  12. Allow Method
  13. ...

 


Custom Protection Rule

 

Use case: replace the built-in signatures (e.g. 060180006, 060180007)

Create signature rules

A signature can contain multiple condition rules

* Condition rules in the same custom signature are combined with AND.

GUI: Web Protection > Known Attacks > Custom Signature

config waf custom-protection-rule
  edit "Replace_060180007"
    set action alert_deny
    config meet-condition
      edit 1
        set request-target HTTP_METHOD
        set case-sensitive enable
        set expression ^(?!(?:GET|HEAD|POST|OPTIONS))
      next
    end
  next
  edit "Replace_060180006"
    set action alert_deny
    config meet-condition
      edit 1
        set request-target REQUEST_HEADERS
        set expression ^(?:.{401,})$
      next
    end
  next
end

Notes

Signature ID: 060180006

This signature prevents attackers from performing potential buffer overflow attacks using overlong request header values.

Headers likely to trigger false positives: User-Agent, Referer

Create a signature group

config waf custom-protection-group
  edit "api"
    config type-list
      edit 1
        set custom-protection-rule Replace_060180007
      next
      edit 2
        set custom-protection-rule Replace_060180006
      next
    end
  next
end

 


Regex

 

FortiWeb follows most Perl-compatible regular expression (PCRE) syntax.


Use case 1: Allow "OPTIONS"

OPTIONS was allowed under Web Protection > Access > Allow Method, but requests were still denied

Signature ID: 060180007

This signature prevents attackers from attacking the Web server through an HTTP method other than GET & POST.
This attack can be achieved via the HTTP request method.

Solution: Disable 060180007 and add an additional Custom Signature

Signature -> Edit Signature Policy -> Custom Signature Group

 * Inverse string matching is not currently supported   # => !(hamsters)

To match a string which does not contain the multi-character sequence ab, use a negative lookahead "(?!regex)".

HTTP_METHOD

^(?!(?:GET|HEAD|POST|OPTIONS))

Notes

(?!regex)     # negative lookahead

(?:regex)     # Non-capturing group.

 

Use case 2: limit header value length

Request Header               # the value of each individual header
Request Header Name          # header name only

Since the goal is to limit the length of header values, use Request Header (REQUEST_HEADERS)

^(?:.{401,})$
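As an added example (not from this page or from Fortinet), the following Python evaluates the two custom-signature regexes from Use case 1 and Use case 2 against constructed requests, using Python's re module as a stand-in for FortiWeb's PCRE engine (these particular constructs behave the same in both). METHOD_RULE_STRICT is an assumption added here to show what changes when the lookahead is anchored with $.

```python
import re

# Regexes exactly as used in the custom signatures above.
METHOD_RULE = re.compile(r"^(?!(?:GET|HEAD|POST|OPTIONS))")   # Replace_060180007, case-sensitive
HEADER_RULE = re.compile(r"^(?:.{401,})$")                   # Replace_060180006

# Added variant (assumption, not on the page): anchoring the lookahead with $ means only the
# exact method names pass; without it, any method that merely starts with GET/HEAD/POST/OPTIONS
# is left alone by the signature.
METHOD_RULE_STRICT = re.compile(r"^(?!(?:GET|HEAD|POST|OPTIONS)$)")


def method_denied(method: str, strict: bool = False) -> bool:
    """True when the HTTP_METHOD signature fires (action alert_deny) on this method."""
    rule = METHOD_RULE_STRICT if strict else METHOD_RULE
    return rule.search(method) is not None


def overlong_headers(headers: dict) -> list:
    """Names of headers whose value matches the 401+ character signature.
    REQUEST_HEADERS is evaluated per header value, so each value is tested on its own."""
    return [name for name, value in headers.items() if HEADER_RULE.search(value)]


def evaluate_request(method: str, headers: dict, strict: bool = False) -> dict:
    """Combine both rules the way the custom-protection-group 'api' would: deny if any fires."""
    header_hits = overlong_headers(headers)
    method_hit = method_denied(method, strict)
    return {"denied": method_hit or bool(header_hits),
            "method_hit": method_hit, "header_hits": header_hits}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "cors_preflight": ("OPTIONS", {"User-Agent": "Mozilla/5.0", "Origin": "https://app.example"}),
    "lowercase":      ("get", {"User-Agent": "curl/8.0"}),      # case-sensitive: denied
    "prefix_only":    ("POSTX", {"User-Agent": "curl/8.0"}),    # passes the page's rule, fails strict
    "long_ua":        ("GET", {"User-Agent": "A" * 401, "Referer": "B" * 400}),  # only UA is 401+
}

if __name__ == "__main__":
    for name, (method, headers) in SAMPLES.items():
        result = evaluate_request(method, headers)
        strict = evaluate_request(method, headers, strict=True)["denied"]
        print(f"{name:15} denied={result['denied']!s:5} strict_denied={strict!s:5} "
              f"header_hits={result['header_hits']}")
```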

 

 
