Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
richinnz
New Contributor

WAF custom signature on HTTP header

Hi all,

 

Sorry if this is in the wrong location - I couldn't see a WAF forum.

 

I have a website where the origin servers are located behind my FG60E and I am front-ending them with CloudFront.  I want to restrict access so only traffic via CloudFront can get to the origin servers.  The documented approach from Amazon is to have Cloudfront set a custom header with a secret value and the backend server should check this.  

 

So I've done this and I want the Fortigate to drop any traffic that doesn't have the correct secret (assumption being that this is non-cloudfront originated traffic).  My backend/origin servers cannot do this check so I need the Fortigate to implement it.  I created a WAF rule which appears to have the right functionality and it seems to be almost working.  There's little documentation on this so I've figured the below with trial and error.  I have the FG matching the header secret value, and the logs confirm a WAF hit.  As you can see from my config below, this hit has an action of "allow", but it seems the WAF treats this as "passthrough" and continues to inspect the remainder of the rules.  Ultimately, it then hits my "deny" WAF rule and the traffic gets blocked.  I've tried without the "deny" rule, but it then just allows anything.

 

I'm sure I've misunderstood something.  I cannot see the purpose of an "allow" action that just implements passthrough. 

 

Anyone have any thoughts?

 

config waf profile
    edit "WAF-CloudFront-Header"
        set external disable
        set extended-log disable
        config signature
            config custom-signature
                edit "x-cf-auth"
                    set status enable
                    set action allow
                    set log enable
                    set direction request
                    set case-sensitivity enable
                    set pattern "mysecretkey"
                    set target req-header
                next
                edit "deny"
                    set status enable
                    set action block
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern "^.*$"
                    set target req-header
                next
            end
        end
        set comment "Restrict requests to CloudFront"
    next
end

 

And this results in log entries like this:

 

Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030252" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="passthrough" direction="request" agent="Firefox/68.0" name="x-cf-auth"
Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030251" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="blocked" direction="request" agent="Firefox/68.0" name="deny"

 

Admittedly, this is running 6.2.0 which was a bit of a punt!

 

Rich

1 REPLY 1
DirkDuesentrieb
New Contributor

Morning!

Just found this post, because I tried to do the same thing, but the signature list is not a "first match" policy.

 

The action "allow" can be used for logging events without blocking them. That makes perfectly sense if you want to test your own signatures first without breaking anything.

 

So if someone searches for this in 2023 - this might help you.

 

Regards,

 

Dirk

Labels
Top Kudoed Authors