WAF custom signature on HTTP header

Author
richinnz
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/02/08 14:51:54
  • Status: offline
2019/07/13 19:57:57 (permalink)
0

WAF custom signature on HTTP header

Hi all,
 
Sorry if this is in the wrong location - I couldn't see a WAF forum.
 
I have a website where the origin servers are located behind my FG60E and I am front-ending them with CloudFront.  I want to restrict access so only traffic via CloudFront can get to the origin servers.  The documented approach from Amazon is to have Cloudfront set a custom header with a secret value and the backend server should check this.  
 
So I've done this and I want the Fortigate to drop any traffic that doesn't have the correct secret (assumption being that this is non-cloudfront originated traffic).  My backend/origin servers cannot do this check so I need the Fortigate to implement it.  I created a WAF rule which appears to have the right functionality and it seems to be almost working.  There's little documentation on this so I've figured the below with trial and error.  I have the FG matching the header secret value, and the logs confirm a WAF hit.  As you can see from my config below, this hit has an action of "allow", but it seems the WAF treats this as "passthrough" and continues to inspect the remainder of the rules.  Ultimately, it then hits my "deny" WAF rule and the traffic gets blocked.  I've tried without the "deny" rule, but it then just allows anything.
 
I'm sure I've misunderstood something.  I cannot see the purpose of an "allow" action that just implements passthrough. 
 
Anyone have any thoughts?
 
config waf profile
    edit "WAF-CloudFront-Header"
        set external disable
        set extended-log disable
        config signature
            config custom-signature
                edit "x-cf-auth"
                    set status enable
                    set action allow
                    set log enable
                    set direction request
                    set case-sensitivity enable
                    set pattern "mysecretkey"
                    set target req-header
                next
                edit "deny"
                    set status enable
                    set action block
                    set log enable
                    set severity medium
                    set direction request
                    set case-sensitivity disable
                    set pattern "^.*$"
                    set target req-header
                next
            end
        end
        set comment "Restrict requests to CloudFront"
    next
end

 
And this results in log entries like this:
 
Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030252" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="passthrough" direction="request" agent="Firefox/68.0" name="x-cf-auth"
Jul 14 14:18:31 172.16.1.10 date=2019-07-14 time=14:18:56 devname="fw1a" devid="FGT60EXXXXXXXX" logid="1201030251" type="utm" subtype="waf" eventtype="waf-custom-signature" level="warning" vd="DC" eventtime=1563070736 policyid=96 sessionid=2375021 profile="WAF-CloudFront-Header" srcip=11.22.33.44 srcport=52433 dstip=172.16.20.14 dstport=80 srcintf="VL100-DC" srcintfrole="wan" dstintf="VL200-DC" dstintfrole="lan" proto=6 service="HTTP" url="http://myapp.domain.tld/" severity="medium" action="blocked" direction="request" agent="Firefox/68.0" name="deny"

 
Admittedly, this is running 6.2.0 which was a bit of a punt!
 
Rich
#1

0 Replies Related Threads

    Jump to:
    © 2019 APG vNext Commercial Version 5.5