Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.95

WAF

Update time: 2026-01-04

Fortigate Configuration Example

config waf profile
    edit "Example_WAF_Profile"                            # Profile name
        set external disable                              # Use internal WAF engine (not external device)
        set extended-log enable                           # Enable extended logging for WAF
        set comment "WAF profile for public web-server"   # Remark/comment
        config signature                                  # Signature / attack-pattern based scanning
            config main-class
                edit 1
                    set status enable
                    set action block
                    set log enable
                    set severity high
                next
            end
            set disabled-sub-class 1001 1002               # Disable specific signature subclasses (space-separated list)
            set disabled-signature 20001 20002             # Disable specific signature IDs (space-separated list)
            set credit-card-detection-threshold 0          # Threshold for credit-card detection
            config custom-signature
                edit "My_Custom_SQLi"
                    set status enable
                    set action block
                    set log enable
                    set severity high
                    set direction request
                    set case-sensitivity enable
                    set pattern "UNION SELECT .* FROM"
                    set target req-body req-uri req-header # Where the pattern is matched (space-separated list)
                next
            end
        end
        config constraint                                   # Protocol / HTTP constraint restrictions
            config header-length
                set status enable
                set length 8192
                set action block
                set log enable
                set severity medium
            end
            config content-length
                set status enable
                set length 1048576
                set action block
                set log enable
                set severity medium
            end
            config param-length
                set status enable
                set length 512
                set action block
                set log enable
                set severity medium
            end
            config url-param-length
                set status enable
                set length 256
                set action block
                set log enable
                set severity medium
            end
            config method
                set status enable
                set regex disable
                set allowed-methods GET POST                # Allowed HTTP methods (space-separated list)
                set action block
                set log enable
                set severity high
            end
        end
        config address-list                                  # Whitelist / Blacklist by source address
            set status enable
            set blocked-log enable
            set severity high
            set trusted-address "Trusted_Net1" "Trusted_Net2"
            set blocked-address "Bad_IP1" "Bad_IP2"
        end
        config url-access                                     # URL access rules
            edit 1
                set address "all"
                set action permit
                set log enable
                set severity low
                config access-pattern
                    edit 1
                        set srcaddr "all"
                        set pattern "/public/*"
                        set regex disable
                        set negate disable
                    next
                end
            next
        end
    next
end
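When many FortiGate profiles have to be moved, it helps to pull the migration-relevant settings out of the `config/edit ... next/end` structure mechanically. The parser and summary below are an added example (not Sangfor or Fortinet code) that works on a constructed excerpt of the profile above; the FORTIGATE_WAF text and the field names chosen for the summary are assumptions of this example.

```python
import shlex
# Constructed excerpt of the FortiGate WAF profile shown above (sample input, not vendor code).
FORTIGATE_WAF = """\
config waf profile
    edit "Example_WAF_Profile"
        config signature
            config custom-signature
                edit "My_Custom_SQLi"
                    set pattern "UNION SELECT .* FROM"   # trailing annotation is dropped
                next
            end
        end
        config constraint
            config method
                set allowed-methods GET POST
            end
        end
    next
end
"""

def parse_fortios(text):
    """Turn FortiOS config/edit ... next/end nesting into nested dicts; each 'set' becomes a value list."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()            # drop annotations like the one above
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw in ("config", "edit"):                     # open a nested section, keyed "config x" / "edit x"
            stack.append(cur)
            cur = cur.setdefault(kw + " " + rest.strip('"'), {})
        elif kw == "set":                                # quoted values are split the way the CLI reads them
            name, _, vals = rest.partition(" ")
            cur[name] = shlex.split(vals)
        elif kw in ("next", "end"):                      # close the current section
            cur = stack.pop()
    return root

def migration_summary(cfg):
    """Collect the per-profile settings that must be recreated in the Sangfor WAF template."""
    out = {}
    for key, prof in cfg["config waf profile"].items():
        customs = prof.get("config signature", {}).get("config custom-signature", {})
        out[key.split(" ", 1)[1]] = {
            "custom_patterns": [v["pattern"][0] for v in customs.values()],
            "allowed_methods": prof.get("config constraint", {}).get("config method", {}).get("allowed-methods", []),
        }
    return out
```

Feed it a full `show waf profile` export and each profile's custom patterns and allowed-method list come out ready to be re-entered as Custom Rules and HTTP method restrictions in the Sangfor template.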

Fortigate Parameter Explanation and Conversion Suggestions

| FortiGate Parameter | FortiGate Parameter Description | Corresponding Sangfor NGAF Module/Parameter | Migration Notes |
|---|---|---|---|
| name | IPS policy name | Objects > Security Policy Template > Intrusion Prevention | It is recommended to keep the name consistent |
| comment | Policy description | Objects > Security Policy Template > Intrusion Prevention | Can be migrated directly |
| entries | Signature entry configuration | Objects > Security Policy Template > Intrusion Prevention | Sangfor uses a combination of built-in and custom rule sets |
| rule | IPS rule ID (signature number) | Objects > Security Policy Template > Intrusion Prevention | NGAF has a built-in signature database; individual import is not required |
| action | Rule action (default/block/monitor) | Policies > Network Security > Policies | No need to configure actions in the template; actions are set in the Network Security Policy |

Migrate to Sangfor NGFW

The FortiGate WAF profile differs significantly from the Sangfor NGFW WAF template. It is recommended to first understand which protections the FortiGate WAF profile provides, then configure the equivalent Sangfor NGFW WAF template and reference it in your policy.

Web App Firewall is a set of protection policies that protect LAN web servers from web application attacks, including system command injection, SQL injection, and XSS attacks. It also allows configuration against data leakage from web servers. See the figure below.

Default Template: Regular web protection is enabled (by default) and Scanner Blocker is disabled.

Default Template II (Scanner Blocker enabled for non-proxy access): Regular web protection (by default) and Scanner Blocker are both enabled.

Click Add to create a web app protection template, as shown in the figure below.


Template Name: Define the name of the template.

Description: Define the description of the template.
Network Secure Protection: Set up protection against server attacks.

Port: Specify the port of the protected server. This value is generally set to the server port. After setting, when the user accesses the server port, the system performs attack detection. For the HTTP port, you can also select Also protect HTTP access on other ports for auto-learning. See the figure below.

In Attack Type, click SQL Injection, XSS Attack, Trojan, Website Scan, WebShell, CSRF, OS Command. In the Select Attack Type dialog box, select the attack types; the device will then prevent attacks of those types against this service.

| Protection Type | Note |
|---|---|
| SQL Injection | Attackers exploit security flaws in the application's design by pasting SQL code into input boxes on web pages to obtain network resources or change data. |
| XSS Attack | Cross-site scripting (XSS) is a security vulnerability frequently seen in web applications. It allows attackers to inject code into pages served to other users; through the HTML and client-side script, attackers can exploit XSS to bypass access control and intercept data such as account credentials. |
| Trojan | A Trojan page is an HTML web page crafted by attackers. When a user visits it, the embedded script exploits a browser vulnerability to download and run the Trojan placed by the attacker through the browser. |
| Website Scan | The structure and vulnerabilities of a website are scanned. |
| WebShell | Also called a website backdoor Trojan, a WebShell is a script tool for web intrusion that appears as an ASP, PHP, or JSP page. After compromising a website, attackers usually place it in the server's web directory, mixed with normal pages. Via the WebShell, attackers can control the victim's website for a long time. |
| CSRF | Cross-Site Request Forgery is an attack in which attackers exploit trusted websites by forging requests that appear to come from trusted users. |
| OS Command Injection | By exploiting server OS vulnerabilities, attackers send OS commands to the server via web access to obtain network resources or change data. |
| File Inclusion | A malicious attack against PHP websites. When PHP variables are not strictly filtered and it is not checked whether a parameter refers to a local or a remote host, a file on a remote host can be supplied as the parameter value. If that file contains malicious code or a Trojan, it is executed with the web server's permissions. |
| Path Traversal | Attackers access restricted directories outside the web server's root directory by appending "../" or its variants to a web server directory or a special directory in the browser. |
| Information Disclosure | Caused by an incorrect web server configuration or a security vulnerability in the server. As a result, system files or configuration files are exposed to the Internet and sensitive information of the web server is prone to leakage, including usernames, passwords, source code, server information, and configuration information. |
| Website vulnerabilities | Provides safe, reliable, and high-quality protection against specific vulnerabilities in well-known whole-site web systems. |
| WebShell Backdoor | Having learned of a web system vulnerability, attackers may use it to implant a WebShell page into the web system and access the database through that page. They can then execute system commands and control the web system for a long time. |
| Custom WAF Signature | The user can customize the protection rules for server protection in Custom Rules. |

Description of Web App Protection Types

Protection features: The main functions are Application Hiding, Password Protection, Privilege Control, HTTP Request Anomaly, and Scanner Blocker. To enable advanced protection features, click Advanced for settings.