Allow a particular event ID in a Web Application Firewall (WAF) profile that is blocking traffic on FortiGate
This article describes how to identify which WAF signature is blocking traffic to a URL, using the event ID shown in the WAF logs, and how to exempt that signature in the WAF profile.
Below is an example of traffic being blocked due to event ID 40000108 by the WAF filter:
Aug 12 09:53:08 172.26.xx.xx date=2024-08-12 time=09:53:08 devname="fgt-01" devid="FG100FTK********" eventtime=1723470787203338779 tz="-0400" logid="1200030248" type="utm" subtype="waf" eventtype="waf-signature" level="warning" vd="root" policyid=66 poluuid="xxx" policytype="policy" sessionid=2604338458 profile="WAF_profile" srcip=209.xx.xx.xx srcport=19355 srccountry="United States" srcuuid="xxx" dstip=160.xx.xx.xx dstport=443 dstcountry="United States" dstuuid="xxx" srcintf="wan2" srcintfrole="wan" dstintf="FG" dstintfrole="dmz" proto=6 httpmethod="POST" service="HTTPS" url="https://xxx/api/" severity="medium" action="blocked" direction="request" eventid=40000108 msg="SQL Injection (Extended)"
The following command shows the signature details for a given WAF event ID:
diag waf dump | grep 40000108 <----- This signature prevents attackers from probing for SQL injection vulnerabilities.
Once the signature has been identified with that command, it can be disabled in the WAF profile to allow the traffic that is being blocked due to event ID 40000108.
Here the WAF profile in use is 'WAF_profile'.
config waf profile
    edit WAF_profile
        config signature
            set disable-signature 40000108
        end
    next
end
If the profile already has one or more disabled signatures, the new event ID can be appended to the existing list instead of overwriting it:
config waf profile
    edit WAF_profile
        config signature
            append disable-signature 40000108
        end
    next
end
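The following is an added example (not from the original article or from Fortinet) that applies the steps above in Python: it parses FortiGate WAF log lines in the key=value format shown, counts blocked hits per profile, event ID, signature message and URL so you can confirm which signature is responsible and how often it fires before exempting it, and renders the CLI snippet used above. The log lines are constructed samples modelled on the one in the article; event ID 40000999 and its msg text are placeholders, and all IP addresses are masked or documentation ranges.

```python
import re
from collections import Counter

# Constructed sample WAF log lines (masked values kept as placeholders; 40000999 is a made-up event ID).
SAMPLE_LOGS = """\
Aug 12 09:53:08 172.26.xx.xx date=2024-08-12 time=09:53:08 devname="fgt-01" type="utm" subtype="waf" eventtype="waf-signature" level="warning" policyid=66 profile="WAF_profile" srcip=209.xx.xx.xx dstip=160.xx.xx.xx dstport=443 httpmethod="POST" url="https://xxx/api/" severity="medium" action="blocked" direction="request" eventid=40000108 msg="SQL Injection (Extended)"
Aug 12 09:53:10 172.26.xx.xx date=2024-08-12 time=09:53:10 devname="fgt-01" type="utm" subtype="waf" eventtype="waf-signature" level="warning" policyid=66 profile="WAF_profile" srcip=198.51.100.7 dstip=160.xx.xx.xx dstport=443 httpmethod="POST" url="https://xxx/api/" severity="medium" action="blocked" direction="request" eventid=40000108 msg="SQL Injection (Extended)"
Aug 12 09:54:01 172.26.xx.xx date=2024-08-12 time=09:54:01 devname="fgt-01" type="utm" subtype="waf" eventtype="waf-signature" level="warning" policyid=66 profile="WAF_profile" srcip=203.0.113.9 dstip=160.xx.xx.xx dstport=443 httpmethod="GET" url="https://xxx/login" severity="high" action="blocked" direction="request" eventid=40000999 msg="Placeholder Signature"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def blocked_waf_signatures(lines) -> Counter:
    """Count blocked WAF-signature hits keyed by (profile, eventid, msg, url)."""
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") == "waf" and rec.get("action") == "blocked":
            counts[(rec["profile"], int(rec["eventid"]), rec["msg"], rec["url"])] += 1
    return counts


def disable_signature_cli(profile: str, eventid: int, append: bool = False) -> str:
    """Render the FortiOS CLI that exempts one signature ID in a WAF profile.

    append=True uses 'append' so existing disabled signatures in the profile are kept.
    """
    verb = "append" if append else "set"
    return "\n".join([
        "config waf profile",
        f"    edit {profile}",
        "        config signature",
        f"            {verb} disable-signature {eventid}",
        "        end",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for (profile, eventid, msg, url), n in blocked_waf_signatures(SAMPLE_LOGS.splitlines()).items():
        print(f"{n:3d} x eventid={eventid} ({msg}) in profile {profile} for {url}")
    print(disable_signature_cli("WAF_profile", 40000108, append=True))
```

Review the counts per URL before exempting a signature: a signature that fires only on one application path may be better handled by tightening that endpoint than by disabling the signature for the whole profile.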
Note:
After creating a Web Application Firewall security profile, create a firewall policy with proxy-based inspection mode, since the option to apply a WAF profile is only available in proxy mode.
Below is the sample output:
Posted on: February 28, 2025, by Julian's