FortiWeb
mtse
Staff
Article Id 197562
Description
A single attack can match multiple signatures.

When that happens, only one attack event is logged, for the first match; which signature matches first depends on the detection order.
To verify logging for the second signature, temporarily set the action of the first matching signature to 'alert only' (default is 'alert_deny').

Attack events for both signatures are then displayed.

For example, the following request should match both signature 090501003 and signature 050080035:
GET /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1

Solution
With the default action ('alert_deny'), only the attack event for signature 050080035 is logged.

To have the attack event for the second signature displayed as well, set the first signature, 050080035, to 'alert_only'.

The attack log then shows events for both signatures, 050080035 and 090501003.

Note:
Verify that the signature package version is up to date; otherwise it may not include all the signatures.
Run '# execute update-now' to update if necessary.
FWB_Lab # diagnose system update info
FortiWeb signature
----------
Version: 0.00294                           <----- Verify if the signature package version is up to date.
