KB Article | Forcepoint Support

Problem Description

Block cross-site scripting (XSS) and SQL injection attacks with Forcepoint Next Generation Firewall


Note TLS inspection must be configured to implement protection for attacks performed in TLS/SSL encrypted connections such as HTTPS. For more information on configuring this, please see the Setting Up TLS Inspection section in the Next Generation Firewall product guide that matches your release.
To block SQL injection and XSS attacks:

  1. Enable Deep Inspection for the connections in which SQL injection and XSS attacks need to be blocked.
    1. Edit the Firewall policy.
    2. For the rules that allow these connections, right-click the Action cell.
    3. Select Edit options.
    4. Set Deep Inspection to On.
  2. Edit the Inspection Policy that the firewall uses.
    1. Go to the Exceptions tab.
    2. Right-click a rule.
    3. Select Add Rule.
    4. Add the situations to match. Click the Situation cell of the new rule.

Note The Situation cell contains the traffic patterns that you want the rule to match. The Situation cell accepts Situation, Situation Type, Tag, and Vulnerability elements. Because these rules reference Vulnerability elements rather than individual Situations, any new SQL injection or XSS Situations delivered in future update packages are covered automatically: new Situations are added to the Vulnerability elements they belong to, and the rules follow those elements.

      1. In the Resources panel on the left, click Situations, and then click By Vulnerability.
      2. Situations for detecting SQL injection are included in the SQL-Injection vulnerability element. Scroll down to find SQL-Injection and drag and drop it onto the Situation cell.
      3. Situations for detecting XSS attacks are included in the HTTP-Possible-Cross-Site-Scripting vulnerability element. Scroll down to find HTTP-Possible-Cross-Site-Scripting and drag and drop it onto the Situation cell.
    5. Define the Source and Destination cells as needed and set Action to Terminate.

Note The situations included in the SQL-Injection and HTTP-Possible-Cross-Site-Scripting vulnerability elements are not terminated by default in the inspection policy templates, because they may produce false positives in some environments.
When terminating SQL injection or XSS situations, limit the exception rules in the inspection policy so that the Destination cell includes only your protected servers. This avoids false positives in other traffic.
To confirm that there are no unacceptable false positives in your environment, you can first set the Action to Permit and set the logging option to Stored, with excerpt and payload. When a connection matches one of these situations, the payload excerpt and other information about the matching connection and packets are then visible in the details of that log entry. If a match turns out to be a false positive, you can add an exception for that source or destination before switching the Action to Terminate.

    6. Right-click the Logging field and select Edit Logging.
    7. Check Override Settings Inherited From Continue Rule(s).
    8. Select the desired Log Level and other logging options. The default Log Level in the inspection policy is None.
  3. Save and install the policy.

Keywords: ngfw; block cross-site; script; xss; sql injection; attacks; tls; ssl; https
