config security waf heuristic-sql-xss-injection-detection
Use this command to configure SQL injection and cross-site scripting (XSS) detection policies.
In many cases the predefined policies are sufficient, and you do not need to create your own.
Table 13 describes the predefined policies.
Table 13: Predefined SQL injection and XSS detection policies
| Predefined Rules | SQL Injection Detection | SQL Injection Action | SQL Injection Severity | XSS Detection | XSS Action | XSS Severity |
|---|---|---|---|---|---|---|
| High-Level-Security | All except Body SQL Injection Detection | Deny | High | All except Body XSS Injection Detection | Deny | High |
| Medium-Level-Security | Only URI SQL Injection Detection | Deny | High | None | Alert | Low |
| Alert-Only | Only URI SQL Injection Detection | Alert | High | None | Alert | Low |
The configurations for these policies are shown in the examples that follow. If desired, you can create user-defined policies.
Before you begin:
• You must have read-write permission for security settings.
After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.
Syntax
config security waf heuristic-sql-xss-injection-detection
  edit <name>
    set sql-injection-detection {enable|disable}
    set sql-injection-action {alert|deny}
    set sql-injection-severity {high|medium|low}
    set uri-sql-injection-detection {enable|disable}
    set referer-sql-injection-detection {enable|disable}
    set cookie-sql-injection-detection {enable|disable}
    set body-sql-injection-detection {enable|disable}
    set xss-detection {enable|disable}
    set xss-action {alert|deny}
    set xss-severity {high|medium|low}
    set uri-xss-detection {enable|disable}
    set referer-xss-detection {enable|disable}
    set cookie-xss-detection {enable|disable}
    set body-xss-detection {enable|disable}
  next
end
| Parameter | Description |
|---|---|
| sql-injection-detection | Enable/disable SQL injection detection. |
| sql-injection-action | Action taken when SQL injection is detected: alert (log the match) or deny (block the request). |
| sql-injection-severity | Severity assigned to the log entry: high, medium, or low. |
| uri-sql-injection-detection | Enable/disable SQL injection detection in the HTTP request URI. |
| referer-sql-injection-detection | Enable/disable SQL injection detection in the Referer header. |
| cookie-sql-injection-detection | Enable/disable SQL injection detection in the Cookie header. |
| body-sql-injection-detection | Enable/disable SQL injection detection in the HTTP message body. |
| xss-detection | Enable/disable XSS detection. |
| xss-action | Action taken when XSS is detected: alert (log the match) or deny (block the request). |
| xss-severity | Severity assigned to the log entry: high, medium, or low. |
| uri-xss-detection | Enable/disable XSS detection in the HTTP request URI. |
| referer-xss-detection | Enable/disable XSS detection in the Referer header. |
| cookie-xss-detection | Enable/disable XSS detection in the Cookie header. |
| body-xss-detection | Enable/disable XSS detection in the HTTP message body. |
Example
FortiADC-VM (heuristic-sql-~s) # get security waf heuristic-sql-xss-injection-detection High-Level-Security
sql-injection-detection : enable
sql-injection-action : deny
sql-injection-severity : high
uri-sql-injection-detection : enable
referer-sql-injection-detection: enable
cookie-sql-injection-detection: enable
body-sql-injection-detection : disable
xss-detection : enable
xss-action : deny
xss-severity : high
uri-xss-detection : enable
referer-xss-detection : enable
cookie-xss-detection : enable
body-xss-detection : disable
FortiADC-VM (heuristic-sql-~s) # get security waf heuristic-sql-xss-injection-detection Medium-Level-Security
sql-injection-detection : enable
sql-injection-action : deny
sql-injection-severity : high
uri-sql-injection-detection : enable
referer-sql-injection-detection: disable
cookie-sql-injection-detection: disable
body-sql-injection-detection : disable
xss-detection : disable
xss-action : alert
xss-severity : low
FortiADC-VM (heuristic-sql-~s) # get security waf heuristic-sql-xss-injection-detection Alert-Only
sql-injection-detection : enable
sql-injection-action : alert
sql-injection-severity : high
uri-sql-injection-detection : enable
referer-sql-injection-detection: disable
cookie-sql-injection-detection: disable
body-sql-injection-detection : disable
xss-detection : disable
xss-action : alert
xss-severity : low
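The get output above makes it easy to overlook that even High-Level-Security leaves the request body uninspected. The following Python script is an added example, not part of FortiADC or this document: it parses the key : value lines of the get output into a dict and reports every gap in a policy (detection disabled, alert-only action, or a request location that is not inspected). The sample text is the High-Level-Security output copied from the example above; the per-location keys are assumed to be absent when detection is disabled, as the Medium-Level-Security output shows.

```python
import re

# Constructed sample: the High-Level-Security output from the example above, copied verbatim.
HIGH_LEVEL_SECURITY = """\
sql-injection-detection : enable
sql-injection-action : deny
sql-injection-severity : high
uri-sql-injection-detection : enable
referer-sql-injection-detection: enable
cookie-sql-injection-detection: enable
body-sql-injection-detection : disable
xss-detection : enable
xss-action : deny
xss-severity : high
uri-xss-detection : enable
referer-xss-detection : enable
cookie-xss-detection : enable
body-xss-detection : disable
"""

LOCATIONS = ("uri", "referer", "cookie", "body")  # request parts the policy can inspect


def parse_policy(text):
    """Turn the 'key : value' lines of the get command into a dict; prompt lines are skipped."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+)\s*:\s*(\S+)\s*$", line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def audit_policy(policy):
    """List the gaps in a policy: disabled detection, alert-only action, uninspected request parts."""
    findings = []
    for kind in ("sql-injection", "xss"):
        if policy.get(f"{kind}-detection") != "enable":
            # The CLI omits the per-location keys when detection is off, so stop here.
            findings.append(f"{kind}: detection disabled")
            continue
        if policy.get(f"{kind}-action") != "deny":
            findings.append(f"{kind}: action is {policy.get(f'{kind}-action')}, not deny")
        for loc in LOCATIONS:
            if policy.get(f"{loc}-{kind}-detection") != "enable":
                findings.append(f"{kind}: {loc} not inspected")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(parse_policy(HIGH_LEVEL_SECURITY)):
        print(finding)
```

Run against the High-Level-Security sample it reports only the two body gaps, which is the case to close with a user-defined policy that sets body-sql-injection-detection and body-xss-detection to enable for applications that accept POST data.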