config security waf http-protocol-constraint
Use this command to configure HTTP protocol constraints: URI length, HTTP request method, and HTTP response code policies.
Table 14 describes the three predefined policies.
Table 14: Predefined HTTP protocol constraint policies

| Predefined Rules | Description |
|---|---|
| High-Level-Security | Maximum URI length is 2048 characters. Action is set to deny. Severity is set to high. |
| Medium-Level-Security | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to medium. |
| Alert-Only | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to low. |
The configurations for these rules are shown in the examples that follow. If desired, you can create user-defined rules to filter traffic with invalid HTTP request methods or drop packets with the specified server response codes.
Before you begin:
• You must have read-write permission for security settings.
After you have created an HTTP protocol constraint policy, you can specify it in a WAF profile configuration.
Syntax
config security waf http-protocol-constraint
    edit <name>
        set max-uri-length <integer>
        set max-uri-length-action {alert|deny}
        set max-uri-length-priority {high|medium|low}
        config request-method-rule
            edit <No.>
                set action {alert|deny}
                set severity {high|medium|low}
                set method {CONNECT DELETE GET HEAD OPTIONS OTHERS POST PUT TRACE}
            next
        end
        config response-code-rule
            edit <No.>
                set action {alert|deny}
                set severity {high|medium|low}
                set code-min <400-599>
                set code-max <400-599>
            next
        end
    next
end
| Parameter | Description |
|---|---|
| max-uri-length | Maximum number of characters in an HTTP request URI. The valid range is 1-8192. |
| max-uri-length-action | Action taken when a request URI exceeds max-uri-length: alert or deny. |
| max-uri-length-priority | Severity logged for a URI length violation: high, medium, or low. |
| config request-method-rule | Rules that match the HTTP method in the request line. |
| action | alert or deny. |
| severity | high, medium, or low. |
| method | Specify a space-separated list of methods to match in the HTTP request line: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, OTHERS. Note: The first 8 methods are described in RFC 2616. OTHERS covers less commonly used HTTP methods, such as those defined by the Web Distributed Authoring and Versioning (WebDAV) extensions. |
| config response-code-rule | Rules that match the status code of the server response. |
| action | alert or deny. |
| severity | high, medium, or low. |
| code-min | Start of the response code range to match (400-599). |
| code-max | End of the response code range to match (400-599). |
Example
FortiADC-VM (heuristic-sql-~s) # get security waf http-protocol-constraint High-Level-Security
max-uri-length : 2048
max-uri-length-action : deny
max-uri-length-severity : high
FortiADC-VM (heuristic-sql-~s) # end
# get security waf http-protocol-constraint Medium-Level-Security
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : medium
FortiADC-VM # get security waf http-protocol-constraint Alert-Only
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : low
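The predefined policies above only set the URI length constraint. The following is an added example, not taken from the FortiADC documentation, of a user-defined policy that uses all three constraint types from the syntax section; the policy name `strict-methods` and the rule numbers are assumptions chosen for illustration:

```text
config security waf http-protocol-constraint
    edit "strict-methods"
        # Same URI limit as High-Level-Security; oversized URIs are denied
        set max-uri-length 2048
        set max-uri-length-action deny
        set max-uri-length-priority high
        # Rule 1: deny request methods the application never uses
        config request-method-rule
            edit 1
                set action deny
                set severity high
                set method CONNECT TRACE OTHERS
            next
        end
        # Rule 1: log, but do not drop, 5xx responses so that a
        # burst of server errors is visible in the WAF logs
        config response-code-rule
            edit 1
                set action alert
                set severity medium
                set code-min 500
                set code-max 599
            next
        end
    next
end
```

Two points to check before applying such a policy: OTHERS includes the WebDAV methods, so a deny on OTHERS is only appropriate in front of back ends that do not serve WebDAV clients, and a response-code rule set to alert reports the matching responses without changing what the client receives, which is the safer starting point until the log volume for the range is known. Once the policy exists, it is referenced by name from the WAF profile, as the page notes above.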