config security waf profile
Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.
In many cases, you can use predefined profiles to get started. Table 15 describes the three predefined profiles.
Table 15: Predefined WAF profiles

Predefined Rules        Description
High-Level-Security     HTTP protocol constraints policy: High-Level-Security
                        SQL injection and XSS detection policy: High-Level-Security
Medium-Level-Security   HTTP protocol constraints policy: Medium-Level-Security
                        SQL injection and XSS detection policy: Medium-Level-Security
Alert-Only              HTTP protocol constraints policy: Alert-Only
                        SQL injection and XSS detection policy: Alert-Only

The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.
Before you begin:
You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
You must have read-write permission for security settings.
After you have created a WAF profile, you can specify it in a virtual server configuration.
Syntax
config security waf profile
  edit <name>
    set description <string>
    set heuristic-sql-xss-injection-detection <datasource>
    set http-protocol-constraint <datasource>
    set url-protection <datasource>
    set web-attack-signature <datasource>
  next
end
description
A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.
heuristic-sql-xss-injection-detection
Specify a predefined or user-defined configuration object.
http-protocol-constraint
Specify a predefined or user-defined configuration object.
url-protection
Specify a predefined or user-defined configuration object.
web-attack-signature
Specify a predefined or user-defined configuration object.
Example
FortiADC-VM # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :
 
FortiADC-VM # get security waf profile Medium-Level-Security
web-attack-signature : Medium-Level-Security
url-protection :
http-protocol-constraint : Medium-Level-Security
heuristic-sql-xss-injection-detect: Medium-Level-Security
description :
 
 
FortiADC-VM # get security waf profile Alert-Only
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
description :
 
FortiADC-VM # config security waf profile
FortiADC-VM (profile) # edit waf-profile
Add new entry 'waf-profile' for node 3000
 
FortiADC-VM (waf-profile) # get
web-attack-signature :
url-protection :
http-protocol-constraint :
heuristic-sql-xss-injection-detect:
description :
 
FortiADC-VM (waf-profile) # set web-attack-signature Alert-Only
FortiADC-VM (waf-profile) # set http-protocol-constraint Alert-Only
FortiADC-VM (waf-profile) # set heuristic-sql-xss-injection-detect Alert-Only
FortiADC-VM (waf-profile) # set description "evaluate Alert-Only policies"
 
FortiADC-VM (waf-profile) # get
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
description : "evaluate Alert-Only policies"
 
FortiADC-VM (waf-profile) # end
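
Added example (not part of the original reference and not Fortinet code): a small audit script that parses captured "get security waf profile <name>" output in the format shown above and lists protection fields that reference no object or still reference the Alert-Only objects. The names parse_profiles, audit and SAMPLE are hypothetical, and the sample text is constructed from the output on this page.

```python
import re

# Constructed sample: 'get' output in the format shown in the example above.
SAMPLE = """\
FortiADC-VM # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :

FortiADC-VM # get security waf profile waf-profile
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
description : "evaluate Alert-Only policies"
"""

PROTECTIONS = ("web-attack-signature", "url-protection",
               "http-protocol-constraint", "heuristic-sql-xss-injection-detect")
PROMPT = re.compile(r"^\S+(?: \(\S+\))? #\s*(?:get security waf profile (\S+))?")
FIELD = re.compile(r"^([a-z-]+)\s*:\s*(.*)$")

def parse_profiles(text):
    """Return {profile name: {field: value}} from captured 'get' output."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.replace("\u00a0", " ").strip()
        head, field = PROMPT.match(line), FIELD.match(line)
        if head:  # prompt line; only 'get security waf profile <name>' opens a block
            current = profiles.setdefault(head.group(1), {}) if head.group(1) else None
        elif field and current is not None:
            current[field.group(1)] = field.group(2).strip().strip('"')
    return profiles

def audit(profiles, monitor_only="Alert-Only"):
    """List (profile, field, finding) for unset or Alert-Only protection fields."""
    findings = []
    for name, fields in profiles.items():
        for key in PROTECTIONS:
            value = fields.get(key, "")
            if not value or value == monitor_only:
                findings.append((name, key, value or "unset"))
    return findings

if __name__ == "__main__":
    for name, key, finding in audit(parse_profiles(SAMPLE)):
        print(f"{name}: {key} -> {finding}")
```

Output from a bare "get" typed inside an edit session is ignored, because that prompt does not name the profile being displayed.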