waf allow-method-policy
Use this command to allow only specific HTTP request methods.
To define specific exceptions to this policy, use config waf allow-method-exceptions.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf allow-method-policy
    edit <allowed-methods_name>
        set allow-method {connect delete get head options others post put trace}
        set severity {High | Medium | Low}
        set triggered-action <trigger-policy_name>
        set [allow-method-exception <method-exception_name>]
    next
end
Variable / Description / Default

<allowed-methods_name>
    Type the name of a new or existing allowed methods policy. This field cannot be modified if you are editing an existing allowed methods policy. To modify the name, delete the entry, then recreate it using the new name. The maximum length is 35 characters.
    To display a list of the existing policies, type:
        edit ?
    Default: No default.

allow-method {connect delete get head options others post put trace}
    Select one or more HTTP request methods that you want to allow for this policy.
    Methods that you do not select are denied, unless they are specifically allowed for a host and/or URL in [allow-method-exception <method-exception_name>].
    The others option covers any method not named by the other options. It is often required by WebDAV (RFC 2518) applications such as Microsoft Exchange Server 2003 and Subversion, which use HTTP methods not commonly sent by web browsers, such as PROPFIND and BCOPY.
    Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method policy is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by the sessions you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance resets the connection and therefore cannot learn about the session.
    Default: No default.

severity {High | Medium | Low}
    Select the severity level to use in logs and reports generated when a violation of the policy occurs.
    Default: High

triggered-action <trigger-policy_name>
    Type the name of the trigger policy that FortiWeb applies when a violation of the HTTP request method policy occurs. Trigger policies determine who is notified by email when the violation occurs, and whether the log message associated with the violation is recorded. The maximum length is 35 characters.
    To display a list of the existing trigger policies, type:
        set triggered-action ?
    Default: No default.

[allow-method-exception <method-exception_name>]
    Type the name of an existing HTTP request method exception, if any, to apply to this policy. The maximum length is 35 characters.
    To display a list of the existing exceptions, type:
        set allow-method-exception ?
    Default: No default.
Example
This example allows the HTTP GET and POST methods and rejects all other methods, except where the exceptions defined in MethodExceptions1 permit them.
config waf allow-method-policy
    edit "allowpolicy1"
        set allow-method get post
        set triggered-action "TriggerActionPolicy1"
        set allow-method-exception "MethodExceptions1"
    next
end
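The following Python model, added here and not part of the FortiWeb documentation or product, reproduces the decision the policy above describes: a request method is mapped to its allow-method option (anything unnamed maps to others), denied methods are checked against the exception, and the exception matches on host and/or URL. Because this page does not define the fields of config waf allow-method-exceptions, the MethodException shape, the dav.example.com host and the /repo/ prefix are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Methods that have their own option in "set allow-method"; anything else
# (PROPFIND, BCOPY, MKCOL, ...) falls under the "others" option.
NAMED_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}


@dataclass
class MethodException:
    """Assumed shape of an allow-method-exceptions entry (fields are not from the page)."""
    name: str
    methods: Set[str]                 # options from the same list as allow-method
    host: Optional[str] = None        # None = matches any host
    url_prefix: Optional[str] = None  # None = matches any URL


@dataclass
class AllowMethodPolicy:
    name: str
    allow_method: Set[str]
    exception: Optional[MethodException] = None


def method_option(method: str) -> str:
    """Map a request method to the allow-method option that governs it."""
    m = method.lower()
    return m if m in NAMED_METHODS else "others"


def is_allowed(policy: AllowMethodPolicy, method: str, host: str, url: str) -> bool:
    """True if the request passes; False means the triggered action applies."""
    option = method_option(method)
    if option in policy.allow_method:
        return True
    exc = policy.exception
    if exc is None:
        return False
    host_ok = exc.host is None or exc.host.lower() == host.lower()
    url_ok = exc.url_prefix is None or url.startswith(exc.url_prefix)
    return host_ok and url_ok and option in exc.methods


# The page's example policy plus a constructed WebDAV exception.
MethodExceptions1 = MethodException(
    name="MethodExceptions1", methods={"others"},
    host="dav.example.com", url_prefix="/repo/")
allowpolicy1 = AllowMethodPolicy(
    name="allowpolicy1", allow_method={"get", "post"}, exception=MethodExceptions1)
```

Note that because PROPFIND and BCOPY both map to others, an exception that enables others for a host admits every unnamed method there, which is why exceptions are best scoped to the host and URL that actually need WebDAV.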
Related topics
config waf allow-method-exceptions