Variable | Description | Default |
<custom-access_name> | Type the name of a new or existing custom access rule. The maximum length is 63 characters. To display a list of the existing rule, type: edit ? | No default. |
action {alert | alert_deny | block-period} | Select the specific action to be taken when the request matches the this signature. • alert — Accept the request and generate an alert email and/or log message. Note: If type is data-leakage, does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.) • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. | alert |
block-period <seconds_int> | Type the length of time for which the FortiWeb appliance will block additional requests after a source IP address violates this rule. The block period is shared by all clients whose traffic originates from the source IP address. The valid range is from 1 to 3,600 seconds. | 60 |
severity {High | Medium | Low} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | Low |
trigger <trigger-policy_name> | Type the name of the trigger to apply when this policy is violated (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? | No default. |
real-browser-enforcement {enable | disable} | Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule. Disable this option to apply the access rule regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example, wget). | disable |
validation-timeout <timeout_int> | Specifies the maximum amount of time that FortiWeb waits for results from the web browser test. | 20 |
<entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
access-rate-limit <rate_int> | Type the rate threshold for source IP addresses. The valid range is from 1 to 65535. To disable the rate limit, type 0. Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. | 1 |
header-name-type {custom | predefined} | Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value <value_str> and, depending on which you indicate in this option, either: | predefined |
predefined-header {host | connection | authorization | x-pad | cookie | referer | user‑agent | X-Forwarded-For | Accept} | Select the name (key) of the HTTP header such as Accept: that must be present in order for the request to be allowed. This field appears only if header-name-type is predefined. | host |
pre-header-type {plain | regular} | Indicate whether header-value <value_str> is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular). | plain |
pre-header-rev-match {enable | disable} | Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user‑agent | X-Forwarded-For | Accept} and header-value <value_str> when determining whether or not this condition has been met. • no — If the regular expression does match the request object, the condition is met. • yes — If the regular expression does not match the request object, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ). If all conditions are met, the FortiWeb appliance will allow access. | disable |
custom-header-name <key_str> | Type the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed. This field appears only if header-name-type is custom. | No default. |
cus-header-type {plain | regular} | Indicate whether header-value <value_str> is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular). | plain |
cus-header-rev-match {enable | disable} | Indicate how to use custom-header-name <key_str> and header-value <value_str> when determining whether or not this condition has been met. • no — If the regular expression does match the request object, the condition is met. • yes — If the regular expression does not match the request object, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ). If all conditions are met, the FortiWeb appliance will allow access. | disable |
header-value <value_str> | Depending on your selection in pre-header-type {plain | regular}, either: • Type the literal header value, such as 172.0.2.80, your specified HTTP header must contain in order to match the filter. Value matching is case sensitive. (If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.). • Type a regular expression, such as 172\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match. For information on language and regular expression matching, see the FortiWeb Administration Guide. Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. For example, entering the value 192.168.1.1 would also match the IPs 192.168.10-19 and 192.168.100-199. This result is probably unintended. The better solution would be to configure either: • a regular expression such as ^192.168.1.1$ or • a source IP condition instead of an HTTP header condition | No default. |
source-ip {address_ipv4 | address_ipv6} | Type the IP address of a client that will be allowed. Depending on your configuration of how FortiWeb will derive the client’s IP (see “waf x-forwarded-for”), this may be the IP address that is indicated in an HTTP header rather than the IP header. | No default. |
request-file <url_str> | Type a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no}. For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no. The pattern is not required to begin with a slash ( / ). The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}. | No default. |
reverse-match {no | yes} | Indicate how to use request-file <url_str> when determining whether or not this rule’s condition has been met. • no — If the regular expression does match the request URL, the condition is met. • yes — If the regular expression does not match the request URL, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ). | no |
http-transation-timeout <timeout_int> | Specifies a timeout value of 1 to 3600 seconds. If the lifetime of a HTTP transaction exceeds this value, the transaction matches this condition. | 5 |
<response-code_int> | Specifies the start and end code in a range of HTTP response codes. To specify a single code, enter the same value for the start and end codes (for example, 404-404 or 500-503). If its HTTP response code is within this range, the HTTP transaction matches this condition. | No default. |
{text/html text/plain text/xml application/xml application/soap+xml application/json} | Specifies a file content type to match. Use with Occurrence to detect and control web scraping (content scraping) activity. | application/soap+xml application/xml(or)text/xml text/html text/plain application/json |
packet-interval-timeout <timeout_int> | Specifies the maximum number of seconds allowed between packets arriving from either the client or server (request or response packets), in seconds. Enter a value from 1 to 60. If the interval exceeds this value, the HTTP transaction matches this condition. | 1 |
{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000} | Specifies the ID of a signature class. Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. See “waf signature”. | No default. |
status {enable | disable} | Specifies whether the HTTP transaction matches this condition if it matches the specified signature. | disable |
custom-signature-enable {enable | disable} | Specifies whether the current custom signature filter is enabled. | disable |
{custom-signature-group | custom-signature} | Specifies whether <custom-signature-name_str> specifies a custom signature group or an individual signature. | custom-signature-group |
<custom-signature-name_str> | Specifies the custom signature group or individual signature to match. Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. See “waf signature”. | No default. |
<occurrence_int> | Specifies the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within. Enter a value between 1 and 100,000. If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition. | 1 |
<within_int> | Specifies the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule. Enter a value between 1 and 600. | 1 |
percentage-flag {enable | disable} | Specifies whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the <percentage_int> value. | disable |
<percentage_int> | The maximum rate of matches with other filter types in the current rule, expressed as percent of hits. If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition. | No default. |
{Source-IP | User} | Specifies whether FortiWeb determines the rate at which a transaction matches other filter types in the current rule by counting matches by source client IP address or by client. To specify user, ensure that the value of http-session-management is enabled (see “waf web-protection-profile inline-protection”). | source-ip |