waf custom-protection-rule
Use this command to configure custom data leak and attack signatures.
 
Before you enter custom signatures via the CLI, first enable the cli-signature {enable | disable} setting in config system global.
To use your custom signatures, you must first group them so that they can be included in a rule. For details, see “config waf custom-protection-group”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf custom-protection-rule
  edit <custom-protection rule_name>
    set type {request | response}
    set action {alert | alert_deny | alert_erase | redirect | block-period | send_403_forbidden}
    set block-period <seconds_int>
    set case-sensitive {enable | disable}
    set expression <regex_pattern>
    set severity {High | Medium | Low}
    set trigger <trigger-policy_name>
    config meet-targets
      edit <entry_index>
        set target {ARGS | ARGS_NAMES | REQUEST_BODY | REQUEST_COOKIES | REQUEST_COOKIES_NAMES | REQUEST_FILENAME | REQUEST_HEADERS | REQUEST_HEADERS_NAMES | REQUEST_RAW_URI | REQUEST_URI | RESPONSE_HEADER | RESPONSE_BODY | RESPONSE_STATUS}
      next
    end
  next
end
Variables

<custom-protection rule_name>
Type the name of the new or existing custom signature. The maximum length is 35 characters.
To display a list of the existing rules, type:
  edit ?
Default: No default.

type {request | response}
Specify the type of regular expression:
  request — The expression is an attack signature.
  data-leakage — The expression is a server information disclosure signature.
Default: request

action {alert | alert_deny | alert_erase | redirect | block-period | send_403_forbidden}
Select the specific action to be taken when the request matches this signature.
  alert — Accept the request and generate an alert email and/or log message.
  Note: If type is data-leakage, this action does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.)
  alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.
  You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
  alert_erase — Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message. This option is applicable only if type is data-leakage.
  If the sensitive information is a status code, you can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
  Note: This option is not fully supported in offline protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.
  block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
  Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
  redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
  send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message. This option is applicable only if type is signature-creation.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert

block-period <seconds_int>
If action is block-period, the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. For information on viewing the list of currently blocked clients, see the FortiWeb Administration Guide.
The valid range is from 1 to 3,600 (1 hour).
Default: 1

case-sensitive {enable | disable}
Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern>.
For example, when enabled, an HTTP reply containing the phrase Credit card would not match an expression that looks for the phrase credit card (note the upper-case C in the reply).
Default: enable

expression <regex_pattern>
Depending on your selection in type {request | response}, type a regular expression that matches either:
  an attack from a client
  a data leak from the server
To prevent false positives, it should not match anything else. The maximum length is 2,071 characters.
Default: No default.

severity {High | Medium | Low}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule.
Default: Medium

trigger <trigger-policy_name>
Select which trigger policy, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
  set trigger ?
Default: No default.

<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
Default: No default.

target {ARGS | ARGS_NAMES | REQUEST_BODY | REQUEST_COOKIES | REQUEST_COOKIES_NAMES | REQUEST_FILENAME | REQUEST_HEADERS | REQUEST_HEADERS_NAMES | REQUEST_RAW_URI | REQUEST_URI | RESPONSE_HEADER | RESPONSE_BODY | RESPONSE_STATUS}
Type the name of a location in the HTTP request or response (for example, ARGS_NAMES for the names of parameters or REQUEST_COOKIES for strings in the HTTP Cookie: header) to scan for a signature match.
If you want to scan multiple locations, create multiple entries in the meet-targets table.
Default: No default.
Example
This example configures a signature to detect and block an LFI attack that uses directory traversal through an unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named notification-servers1 will be used to send alert email and attack log messages whose severity level is High.
config waf custom-protection-rule
  edit "Joomla_controller_LFI"
    set type signature-creation
    set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"
    set action alert_deny
    set severity High
    set trigger notification-servers1
    config meet-targets
      edit 1
        set target REQUEST_RAW_URI
      next
    end
  next
end
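As an added illustration (not FortiWeb code and not part of this reference), the following Python script emulates how a rule's expression, its case-sensitive setting and its meet-targets entries combine, so a signature such as the Joomla_controller_LFI rule above, or the case-sensitive "Credit card" example from the variable table, can be sanity-checked against sample traffic before it is deployed. The CustomProtectionRule class, the sample URIs and the reply body are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical evaluator (not FortiWeb code): applies a custom-protection-rule's
# expression to the locations named in its meet-targets table.

@dataclass
class CustomProtectionRule:
    name: str
    expression: str            # the rule's expression <regex_pattern>
    targets: list              # meet-targets entries, e.g. ["REQUEST_RAW_URI"]
    case_sensitive: bool = True    # CLI default: case-sensitive enable
    action: str = "alert"          # CLI default action

    def evaluate(self, http_message: dict):
        """Return (matched_target, action), or (None, None) if nothing matches."""
        # http_message maps target names (REQUEST_RAW_URI, RESPONSE_BODY, ...)
        # to the string FortiWeb would scan in that location.
        flags = 0 if self.case_sensitive else re.IGNORECASE
        pattern = re.compile(self.expression, flags)
        for target in self.targets:        # one meet-targets entry per location
            value = http_message.get(target)
            if value is not None and pattern.search(value):
                return target, self.action
        return None, None

# The Joomla_controller_LFI rule from the page's example.
JOOMLA_LFI = CustomProtectionRule(
    name="Joomla_controller_LFI",
    expression=r"^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?",
    targets=["REQUEST_RAW_URI"],
    action="alert_deny",
)

# Constructed sample URIs (not captured traffic): one traversal attempt, one benign request.
TRAVERSAL_URI = "/index.php?option=com_ckforms&controller=../../somefile"
BENIGN_URI = "/index.php?option=com_ckforms&controller=listforms"

def check_joomla_rule():
    hit = JOOMLA_LFI.evaluate({"REQUEST_RAW_URI": TRAVERSAL_URI})
    miss = JOOMLA_LFI.evaluate({"REQUEST_RAW_URI": BENIGN_URI})
    return hit, miss   # → (("REQUEST_RAW_URI", "alert_deny"), (None, None))

# The case-sensitive example from the table: a constructed reply containing
# "Credit card" is scanned for "credit card" with the setting enabled and disabled.
def check_case_sensitivity():
    reply = {"RESPONSE_BODY": "Your Credit card ending in 1234 is on file."}
    strict = CustomProtectionRule("cc_leak", r"credit card", ["RESPONSE_BODY"], True, "alert_erase")
    loose = CustomProtectionRule("cc_leak", r"credit card", ["RESPONSE_BODY"], False, "alert_erase")
    return strict.evaluate(reply)[0], loose.evaluate(reply)[0]   # → (None, "RESPONSE_BODY")
```

Because the rule scans only the locations listed in meet-targets, a request whose traversal sequence sits in a POST body rather than the URI would not match this rule; add a further meet-targets entry for each location you expect the parameter in.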
Related topics
config waf custom-protection-group
config log trigger-policy