waf file-upload-restriction-policy
Use this command to set the file upload restriction policies that the FortiWeb appliance uses to limit the types of files that can be uploaded to your web servers.
The policies are composed of individual rules set using the config waf file-upload-restriction-rule command. Each rule identifies the host and/or URL to which the restriction applies and the types of files allowed. To apply a file upload restriction policy, select it within an inline or offline protection profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
    config waf file-upload-restriction-policy
        edit <file-upload-restriction-policy_name>
            set action {alert | alert_deny | block-period}
            set severity {High | Medium | Low}
            set trigger <trigger-policy_name>
            set av-scan {enable | disable}
            set block-period <seconds_int>
            config rule
                edit <entry_index>
                    set file-upload-restriction-rule <rule_name>
                next
            end
        next
    end
Variables

Variable: <file-upload-restriction-policy_name>
Description: Type the name of an existing or new file upload restriction policy. The maximum length is 35 characters.
To display the list of existing policies, type:
    edit ?
Default: No default.

Variable: action {alert | alert_deny | block-period}
Description: Type the action you want FortiWeb to perform when the policy is violated:
    alert — Accept the request and generate an alert and/or log message.
    alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
        You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
    block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert

Variable: severity {High | Medium | Low}
Description: Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Default: Low

Variable: trigger <trigger-policy_name>
Description: Type the name of the trigger to apply when this policy is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing triggers, type:
    set trigger ?
Default: No default.

Variable: av-scan {enable | disable}
Description: Specify enable to scan for trojans.
Also enable and configure the signature rule for the Trojans class (070000000; see “config waf signature”).

Variable: block-period <seconds_int>
Description: If action is block-period, type the number of seconds that violating requests will be blocked. The valid range is from 1 to 3,600 seconds.
Default: 1

Variable: <entry_index>
Description: Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
Default: No default.

Variable: file-upload-restriction-rule <rule_name>
Description: Type the name of an upload restriction rule to use with the policy, if any. See “config waf file-upload-restriction-rule”. The maximum length is 35 characters.
To display the list of existing rules, type:
    set file-upload-restriction-rule ?
Default: No default.
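Worked example, added here and not taken from the FortiWeb documentation: a policy that blocks an offending client for 10 minutes, raises High-severity log entries through a trigger, scans uploads for trojans, and attaches two upload restriction rules. The policy, trigger and rule names are assumed to exist already (they are placeholders within the 35-character limit); lines starting with # are explanatory comments.

```text
# Policy for the public upload endpoints; every name is an assumed placeholder.
config waf file-upload-restriction-policy
    edit upload-policy-public-portal
        # block-period requires block-period <seconds_int> (1 to 3,600).
        set action block-period
        set block-period 600
        set severity High
        # Trigger created beforehand with config log trigger-policy.
        set trigger trigger-notify-soc
        # Pair with the Trojans signature class (070000000) in config waf signature.
        set av-scan enable
        config rule
            # Rules created beforehand with config waf file-upload-restriction-rule.
            edit 1
                set file-upload-restriction-rule upload-rule-profile-images
            next
            edit 2
                set file-upload-restriction-rule upload-rule-support-tickets
            next
        end
    next
end
```

Because the action is block-period, a FortiWeb behind a NAT load balancer also needs the original-client X-header defined under waf x-forwarded-for, otherwise a single violation can block every connection arriving from the load balancer's address. The policy only takes effect once selected in an inline or offline protection profile, and the action is ignored while monitor-mode is enabled.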
Related topics
config waf file-upload-restriction-rule
config log trigger-policy