waf http-constraints-exceptions
Use set statements under this command to configure exceptions to existing HTTP protocol parameter constraints for specific hosts.
Exceptions are useful when you know that a particular HTTP protocol constraint will produce false positives during normal use, because legitimate requests to a host match the constraint. An exception names the HTTP constraints that will not be enforced by the HTTP protocol constraint policy for requests that match the exception.
For example, if you enable max-http-header-length in an HTTP protocol constraint exception for a specific host, FortiWeb skips the HTTP header length check when executing the web protection profile for that host.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf http-constraints-exceptions
    edit <http-exception_name>
        config http_constraints-exception-list
            edit <entry_index>
                set request-file <url_pattern>
                set request-type {plain | regular}
                set host <protected-hosts_name>
                set host-status {enable | disable}
                set block-malformed-request {enable | disable}
                set Illegal-host-name-check {enable | disable}
                set Illegal-http-request-method-check {enable | disable}
                set max-cookie-in-request {enable | disable}
                set max-header-line-request {enable | disable}
                set max-http-body-length {enable | disable}
                set max-http-content-length {enable | disable}
                set max-http-header-length {enable | disable}
                set max-http-header-line-length {enable | disable}
                set max-http-parameter-length {enable | disable}
                set max-http-request-length {enable | disable}
                set max-url-parameter {enable | disable}
                set max-url-parameter-length {enable | disable}
                set number-of-ranges-in-range-header {enable | disable}
            next
        end
    next
end
Variable / Description / Default

<http-exception_name>
    Type the name of a new or existing HTTP protocol constraint exception. The maximum length is 35 characters.
    To display the list of existing exceptions, type:
    edit ?
    Default: No default.

<entry_index>
    Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
    Default: No default.

request-file <url_pattern>
    Type either:
    - the literal URL, such as /index.php, that the HTTP request must contain in order to match the exception. The URL must begin with a slash ( / ).
    - a regular expression, such as ^/*.php, matching all and only the URLs to which the exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
    Do not include the name of the web host, such as www.example.com, which is configured separately in host. The maximum length is 255 characters.
    Default: No default.

request-type {plain | regular}
    Type either plain or regular (for a regular expression) to indicate how the string entered in request-file is matched against the request URL.
    Default: No default.

host <protected-hosts_name>
    Type the name of a protected host. The Host: field of an HTTP request must match this host for the request to match the exception. The maximum length is 255 characters.
    This setting applies only if host-status is enable.
    Default: No default.

host-status {enable | disable}
    Enable to apply this exception only to HTTP requests for specific web hosts. Also configure host <protected-hosts_name>.
    Disable to match the exception based upon the other criteria, such as the URL, regardless of the Host: field.
    Default: disable

block-malformed-request {enable | disable}
    Enable to omit the constraint on syntax and FortiWeb parsing errors.
    Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

Illegal-host-name-check {enable | disable}
    Enable to omit the constraint on host names with illegal characters.
    Default: disable

Illegal-http-request-method-check {enable | disable}
    Enable to omit the constraint on illegal HTTP request methods.
    Default: disable

max-cookie-in-request {enable | disable}
    Enable to omit the constraint on the maximum number of cookies per request.
    Default: disable

max-header-line-request {enable | disable}
    Enable to omit the constraint on the maximum number of HTTP header lines.
    Default: disable

max-http-body-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP body length.
    Default: disable

max-http-content-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP content length.
    Default: disable

max-http-header-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP header length.
    Default: disable

max-http-header-line-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP header line length.
    Default: disable

max-http-parameter-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP parameter length.
    Default: disable

max-http-request-length {enable | disable}
    Enable to omit the constraint on the maximum HTTP request length.
    Default: disable

max-url-parameter {enable | disable}
    Enable to omit the constraint on the maximum number of parameters in the URL.
    Default: disable

max-url-parameter-length {enable | disable}
    Enable to omit the constraint on the maximum length of parameters in the URL.
    Default: disable

number-of-ranges-in-range-header {enable | disable}
    Enable to omit the constraint on the maximum acceptable number of Range: fields in an HTTP header.
    Default: disable
Example
This example omits the HTTP header length limit for requests to www.example.com, and the HTTP body length limit for requests to 10.0.0.1, when the requested URL is /login.asp.
config waf http-constraints-exceptions
    edit "exception1"
        config http_constraints-exception-list
            edit 1
                set host "www.example.com"
                set host-status enable
                set max-http-header-length enable
                set request-file "/login.asp"
            next
            edit 2
                set host "10.0.0.1"
                set host-status enable
                set max-http-body-length enable
                set request-file "/login.asp"
            next
        end
    next
end
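As an added illustration (this is not FortiWeb code and does not describe its internals), the following Python models how the entries in this list are matched and what an exception removes. It parses the example configuration above, applies the host, host-status and request-file rules described in the variable table, and then runs one oversized request against a few constraint checks. The measurements in CHECKS, the exact-match (plain) and re.search (regular) semantics in entry_matches, the exact Host: comparison, and the limit values in demo are all assumptions made for the example.

```python
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: the example configuration from this page pasted as text (indentation assumed).
EXAMPLE_CONFIG = """\
config waf http-constraints-exceptions
    edit "exception1"
        config http_constraints-exception-list
            edit 1
                set host "www.example.com"
                set host-status enable
                set max-http-header-length enable
                set request-file "/login.asp"
            next
            edit 2
                set host "10.0.0.1"
                set host-status enable
                set max-http-body-length enable
                set request-file "/login.asp"
            next
        end
    next
end
"""

@dataclass
class ExceptionEntry:
    """One http_constraints-exception-list entry (a model, not FortiWeb's own type)."""
    index: int
    request_file: str = ""
    request_type: str = "plain"      # plain | regular
    host: str = ""
    host_status: bool = False
    omitted: set = field(default_factory=set)   # constraint switches set to enable

def parse_exception_list(text):
    """Parse the exception-list block; handles only edit/set/next/end as shown above."""
    entries, cur, in_list = [], None, False
    for raw in text.splitlines():
        parts = shlex.split(raw)     # also strips the quotes around values
        if not parts:
            continue
        if parts[:2] == ["config", "http_constraints-exception-list"]:
            in_list = True
        elif not in_list:
            continue                 # outer config/edit lines are not needed here
        elif parts[0] == "end":
            in_list = False
        elif parts[0] == "edit":
            cur = ExceptionEntry(index=int(parts[1]))
        elif parts[0] == "next" and cur is not None:
            entries.append(cur)
            cur = None
        elif parts[0] == "set" and cur is not None:
            key, val = parts[1], parts[2]
            if key in ("request-file", "request-type", "host"):
                setattr(cur, key.replace("-", "_"), val)
            elif key == "host-status":
                cur.host_status = (val == "enable")
            elif val == "enable":    # e.g. "set max-http-header-length enable"
                cur.omitted.add(key)
    return entries

def entry_matches(entry, host, path):
    """Assumed semantics: exact Host: match (only when host-status is enable),
    exact path match for 'plain', re.search for 'regular'."""
    if entry.host_status and host != entry.host:
        return False
    if entry.request_type == "regular":
        return re.search(entry.request_file, path) is not None
    return path == entry.request_file

def omitted_constraints(entries, host, path):
    """Union of the constraints skipped by every entry that matches the request."""
    return set().union(*(e.omitted for e in entries if entry_matches(e, host, path)))

# Hypothetical measurements for two constraints (FortiWeb's own are not shown on the page).
CHECKS = {
    "max-http-header-length": lambda r: sum(len(k) + len(v) + 4 for k, v in r["headers"]),
    "max-http-body-length": lambda r: len(r["body"]),
}

def evaluate(entries, request, limits):
    """Constraints the request still violates once matching exceptions are removed."""
    skipped = omitted_constraints(entries, request["host"], request["path"])
    return [name for name, limit in limits.items()
            if name in CHECKS and name not in skipped and CHECKS[name](request) > limit]

ENTRIES = parse_exception_list(EXAMPLE_CONFIG)

def demo():
    """The same oversized request sent to three host/URL pairs (constructed limits)."""
    limits = {"max-http-header-length": 64, "max-http-body-length": 16}
    headers = [("Host", "www.example.com"), ("Cookie", "session=" + "a" * 80)]
    body = b"user=x&pass=y" + b"z" * 20
    targets = [("www.example.com", "/login.asp"), ("www.example.com", "/index.php"), ("10.0.0.1", "/login.asp")]
    return [evaluate(ENTRIES, {"host": h, "path": p, "headers": headers, "body": body}, limits)
            for h, p in targets]
```

Running demo() shows the effect of scoping: the request to www.example.com/login.asp is relieved only of the header length check, the same request to /index.php on the same host hits both limits because no entry matches, and the request to 10.0.0.1/login.asp is relieved only of the body length check. Because every other constraint stays enforced for a matching request, an exception should enable the single switch that is producing the false positive and nothing more.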
Related topics
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config log trigger-policy
config waf http-protocol-parameter-restriction