config : waf http-protocol-parameter-restriction
 
waf http-protocol-parameter-restriction
Use this command to configure HTTP protocol constraints.
HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.
Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.
 
You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, configure “block-malformed-request-check {enable | disable}” to harden your configuration. To configure the buffer size, see “max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}”.
Each protocol parameter can be uniquely configured with an action, severity and trigger that determines how an attack on that parameter is handled. For example, header constraints could have the action set to alert, the severity set to high, and a trigger set to deliver an email each time these protocol parameters are violated.
To apply HTTP protocol constraints, select them in an inline or offline protection profile. For details, see “config waf web-protection-profile inline-protection” or “config waf web-protection-profile offline-protection”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf http-protocol-parameter-restriction
edit <http-constraint_name>
set block-malformed-request-check {enable | disable}
set Illegal-host-name-check {enable | disable}
set Illegal-http-request-method-check {enable | disable}
set Illegal-http-version-check {enable | disable}
set max-cookie-in-request <limit_int>
set max-header-line-request <limit_int>
set max-http-body-length <limit_int>
set max-http-content-length <limit_int>
set max-http-header-length <limit_int>
set max-http-header-line-length <limit_int>
set max-http-parameter-length <limit_int>
set max-http-request-length <limit_int>
set max-url-parameter <limit_int>
set max-url-parameter-length <limit_int>
set number-of-ranges-in-range-header <limit_int>
set <parameter_name>-action {alert | alert_deny | block-period}
set <parameter_name>-severity {High | Medium | Low}
set <parameter_name>-trigger <trigger-policy_name>
set <parameter_name>-block-period <seconds_int>
[set exception_name <http-exception_name>]
next
end
Variable
Description
Default
<http-constraint_name>
Type the name of a new or existing HTTP protocol constraint. The maximum length is 35 characters.
To display the list of existing constraints, type:
edit ?
No default.
block-malformed-request-check {enable | disable}
Enable to block the request if either:
it has syntax errors
parsing errors occur while FortiWeb is scanning the request (see “debug flow trace”)
These can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities.
Caution: Fortinet strongly recommends enabling this option unless the web application requires large requests or parameters. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. Unless you enable this option to block oversized items, FortiWeb allows those oversized requests to pass through unscanned. This could allow attackers to craft large attacks that bypass your FortiWeb policies and reach your web servers. If feasible, instead of disabling this option:
exempt only the URLs that require oversized parameters (see “config waf http-constraints-exceptions”)
Note: Do not enable this option if requests normally contain:
parameters larger than the scan buffer (Buffer size is configurable — see “max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}”.)
large numbers of parameters
more than 32 cookies
Requests like this will be flagged as potentially malformed by FortiWeb’s parser, causing FortiWeb to block normal requests.
enable
Illegal-host-name-check {enable | disable}
Enable to check the Host: line of the HTTP header for illegal characters, such as a null byte (0x00) or its percent-encoded form (%00).
enable
Illegal-http-request-method-check {enable | disable}
Enable to check for illegal HTTP request methods.
enable
Illegal-http-version-check {enable | disable}
Enable to check for illegal HTTP version numbers. If the HTTP version is not “HTTP/1.0” or “HTTP/1.1”, it is considered illegal.
enable
max-cookie-in-request <limit_int>
Type the maximum acceptable number of cookies in an HTTP request. The valid range is from 0 to 32.
16
max-header-line-request <limit_int>
Type the maximum acceptable number of lines in the HTTP header. The valid range is from 0 to 32.
32
max-http-body-length <limit_int>
Type the maximum acceptable length in bytes of the HTTP body.
The valid range is from 0 to 67,108,864. To disable the limit, type 0.
0
max-http-content-length <limit_int>
Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
The valid range is from 0 to 67,108,864. To disable the limit, type 0.
0
max-http-header-length <limit_int>
Type the maximum acceptable length in bytes of the HTTP header.
The valid range is from 0 to 12,288. To disable the limit, type 0.
4096
max-http-header-line-length <limit_int>
Type the maximum acceptable length in bytes of each line in the HTTP header.
The valid range is from 0 to 12,288. To disable the limit, type 0.
1024
max-http-parameter-length <limit_int>
Type the total maximum acceptable length in bytes of all parameters in the URL and/or, for HTTP POST requests, the HTTP body.
Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
The valid range is from 0 to 65,536. To disable the limit, type 0.
6144
max-http-request-length <limit_int>
Type the maximum acceptable length in bytes of the HTTP request.
The valid range is from 0 to 67,108,864. To disable the limit, type 0.
67108864
max-url-parameter <limit_int>
Type the maximum number of URL parameters.
The valid range is from 1 to 64.
16
max-url-parameter-length <limit_int>
Type the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as:
/url?parameter=value
It does not include parameters in the HTTP body, which can occur with HTTP POST requests.
The valid range is from 0 to 12,288.
2048
number-of-ranges-in-range-header <limit_int>
Type the maximum acceptable number of byte ranges (comma-separated, for example bytes=0-99,100-199) in the Range: header of an HTTP request.
Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack through this header, where a malicious client requests a very large number of byte ranges in a single Range: header. The default value is appropriate for unpatched versions of Apache 2.0 and 2.1.
The valid range is from 0 to 64.
5
<parameter_name>-action {alert | alert_deny | block-period}
Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure <parameter_name>-block-period <seconds_int>.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
Caution: This setting is ignored when the value of monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types.
For example, for maximum HTTP header length violations, you might type the accompanying setting:
set max-http-header-length-action alert
Note: Available actions vary depending on operating mode and protocol parameter.
alert
<parameter_name>-severity {High | Medium | Low}
Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types.
For example, for maximum HTTP header length violations, you might type the accompanying setting:
set max-http-header-length-severity High
High
<parameter_name>-trigger <trigger-policy_name>
Type the name of the trigger to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger ?
Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
For example, for maximum HTTP header length violations, you might type the accompanying setting:
set max-http-header-length-trigger trigger-policy1
No default.
<parameter_name>-block-period <seconds_int>
If action is block-period, type the number of seconds that the connection will be blocked. The valid range is from 1 to 3,600 seconds.
0
exception_name <http-exception_name>
Type the name of an exception to existing HTTP protocol parameter constraints (see “config waf http-constraints-exceptions”).
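The Note under <parameter_name>-action warns that block-period behind a NAT load balancer can block all connections unless an X-header carrying the original client IP is defined. The following is an added illustration, not FortiWeb code: a minimal model of a block-period action that keys its block list on either the TCP source address or a trusted X-header. The header name X-Forwarded-For, the 60-second period and the addresses in the traffic list are assumptions constructed for the example; the page itself only refers to “an X-header”.

```python
"""Model of the block-period action behind a NAT load balancer.

Added example, not FortiWeb code. When every connection arrives from the
load balancer's address, blocking by TCP source blocks everyone; blocking by
the client address recovered from a trusted X-header blocks only the offender.
ASSUMED: the X-header is X-Forwarded-For and the load balancer appends the
real client address as its last entry.
"""


class BlockPeriod:
    def __init__(self, seconds, trust_x_header=False, x_header="X-Forwarded-For"):
        self.seconds = seconds            # <parameter_name>-block-period
        self.trust_x_header = trust_x_header
        self.x_header = x_header
        self.blocked_until = {}           # client address -> expiry time

    def client_ip(self, src_ip, headers):
        """Address the block is keyed on: trusted X-header if configured, else TCP source."""
        value = headers.get(self.x_header)
        if self.trust_x_header and value:
            # The load balancer appends the real client last; earlier entries are client-controlled.
            return value.split(",")[-1].strip()
        return src_ip

    def handle(self, now, src_ip, headers, violates):
        """Return 'blocked' or 'allowed' for one request arriving at time `now` (seconds)."""
        ip = self.client_ip(src_ip, headers)
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"              # still inside an earlier block period
        if violates:
            self.blocked_until[ip] = now + self.seconds
            return "blocked"
        return "allowed"


# Constructed traffic (not captured): both clients reach FortiWeb via a load balancer at 10.0.0.5.
LB = "10.0.0.5"
TRAFFIC = [
    (0,  {"X-Forwarded-For": "203.0.113.7"}, True),    # attacker trips a constraint
    (1,  {"X-Forwarded-For": "198.51.100.9"}, False),  # innocent client, normal request
    (2,  {"X-Forwarded-For": "203.0.113.7"}, False),   # attacker again, inside the block period
    (61, {"X-Forwarded-For": "203.0.113.7"}, False),   # attacker after the 60 s period expires
]


def simulate(trust_x_header, seconds=60):
    """Outcome of each request in TRAFFIC, in order."""
    bp = BlockPeriod(seconds, trust_x_header)
    return [bp.handle(t, LB, hdrs, bad) for t, hdrs, bad in TRAFFIC]


if __name__ == "__main__":
    print("TCP source only: ", simulate(False))   # the innocent client is blocked too
    print("trusted X-header:", simulate(True))
```

With the block keyed on the TCP source, the innocent client at t=1 is blocked because it shares the load balancer's address with the attacker; with the X-header trusted, only 203.0.113.7 is blocked, and it is allowed again once the period has expired. Trust only the entry the load balancer itself adds: anything a client places in the header before it is under the client's control.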
 
Example
This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.
config waf http-protocol-parameter-restriction
edit "http-constraint1"
set max-http-header-length 2048
set max-http-header-length-action alert
set max-http-header-length-severity Medium
set max-http-header-length-trigger email-admin
next
end
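Before choosing limits like the 2,048-byte header length above, it helps to measure what each constraint counts on real requests. The following is an added example, not FortiWeb code: a small parser that takes a raw HTTP/1.x request and reports which of this page's constraints it would trip, using the defaults listed in the table. Counting rules follow the descriptions on this page; where the page is silent (what the header length includes, how cookies and POST body parameters are counted, which request methods are legal) the rule chosen is marked ASSUMED. The sample requests are constructed, not captured traffic.

```python
"""Measure what FortiWeb's HTTP protocol constraints compare against.

Added example, not FortiWeb code: parse a raw HTTP/1.x request and report
which constraints it would trip. Counting rules follow this page's
descriptions; rules the page does not state are marked ASSUMED.
"""
import re

# Defaults listed on this page. 0 means the limit is disabled.
DEFAULTS = {
    "max-cookie-in-request": 16,
    "max-header-line-request": 32,
    "max-http-body-length": 0,
    "max-http-content-length": 0,
    "max-http-header-length": 4096,
    "max-http-header-line-length": 1024,
    "max-http-parameter-length": 6144,
    "max-http-request-length": 67108864,
    "max-url-parameter": 16,
    "max-url-parameter-length": 2048,
    "number-of-ranges-in-range-header": 5,
}
LEGAL_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}            # per Illegal-http-version-check
LEGAL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "PATCH", "TRACE", "CONNECT"}  # ASSUMED: the page does not list them


def _headers(header_lines):
    """Lower-cased (name, value) pairs; values keep their raw bytes."""
    out = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        out.append((name.strip().lower(), value.strip()))
    return out


def _values(headers, name):
    return [v for n, v in headers if n == name]


def _param_len(qs):
    """Bytes of parameter names and values only; ?, & and = are excluded (per page)."""
    total = 0
    for pair in qs.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            total += len(name) + len(value)
    return total


def host_is_illegal(host):
    """True for raw control bytes (including NUL) or percent-encoded ones such as %00."""
    if any(b < 0x20 or b == 0x7F for b in host):
        return True
    return any(int(m.decode(), 16) < 0x20 for m in re.findall(rb"%([0-9A-Fa-f]{2})", host))


def measure(raw):
    """Return {'metrics': {constraint: observed}, 'flags': {check: bool}} for one request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = _headers(header_lines)
    parts = request_line.split(b" ")
    method = parts[0].decode("latin-1")
    target = parts[1] if len(parts) > 1 else b""
    version = parts[2].decode("latin-1") if len(parts) > 2 else ""
    query = target.partition(b"?")[2]
    # ASSUMED: a POST body is form-encoded, so its pairs count toward max-http-parameter-length.
    body_params = body if method == "POST" else b""
    content_length = next((int(v) for v in _values(headers, b"content-length") if v.isdigit()), 0)
    # ASSUMED: cookies are the ';'-separated pairs across all Cookie: lines.
    cookie_count = sum(len([c for c in v.split(b";") if c.strip()])
                       for v in _values(headers, b"cookie"))
    # Ranges are the ','-separated items after "bytes=", summed over all Range: lines.
    range_count = sum(len([r for r in v.partition(b"=")[2].split(b",") if r.strip()])
                      for v in _values(headers, b"range"))
    metrics = {
        "max-http-request-length": len(raw),
        "max-http-header-length": len(head),             # ASSUMED: request line + header lines
        "max-header-line-request": len(header_lines),
        "max-http-header-line-length": max((len(l) for l in header_lines), default=0),
        "max-cookie-in-request": cookie_count,
        "max-url-parameter": len([p for p in query.split(b"&") if p]),
        "max-url-parameter-length": len(query),          # ASSUMED: everything after '?'
        "max-http-parameter-length": _param_len(query) + _param_len(body_params),
        "max-http-body-length": len(body),
        "max-http-content-length": content_length,
        "number-of-ranges-in-range-header": range_count,
    }
    flags = {
        "Illegal-http-version-check": version not in LEGAL_VERSIONS,
        "Illegal-http-request-method-check": method not in LEGAL_METHODS,
        "Illegal-host-name-check": any(host_is_illegal(h) for h in _values(headers, b"host")),
    }
    return {"metrics": metrics, "flags": flags}


def violations(raw, limits=None):
    """(constraint, observed, limit) for every limit exceeded or check tripped."""
    limits = {**DEFAULTS, **(limits or {})}
    result = measure(raw)
    found = [(name, seen, limits[name]) for name, seen in result["metrics"].items()
             if limits[name] and seen > limits[name]]
    found += [(name, 1, 0) for name, hit in result["flags"].items() if hit]
    return found


# Constructed sample requests (not captured traffic).
SAMPLE_GET = b"\r\n".join([
    b"GET /search?q=fortiweb&page=2 HTTP/1.1",
    b"Host: www.example.com",
    b"Cookie: " + b"; ".join(b"c%d=v" % i for i in range(20)),   # 20 cookies, default limit 16
    b"Range: bytes=0-1,2-3,4-5,6-7,8-9,10-11",                   # 6 ranges, default limit 5
    b"", b"",
])
SAMPLE_POST = b"\r\n".join([
    b"POST /login HTTP/1.1",
    b"Host: www.example.com",
    b"Content-Length: 22",
    b"", b"user=alice&pass=s3cret",
])

if __name__ == "__main__":
    for name, seen, limit in violations(SAMPLE_GET):
        print(f"{name}: observed {seen}, limit {limit}")
    # With the page's example limit of 2,048 bytes on the whole header:
    print(violations(SAMPLE_POST, {"max-http-header-length": 2048}))
```

Run it over a sample of legitimate requests for the application (for example, replayed from a proxy capture) and raise any limit that the normal traffic exceeds, or add an exception for the URL concerned, before switching the corresponding action from alert to alert_deny or block-period.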
Related topics
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config log trigger-policy
config waf http-constraints-exceptions
diagnose debug application http
diagnose debug flow trace