config : waf input-rule
 
waf input-rule
Use this command to configure input rules.
Input rules define whether or not parameters are required, and set their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule.
Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.
For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.
To apply input rules, select them within a parameter validation rule. For details, see “config waf parameter-validation-rule”.
Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “config server-policy allow-hosts”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf input-rule
    edit <input-rule_name>
        set action {alert | alert_deny | redirect | send_403_forbidden | block-period}
        set block-period <seconds_int>
        set host <protected-host_name>
        set host-status {enable | disable}
        set request-file <url_str>
        set request-type {plain | regular}
        set severity {High | Medium | Low}
        set trigger <trigger-policy_name>
        config rule-list
            edit <entry_index>
                set type-checked {enable | disable}
                set argument-type {custom-data-type | data-type | regular-expression}
                set argument-name-type {plain | regular}
                set argument-name <input_name>
                set argument-expression <regex_pattern>
                set custom-data-type <custom-data-type_name>
                set data-type <predefined_name>
                set is-essential {yes | no}
                set max-length <limit_int>
            next
        end
    next
end
Variable
Description
Default
<input-rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
action {alert | alert_deny | redirect | send_403_forbidden | block-period}
Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
alert
block-period <seconds_int>
Type the number of seconds to block the source IP. The valid range is from 0 to 3,600 seconds.
This setting applies only if action is block-period.
60
host <protected-host_name>
Type the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 255 characters.
This setting applies only if host-status is enable.
No default.
host-status {enable | disable}
Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host <protected-host_name>.
Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.
disable
request-file <url_str>
Depending on your selection in request-type {plain | regular}, type either:
the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.
Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-host_name>. The maximum length is 255 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide.
No default.
request-type {plain | regular}
Select whether request-file <url_str> will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).
plain
severity {High | Medium | Low}
Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Low
trigger <trigger-policy_name>
Type the name of the trigger to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger ?
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
is-essential {yes | no}
Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no.
no
max-length <limit_int>
Type the maximum allowed length of the parameter value.
The valid range is from 0 to 1,024 characters. To disable the length limit, type 0.
0
type-checked {enable | disable}
Enable to use predefined or configured data types when validating parameters. Also configure data-type, custom-data-type, or argument-expression.
Disable to ignore data-type and custom-data-type settings.
enable
argument-type {custom-data-type | data-type | regular-expression}
Select which kind of check defines the valid values for this parameter: a custom data type (custom-data-type), a predefined data type (data-type), or a regular expression (argument-expression).
No default.
argument-name-type {plain | regular}
Specify one of the following options:
plain: argument-name is the name attribute of the parameter’s input tag, exactly as it appears in the form on the web page.
regular: argument-name is a regular expression designed to match the name attribute of the parameter’s input tag.
 
argument-name <input_name>
If argument-name-type is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 35 characters.
If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter’s input tag.
No default.
argument-expression <regex_pattern>
Type a regular expression that matches all valid values, and no invalid values, for this input.
The maximum length is 2,071 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported.
 
custom-data-type <custom-data-type_name>
Type the name of a custom data type, if any. The maximum length is 35 characters.
To display the list of custom data types, type:
set custom-data-type ?
This setting applies only if type-checked is enable.
No default.
data-type <predefined_name>
Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates).
To display available options, type:
set data-type ?
For match descriptions of each option, see “server-policy pattern data-type-group”.
Alternatively, configure argument-type {custom-data-type | data-type | regular-expression} to use a custom data type or a regular expression instead. This option is ignored if argument-type selects a custom data type or a regular expression; that selection also defines the parameters to which the input rule applies and supersedes this option.
No default.
Example
This example blocks and logs requests for the file named login.php that do not include both a user name and a password (both are required), or whose user name or password exceeds the 64-character limit.
config waf input-rule
    edit "input_rule1"
        set action alert_deny
        set request-file "/login.php?*"
        set request-type regular
        config rule-list
            edit 1
                set argument-name "username"
                set argument-type data-type
                set data-type Email
                set is-essential yes
                set max-length 64
            next
            edit 2
                set argument-name "password"
                set argument-type data-type
                set data-type String
                set is-essential yes
                set max-length 64
            next
        end
    next
end
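The following added Python model walks through how the example above is evaluated against a request: URL scope (request-type plain versus regular), the is-essential and max-length checks per rule-list entry, and the type check. It is illustrative code written for this page, not FortiWeb's implementation; the request-file regular expression ^/login\.php and the EMAIL_RE stand-in for the predefined Email data type are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed model of the page's example input rule (illustrative, not FortiWeb's
# code). EMAIL_RE stands in for the Email data type; the regex is an assumption.
EMAIL_RE = r"[^@\s]+@[^@\s]+\.[^@\s]+"

RULE = {
    "request_type": "regular", "request_file": r"^/login\.php",
    "host_status": False, "host": None, "action": "alert_deny",
    "rule_list": [
        {"name_type": "plain", "name": "username", "type_checked": True,
         "expression": EMAIL_RE, "is_essential": True, "max_length": 64},
        {"name_type": "plain", "name": "password", "type_checked": False,
         "expression": None, "is_essential": True, "max_length": 64},
    ],
}

def _match(kind, pattern, text):
    """plain = exact literal comparison; regular = regular expression search."""
    return text == pattern if kind == "plain" else re.search(pattern, text) is not None

def evaluate(rule, host, path, query):
    """Return the violations found in a form-encoded parameter string ([] = accepted)."""
    if rule["host_status"] and host != rule["host"]:
        return []                       # host-status enable: Host: must match
    if not _match(rule["request_type"], rule["request_file"], path):
        return []                       # URL outside this rule's scope
    params = parse_qs(query, keep_blank_values=True)
    violations = []
    for entry in rule["rule_list"]:
        values = [v for k, vs in params.items()
                  if _match(entry["name_type"], entry["name"], k) for v in vs]
        if not values:
            if entry["is_essential"]:   # is-essential yes: parameter required
                violations.append(f"{entry['name']}: missing")
            continue
        for v in values:
            # max-length 0 disables the length limit, as the page states
            if entry["max_length"] and len(v) > entry["max_length"]:
                violations.append(f"{entry['name']}: longer than {entry['max_length']}")
            # type-checked enable: the value must fully match the data-type pattern
            if entry["type_checked"] and entry["expression"] \
                    and not re.fullmatch(entry["expression"], v):
                violations.append(f"{entry['name']}: not a valid data type")
    return violations

def decide(rule, host, path, query):
    """Map the evaluation onto the rule's action: 'accept' or the action name."""
    return rule["action"] if evaluate(rule, host, path, query) else "accept"
```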
Related topics
config server-policy allow-hosts
config waf parameter-validation-rule