config : waf layer4-access-limit-rule
 
waf layer4-access-limit-rule
Use this command to limit the number of HTTP requests per second that your web server accepts from any single source IP address. FortiWeb counts the HTTP GET and POST requests from each source IP; when the count for an IP exceeds the request limit, FortiWeb performs the action you specified.
To apply this rule, include it in an application-layer DoS-prevention policy (see “waf application-layer-dos-prevention”) and include that policy in an inline protection profile.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf layer4-access-limit-rule
edit <rule_name>
set access-limit-standalone-ip <limit_int>
set access-limit-share-ip <limit_int>
set action {alert | alert_deny | block-period}
set real-browser-enforcement {enable | disable}
set block-period <seconds_int>
set severity {High | Medium | Low}
set trigger-policy <trigger-policy_name>
set validation-timeout <timeout_int>
 
next
end
Variable / Description / Default

<rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
Default: none.

access-limit-standalone-ip <limit_int>
Type the maximum number of HTTP requests allowed per second from a source IP address that represents a single client. The valid range is from 0 to 65,536.
Default: 0

access-limit-share-ip <limit_int>
Type the maximum number of HTTP requests allowed per second from a source IP address that is shared by multiple clients behind a network address translation (NAT) device, such as a firewall or router. The valid range is from 0 to 65,536.
Default: 0

action {alert | alert_deny | block-period}
Select one of the following actions that the FortiWeb appliance performs when the request count from a source IP exceeds the threshold that applies to it:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Otherwise every client behind the load balancer shares the balancer’s source IP, so a violation by one client can cause FortiWeb to block the connections of all of them.
Caution: This setting is ignored if monitor-mode {enable | disable} is enabled; FortiWeb then logs the violation but does not deny or block the request.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance blocks the request or resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert

real-browser-enforcement {enable | disable}
Enable to return JavaScript to the client when it exceeds the rate limit, to test whether it is a web browser or an automated tool.
If the client either fails the test or does not return results before the timeout specified by validation-timeout, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to exceed the rate limit.
Disable this option to apply the rate limit regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example, wget).
Default: disable

block-period <seconds_int>
Type the number of seconds to block access to the client. This applies only when the action setting is block-period. The valid range is from 0 to 10,000.
Default: 0

severity {High | Medium | Low}
Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Default: Medium

trigger-policy <trigger-policy_name>
Type the name of the trigger policy to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger-policy ?
Default: none.

validation-timeout <timeout_int>
Type the maximum amount of time that FortiWeb waits for the client’s results from the real-browser-enforcement test before applying the specified action.
 
Example
This example includes two rules. The first blocks the client for two minutes once it exceeds 10 requests per second; the second logs an alert with High severity and denies each request once the client exceeds 5 requests per second.
config waf layer4-access-limit-rule
edit "Web Portal HTTP Request Limit"
set access-limit-share-ip 10
set access-limit-standalone-ip 10
set action block-period
set block-period 120
set severity Medium
set trigger-policy "Web_Protection_Trigger"
next
edit "Online Store HTTP Request Limit"
set access-limit-share-ip 5
set access-limit-standalone-ip 5
set action alert_deny
set severity High
set trigger-policy "Web_Protection_Trigger"
next
end
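The following Python model is an added example, not FortiWeb code, included to make the behaviour of the settings above concrete. It counts GET/POST requests per source IP per second, picks the standalone or shared threshold, and implements the alert, alert_deny and block-period actions, the monitor-mode override, real-browser-enforcement and the X-Forwarded-For caveat from the action note, using the two rules from the example above as inputs. Everything beyond what the page states is an assumption and is marked as such in the comments: a fixed one-second window, the way an IP is classified as shared (passed in explicitly, since the page does not say how FortiWeb decides), the meaning of a threshold of 0 (rejected, since the page does not define it), and the JavaScript test (reduced to its outcome). All IP addresses and traffic are constructed.

```python
# Added example, not FortiWeb code: a model of the access-limit rule above.
# Assumptions (not stated on the page): one fixed one-second window per IP;
# shared-IP classification is passed in; a threshold of 0 is rejected; the
# JavaScript challenge is reduced to its outcome; all traffic is constructed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class AccessLimitRule:
    access_limit_standalone_ip: int
    access_limit_share_ip: int
    action: str = "alert"                # alert | alert_deny | block-period
    block_period: int = 0                # seconds; used only by block-period
    real_browser_enforcement: bool = False

    def __post_init__(self):
        if self.action not in ("alert", "alert_deny", "block-period"):
            raise ValueError(f"unknown action {self.action!r}")
        if min(self.access_limit_standalone_ip, self.access_limit_share_ip) <= 0:
            raise ValueError("this model only handles positive thresholds")

@dataclass
class Request:
    src_ip: str                          # address on the TCP connection
    time: float                          # seconds
    headers: dict = field(default_factory=dict)
    browser_verified: bool = False       # passed the JS test within validation-timeout

class AccessLimiter:
    def __init__(self, rule, shared_ips=(), use_x_forwarded_for=False, monitor_mode=False):
        self.rule = rule
        self.shared_ips = set(shared_ips)       # IPs judged by access-limit-share-ip
        self.use_xff = use_x_forwarded_for      # trust the X-header behind a NAT load balancer
        self.monitor_mode = monitor_mode        # log violations but never deny or block
        self.counts = defaultdict(int)          # (client_ip, second) -> requests seen
        self.blocked_until = {}                 # client_ip -> time the block-period ends
        self.log = []                           # (second, client_ip, action) violation records

    def client_ip(self, req):
        # Behind a NAT load balancer every connection carries the balancer's
        # address; without the X-header all clients share one counter.
        if self.use_xff and "X-Forwarded-For" in req.headers:
            return req.headers["X-Forwarded-For"].split(",")[0].strip()
        return req.src_ip

    def handle(self, req):
        """Return the verdict for one GET/POST: accepted, denied or blocked."""
        ip, sec = self.client_ip(req), int(req.time)
        if req.time < self.blocked_until.get(ip, 0.0):
            return "blocked"                    # still inside an earlier block-period
        self.counts[(ip, sec)] += 1
        limit = (self.rule.access_limit_share_ip if ip in self.shared_ips
                 else self.rule.access_limit_standalone_ip)
        if self.counts[(ip, sec)] <= limit:
            return "accepted"
        if self.rule.real_browser_enforcement and req.browser_verified:
            return "accepted"                   # a verified browser may exceed the limit
        self.log.append((sec, ip, self.rule.action))
        if self.monitor_mode or self.rule.action == "alert":
            return "accepted"                   # violation is logged only
        if self.rule.action == "alert_deny":
            return "denied"                     # this request only; nothing is remembered
        self.blocked_until[ip] = req.time + self.rule.block_period
        return "blocked"

def burst(limiter, ip, start, n, headers=None, spacing=0.01):
    """Send n requests from ip starting at `start`; return the verdicts."""
    return [limiter.handle(Request(ip, start + i * spacing, dict(headers or {})))
            for i in range(n)]

def demo():
    portal_rule = AccessLimitRule(10, 10, "block-period", 120)   # "Web Portal" rule
    store_rule = AccessLimitRule(5, 5, "alert_deny")              # "Online Store" rule
    portal, store = AccessLimiter(portal_rule), AccessLimiter(store_rule)
    # Without the X-header, two clients behind load balancer 198.51.100.1 share
    # one counter and the second client is blocked after only four requests.
    nat_bad = AccessLimiter(portal_rule)
    nat_ok = AccessLimiter(portal_rule, use_x_forwarded_for=True)
    via_a, via_b = {"X-Forwarded-For": "192.0.2.10"}, {"X-Forwarded-For": "192.0.2.20"}
    return {
        "portal": burst(portal, "203.0.113.5", 100.0, 12),
        "portal_t150": portal.handle(Request("203.0.113.5", 150.0)),   # inside block-period
        "portal_t221": portal.handle(Request("203.0.113.5", 221.0)),   # block-period over
        "store": burst(store, "203.0.113.9", 400.0, 7),
        "store_next_second": store.handle(Request("203.0.113.9", 401.0)),
        "nat_without_xff": burst(nat_bad, "198.51.100.1", 300.0, 8, via_a)
                           + burst(nat_bad, "198.51.100.1", 300.2, 4, via_b),
        "nat_with_xff": burst(nat_ok, "198.51.100.1", 300.0, 8, via_a)
                        + burst(nat_ok, "198.51.100.1", 300.2, 4, via_b),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block shows the difference between the two actions: alert_deny rejects only the requests above the threshold and the same client is served again in the next second, while block-period remembers the violation and refuses every request from that client until the period expires. The nat_without_xff case reproduces the failure mode from the action note: with the load balancer's address as the only key, the second client is blocked after four requests because the first client already consumed most of the shared budget.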
Related topics
config log trigger-policy
config waf application-layer-dos-prevention
config waf layer4-connection-flood-check-rule