| Variable | Description | Default |
|---|---|---|
| <padding-oracle_rule_name> | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: edit ? | No default. |
| {alert \| alert_deny \| block-period} | Specify the action that FortiWeb takes when a request violates the rule: alert — Accept the request and generate an alert email and/or log message. alert_deny — Block the request (reset the connection) and generate an alert and/or log message. block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, define an X-header that indicates the original client's IP (see "waf x-forwarded-for"). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. Attack log messages contain Padding Oracle Attack when this feature detects a possible attack. Because this attack involves some repeated brute force, the attack log may not appear immediately, but should occur within 2 minutes, depending on your configured DoS alert interval. Caution: This setting is ignored if the value of monitor-mode is enabled. Note: Logging and/or alert email occur only when these features are enabled and configured. See "Logging" and "Alert email". Note: To use this rule set with auto-learning, select alert. If action is alert_deny or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the session information for auto-learning will be incomplete. | alert |
| <block-period_int> | Type the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule. This setting is available only if action is block-period. The valid range is from 1 to 4,294,967,295. | 1 |
| {High \| Medium \| Low} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Specify the severity level FortiWeb uses when it logs a violation of this rule. | Medium |
| <trigger-policy_name> | Type the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. See "config log trigger-policy". To display the list of existing triggers, type: set trigger ? | No default. |
| <entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
| host-status {enable \| disable} | Specify enable to apply this rule only to HTTP requests for specific web hosts. Also specify host. Specify disable to match the rule based on the other criteria, such as the URL, regardless of the Host: field. | disable |
| <host_str> | Specify the protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must match for the request to match the rule. This option is available only if the value of host-status is enabled. Maximum length is 255 characters. | No default. |
| {plain \| regular} | Specify how the value of protected-url is specified: plain — A literal URL. regular — A regular expression designed to match multiple URLs. | plain |
| <protected-url_str> | If the value of url-type is plain, specify the literal URL that HTTP requests matching the rule contain. For example: /profile.jsp The URL must begin with a slash ( / ). If the value of url-type is regular, specify a regular expression matching all and only the URLs to which the rule should apply. For example: `^/*\.jsp\?uid\=(.*)` The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /profile.cfm. Do not include the domain name, such as www.example.com, which is specified by host. Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide. | No default. |
| {cookie \| parameter \| url} | Specify which part of the client's request FortiWeb examines for padding oracle attack attempts: url — A URL (for example, the value embedded in the URL /user/0000012FE03BC2). parameter — A parameter (for example, user=0000012FE03BC2 in /index.php?user=0000012FE03BC2, or a parameter in a traditional GET or POST body). cookie — A cookie. | parameter |
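Added example, not FortiWeb's own code: a Python model of how a rule's scope settings (host-status, host, url-type, protected-url) and its action settings (alert, alert_deny, block-period with block-period seconds) combine on a stream of requests. The repeated-failure threshold and window, the comparison against a single host string, and the use of a padding-error reply from the backend as the detection signal are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class PaddingOracleRule:
    """Simplified model of one padding-oracle rule (illustration, not FortiWeb's logic)."""
    action: str = "alert"          # alert | alert_deny | block-period
    block_period: int = 1          # seconds; only used when action is block-period
    host_status: bool = False      # when True, only requests whose Host: equals `host` match
    host: str = ""
    url_type: str = "plain"        # plain | regular
    protected_url: str = "/"
    threshold: int = 10            # assumed: padding-error replies per client inside `window`
    window: int = 120              # assumed: seconds of per-client history kept
    _errors: dict = field(default_factory=lambda: defaultdict(deque), repr=False)
    _blocked: dict = field(default_factory=dict, repr=False)  # client -> block expiry time

    def matches(self, host: str, url: str) -> bool:
        """Is the request inside this rule's host/URL scope?"""
        if self.host_status and host != self.host:
            return False
        if self.url_type == "plain":               # literal path match, query string ignored
            return url.split("?", 1)[0] == self.protected_url
        return re.match(self.protected_url, url) is not None

    def decide(self, client: str, host: str, url: str, padding_error: bool, now: float) -> str:
        """Verdict for one request/response pair: accept, alert, deny or blocked."""
        until = self._blocked.get(client)
        if until is not None and now < until:
            return "blocked"                       # still inside an earlier block-period
        if not (padding_error and self.matches(host, url)):
            return "accept"
        hist = self._errors[client]
        hist.append(now)
        while hist and hist[0] < now - self.window:  # forget failures older than the window
            hist.popleft()
        if len(hist) < self.threshold:
            return "accept"                        # not yet enough repeated failures
        if self.action == "alert":
            return "alert"                         # request goes through, violation is logged
        if self.action == "alert_deny":
            return "deny"                          # this request is reset, no state kept
        self._blocked[client] = now + self.block_period
        return "deny"                              # and later requests are blocked until expiry
```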