Alternatively, you can automatically configure a server protection rule that detects all attack types by generating a default auto-learning profile. For details, see the FortiWeb Administration Guide.
Variable | Description | Default |
<signature-set_name> | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: edit ? | No default. |
credit-card-detection-threshold <instances_int> | Type 0 to report every credit card number disclosure, or type a threshold so that a web page must contain at least that many credit card numbers before the credit card number detection feature triggers. For example, to ignore web pages with only one credit card number but detect web pages containing two or more, enter 2. The valid range is from 0 to 128 instances. | 0 |
custom-protection-group <group_name> | Type the name of the custom signature group to be used, if any. The maximum length is 35 characters. To display the list of existing custom signature groups, type: set custom-protection-group ? | No default. |
{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000} | Type the ID of a signature class (or, for subclass overrides, the subclass ID). To display the list of signature classes, type: edit ? | No default. |
action {alert | alert_deny | block-period | only_erase | alert_erase | redirect | send_403_forbidden} | Select which action the FortiWeb appliance will take when it detects a signature match. Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure. • alert — Accept the request and generate an alert email and/or log message. Note: Does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.) • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Otherwise every client appears to share the load balancer’s IP, and FortiWeb may block all connections when it detects a violation of this type. • only_erase — Hide sensitive information in replies from the web server (sometimes called “cloaking”). Block the reply or remove the sensitive information, but do not generate an alert email and/or log message. Caution: This option is not supported in offline protection mode. • alert_erase — Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message. Note: This option is not fully supported in offline protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased. • redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}. • send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. | alert |
block-period <seconds_int> | Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. The valid range is from 1 to 3,600. The setting is applicable only if action is block-period. Note: This is not a single setting. You can configure the block period separately for each signature category. | 60 |
severity {Low | Medium | High} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High Note: This is not a single setting. You can configure the severity separately for each signature category. | Medium |
trigger <trigger-policy_name> | Type the name of the trigger, if any, to apply when a protection rule is violated (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing triggers, type: set trigger ? Note: This is not a single setting. You can configure a different trigger for each signature category. | No default. |
<signature-id_str> | Type the ID of a specific signature that you want to disable. Some signatures often cause false positives and are disabled by default. To display a list, type: edit ? | No default. |
<entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 32. | No default. |
signature_id <signature-id_str> | Type the ID of a specific signature that you want to disable when the request matches a specific Host: name and/or URL. Also configure host <protected-hosts_name>, host-status {enable | disable}, type {plain | regular}, and request-file <url_str>. | No default. |
host <protected-hosts_name> | Type the name of a protected host that the Host: field of an HTTP request must match in order for this signature exception to apply. The maximum length is 255 characters. This setting applies only if host-status is enable. | No default. |
host-status {enable | disable} | Enable to apply this signature exception only to HTTP requests for specific web hosts. Also configure host <protected-hosts_name>. Disable to match the signature exception based upon the other criteria, such as the URL, regardless of the Host: field. | disable |
type {plain | regular} | Select whether request-file <url_str> will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). | plain |
request-file <url_str> | Depending on your selection in type {plain | regular}, type either: • the literal URL, such as /index.php, that the HTTP request must contain in order to match the signature exception. The URL must begin with a slash ( / ). • a regular expression, such as ^/.*\.php, matching all and only the URLs to which the signature exception should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-hosts_name>. The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide. | No default. |
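The following worked configuration is added here as an illustration of how the variables in the table fit together; it is not taken from Fortinet's documentation. The enclosing command (config waf signature) and the sub-table names main_class_list, disable_list and signature_disable_list are assumed from the way the variables are grouped above, so confirm them on your own appliance with ? before relying on them. The rule name, custom group name, trigger policy name, host name and URL pattern are made up, and <signature-id_str> is left as a placeholder because the page lists no specific signature IDs. Lines beginning with # are explanatory comments, not CLI.

```text
# Assumed top-level command; variables and their ranges are from the table above.
config waf signature
  edit "acme-app-signatures"
    # Report only when a response carries two or more card numbers (0 would report any).
    set credit-card-detection-threshold 2
    # Custom signature group name is an assumption.
    set custom-protection-group "acme-custom-sigs"

    # Per-class overrides (sub-table name assumed). Each class ID from "edit ?"
    # gets its own action, block-period, severity and trigger.
    config main_class_list
      edit 010000000
        # Blocking action: block-period must also be set, and if FortiWeb sits
        # behind a NAT load balancer, "waf x-forwarded-for" must identify the
        # original client IP, otherwise every client shares one blocked address.
        set action block-period
        set block-period 300
        set severity High
        set trigger "soc-pager"
      next
      edit 080000000
        # Cloak-and-log action. In offline protection mode this degrades to
        # alert and nothing is erased, so do not rely on it to scrub responses there.
        set action alert_erase
        set severity Medium
      next
      edit 030000000
        # Use alert (not alert_deny) for any class whose rule feeds an
        # auto-learning profile, so sessions are not reset mid-learning.
        set action alert
        set severity Low
      next
    end

    # Disable a noisy signature everywhere (sub-table name assumed).
    config disable_list
      edit "<signature-id_str>"
      next
    end

    # Disable the same signature only for one host and URL pattern
    # (sub-table name assumed). Index 1 of the 1..32 entries.
    config signature_disable_list
      edit 1
        set signature_id "<signature-id_str>"
        # host applies only while host-status is enable; host name is an assumption.
        set host-status enable
        set host "www.example.com"
        # Regular expression, matched against the path only (no host name),
        # and it must still match URLs that begin with a slash.
        set type regular
        set request-file "^/reports/.*\.php$"
      next
    end
  next
end
```

The exception entry is the narrow alternative to the global disable: prefer it when a signature misfires on one application path, and keep the global disable for signatures the table notes are off by default because of false positives. After applying a block-period action, confirm from a test client that a single violation blocks only that client and not every connection arriving through a load balancer.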