| Variable | Description | Default |
|---|---|---|
| <url-access-rule_name> | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: edit ? | No default. |
| action {alert_deny \| continue \| pass} | Select which action the FortiWeb appliance will take when a request matches the URL access rule. • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • continue — Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile (see “debug flow trace”). If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages. • pass — Allow the request. Do not generate an alert and/or log message. Caution: This setting will be ignored if monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. | alert |
| host <protected-hosts_name> | Type the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 255 characters. This setting is used only if host-status is enable. | No default. |
| host-status {enable \| disable} | Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host <protected-hosts_name>. | disable |
| severity {Low \| Medium \| High} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers: • Low • Medium • High | No default. |
| trigger <trigger-policy_name> | Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? | No default. |
| <entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
| reg-exp <object_pattern> | Depending on your selection in type {regular-expression \| simple-string} and reverse-match {yes \| no}, type a simple string or a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes \| no}. For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes \| no}, select no. The pattern is not required to begin with a slash ( / ). The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes \| no}. | No default. |
| reverse-match {yes \| no} | Indicate how to use reg-exp <object_pattern> when determining whether or not this rule’s condition has been met. • no — If the simple string or regular expression does match the request URL, the condition is met. • yes — If the simple string or regular expression does not match the request URL, the condition is met. The effect is equivalent to preceding a regular expression with an exclamation point ( ! ). | no |
| sip-address-check {enable \| disable} | Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure sip-address-type {sdomain \| sip} and either sip-address-domain <fqdn_str> or sip-address-value <client_ip>. | disable |
| sip-address-domain <fqdn_str> | Type the fully qualified domain name (FQDN) that a client source IP must reverse resolve to (RDNS query) in order to match. This option appears only if sip-address-type {sdomain \| sip} is sdomain. | No default. |
| sip-address-type {sdomain \| sip} | Select how you want to define matching client source IPs, by either: • sdomain — A fully qualified domain name that the client source IP must reverse resolve to. Also configure sip-address-domain <fqdn_str>. • sip — A single IP address or a range of addresses. Also configure sip-address-value <client_ip>. | sip |
| sip-address-value <client_ip> | Enter one of the following values: • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20). • A range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). This option is available only if sip-address-type {sdomain \| sip} is sip. | 0.0.0.0 |
| type {regular-expression \| simple-string} | Select how to use the text in reg-exp <object_pattern> to determine whether or not a request URL meets the conditions for this rule. • simple-string — The text is a string that request URLs must match exactly. • regular-expression — The text is a regular expression that defines a set of matching URLs. | No default. |
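The following Python model is an added example, not FortiWeb's own code or part of this reference. It reproduces the match semantics the table describes (type simple-string versus regular-expression, reverse-match as the supported substitute for a leading "!", the optional Host: check, and sip-address-check against a single address or a start-end range) so that a reviewer can test which requests a planned rule entry would match before committing it. Two points are assumptions because the table does not state them: a rule is treated as matched when any one of its entries matches, and the "sdomain" check is modelled by passing in an already-resolved reverse-DNS name rather than performing the query.

```python
"""Model of a FortiWeb URL access rule's match conditions (added illustration).

Reproduces the documented field semantics; the any-entry-matches rule and the
pre-resolved RDNS name are assumptions, not documented behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class MatchCondition:
    """One <entry_index> entry of a URL access rule."""
    reg_exp: str
    type: str = "regular-expression"    # or "simple-string"
    reverse_match: str = "no"           # "yes" inverts the URL match result
    sip_address_check: str = "disable"
    sip_address_type: str = "sip"       # "sip" = address or range, "sdomain" = FQDN
    sip_address_value: str = "0.0.0.0"  # single IP or "start-end" range
    sip_address_domain: str = ""        # FQDN the client IP must reverse-resolve to


def url_matches(cond, url):
    """Apply type and reverse-match to the request URL."""
    if cond.type == "simple-string":
        hit = url == cond.reg_exp              # exact match, as documented
    else:
        if cond.reg_exp.startswith("!"):
            # The reference says a leading '!' is unsupported: reverse-match is the way to negate.
            raise ValueError("leading '!' is not supported; set reverse-match yes instead")
        hit = re.search(cond.reg_exp, url) is not None
    return (not hit) if cond.reverse_match == "yes" else hit


def source_ip_matches(cond, client_ip, rdns_name=None):
    """Apply sip-address-check; rdns_name is the assumed pre-resolved RDNS answer."""
    if cond.sip_address_check != "enable":
        return True                             # source IP is not a criterion
    if cond.sip_address_type == "sdomain":
        return rdns_name is not None and rdns_name.lower() == cond.sip_address_domain.lower()
    addr = ipaddress.ip_address(client_ip)
    if "-" in cond.sip_address_value:           # start-end range, IPv4 or IPv6
        lo, hi = (ipaddress.ip_address(p.strip()) for p in cond.sip_address_value.split("-", 1))
        return lo.version == addr.version and lo <= addr <= hi
    return addr == ipaddress.ip_address(cond.sip_address_value)


@dataclass
class UrlAccessRule:
    conditions: list = field(default_factory=list)
    host_status: str = "disable"
    host: str = ""                              # protected host name compared to Host:
    action: str = "alert_deny"


def evaluate(rule, url, host_header, client_ip, rdns_name=None):
    """Return the rule's action when the request matches, otherwise None.

    Assumption: the rule matches if any single entry matches.
    """
    if rule.host_status == "enable" and host_header.lower() != rule.host.lower():
        return None
    for cond in rule.conditions:
        if url_matches(cond, url) and source_ip_matches(cond, client_ip, rdns_name):
            return rule.action
    return None


def demo():
    """Constructed sample: block /wordpress admin paths unless the client is on the admin range."""
    rule = UrlAccessRule(
        conditions=[
            # Entry 1: any URL under /wordpress/wp-admin from outside the admin range.
            MatchCondition(reg_exp="^/wordpress/wp-admin"),
        ],
        host_status="enable",
        host="www.example.com",
        action="alert_deny",
    )
    allow_entry = MatchCondition(
        reg_exp="^/wordpress/wp-admin",
        sip_address_check="enable",
        sip_address_value="172.22.14.1-172.22.14.255",
    )
    return {
        "outsider_admin": evaluate(rule, "/wordpress/wp-admin/", "www.example.com", "203.0.113.5"),
        "other_host": evaluate(rule, "/wordpress/wp-admin/", "shop.example.com", "203.0.113.5"),
        "public_page": evaluate(rule, "/wordpress/2024/post", "www.example.com", "203.0.113.5"),
        "admin_range_hit": source_ip_matches(allow_entry, "172.22.14.100"),
        "admin_range_miss": source_ip_matches(allow_entry, "172.22.15.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the model raises on a pattern that starts with "!", it also catches the one syntax the reference explicitly rejects before the entry reaches the appliance.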