config : waf url-access url-access-rule
 
waf url-access url-access-rule
Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.
For example, access to the administrative panels of your web application should typically be allowed only if the client’s source IP address belongs to an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases the risk of compromise, and best practice is to minimize that risk.
To apply URL access rules, first group them within a URL access policy. For details, see “config waf url-access url-access-policy”.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see “config system snmp community”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf url-access url-access-rule
  edit <url-access-rule_name>
    set action {alert_deny | continue | pass}
    set host <protected-hosts_name>
    set host-status {enable | disable}
    set severity {Low | Medium | High}
    set trigger <trigger-policy_name>
    config match-condition
      edit <entry_index>
        set type {regular-expression | simple-string}
        set reverse-match {yes | no}
        set reg-exp <object_pattern>
        set sip-address-check {enable | disable}
        set sip-address-type {sdomain | sip}
        set sip-address-domain <fqdn_str>
        set sip-address-value <client_ip>
      next
    end
  next
end
Variable
Description
Default
<url-access-rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
action {alert_deny | continue | pass}
Select which action the FortiWeb appliance will take when a request matches the URL access rule.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
continue — Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile (see “debug flow trace”). If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages.
pass — Allow the request. Do not generate an alert and/or log message.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If an auto-learning profile will be selected in the policy with offline protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
alert
host <protected-hosts_name>
Type the name of the protected hosts entry that the Host: field of an HTTP request must match in order for the request to match the rule. The maximum length is 255 characters.
This setting is used only if host-status is enable.
No default.
host-status {enable | disable}
Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host <protected-hosts_name>.
disable
severity {Low | Medium | High}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a request violates this rule:
Low
Medium
High
No default.
trigger <trigger-policy_name>
Select which trigger policy, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a request that violates this rule (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger ?
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
reg-exp <object_pattern>
Depending on your selections in type {regular-expression | simple-string} and reverse-match {yes | no}, type a simple string or regular expression that defines either all matching or all non-matching URLs.
For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress and then, in reverse-match {yes | no}, select no.
The pattern is not required to begin with a slash ( / ). The maximum length is 255 characters.
Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.
No default.
reverse-match {yes | no}
Indicate how to use reg-exp <object_pattern> when determining whether or not this rule’s condition has been met.
no — If the simple string or regular expression does match the request URL, the condition is met.
yes — If the simple string or regular expression does not match the request URL, the condition is met.
The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
no
sip-address-check {enable | disable}
Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure sip-address-type {sdomain | sip} and either sip-address-domain <fqdn_str> or sip-address-value <client_ip>.
disable
sip-address-domain <fqdn_str>
Type the fully qualified domain name (FQDN) to which a client’s source IP address must reverse-resolve (via an rDNS query) in order to match.
This option appears only if sip-address-type {sdomain | sip} is sdomain.
No default.
sip-address-type {sdomain | sip}
Select how you want to define matching client source IPs, by either:
sip — Configure sip-address-value <client_ip>.
sdomain — Configure sip-address-domain <fqdn_str>.
sip
sip-address-value <client_ip>
Enter one of the following values:
• A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
• A range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200::10:100).
This option is available only if sip-address-type {sdomain | sip} is sip.
0.0.0.0
type {regular-expression | simple-string}
Select how to use the text in reg-exp <object_pattern> to determine whether or not a request URL meets the conditions for this rule.
simple-string — The text is a string that request URLs must match exactly.
regular-expression — The text is a regular expression that defines a set of matching URLs.
No default.
Example
This example defines two sets of URL access rules.
The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.
The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.
Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.
config waf url-access url-access-rule
  edit "Blocked URL"
    config match-condition
      edit 1
        set type simple-string
        set reg-exp "/admin.php"
      next
      edit 2
        set type regular-expression
        set reverse-match no
        set reg-exp "statistics.php*"
      next
    end
  next
  edit "Allowed URL"
    config match-condition
      edit 1
        set type regular-expression
        set reverse-match no
        set reg-exp "index.php*"
      next
    end
  next
end
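The following Python model is an added illustration, not FortiWeb code: it evaluates the two example rule sets above, plus an admin-panel rule of the kind the introduction describes, against sample request URLs and client source IPs using the match-condition semantics from the variable table. It assumes that a rule matches when any one of its match conditions matches and that a regular-expression pattern is searched anywhere in the URL unless anchored; the rule and condition names, and the sample IPs, are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class MatchCondition:            # one 'config match-condition' entry, per the variables above
    reg_exp: str
    type: str = "simple-string"          # or "regular-expression"
    reverse_match: bool = False          # 'yes' inverts the URL match
    sip_address_check: bool = False
    sip_address_value: str = "0.0.0.0"   # single address or "first-last" range

    def url_matches(self, url):
        if self.type == "simple-string":
            hit = url == self.reg_exp                       # exact match only
        else:
            hit = re.search(self.reg_exp, url) is not None  # unanchored search (assumption)
        return hit != self.reverse_match                    # reverse-match yes flips the result

    def sip_matches(self, client_ip):
        if not self.sip_address_check:
            return True
        first, _, last = self.sip_address_value.partition("-")
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last or first)
        return lo <= ipaddress.ip_address(client_ip) <= hi

    def matches(self, url, client_ip):
        return self.url_matches(url) and self.sip_matches(client_ip)

@dataclass
class UrlAccessRule:
    name: str
    action: str
    conditions: list = field(default_factory=list)

    def evaluate(self, url, client_ip):
        """Return the rule's action if any condition matches (assumption: any-of), else None."""
        return self.action if any(c.matches(url, client_ip) for c in self.conditions) else None

# The page's two example rule sets, plus an admin-panel rule of the kind the introduction motivates.
BLOCKED_URL = UrlAccessRule("Blocked URL", "alert_deny", [
    MatchCondition("/admin.php"),
    MatchCondition("statistics.php*", type="regular-expression")])
ALLOWED_URL = UrlAccessRule("Allowed URL", "pass", [
    MatchCondition("index.php*", type="regular-expression")])
ADMIN_FROM_MGMT = UrlAccessRule("Admin from mgmt", "pass", [
    MatchCondition("^/admin", type="regular-expression",
                   sip_address_check=True, sip_address_value="172.16.1.20")])
```

Running the model shows two things worth checking in any rule: the simple-string condition "/admin.php" does not match "/admin.php?x=1" because simple strings must match exactly, and the pattern "statistics.php*" also matches "/statistics.ph" because its dot is unescaped and "p*" allows zero p characters, so a pattern such as "^/statistics\.php" is the safer way to express the intent.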
Related topics
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection
config waf url-access url-access-policy