waf web-protection-profile inline-protection
Use this command to configure inline protection profiles.
Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except offline protection.
To apply protection profiles, select them within a server policy. For details, see “config server-policy policy”.
Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
a parameter validation rule (see “config waf parameter-validation-rule”)
start pages (see “config waf start-pages”)
caching of back-end server responses (see “config waf web-cache-policy”)
a URL access policy (see “config waf url-access url-access-policy”)
a hidden field rule group (see “config waf hidden-fields-protection”)
a parameter restriction constraint (see “config waf http-protocol-parameter-restriction”)
an authentication policy and/or site publisher (see “config waf http-authen http-authen-policy” or “config waf site-publish-helper policy”)
a brute force login attack sensor (see “config waf brute-force-login”)
an allowed method exception (see “config waf allow-method-exceptions”)
a list of manually trusted and black-listed IPs, FortiGuard IP reputation category-based blacklisted IPs, and/or a geographically-based IP blacklist (see “config waf ip-intelligence”, “config waf ip-list” and “config waf geo-block-list”)
a page order rule (see “config waf page-access-rule”)
attack signatures (see “config waf signature”)
a file upload restriction policy (see “config waf file-upload-restriction-policy”)
a URL rewriting policy (see “config waf url-rewrite url-rewrite-policy”)
a DoS protection policy (see “config waf application-layer-dos-prevention”)
compression rules (see “config waf file-compress-rule”)
decompression rules (see “config waf file-uncompress-rule”)
a padding oracle protection rule, for web applications that selectively encrypt inputs with a block cipher without using HTTPS (see “config waf padding-oracle”)
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf web-protection-profile inline-protection
edit <inline-protection-profile_name>
set http-session-management {enable | disable}
set amf3-protocol-detection {enable | disable}
set xml-protocol-detection {enable | disable}
set malformed-xml-block-period <block-period_int>
set malformed-xml-check {enable | disable}
set malformed-xml-check-action {alert | alert_deny | block-period}
set malformed-xml-check-severity {High | Low | Medium}
set malformed-xml-check-trigger <trigger-policy_name>
[set allow-method-policy <policy_name>]
[set custom-access-policy <combo-access_name>]
[set brute-force-login <sensor_name>]
set cookie-poison {enable | disable}
set cookie-poison-action {alert | alert_deny | block-period | remove_cookie}
set cookie-poison-severity {High | Medium | Low}
[set cookie-poison-trigger <trigger-policy_name>]
set block-period <seconds_int>
[set file-upload-policy <policy_name>]
[set geo-block-list-policy <policy_name>]
[set hidden-fields-protection <group_name>]
[set http-authen-policy <policy_name>]
[set http-protocol-parameter-restriction <constraint_name>]
set http-session-timeout <seconds_int>
[set ip-list-policy <policy_name>]
[set known-search-engine {enable | disable}]
[set padding-oracle <rule_name>]
[set page-access-rule <rule_name>]
[set parameter-validation-rule <rule_name>]
[set redirect-url <redirect_fqdn>]
set signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}
set rdt-reason {enable | disable}
[set site-publisher-helper <policy_name>]
[set start-pages <rule_name>]
[set web-cache-policy <web-cache-policy_name>]
[set ip-intelligence {enable | disable}]
[set url-rewrite-policy <group_name>]
[set url-access-policy <policy_name>]
[set file-compress-rule <rule_name>]
[set file-uncompress-rule <rule_name>]
[set application-layer-dos-prevention <policy_name>]
set data-analysis {enable | disable}
set x-forwarded-for-rule <x-forwarded-for_name>
next
end
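The following is an added example, not text or code from the Fortinet reference. It is a small Python helper that renders an inline protection profile as CLI text in the syntax above and refuses combinations this page says are invalid or silently ineffective: names over 35 characters, block periods outside 1 to 3,600 seconds, a session timeout outside 20 to 3,600 seconds, malformed-xml-check without xml-protocol-detection, and start-pages, page-access-rule or hidden-fields-protection without http-session-management. The profile and rule names it uses (shop-inline, shop-start, shop-bfl) are constructed.

```python
"""Render a FortiWeb inline protection profile as CLI text, checking the
constraints documented on this page before the text is pasted into the CLI.

Added example, not Fortinet code.  Names such as "shop-inline" are constructed.
"""
from dataclasses import dataclass, field

MAX_NAME = 35                       # "The maximum length is 35 characters."
BLOCK_PERIOD_RANGE = (1, 3600)      # block-period and malformed-xml-block-period
SESSION_TIMEOUT_RANGE = (20, 3600)  # http-session-timeout
COOKIE_ACTIONS = ("alert", "alert_deny", "block-period", "remove_cookie")
XML_ACTIONS = ("alert", "alert_deny", "block-period")
# Settings that take effect only when http-session-management is enabled.
NEEDS_SESSION = ("start-pages", "page-access-rule", "hidden-fields-protection")


@dataclass
class InlineProfile:
    name: str
    signature_rule: str = "High Level Security"
    http_session_management: bool = False
    http_session_timeout: int = 1200
    cookie_poison: bool = False
    cookie_poison_action: str = "alert"
    block_period: int = 1
    xml_protocol_detection: bool = False
    malformed_xml_check: bool = False
    malformed_xml_check_action: str = "alert"
    malformed_xml_block_period: int = 60
    refs: dict = field(default_factory=dict)  # e.g. {"start-pages": "shop-start"}


def _in_range(label, value, bounds):
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{label}={value} is outside {lo}-{hi}")


def validate(p):
    """Raise ValueError for anything the CLI would reject or silently ignore."""
    for label, name in [("profile", p.name)] + list(p.refs.items()):
        if not 1 <= len(name) <= MAX_NAME:
            raise ValueError(f"{label} name must be 1-{MAX_NAME} characters")
    _in_range("http-session-timeout", p.http_session_timeout, SESSION_TIMEOUT_RANGE)
    _in_range("block-period", p.block_period, BLOCK_PERIOD_RANGE)
    _in_range("malformed-xml-block-period", p.malformed_xml_block_period, BLOCK_PERIOD_RANGE)
    if p.cookie_poison_action not in COOKIE_ACTIONS:
        raise ValueError("unknown cookie-poison-action")
    if p.malformed_xml_check_action not in XML_ACTIONS:
        raise ValueError("unknown malformed-xml-check-action")
    if p.malformed_xml_check and not p.xml_protocol_detection:
        raise ValueError("malformed-xml-check requires xml-protocol-detection enable")
    dependent = [k for k in NEEDS_SESSION if k in p.refs]
    if dependent and not p.http_session_management:
        raise ValueError(f"{dependent} require http-session-management enable")


def render(p):
    """Return the 'config waf web-protection-profile inline-protection' block."""
    validate(p)
    sw = {True: "enable", False: "disable"}
    out = ["config waf web-protection-profile inline-protection",
           f'    edit "{p.name}"',
           f"        set http-session-management {sw[p.http_session_management]}"]
    if p.http_session_management:
        out.append(f"        set http-session-timeout {p.http_session_timeout}")
    out.append(f"        set xml-protocol-detection {sw[p.xml_protocol_detection]}")
    out.append(f"        set malformed-xml-check {sw[p.malformed_xml_check]}")
    if p.malformed_xml_check:
        out.append(f"        set malformed-xml-check-action {p.malformed_xml_check_action}")
        if p.malformed_xml_check_action == "block-period":
            out.append(f"        set malformed-xml-block-period {p.malformed_xml_block_period}")
    out.append(f"        set cookie-poison {sw[p.cookie_poison]}")
    if p.cookie_poison:
        out.append(f"        set cookie-poison-action {p.cookie_poison_action}")
        if p.cookie_poison_action == "block-period":
            out.append(f"        set block-period {p.block_period}")
    out.append(f'        set signature-rule "{p.signature_rule}"')
    for key, name in sorted(p.refs.items()):
        out.append(f'        set {key} "{name}"')
    out += ["    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(InlineProfile(
        name="shop-inline", http_session_management=True,
        cookie_poison=True, cookie_poison_action="block-period", block_period=60,
        xml_protocol_detection=True, malformed_xml_check=True,
        malformed_xml_check_action="alert_deny",
        refs={"start-pages": "shop-start", "brute-force-login": "shop-bfl"})))
```

The helper deliberately emits dependent settings only when their parent is enabled, so a reviewer reading the generated block sees the same dependencies the variable table below documents rather than a flat dump of every option.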
Variable
Description
Default
<inline-protection-profile_name>
Type the name of the inline protection profile. The maximum length is 35 characters.
To display the list of existing profiles, type:
edit ?
No default.
allow-method-policy <policy_name>
Type the name of an allowed method policy. See “config waf allow-method-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set allow-method-policy ?
No default.
amf3-protocol-detection {enable | disable}
Enable to scan requests that use Action Message Format 3.0 (AMF3) for:
cross-site scripting (XSS) attacks
SQL injection attacks
common exploits
AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software.
Caution: Attack signatures and input rules are applied to AMF3 requests only when this option is enabled; otherwise FortiWeb cannot scan AMF3 requests for attacks.
disable
xml-protocol-detection {enable | disable}
Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX) and other XML submitted by clients in the bodies of HTTP POST requests.
disable
malformed-xml-block-period <block-period_int>
Type the length of time that FortiWeb blocks XML traffic that contains malformed XML, in seconds.
The valid range is from 1 to 3,600 seconds.
60
malformed-xml-check {enable | disable}
Enable to validate that the XML elements and attributes in the request body conform to the W3C XML 1.0 and/or XML 1.1 standards. Malformed XML, such as a closing tag without the final > or with a doubled >>, is often an attempt to exploit an unhandled error condition in a web application’s XHTML or XML parser.
This feature applies only when xml-protocol-detection is enabled. Attack log messages contain Illegal XML Format when this feature detects malformed XML.
disable
malformed-xml-check-action {alert | alert_deny | block-period}
Specify the action that FortiWeb takes when it detects a request that contains malformed XML:
alert — Accept the request and generate an alert email, a log message, or both.
alert_deny — Block the request and generate an alert email, a log message, or both.
block-period — Block the XML traffic for a number of seconds. Also configure malformed-xml-block-period <block-period_int>.
alert
malformed-xml-check-severity {High | Low | Medium}
Select the severity level to use in logs and reports generated when illegal XML formats are detected.
High
malformed-xml-check-trigger <trigger-policy_name>
Type the name of the trigger to apply when illegal XML formats are detected (see “config log trigger-policy”).
The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set malformed-xml-check-trigger ?
No default.
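As an added illustration (not FortiWeb code) of what the malformed-xml-check settings above do together, the Python below runs a strict well-formedness parse over constructed POST bodies, including the two shapes the description names (a missing final > and a doubled >>), and applies the three actions, keeping the per-client timer that block-period implies. Treating any request whose Content-Type mentions xml as in scope for xml-protocol-detection is an assumption of the example, as are the client addresses; the log text Illegal XML Format is the one this page documents. Entity declarations are refused so that the well-formedness probe cannot itself be turned into an entity-expansion denial of service.

```python
"""Well-formedness check for XML request bodies with the alert / alert_deny /
block-period actions this page describes.

Added example, not FortiWeb code.  Sample bodies are constructed.  Scoping the
check by Content-Type is an assumption made for the example."""
from xml.parsers import expat


class _EntityRejected(Exception):
    """Raised to stop the parser at any entity declaration."""


def _reject_entity(*_):
    raise _EntityRejected


def is_well_formed(body):
    """True if body is well-formed XML.  Entity declarations are refused so the
    probe cannot be abused for entity-expansion attacks against the checker."""
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(body, True)      # True: this is the whole document
        return True
    except (expat.ExpatError, _EntityRejected):
        return False


class MalformedXmlCheck:
    def __init__(self, action="alert", severity="High", block_period=60):
        if action not in ("alert", "alert_deny", "block-period"):
            raise ValueError(action)
        if not 1 <= block_period <= 3600:
            raise ValueError("malformed-xml-block-period must be 1-3600")
        self.action, self.severity, self.block_period = action, severity, block_period
        self.blocked_until = {}   # client -> time at which the block lapses
        self.attack_log = []

    def inspect(self, client, content_type, body, now):
        """Return pass, alert, deny or blocked for one request body."""
        if self.blocked_until.get(client, 0) > now:
            return "blocked"
        if "xml" not in content_type.lower():   # assumption: xml-protocol-detection scope
            return "pass"
        if is_well_formed(body):
            return "pass"
        self.attack_log.append({"time": now, "client": client,
                                "severity": self.severity,
                                "message": "Illegal XML Format"})
        if self.action == "alert":
            return "alert"
        if self.action == "alert_deny":
            return "deny"
        self.blocked_until[client] = now + self.block_period
        return "blocked"


# Constructed sample bodies: the first is fine, the other two are the shapes
# the description mentions (missing final ">" and a doubled ">>").
SAMPLES = {
    "ok":          b"<order><id>7</id></order>",
    "no_final_gt": b"<order><id>7</id></order",
    "double_gt":   b"<order><id>7</id></order>>",
}

if __name__ == "__main__":
    chk = MalformedXmlCheck(action="block-period", block_period=60)
    for name, body in SAMPLES.items():
        print(name, chk.inspect("10.0.0.9", "application/xml", body, now=0))
```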
custom-access-policy <combo-access_name>
Type the name of a custom access policy. See “config waf custom-access policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set custom-access-policy ?
No default.
brute-force-login <sensor_name>
Type the name of a brute force login attack sensor. See “config waf brute-force-login”. The maximum length is 35 characters.
To display the list of existing sensors, type:
set brute-force-login ?
No default.
cookie-poison {enable | disable}
Enable to detect cookie poisoning.
When enabled, each cookie set by the web server is accompanied by a companion cookie named <cookie_name>_fortinet_waf_auth, which carries a digest of the cookie’s original value. If the cookie value the client returns does not match this digest, the FortiWeb appliance detects cookie poisoning.
disable
cookie-poison-action {alert | alert_deny | block-period | remove_cookie}
Select one of the following actions that the FortiWeb appliance will perform when it detects cookie poisoning:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
remove_cookie — Accept the request, but remove the poisoned cookie from it before it reaches the web server, and generate an alert and/or log message.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
No default.
cookie-poison-severity {High | Medium | Low}
Select the severity level to use in logs and reports generated when cookie poisoning is detected.
High
block-period <seconds_int>
Type the number of seconds to block a connection when cookie-poison-action is set to block-period. The valid range is from 1 to 3,600 seconds.
1
cookie-poison-trigger <trigger-policy_name>
Type the name of the trigger to apply when cookie poisoning is detected (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set cookie-poison-trigger ?
No default.
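The mechanism the cookie-poison entries above describe, as an added model that is not FortiWeb’s implementation: on the response path every Set-Cookie from the origin gets a companion <cookie_name>_fortinet_waf_auth cookie carrying a digest of the original value, and on the request path a value that no longer matches its companion is poisoning, handled according to cookie-poison-action and block-period. The page says only “digest”; using a keyed HMAC, the key, the client addresses and the cookie values are assumptions of the example, as is forwarding the request with only the poisoned cookie stripped for remove_cookie.

```python
"""Model of FortiWeb's cookie-poisoning check and its four actions.

Added example, not FortiWeb code.  Assumptions: the companion cookie holds a
keyed HMAC (the page says only "digest"), the key is held by the appliance, and
the addresses and cookie values below are constructed."""
import hashlib
import hmac

SUFFIX = "_fortinet_waf_auth"
KEY = b"constructed-demo-key"      # assumption: a secret the appliance holds


def digest(name, value, key=KEY):
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def protect_set_cookie(set_cookie):
    """Response path: return the origin's Set-Cookie plus its companion cookie."""
    name, _, value = set_cookie.split(";", 1)[0].partition("=")
    name, value = name.strip(), value.strip()
    companion = f"{name}{SUFFIX}={digest(name, value)}; Path=/; HttpOnly"
    return [set_cookie, companion]


def parse_cookie_header(cookie_header):
    jar = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.strip()] = value.strip()
    return jar


def check_request_cookies(cookie_header):
    """Request path: (cookie name, verdict) for every cookie that is not a companion."""
    jar = parse_cookie_header(cookie_header)
    verdicts = []
    for name, value in jar.items():
        if name.endswith(SUFFIX):
            continue
        expected = jar.get(name + SUFFIX)
        if expected is None:
            verdicts.append((name, "unprotected"))   # never set through the WAF
        elif hmac.compare_digest(expected.encode(), digest(name, value).encode()):
            verdicts.append((name, "ok"))
        else:
            verdicts.append((name, "poisoned"))
    return verdicts


class CookiePoisonEnforcer:
    def __init__(self, action, block_period=1):
        if action not in ("alert", "alert_deny", "block-period", "remove_cookie"):
            raise ValueError(action)
        if not 1 <= block_period <= 3600:
            raise ValueError("block-period must be 1-3600 seconds")
        self.action, self.block_period = action, block_period
        self.blocked_until = {}     # client -> time at which the block lapses

    def handle(self, client, cookie_header, now):
        """Return (verdict, Cookie header to forward to the origin)."""
        if self.blocked_until.get(client, 0) > now:
            return "blocked", cookie_header
        poisoned = {n for n, v in check_request_cookies(cookie_header) if v == "poisoned"}
        if not poisoned:
            return "pass", cookie_header
        if self.action == "alert":
            return "alert", cookie_header
        if self.action == "alert_deny":
            return "deny", cookie_header
        if self.action == "block-period":
            self.blocked_until[client] = now + self.block_period
            return "blocked", cookie_header
        # remove_cookie: forward the request with the poisoned cookie(s) stripped.
        kept = [f"{n}={v}" for n, v in parse_cookie_header(cookie_header).items()
                if n not in poisoned]
        return "alert", "; ".join(kept)


if __name__ == "__main__":
    set_cookie, companion = protect_set_cookie("sessionid=abc123; Path=/; HttpOnly")
    auth = companion.split(";")[0]
    print(check_request_cookies(f"sessionid=abc123; {auth}"))   # ok
    print(check_request_cookies(f"sessionid=admin; {auth}"))    # poisoned
```

Note what the model makes visible: the check is per cookie and stateless except for the block-period timer, so a block-period action keyed on the client address is exactly where the X-Forwarded-For caveat above bites, since behind a source-NAT load balancer every client shares one key in blocked_until.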
file-upload-policy <policy_name>
Type the name of a file upload restriction policy to use, if any. See “config waf file-upload-restriction-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set file-upload-policy ?
No default.
geo-block-list-policy <policy_name>
Type the name of a geographically-based client IP black list that you want to apply, if any. See “config waf geo-block-list”. The maximum length is 35 characters.
To display the list of existing policies, type:
set geo-block-list-policy ?
No default.
hidden-fields-protection <group_name>
Type the name of a hidden field rule group that you want to apply, if any. See “config waf hidden-fields-protection”. The maximum length is 35 characters.
To display the list of existing groups, type:
set hidden-fields-protection ?
No default.
http-authen-policy <policy_name>
Type the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. See “config waf http-authen http-authen-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set http-authen-policy ?
If the HTTP client fails to authenticate, it receives an HTTP 403 (Forbidden) error message.
No default.
http-protocol-parameter-restriction <constraint_name>
Type the name of an HTTP protocol constraint that you want to apply, if any. See “config waf http-protocol-parameter-restriction”. The maximum length is 35 characters.
To display the list of existing constraints, type:
set http-protocol-parameter-restriction ?
No default.
http-session-management {enable | disable}
Enable to add an implementation of HTTP sessions, and track their states, using a cookie such as cookiesession1. Also configure http-session-timeout <seconds_int>.
Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features.
For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again.
The session management feature provides such FortiWeb session support.
This feature requires that the client support cookies.
Note: You must enable this option:
to enforce the start page rule, page access rule, and hidden fields rule, if any of those are selected.
if you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see “config log attack-log” and “config log memory”.
disable
http-session-timeout <seconds_int>
Type the HTTP session timeout in seconds. The valid range is from 20 to 3,600 seconds.
This setting is available only if http-session-management is enabled.
1200
ip-list-policy <policy_name>
Type the name of a trusted IP or blacklisted IP policy. See “config waf ip-list”. The maximum length is 35 characters.
To display the list of existing policies, type:
set ip-list-policy ?
No default.
known-search-engine {enable | disable}
Enable to exempt the robots, spiders, and web crawlers of popular search engines from DoS sensors, brute force login sensors, HTTP protocol constraints, and combination rate & access control (called “advanced protection” and “custom policies” in the web UI), according to your settings in the global list.
This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that would be suspicious for web browsers are often normal for search engines; blocking them can affect your web sites’ rankings and visibility.
By default, this option exempts all popular predefined search engines. Known search engine indexer source IPs are updated via the FortiGuard Security Service. To specify which search engines are exempt, enable or disable each search engine in “config server-policy pattern custom-global-white-list-group”.
Note: X-header-derived client source IPs (see “waf x-forwarded-for”) do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature will not work.
disable
padding-oracle <rule_name>
Type the name of a padding oracle protection rule. See “config waf padding-oracle”. The maximum length is 35 characters.
To display the list of existing rules, type:
set padding-oracle ?
No default.
page-access-rule <rule_name>
Type the name of a page order rule. See “config waf page-access-rule”. The maximum length is 35 characters.
To display the list of existing rules, type:
set page-access-rule ?
No default.
parameter-validation-rule <rule_name>
Type the name of a parameter validation rule. See “config waf parameter-validation-rule”. The maximum length is 35 characters.
To display the list of existing rules, type:
set parameter-validation-rule ?
No default.
redirect-url <redirect_fqdn>
Type a URL including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile.
For example, you could enter www.example.com/products/.
If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance logs the violation, may attempt to remove the offending parts, and either resets the connection or returns an HTTP 403 (Forbidden) or 404 (Not Found) error message.
The maximum length is 255 characters.
No default.
signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}
Specify a signature policy to include in the profile (see “config waf signature”).
The maximum length is 35 characters.
To display the list of existing rules, type:
set signature-rule ?
The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see “config waf signature”.
No default.
rdt-reason {enable | disable}
Enable to include the reason for URL redirection as a parameter in the URL, such as reason=DETECT_PARAM_RULE_FAILED, when traffic has been redirected using redirect-url <redirect_fqdn>. The FortiWeb appliance also adds fortiwaf=1 to the URL to detect and cancel a redirect loop (when the redirect action recursively triggers an attack event).
Caution: If you specify a redirect URL that is protected by the FortiWeb appliance, you should enable this option to prevent infinite redirect loops.
No default.
site-publisher-helper <policy_name>
Type the name of a site publishing policy, if any, that will be applied to matching HTTP requests. See “config waf site-publish-helper policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set site-publisher-helper ?
If the HTTP client fails to authenticate, it receives an HTTP 403 (Forbidden) error message.
No default.
start-pages <rule_name>
Type the name of a start page rule. See “config waf start-pages”. The maximum length is 35 characters.
To display the list of existing rules, type:
set start-pages ?
This setting is available only if http-session-management is enabled.
No default.
web-cache-policy <web-cache-policy_name>
Type the name of content caching policy. See “config waf web-cache-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set web-cache-policy ?
No default.
ip-intelligence {enable | disable}
Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in config waf ip-intelligence.
disable
url-rewrite-policy <group_name>
Type the name of a URL rewriting policy, if any, that will be applied to matching HTTP requests. See “config waf url-rewrite url-rewrite-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set url-rewrite-policy ?
No default.
url-access-policy <policy_name>
Type the name of a url access policy. See “config waf url-access url-access-policy”. The maximum length is 35 characters.
To display the list of existing policies, type:
set url-access-policy ?
No default.
file-compress-rule <rule_name>
Type the name of an existing file compression rule to use with this profile, if any. See “config waf file-compress-rule”. The maximum length is 35 characters.
To display the list of existing rules, type:
set file-compress-rule ?
No default.
file-uncompress-rule <rule_name>
Type the name of an existing file uncompression rule to use with this profile, if any. See “config waf file-uncompress-rule”. The maximum length is 35 characters.
To display the list of existing rules, type:
set file-uncompress-rule ?
No default.
application-layer-dos-prevention <policy_name>
Type the name of an existing DoS protection policy to use with this profile, if any. See “config waf application-layer-dos-prevention”. The maximum length is 35 characters.
To display the list of existing policies, type:
set application-layer-dos-prevention ?
No default.
data-analysis {enable | disable}
Enable this to collect data for servers covered by this profile. To view the statistics for collected data, in the web UI, go to Log&Report > Monitor > Data Analytics.
disable
x-forwarded-for-rule <x-forwarded-for_name>
Specify the name of a rule that configures FortiWeb’s use of the X-Forwarded-For: and X-Real-IP: headers to determine the original client IP (see “waf x-forwarded-for”).
No default.
Related topics
config log trigger-policy
config server-policy pattern custom-global-white-list-group
config server-policy policy
config waf signature
config waf start-pages
config waf padding-oracle
config waf page-access-rule
config waf parameter-validation-rule
config waf http-protocol-parameter-restriction
config waf url-access url-access-policy
config waf allow-method-exceptions
config waf application-layer-dos-prevention
config waf file-compress-rule
config waf file-uncompress-rule
config waf brute-force-login
config waf geo-block-list
config waf hidden-fields-protection
config waf http-authen http-authen-policy
config waf ip-intelligence
config waf ip-list
config waf web-cache-exception
config waf web-cache-policy