Variable | Description | Default |
<offline-protection-profile_name> | Type the name of the offline protection profile. The maximum length is 35 characters. To display the list of existing profile, type: edit ? | No default. |
allow-method-policy <policy_name> | Type the name of an allowed method policy. See “config waf allow-method-policy”. The maximum length is 35 characters. To display the list of existing policies, type: set allow-method-policy ? | No default. |
amf3-protocol-detection {enable | disable} | Enable to be able to scan requests that use action message format 3.0 (AMF3) for • cross-site scripting (XSS) attacks • SQL injection attacks • common exploits if you have enabled those in the set of signatures specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}. AMF3 is a binary format that can be used by Adobe Flash clients to send input to server-side software. Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option makes the FortiWeb appliance unable to scan AMF3 requests for attacks. | disable |
xml-protocol-detection {enable | disable} | Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX) and other XML submitted by clients in the bodies of HTTP POST requests. | disable |
malformed-xml-block-period <block-period_int> | Type the length of time that FortiWeb blocks XML traffic that contains malformed XML, in seconds. The valid range is from 1 to 3,600 seconds. | 60 |
malformed-xml-check {enable | disable} | Enable to validate that XML elements and attributes in the request’s body conforms to the W3C XML 1.1 and/or XML 2.0 standards.Malformed XML, such as without the final > or with multiple >> in the closing tag, is often an attempt to exploit an unhandled error condition in a web application’s XHTML or XML parser. This feature is applicable only when xml-protocol-detection is enable. Attack log messages contain Illegal XML Format when this feature detects malformed XML. | disable |
malformed-xml-check-action {alert | alert_deny | block-period} | Specify the action that FortiWeb takes when it detects a request that contains malformed XML: • alert — Accept the request and generate an alert email, a log message, or both. • alert_deny — Block the request and generate an alert email, a log message, or both. • block-period — Block the XML traffic for a number of seconds. Also configure malformed-xml-block-period <block-period_int>. | alert |
malformed-xml-check-severity {High | Low | Medium} | Select the severity level to use in logs and reports generated when illegal XML formats are detected. | High |
malformed-xml-check-trigger <trigger-policy_name> | Type the name of the trigger to apply when illegal XML formats are detected (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? | No default. |
file-upload-policy <policy_name> | Type the name of a file upload restriction policy. See “config waf file-upload-restriction-policy”. The maximum length is 35 characters. To display the list of existing policy, type: set file-upload-policy ? | No default. |
geo-block-list-policy <policy_name> | Type the name of a geographically-based client IP black list that you want to apply, if any. See “config waf geo-block-list”. The maximum length is 35 characters. To display the list of existing group, type: set geo-block-list-policy ? | No default. |
http-session-keyword <key_str> | If you want to use an HTTP header other than Session-Id: to track separate HTTP sessions, enter the key portion of the HTTP header that you want to use, such as Session-Num. The maximum length is 35 characters. | No default. |
http-session-management {enable | disable} | Enable to track the states of HTTP sessions. Also configure http-session-timeout <seconds_int>. Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features. For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again. The session management feature provides such FortiWeb session support. Note: This feature requires that the client support cookies. Note: You must enable this option if you want to include this profile’s traffic in the traffic log, in addition to enabling traffic logs in general. For more information, see “config log attack-log” and “config log memory”. | disable |
http-session-timeout <seconds_int> | Type the HTTP session timeout in seconds. The valid range is from 20 to 3,600 seconds. This setting is available only if http-session-management is enabled. | 1200 |
ip-list-policy <policy_name> | Type the name of a trusted IP or blacklisted IP policy. See “config waf ip-list”. The maximum length is 35 characters. To display the list of existing policy, type: set ip-list-policy ? | No default. |
ip-intelligence {enable | disable} | Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in config waf ip-intelligence. | disable |
known-search-engine {enable | disable} | Enable to allow or block predefined search engines, robots, spiders, and web crawlers according to your settings in the global list. | disable |
padding-oracle <rule_name> | Type the name of a padding oracle protection rule. See “config waf padding-oracle”. The maximum length is 35 characters. To display the list of existing rule, type: set padding-oracle ? | No default. |
parameter-validation-rule <rule_name> | Type the name of a parameter validation rule. See “config waf parameter-validation-rule”. The maximum length is 35 characters. To display the list of existing rule, type: set parameter-validation-rule ? | No default. |
url-access-policy <policy_name> | Type the name of a URL access policy. See “config waf url-access url-access-policy”. The maximum length is 35 characters. To display the list of existing policy, type: set url-access-policy ? | No default. |
signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>} | Specify a signature policy to include in the profile (see “config waf signature”). The maximum length is 35 characters. To display the list of existing rules, type: set server-protection-rule ? The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see “config waf signature”. | No default. |
http-authen-policy <http-auth_name> | Type the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. See “config waf http-authen http-authen-policy”. The maximum length is 35 characters. To display the list of existing policies, type: set http-authent-policy ? If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message. | No default. |
hidden-fields-protection <group_name> | Type the name of a hidden field rule group that you want to apply, if any. See “config waf hidden-fields-protection”. The maximum length is 35 characters. To display the list of existing group, type: set hidden-fields-protection ? | No default. |
http-protocol-parameter-restriction <constraint_name> | Type the name of an HTTP protocol constraint that you want to apply, if any. See “config waf http-protocol-parameter-restriction”. The maximum length is 35 characters. To display the list of existing constraint, type: set http-protocol-parameter-restriction ? | No default. |
file-uncompress-rule <rule_name> | Type the name of an existing file decompression rule to use with this profile, if any. See “config waf file-uncompress-rule”. The maximum length is 35 characters. To display the list of existing rule, type: set file-uncompress-rule ? | No default. |
brute-force-login <sensor_name> | Type the name of a brute force login attack sensor. See “config waf brute-force-login”. The maximum length is 35 characters. To display the list of existing sensor, type: edit ? | No default. |
custom-access-policy <combo-access_name> | Type the name of a custom access policy. See “config waf custom-access policy”. The maximum length is 35 characters. To display the list of existing policies, type: set custom-access-policy ? | No default. |
data-analysis {enable | disable} | Enable this to collect data for servers covered by this profile. To view the statistics for collected data, in the web UI, go to Log&Report > Monitor > Data Analytics. | disable |
x-forwarded-for-rule <x-forwarded-for_name> | Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP (see “waf x-forwarded-for”). | No default. |