Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide.
| Variable | Description | Default |
| --- | --- | --- |
| `<hidden-field-rule_name>` | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: `edit ?` | No default. |
| `action {alert \| alert_deny \| redirect \| block-period \| send_403_forbidden}` | Select one of the following actions that the FortiWeb appliance performs when an HTTP request violates one of the hidden field rules in the entry: • `alert` — Accept the request and generate an alert email and/or log message. • `alert_deny` — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • `block-period` — Block subsequent requests from the client for a number of seconds. Also configure `block-period <seconds_int>`. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. • `redirect` — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure `redirect-url <redirect_fqdn>` and `rdt-reason {enable \| disable}`. • `send_403_forbidden` — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message. Caution: This setting is ignored if `monitor-mode {enable \| disable}` is enabled. Note: Logging and/or alert email occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If you select an auto-learning profile with this rule, you should select `alert`. If the action is `alert_deny`, for example, the FortiWeb appliance blocks the request or resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. | `alert` |
| `block-period <seconds_int>` | If `action` is `block-period`, type the number of seconds that the connection will be blocked. The valid range is from 1 to 3,600 seconds. | 0 |
| `host <protected-hosts_name>` | Type the name of a protected host; the `Host:` field of an HTTP request must match it for the rule to apply. The maximum length is 255 characters. This setting applies only if `host-status` is `enable`. | No default. |
| `host-status {enable \| disable}` | Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure `host <protected-hosts_name>`. Disable to match the input rule based on the other criteria, such as the URL, regardless of the `Host:` field. | `disable` |
| `request-file <url_str>` | Type the literal URL, such as `/login.jsp`, that contains the hidden form. The URL must begin with a slash ( / ). Do not include the name of the web host, such as `www.example.com`, which is configured separately in `host <protected-hosts_name>`. Regular expressions are not supported. The maximum length is 255 characters. | No default. |
| `action-url0 <url_str>` | Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. | No default. |
| `action-url1 <url_str>` | | |
| `action-url2 <url_str>` | | |
| `action-url3 <url_str>` | | |
| `action-url4 <url_str>` | | |
| `action-url5 <url_str>` | | |
| `action-url6 <url_str>` | | |
| `action-url7 <url_str>` | | |
| `action-url8 <url_str>` | | |
| `action-url9 <url_str>` | | |
| `severity {High \| Medium \| Low}` | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | `High` |
| `trigger <trigger-policy_name>` | Type the name of the trigger policy to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: `set trigger ?` | No default. |
| `<entry_index>` | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
| `argument <hidden-field_str>` | Type the name of the hidden form input, such as `languagepref`. The maximum length is 35 characters. | No default. |
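The following is an added configuration example, not taken from the FortiWeb CLI Reference or the vendor's own documentation, that puts the variables in the table above together into one rule: the login page at `/login.jsp` carries a hidden input `languagepref`, the form may only be posted to two action URLs, the rule is limited to one protected host, and a violation is blocked with `alert_deny` rather than `block-period` so that the NAT/`waf x-forwarded-for` caveat does not apply. The command path `config waf hidden-fields-rule`, the sub-table name `hidden-field-name`, and the rule, host and trigger-policy names are assumptions; the `#` lines are editorial notes and are not FortiWeb CLI syntax.

```text
# ASSUMED command path; check "config waf ?" on the appliance
config waf hidden-fields-rule
  # ASSUMED rule name (max 35 characters)
  edit "login-hidden-fields"
    # Restrict the rule to one protected host (ASSUMED name of an
    # existing protected-hosts entry); host is ignored unless
    # host-status is enable
    set host-status enable
    set host "www.example.com"
    # Page that serves the form; literal path, no host, no regex
    set request-file /login.jsp
    # Only these URLs may receive the POSTed form (up to action-url9)
    set action-url0 /login.jsp
    set action-url1 /auth/submit.jsp
    # Block the tampered request; alert would only log it
    set action alert_deny
    set severity High
    # ASSUMED name of an existing "config log trigger-policy" entry
    set trigger "notify-appsec"
    # ASSUMED sub-table name holding the <entry_index> / argument rows
    config hidden-field-name
      edit 1
        set argument languagepref
      next
    end
  next
end
```

Remove the `#` lines before pasting; if `block-period` were chosen instead of `alert_deny`, `set block-period <seconds_int>` (1 to 3,600) would also be required, and an X-header for the client IP would have to be defined whenever FortiWeb sits behind a NAT load balancer.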