You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, configure “block-malformed-request-check {enable | disable}” to harden your configuration. To configure the buffer size, see “max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}”. |
Variable | Description | Default |
--- | --- | --- |
<http-constraint_name> | Type the name of a new or existing HTTP protocol constraint. The maximum length is 35 characters. To display the list of existing constraints, type: edit ? | No default. |
block-malformed-request-check {enable | disable} | Enable to block the request if either: • it has syntax errors • parsing errors occur while FortiWeb is scanning the request (see “debug flow trace”) These can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities. Caution: Fortinet strongly recommends enabling this option unless large requests or parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. Unless you enable this option to block oversized items, FortiWeb will allow those oversized requests to pass through without scanning. This could allow attackers to craft large attacks to bypass your FortiWeb policies and reach your web servers. If feasible, instead of disabling this option: • enlarge the scan buffers (see “max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}”) • omit this only for URLs that require oversized parameters (see “config waf http-constraints-exceptions”) Note: Do not enable this option if requests normally contain: • parameters larger than the scan buffer (the buffer size is configurable; see “max-http-argbuf-length {8k-cache | 12k-cache | 32k-cache | 64k-cache}”) • large numbers of parameters • more than 32 cookies Requests like this will be flagged as potentially malformed by FortiWeb’s parser, causing FortiWeb to block normal requests. | enable |
Illegal-host-name-check {enable | disable} | Enable to check the Host: line of the HTTP header for illegal characters, such as null or encoded characters like 0x0 or %00*. | enable |
Illegal-http-request-method-check {enable | disable} | Enable to check for illegal HTTP version numbers. | enable |
Illegal-http-version-check {enable | disable} | Enable to check for illegal HTTP version numbers. If the HTTP version is not “HTTP/1.0” or “HTTP/1.1”, it is considered illegal. | enable |
max-cookie-in-request <limit_int> | Type the maximum acceptable number of cookies in an HTTP request. The valid range is from 0 to 32. | 16 |
max-header-line-request <limit_int> | Type the maximum acceptable number of lines in the HTTP header. The valid range is from 0 to 32. | 32 |
max-http-body-length <limit_int> | Type the maximum acceptable length in bytes of the HTTP body. The valid range is from 0 to 67,108,864. To disable the limit, type 0. | 0 |
max-http-content-length <limit_int> | Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header. The valid range is from 0 to 67,108,864. To disable the limit, type 0. | 0 |
max-http-header-length <limit_int> | Type the maximum acceptable length in bytes of the HTTP header. The valid range is from 0 to 12,288. To disable the limit, type 0. | 4096 |
max-http-header-line-length <limit_int> | Type the maximum acceptable length in bytes of each line in the HTTP header. The valid range is from 0 to 12,288. To disable the limit, type 0. | 1024 |
max-http-parameter-length <limit_int> | Type the maximum total acceptable length in bytes of all parameters in the URL and/or, for HTTP POST requests, the HTTP body. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included. The valid range is from 0 to 65,536. To disable the limit, type 0. | 6144 |
max-http-request-length <limit_int> | Type the maximum acceptable length in bytes of the HTTP request. The valid range is from 0 to 67,108,864. To disable the limit, type 0. | 67108864 |
max-url-parameter <limit_int> | Type the maximum number of URL parameters. The valid range is from 1 to 64. | 16 |
max-url-parameter-length <limit_int> | Type the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as /url?parameter=value. It does not include parameters in the HTTP body, which can occur with HTTP POST requests. The valid range is from 0 to 12,288. | 2048 |
number-of-ranges-in-range-header <limit_int> | Type the maximum acceptable number of Range: fields of an HTTP header. Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. The default value is appropriate for unpatched versions of Apache 2.0 and 2.1. The valid range is from 0 to 64. | 5 |
<parameter_name>-action {alert | alert_deny | block-period} | Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules: • alert — Accept the request and generate an alert email and/or log message. • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • block-period — Block subsequent requests from the client for a number of seconds. Also configure <parameter_name>-block-period <seconds_int>. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting: set max-http-header-length-action alert Note: Available actions vary depending on operating mode and protocol parameter. | alert |
<parameter_name>-severity {High | Medium | Low} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting: set max-http-header-length-severity High | High |
<parameter_name>-trigger <trigger-policy_name> | Type the name of the trigger to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting: set max-http-header-length-trigger trigger-policy1 | No default. |
<parameter_name>-block-period <seconds_int> | If action is block-period, type the number of seconds that the connection will be blocked. The valid range is from 1 to 3,600 seconds. | 0 |
exception_name <http-exception_name> | Type the name of an exception to existing HTTP protocol parameter constraints (see “config waf http-constraints-exceptions”). | |
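As an added example (not FortiWeb's own code), the following Python models how several of the constraints in this table are evaluated against a raw request, using the default limits listed above and the per-constraint action selection of the <parameter_name>-action row. It assumes that a limit of 0 disables every constraint (the table states this only for the length limits), that separators are excluded from max-url-parameter-length, and that number-of-ranges-in-range-header counts Range: header fields.

```python
# Added example, not FortiWeb code: a simplified model of the HTTP protocol
# constraints in the table above, using the defaults it lists. Assumptions:
# a limit of 0 disables a constraint (the table states this for the length
# limits), separators are excluded from max-url-parameter-length, and
# number-of-ranges-in-range-header counts Range: header fields.
DEFAULTS = {
    "max-cookie-in-request": 16, "max-header-line-request": 32,
    "max-http-header-length": 4096, "max-http-header-line-length": 1024,
    "max-url-parameter": 16, "max-url-parameter-length": 2048,
    "number-of-ranges-in-range-header": 5,
}

def check_request(raw, limits=DEFAULTS, actions=None):
    """Return (constraint, observed, limit, action) for each violated constraint.
    The action defaults to "alert", as in the table's <parameter_name>-action row."""
    actions = actions or {}
    head = raw.partition(b"\r\n\r\n")[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    violations = []

    def hit(name, observed, limit):
        if limit and observed > limit:           # 0 means the limit is disabled
            violations.append((name, observed, limit, actions.get(name, "alert")))

    # illegal-http-version-check: anything but HTTP/1.0 or HTTP/1.1 is illegal
    if len(parts) != 3 or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        violations.append(("illegal-http-version-check", request_line.decode(errors="replace"),
                           "HTTP/1.0 or HTTP/1.1", actions.get("illegal-http-version-check", "alert")))
    hit("max-http-header-length", len(head), limits["max-http-header-length"])
    hit("max-header-line-request", len(header_lines), limits["max-header-line-request"])
    hit("max-http-header-line-length", max((len(l) for l in header_lines), default=0),
        limits["max-http-header-line-length"])
    cookies = ranges = 0
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"cookie":
            cookies += sum(1 for c in value.split(b";") if c.strip())
        elif name.strip().lower() == b"range":
            ranges += 1
    hit("max-cookie-in-request", cookies, limits["max-cookie-in-request"])
    hit("number-of-ranges-in-range-header", ranges, limits["number-of-ranges-in-range-header"])
    query = parts[1].partition(b"?")[2] if len(parts) > 1 else b""
    params = [p.partition(b"=") for p in query.split(b"&") if p]
    hit("max-url-parameter", len(params), limits["max-url-parameter"])
    hit("max-url-parameter-length", sum(len(n) + len(v) for n, _, v in params),
        limits["max-url-parameter-length"])
    return violations

# Constructed sample: a legal request except for 17 cookies (default limit 16).
SAMPLE = (b"GET /search?q=1&page=2 HTTP/1.1\r\nHost: example.test\r\n"
          b"Cookie: " + b"; ".join(b"c%d=v" % i for i in range(17)) + b"\r\n\r\n")

if __name__ == "__main__":
    for v in check_request(SAMPLE):
        print(v)   # ('max-cookie-in-request', 17, 16, 'alert')
```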