Variable | Description | Default |
<input-rule_name> | Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type: edit ? | No default. |
action {alert | alert_deny | redirect | send_403_forbidden | block-period} | Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry: • alert — Accept the request and generate an alert email and/or log message. • alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”. • block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>. • redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}. • send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”. Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”. | alert |
block-period <seconds_int> | Type the number of seconds to block the source IP. The valid range is from 0 to 3,600 seconds. This setting applies only if action is block-period. | 60 |
host <protected-host_name> | Type the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 255 characters. This setting applies only if host-status is enable. | No default. |
host-status {enable | disable} | Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host <protected-host_name>. Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field. | disable |
request-file <url_str> | Depending on your selection in request-type {plain | regular}, type either: • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ). • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm. Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-host_name>. The maximum length is 255 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide. | No default. |
request-type {plain | regular} | Select whether request-file <url_str> will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). | plain |
severity {High | Medium | Low} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | Low |
trigger <trigger-policy_name> | Type the name of the trigger to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters. To display the list of existing trigger policies, type: set trigger ? | No default. |
<entry_index> | Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999. | No default. |
is-essential {yes | no} | Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no. | no |
max-length <limit_int> | Type the maximum allowed length of the parameter value. The valid range is from 0 to 1,024 characters. To disable the length limit, type 0. | 0 |
type-checked {enable | disable} | Enable to use predefined or configured data types when validating parameters. Also configure data-type, custom-data-type, or argument-expression. Disable to ignore the data-type and custom-data-type settings. | enable |
argument-type {custom-data-type | data-type | regular-expression} | Specify the type of argument. | No default. |
argument-name-type {plain | regular} | Specify one of the following options: • plain — argument-name is the name attribute of the parameter’s input tag exactly as it appears in the form on the web page. • regular — argument-name is a regular expression designed to match the name attribute of the parameter’s input tag. | |
argument-name <input_name> | If argument-name-type is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 35 characters. If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter’s input tag. | No default. |
argument-expression <regex_pattern> | Type a regular expression that matches all valid values, and no invalid values, for this input. The maximum length is 2,071 characters. Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. | |
custom-data-type <custom-data-type_name> | Type the name of a custom data type, if any. The maximum length is 35 characters. To display the list of custom data types, type: set custom-data-type ? This setting applies only if type-checked is enable. | No default. |
data-type <predefined_name> | Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates). To display available options, type: set data-type ? For match descriptions of each option, see “server-policy pattern data-type-group”. Alternatively, configure argument-type {custom-data-type | data-type | regular-expression}. This option is ignored if you configure argument-type {custom-data-type | data-type | regular-expression}, which also defines the parameters to which the input rule applies but supersedes this option. | No default. |
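The table above describes a positive-validation model: a rule is selected by Host: field and URL, and each entry in it declares which parameter it governs, whether that parameter is required, how long its value may be, and a regular expression that all valid values must match. The following is an added example, not FortiWeb code, that models those semantics in Python so the interplay of the settings can be checked offline. Field names mirror the CLI variables; the request, the rule and the parameter values are constructed here. It assumes argument-expression and a regular argument-name must match the whole value or name (anchored match), models only the regular-expression argument type (data-type and custom-data-type are not modelled), and treats max-length 0 as "no limit" as the table states.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of one input rule and its entries. Names mirror the CLI
# variables in the table; matching details are assumptions for this example.


@dataclass
class Entry:
    argument_name: str
    argument_name_type: str = "plain"          # plain | regular
    is_essential: str = "no"                   # yes | no
    max_length: int = 0                        # 0 disables the length limit
    type_checked: str = "enable"               # enable | disable
    argument_expression: Optional[str] = None  # regex matching all valid values


@dataclass
class InputRule:
    name: str
    request_file: str
    request_type: str = "plain"                # plain | regular
    host: str = ""
    host_status: str = "disable"               # enable | disable
    action: str = "alert"
    block_period: int = 60                     # only used when action is block-period
    severity: str = "Low"
    entries: list = field(default_factory=list)


def rule_applies(rule: InputRule, host: str, path: str) -> bool:
    """Rule selection: optional Host: check, then literal or regex URL match."""
    if rule.host_status == "enable" and host != rule.host:
        return False
    if rule.request_type == "plain":
        return path == rule.request_file
    return re.search(rule.request_file, path) is not None


def entry_matches_name(entry: Entry, name: str) -> bool:
    """Assumption: a regular argument-name must match the whole parameter name."""
    if entry.argument_name_type == "plain":
        return name == entry.argument_name
    return re.fullmatch(entry.argument_name, name) is not None


def check_request(rule: InputRule, host: str, path: str, params: dict) -> list:
    """Return the list of violations for one request (empty when it is clean)."""
    violations = []
    if not rule_applies(rule, host, path):
        return violations
    for entry in rule.entries:
        matched = [(n, v) for n, v in params.items() if entry_matches_name(entry, n)]
        if not matched:
            if entry.is_essential == "yes":
                violations.append(f"missing essential parameter {entry.argument_name}")
            continue
        for name, value in matched:
            if entry.max_length > 0 and len(value) > entry.max_length:
                violations.append(f"{name}: length {len(value)} exceeds {entry.max_length}")
            if entry.type_checked == "enable" and entry.argument_expression:
                # Assumption: the value must match the expression entirely.
                if re.fullmatch(entry.argument_expression, value) is None:
                    violations.append(f"{name}: value does not match {entry.argument_expression}")
    return violations


def decide(rule: InputRule, violations: list) -> tuple:
    """Map violations to the configured action; block-period carries its duration."""
    if not violations:
        return ("pass", None)
    if rule.action == "block-period":
        return ("block-period", rule.block_period)
    return (rule.action, None)


def login_rule(action: str = "alert") -> InputRule:
    """Constructed rule for a hypothetical /login.php form."""
    return InputRule(
        name="login-inputs", request_file="/login.php", action=action,
        entries=[
            Entry("username", is_essential="yes", max_length=20,
                  argument_expression=r"[A-Za-z0-9_]+"),
            Entry("password", is_essential="yes", max_length=64),
            Entry(r"sess.*", argument_name_type="regular",
                  argument_expression=r"[0-9a-f]{32}"),
        ],
    )


if __name__ == "__main__":
    rule = login_rule("block-period")
    bad = check_request(rule, "www.example.com", "/login.php",
                        {"username": "alice;--", "password": "x"})
    print(bad, decide(rule, bad))
```

Running the module prints the violation for the constructed username value and the block-period decision with its 60-second duration; a request for a URL the rule does not cover returns no violations regardless of its parameters, which is why the request-file and host settings deserve as much care as the entries themselves.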