Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.
Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.
Default HTTP protocol constraint values reflect the buffer size of your FortiWeb model’s HTTP parser. Use protocol constraints to block requests that are too large for the memory size of FortiWeb’s scan buffers. Failure to block items that are too large to be buffered could compromise your network’s security, and allow requests without scanning or rewriting. See Buffer hardening. For example, if your web applications require HTTP This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines. |
1. If you plan to add constraint exceptions to your HTTP protocol constraints, configure the exceptions first. See Configuring HTTP protocol constraint exceptions. If you want to use a trigger when the rule is violated, configure it also. See Viewing log messages.
2. Go to Web Protection > Protocol > HTTP Protocol Constraints.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
3. Click Create New.
A dialog appears.
4. Configure these settings:
To disable a parameter check, type 0 . |
Setting name | Description |
---|---|
Name | Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. |
Action |
Select which action the FortiWeb appliance will take when it detects a violation of the rule:
The default value is Alert. Caution: This setting will be ignored if Monitor Mode is enabled. Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email. Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning. |
Block Period |
Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also Monitoring currently blocked IPs. |
Severity |
When rule violations are recorded in the attack log, each log message contains a Severity Level (
The default value is High. |
Trigger Action | Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages. |
Illegal Host Name |
Enable to check for illegal characters in the For example, characters such as Attack log messages contain |
Illegal HTTP Version |
Enable to check for invalid HTTP version numbers. Currently, the only valid version strings are Attack log messages contain |
Illegal HTTP Request Method |
Enable to check for invalid HTTP request methods according to RFC 2616 or RFC 4918. Any method not defined in these RFCs — including misspellings like Attack log messages contain |
HTTP Request Length |
Type the maximum acceptable length in bytes of the entire HTTP request, including both headers and body. Attack log messages contain |
Content Length |
Type the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Attack log messages contain Tip: RPC requests’ content length often do not match their own |
Body Length |
Type the maximum acceptable size in bytes of the HTTP body. For requests that use the HTTP Attack log messages contain |
Header Length |
Type the maximum acceptable size in bytes of all HTTP header lines. Attack log messages contain |
Header Line Length |
Type the maximum acceptable size in bytes of each line in the HTTP header. Attack log messages contain |
Number of Header Lines In Request |
Type the maximum acceptable number of lines in the HTTP header. Attack log messages contain |
Total URL and Body Parameters Length |
Type the total maximum total acceptable size in bytes of all parameters in the URL and/or, for HTTP Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included. Attack log messages contain |
Total URL Parameters Length |
Type the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a
It does not include parameters in the HTTP body, which can occur with HTTP Attack log messages contain |
Number of URL Parameters |
Type the maximum number of parameters in the URL. The maximum number is 104. It does not include parameters in the HTTP body, which can occur with HTTP Attack log messages contain |
Number of Cookies In Request |
Type the maximum acceptable number of cookies in an HTTP request. Attack log messages contain |
Number of ranges in Range Header |
Type the maximum acceptable number of Attack log messages contain Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many |
Malformed Request |
Enable to inspect the request for: Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities. Attack log messages contain Caution: Fortinet strongly recommends to enable this option unless large requests/parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. It also cannot perform rewrites. Unless you configure it to block, FortiWeb will allow oversized requests to pass through without scanning or rewriting. This could allow padded attacks to pass through, and rewriting to be skipped. If feasible, instead of disabling this option:
|
Exception Name |
Select the HTTP constraints exception, if any, that you want to apply to this policy (see Configuring HTTP protocol constraint exceptions). If you want to view or change the information associated with a exception, select the Detail link. The HTTP Constraints Exception dialog appears, where you can view and edit the exceptions. |
5. Click OK.
6. To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile (see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation).
You can configure exceptions for use with HTTP protocol constraints.
Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint. Exceptions are useful when you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature.
For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint as defined in HTTP/HTTPS protocol constraints. But, if you mark the check box for Header Length in a HTTP protocol constraint exception for a specific host, FortiWeb will skip the HTTP header length check when executing the web protection profile for that host.
As another example, some web applications require very large HTTP POST
requests. You can use Malformed Request to create an exception from the constraint for those requests.
1. Go to Web Protection > Protocol > HTTP Constraints Exception.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
2. Click Create New.
A dialog appears.
3. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. Click OK.
5. Click Create New to add an entry to the set.
A dialog appears.
6. Configure these settings:
Setting name | Description |
---|---|
Host Status |
Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host. Disable to apply the exceptions to all web hosts. |
Host |
Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies. This setting is available only if Host Status is enabled. |
Request Type | Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). |
URL Pattern |
Depending on your selection in the Request Type field, enter either:
Do not include the domain name, such as To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax). |
Header Length | Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP header. |
Content Length | Enable to omit the constraint on the maximum acceptable size in bytes of the request body. |
Body Length | Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP body. |
Parameter Length | Enable to omit the constraint on the maximum acceptable size in bytes of parameters in the URL or, for HTTP POST requests. |
Header Line Length | Enable to omit the constraint on the maximum acceptable size in bytes of each line in the HTTP header. |
HTTP Request Length | Enable to omit the constraint on the maximum acceptable length in bytes of the HTTP request. |
URL Parameter Length | Enable to omit the constraint on the maximum acceptable size of an URL parameter (including the name and value). |
Number of Cookies In Request | Enable to omit the constraint on the maximum acceptable number of cookies in an HTTP request. |
Number of Header Lines In Request | Enable to omit the constraint on the maximum acceptable number of lines in the HTTP header. |
Illegal HTTP Request Method | Enable to omit the constraint on to check for invalid HTTP version numbers. |
Number of URL Parameters | Enable to omit the constraint on the maximum number of parameters in the URL. |
Illegal Host Name | Enable to omit the constraint on invalid characters in the Host: line of the HTTP header, such as null characters or encoded characters. |
Number of ranges in Range Header |
Enable to omit the constraint on the maximum acceptable number of Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many |
Malformed Request |
Enable to omit the constraint on syntax and FortiWeb parsing errors. Caution: Some web applications require abnormal or very large HTTP |
7. Click OK.
8. Repeat the previous steps for each rule you want to add to the exception.
9. Group the HTTP protocol constraint exception in an HTTP protocol constraint profile (see HTTP/HTTPS protocol constraints).