Fortinet Document Library

Version: 5.3.0

Configurations

Topology

To configure a CSRF Protection policy:

  1. Go to Web Application Firewall.
  2. Click the Common Attacks Detection tab.
  3. Click the CSRF Protection tab.
  4. Click Create New to display the configuration editor.
  5. Fill in the Name as “CSRF1”.
  6. Enable the Status.
  7. Modify the Action or Severity based on your requirements.
  8. Click Save to save the configuration.

  9. Click Edit to display the CSRF Protection.
  10. Click Create New in CSRF Page to display the configuration editor and fill the Full URL Pattern and enable or disable Parameter Filter based on your security requirements.
  11. Click Create New in CSRF URL to display the configuration editor and fill the Full URL Pattern and enable or disable Parameter Filter based on your security requirements.
  12. Click Save to save the configuration.

  13. To apply the CSRF Protection policy, select it in a WAF profile.

Examples of requests with the anti-CSRF parameter

For example, a web page in the list of pages contains the following <a href> element:

<a href=/csrf_test.php>test</a>

This link generates the following request, which includes the parameter that the JavaScript has added:

http://example.com/csrf_test1.php?tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD

Therefore, to make the feature work for this web page, you add /csrf_test.php to the list of URLs.

For an example using an HTML form element, the web page csrf_login.html contains the following form:

<form name="do_some_action" id="form1" action="hello.php" method="GET">
<input type="text" name="username" value=""/>
<input type="text" name="password" value=""/>
<input type="submit" value="do Action"/>
</form>

This form generates the following request when the page is added to the list of pages protected by a CSRF protection policy:

http://target-site.com/hello.php?username=test&password=123&tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD

In this case, you add csrf_login.html to the list of pages and /hello.php to the list of URLs.

Troubleshooting

If the feature is not working properly, ensure the following:

  • The type of the web page to protect is HTML and contains the <html> and </html> tags.
  • The HTTP response code for the page is 200 OK.
  • If the page is compressed, a corresponding uncompressing policy is configured.
  • The Maximum Body Cache Size value is larger than the size of the web page.
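To make the split between the CSRF Page list (where the token is injected) and the CSRF URL list (where the token is required) concrete, and to show the Troubleshooting conditions above as checks, here is an added Python model that is not FortiADC code. Only the tknfv parameter name and the example paths come from this page; the CsrfProtection class, the body-cache size in bytes, the server-side token store, and the link and form rewriting are assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "tknfv"  # anti-CSRF parameter name shown in the examples above


class CsrfProtection:
    """Hypothetical model of the CSRF Page list / CSRF URL list split (not FortiADC code)."""

    def __init__(self, pages, urls, max_body_cache=65536):
        self.pages = set(pages)               # CSRF Page: responses that get the token injected
        self.urls = set(urls)                 # CSRF URL: requests that must carry a valid token
        self.max_body_cache = max_body_cache  # Maximum Body Cache Size (bytes, assumed)
        self.issued = set()                   # tokens handed out (assumed server-side store)

    def protect_page(self, path, status, body):
        """Inject the token into a response. Returns (body, token); token is None if skipped."""
        # The Troubleshooting checklist: page is listed, 200 OK, fits the body cache, real HTML
        if path not in self.pages or status != 200:
            return body, None
        if len(body.encode()) > self.max_body_cache:
            return body, None
        lower = body.lower()
        if "<html" not in lower or "</html>" not in lower:
            return body, None
        token = secrets.token_hex(16).upper()
        self.issued.add(token)

        def add_to_href(m):
            quote, href = m.group(2), m.group(3)
            sep = "&" if "?" in href else "?"
            return f"{m.group(1)}{quote}{href}{sep}{TOKEN_PARAM}={token}{quote}"

        # <a href=...> links get the token as a query parameter (the /csrf_test.php example)
        body = re.sub(r'(<a\s[^>]*?href=)(["\']?)([^"\'\s>]+)\2', add_to_href, body, flags=re.I)
        # forms get it as a hidden field, so a GET submission carries it (the hello.php example)
        hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}"/>'
        body = re.sub(r"</form>", hidden + "</form>", body, flags=re.I)
        return body, token

    def check_request(self, url):
        """Return "allow" or "deny" for a request URL."""
        parts = urlsplit(url)
        if parts.path not in self.urls:
            return "allow"                    # not a protected URL, token not required
        tokens = parse_qs(parts.query).get(TOKEN_PARAM, [])
        if not tokens or tokens[0] not in self.issued:
            return "deny"                     # missing or unknown anti-CSRF parameter
        return "allow"
```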

To configure an Input Validation policy

To configure a Parameter Validation rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the Parameter Validation tab.
  4. Click Create New to display the configuration editor and fill the Name, Host Status, Host, Request URL, Action, Severity, and Parameter Validation Rule Element based on your security requirements.
  5. Click Save to save the configuration.

Note: FortiADC checks the Host and Request URL by simple string or regular expression matching.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) the Host: field of the HTTP request must be in to match the input rule.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a leading slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions of this rule are fulfilled.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Max Length

The maximum length of the string that is the input’s value. The default value is 64 characters.

To configure a Hidden Field rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the Hidden Field tab.
  4. Click Create New to display the configuration editor and fill the Name, Host Status, Host, Request URL, Action, Severity, Post URL, and Hidden Fields based on your security requirements.
  5. Click Save to save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) the Host: field of the HTTP request must be in to match the input rule.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a leading slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions of this rule are fulfilled.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Post URL

The URL to which the form is posted. FortiADC checks it by simple string or regular expression matching.

Hidden Fields

The “Hidden Fields” rules apply only to hidden parameters, that is, those from <input type="hidden"> HTML tags.

To configure a File Restriction rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the File Restriction tab.
  4. Click Create New in File Restriction Rule part to display the configuration editor and fill the Name, Host Status, Request URL, Action, Severity, Upload File Size, and Upload File Type, based on your security requirements.
  5. Click Save to save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) the Host: field of the HTTP request must be in to match the input rule.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a leading slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions are fulfilled for File Restriction.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Upload File Status

Allow or block the file type. The default value is allow.

Upload File Size

The maximum size of an uploaded file.

Upload File Type

Select a predefined file type.

To apply the input validation policy, add any or all of these three rules to an input validation policy, then select that input validation policy in a WAF profile.

To configure a brute force attack detection policy

  1. Go to Web Application Firewall.
  2. Click the Common Attacks Detection tab.
  3. Click the Brute Force Attack Detection tab.
  4. Click Create New to display the configuration editor and fill the Name, Status, Action, Severity, Exception, and Comments based on your security requirements.

  5. Click Save to save the configuration.
  6. Click Edit to display the configuration editor. Click Create New in the Match Condition section to display the configuration editor, and fill in the Host Status, URL Pattern, Login Failed Code, and IP Access Limit based on your security requirements.

  7. Save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Status

Enable or disable this function.

Action

Select which action FortiADC takes when the conditions of this policy are fulfilled.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this policy in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for violations of this policy:

  • Low
  • Medium
  • High

The default value is Low.

Exception

The exception policy to apply.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts.

URL Pattern

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a leading slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Login Failed Code

The HTTP response code used to determine whether a login failed. The default is 0, which matches no status code.

IP Access Limit

The failed-login threshold for a single client, counted per source IP address. If the failed login count exceeds the threshold, FortiADC performs the corresponding WAF action.

The default is 1.

  8. To apply the brute force detection policy, select it in a WAF profile.
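As an added illustration (not FortiADC code) of how URL Pattern, Login Failed Code and IP Access Limit combine, the following Python model counts failed logins per source IP over constructed log lines and shows that the default Login Failed Code of 0 can never fire. The "ip method path status" log format, the BruteForceRule class and its regex option are assumptions.

```python
import re
from collections import Counter


class BruteForceRule:
    """Hypothetical model of one Brute Force Attack Detection match condition (not FortiADC code)."""

    def __init__(self, url_pattern, login_failed_code=0, ip_access_limit=1,
                 regex=False, action="alert"):
        self.url_pattern = url_pattern              # literal path or regular expression
        self.regex = regex                          # assumed switch between the two URL types
        self.login_failed_code = login_failed_code  # 0 (the default) matches no status code
        self.ip_access_limit = ip_access_limit      # failures tolerated per source IP
        self.action = action                        # Alert / Deny / Block / Silent-deny

    def matches_url(self, path):
        if self.regex:
            return re.search(self.url_pattern, path) is not None
        return path == self.url_pattern

    def evaluate(self, log_lines):
        """Count failed logins per source IP over lines of the form "ip method path status".
        Returns (failures per IP, {ip: action} for every IP that exceeded the limit)."""
        failures = Counter()
        verdicts = {}
        for line in log_lines:
            ip, _method, path, status = line.split()
            if not self.matches_url(path):
                continue
            # A Login Failed Code of 0 never matches, so the rule can never trigger
            if self.login_failed_code == 0 or int(status) != self.login_failed_code:
                continue
            failures[ip] += 1
            if failures[ip] > self.ip_access_limit:  # the count "exceeded the threshold"
                verdicts[ip] = self.action
        return failures, verdicts


# Constructed sample log lines: client IP, method, path, response status
SAMPLE_LOG = [
    "203.0.113.5 POST /login.php 401",
    "203.0.113.5 POST /login.php 401",
    "198.51.100.7 POST /login.php 401",
    "203.0.113.5 POST /login.php 401",
    "198.51.100.7 POST /login.php 200",
    "203.0.113.5 POST /login.php 401",
    "203.0.113.5 GET /index.html 401",
]
```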

To configure an anti-defacement policy

  1. Go to Web Application Firewall.
  2. Click the Web Anti-Defacement tab.
  3. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.
  4. Click Test Connection to test the connection between the FortiADC appliance and the web server. During the next interval, FortiADC should connect to download its first backup. You should notice that the Total Files counter increments. If not, first verify the login and IP address that you provided. Also, on the web server, check the file system permissions for the account that FortiADC is using to connect.
  5. Save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Description

Enter a comment up to 63 characters long. This field is optional.

Monitor

Enable to monitor the web site’s files for changes.

Host Name/IP Address

Type the IP address or FQDN of the web server on which the web site is hosted.

Connection Type

Select which protocol (FTP, SSH) to use when connecting to the web site in order to monitor its contents and download web site backups.

Port

Enter the TCP port number on which the web site’s real server listens. The standard port number for FTP is 21; the standard port number for SSH is 22.

Folder of Web Site

Type the path to the web site’s folder, such as public_html or wwwroot, on the real server. The path is relative to the initial location when logging in with the user name that you specify in User Name.

Username

Enter the user name that the FortiADC appliance will use to log in to the web site’s real server.

Password

Enter the password for the user name you entered in User Name.

Monitor Interval for Root Folder

Enter the time interval in seconds between each monitoring connection from the FortiADC appliance to the web server. During this connection, the FortiADC appliance examines Folder of Web Site (but not its subfolders) to see if any files have changed by comparing the files with the latest backup.

Monitor Interval for other Folder

Enter the time interval in seconds between each monitoring connection from the FortiADC appliance to the web server. During this connection, the FortiADC appliance examines subfolders to see if any files have been changed by comparing the files with the latest backup.

Maximum Depth of Monitored Folders

Type how many folder levels deep to monitor for changes to the web site’s files.

Skip Files Larger Than

Type a file size limit in kilobytes (KB) to indicate which files will be included in the web site backup. Files exceeding this size will not be backed up. The default file size limit is 10240 KB.

Skip Files with These Extensions

Type zero or more file extensions, such as iso, avi, to exclude from the web site backup. Separate each file extension with a comma.

Automatic Action

Enable to automatically restore the web site to the previous revision when FortiADC detects that the web site has changed.

  • Disable
  • Acknowledge
  • Restore

From the Web Anti-Defacement page, you can check the status of each web site that FortiADC is monitoring.

Monitor

Indicates whether or not anti-defacement is currently enabled for the web site.

To configure a cookie security policy

  1. Go to Web Application Firewall.
  2. Click the Sensitive Data Protection tab.
  3. Click Cookie Security tab.
  4. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.

    Name

    Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

    Security Mode

    • No — FortiADC does not apply cookie tampering protection or encrypt cookie values.
    • Encrypted — Encrypts cookie values the back-end web server sends to clients. Clients see only encrypted cookies. FortiADC decrypts cookies submitted by clients before it sends them to the back-end server. No back-end server configuration changes are required.
    • Signed — Prevents tampering (cookie poisoning) by tracking the cookie value.

    HTTP Only

    Enable to add the HttpOnly flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).

    Secure

    Enable to add the Secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

    Encrypted Cookie Type

    When Security Mode is set to Encrypted:

    • All—encrypt all cookies.
    • List—encrypt only the cookies that match the cookie list.

    Cookie Replay

    Optionally, select whether FortiADC uses the IP address of a request to determine the owner of the cookie.

    Allow Suspicious Cookies

    Note: applies only when Security Mode is Encrypted.

    Whether FortiADC allows requests that contain cookies its encrypted-cookie function does not recognize, or that are missing cookies.

    When Cookie Replay is enabled, a missing cookie that tracks the client IP address is also treated as a suspicious cookie.

    In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

    • Never—never allow suspicious cookies.
    • Always—always allow suspicious cookies.
    • Custom—do not block suspicious cookies until the date specified in dont_block_until.

    Severity

    When FortiADC records violations of this policy in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for violations of this policy:

    • Low
    • Medium
    • High

    The default value is Low.

    Remove Cookie

    Enable this option to accept the request but remove the cookie before sending it to the web server.

    Action

    Select which action FortiADC takes when the conditions of this policy are fulfilled.

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Deny—Block the request (or reset the connection).
    • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    • Silent-deny—Deny without log.

    The default value is Alert.

    Max Age

    Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.

    To configure no expiry age for cookies, enter 0.

    Exception

    Exception list for Encrypted or Signed mode.

  5. Save the configuration.
  6. To apply the cookie security policy, select it in a WAF profile.
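An added Python model (not FortiADC code) of Signed mode together with the HTTP Only, Secure, Max Age, Allow Suspicious Cookies and Remove Cookie settings described above: cookies leaving the back end are signed and flagged, cookies arriving from clients are verified, and unrecognised ones are handled according to the Never/Always/Custom choice. The HMAC-SHA256 scheme, the value.signature cookie layout, the ISO date strings and the CookieSecurity class are assumptions; Encrypted mode is not modelled.

```python
import base64
import hashlib
import hmac
from datetime import date
from http.cookies import SimpleCookie


class CookieSecurity:
    """Hypothetical model of the Signed security mode and its options (not FortiADC code)."""

    def __init__(self, key, http_only=True, secure=True, max_age_min=0,
                 allow_suspicious="never", dont_block_until=None,
                 remove_cookie=False, action="alert"):
        self.key = key                            # signing key (constructed)
        self.http_only = http_only                # HTTP Only
        self.secure = secure                      # Secure
        self.max_age_min = max_age_min            # Max Age in minutes; 0 adds no expiry
        self.allow_suspicious = allow_suspicious  # never | always | custom
        self.dont_block_until = dont_block_until  # ISO date string used with "custom"
        self.remove_cookie = remove_cookie        # Remove Cookie
        self.action = action                      # Action for rejected requests

    def _sig(self, name, value):
        mac = hmac.new(self.key, f"{name}={value}".encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def outbound(self, set_cookie):
        """Rewrite one Set-Cookie header from the back end: sign the value and add the flags."""
        src = SimpleCookie()
        src.load(set_cookie)
        headers = []
        for name, morsel in src.items():
            dst = SimpleCookie()
            dst[name] = f"{morsel.value}.{self._sig(name, morsel.value)}"
            for attr in ("path", "domain", "expires", "max-age"):
                if morsel[attr]:
                    dst[name][attr] = morsel[attr]
            if self.http_only:
                dst[name]["httponly"] = True
            if self.secure:
                dst[name]["secure"] = True
            # Max Age applies only to cookies that carry neither Expires nor Max-Age
            if self.max_age_min and not morsel["expires"] and not morsel["max-age"]:
                dst[name]["max-age"] = self.max_age_min * 60
            headers.append(dst[name].OutputString())
        return headers

    def _suspicious_allowed(self, today):
        if self.allow_suspicious == "always":
            return True
        if self.allow_suspicious == "custom" and self.dont_block_until:
            return today < self.dont_block_until   # ISO dates compare correctly as strings
        return False                               # "never"

    def inbound(self, cookie_header, today=None):
        """Verify a client Cookie header. Returns (verdict, header forwarded to the back end)."""
        today = today or date.today().isoformat()
        src = SimpleCookie()
        src.load(cookie_header)
        clean, suspicious = [], []
        for name, morsel in src.items():
            raw, _, sig = morsel.value.rpartition(".")
            if raw and hmac.compare_digest(sig.encode(), self._sig(name, raw).encode()):
                clean.append(f"{name}={raw}")       # strip the signature for the back end
            else:
                suspicious.append(name)             # missing or invalid signature
        if suspicious:
            if self._suspicious_allowed(today):
                clean.extend(f"{n}={src[n].value}" for n in suspicious)  # forwarded as-is
            elif not self.remove_cookie:
                return self.action, None
            # with Remove Cookie, the suspicious cookies are dropped and the request accepted
        return "allow", "; ".join(clean)
```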

To configure a data leak prevention policy

  1. Go to Web Application Firewall.
  2. Click the Sensitive Data Protection tab.
  3. Click the Data Leak Prevention tab.
  4. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.

    Name

    Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

    Status

    Click to enable or disable this policy.

    Masking

    Enable to replace sensitive data with asterisks (*). The default is disabled.

    Masking works only with the Alert action.

    Action

    Select which action FortiADC takes when the conditions of this policy are fulfilled.

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Deny—Block the request (or reset the connection).
    • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    • Silent-deny—Deny without log.

    The default value is Alert.

    Severity

    When FortiADC records violations of this policy in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for violations of this policy:

    • Low
    • Medium
    • High

    The default value is Low.

    URL Pattern

    Depending on your selection in Request URL Type, type either:

    • the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • a regular expression, such as ^/*.php, matching all and only the URLs to which the rule should apply. The pattern does not require a leading slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

    Note: The rule does not work when URL Pattern is empty.

    Sensitive Data Type

    The sensitive data type created under Web Application Firewall > Sensitive Data Type.

    Threshold

    The rule takes effect when the threshold is reached. The default value is 1.

    Note: The threshold does not apply when masking is enabled.

  5. Save the configuration.
  6. To apply DLP, select it in a WAF profile.

Configurations

Topology

To configure a CSRF Protection policy:

  1. Go to Web Application Firewall.
  2. Click the Common Attacks Detection tab.
  3. Click the CSRF Protection tab
  4. Click Create New to display the configuration editor.
  5. Fill in the Name as “CSRF1”.
  6. Enable the Status.
  7. Modify the Action or Severity based on your requirements.
  8. Click Save to save the configuration.

  9. Click Edit to display the CSRF Protection.
  10. Click Create New in CSRF Page to display the configuration editor and fill the Full URL Pattern and enable or disable Parameter Filter based on your security requirements.
  11. Click Create New in CSRF URL to display the configuration editor and fill the Full URL Pattern and enable or disable Parameter Filter based on your security requirements.
  12. Click Save to save the configuration.

  13. To apply the CSRF Protection policy, select it in a WAF profile.

Examples of requests with the anti-CSRF parameter

For example, a web page in the list of pages contains the following <a href> element:

<a href=/csrf_test.php>test</a>

This link generates the following request, which includes the parameter that the javascript has added:

http://example.com/csrf_test1.php?tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD

Therefore, to make the feature work for this web page, you add /csrf_test.php to the list of URLs.

For an example using an HTML form element, the web page csrf_login.html contains the following form:

<form name="do_some_action" id="form1" action="hello.php" method="GET">

<input type="text" name="username" value=""/>

<Input type="text" name="password" value=""/>

<input type="submit" value="do Action"/>

</form>

This form generates the following request when the page is added to the list of pages protected by a CSRF protection policy:

http://target-site.com/hello.php?username=test&password=123&tknfv=3DF5BDCCIG3DCXNTE3RUNCTKRS3E36AD

In this case, you add csrf_login.html to the list of pages and /hello.php to the list of URLs.

Troubleshooting

If the feature is not working properly, ensure the following:

  • The type of the web page to protect is HTML and contains the <html> and </html> tags.
  • The HTTP response code for the page is 200 OK.
  • If the page is compressed, a corresponding uncompressing policy is configured
  • The Maximum Body Cache Size value is larger than the size of the web page.

To configure an Input Validation policy

To configure a Parameter Validation rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the Parameter Validation tab.
  4. Click Create New to display the configuration editor and fill the Name, Host Status, Host, Request URL, Action, Severity, and Parameter Validation Rule Element based on your security requirements.
  5. Click Save to save the configuration.

Notes: FortiADC checks the Host and Request URL by simple string or regular express matching.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the signature exception.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions are fulfilled for File Restriction.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Max Length

The maximum string length of the string that is the input’s value. The default value is 64 characters.

To configure a Hidden Field rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the Hidden Field tab.
  4. Click Create New to display the configuration editor and fill the Name, Host Status, Host, Request URL, Action, Severity, Post URL, and Hidden Fields based on your security requirements.
  5. Click Save to save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the signature exception.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions are fulfilled for File Restriction.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Post URL

Check URL by simple string or regular express matching.

Hidden Fields

The “Hidden Fields ” rules are for hidden parameters only, from <input type="hidden"> HTML tags.

To configure a File Restriction rule

  1. Go to Web Application Firewall.
  2. Click the Input Validation tab.
  3. Click the File Restriction tab.
  4. Click Create New in File Restriction Rule part to display the configuration editor and fill the Name, Host Status, Request URL, Action, Severity, Upload File Size, and Upload File Type, based on your security requirements.
  5. Click Save to save the configuration

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Host Status

Enable to apply this input rule only to HTTP requests for specific web hosts. Also, configure Host.

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

Host

Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the signature exception.

This option is available only if Host Status is enabled.

Request URL

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.html.

Action

Select which action FortiADC takes when the conditions are fulfilled for File Restriction.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

  • Low
  • Medium
  • High

The default value is Low.

Upload File Status

Allow or block the file type. The default value is allow.

Upload File Size

The maximum size of uploading file.

Upload File Type

Select a predefined file type.

To apply the input validation policy, you can add any rule or all those three rules into input validation policy and then select the input policy in a WAF profile.

To configure a brute force attack detection policy

  1. Go to Web Application Firewall.
  2. Click the Common Attacks Detection tab.
  3. Click the Brute Force Attack Detection tab.
  4. Click Create New to display the configuration editor and fill the Name, Status, Action, Severity, Exception, and Comments based on your security requirements.

  5. Click Save to save the configuration.
  6. Click Edit to display the configuration editor and click Create New in Match Condition part to display the configuration editor and fill the Host Status, URL Pattern, Login Failed Code, and IP Access Limit based on your security requirements.

  7. Save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Status

Enable or disable this function.

Action

Select which action FortiADC takes when the conditions of this policy are met.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for this policy:

  • Low
  • Medium
  • High

The default value is Low.

Exception

Optionally select an exception policy.

Host Status

Enable to apply this rule only to HTTP requests for specific web hosts.

URL Pattern

Depending on your selection in Request URL Type, type either:

  • the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • a regular expression, such as ^/*.php, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

Login Failed Code

The HTTP response code that indicates a failed login. The default is 0, which matches no status code.

IP Access Limit

The maximum number of failed logins permitted from a single source IP address. When the failed login count exceeds this threshold, FortiADC performs the configured WAF action.

The default is 1.

8. To apply the brute force detection policy, select it in a WAF profile.
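The Match Condition fields above (URL Pattern, Login Failed Code, IP Access Limit) describe a per-source-IP counter of failed logins. The Python below is an added example of that logic, not FortiADC code; the counting semantics (a request counts only when its URL matches the pattern and the back end answers with the Login Failed Code, and the action fires once a source IP's count exceeds IP Access Limit), the policy class and the sample log are all assumptions or constructed. It also shows the two URL Pattern forms described above, a literal URL and a regular expression, and a Login Failed Code of 0 matching nothing.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class BruteForcePolicy:
    """One Match Condition entry: URL Pattern, Login Failed Code, IP Access Limit."""
    url_pattern: str
    url_is_regex: bool = False   # False: literal URL; True: regular expression
    login_failed_code: int = 0   # 0 = match no status code (detection effectively off)
    ip_access_limit: int = 1     # failed logins tolerated per source IP
    action: str = "alert"        # alert | deny | block | silent-deny

    def url_matches(self, url: str) -> bool:
        path = url.split("?", 1)[0]          # the query string is not part of the pattern
        if self.url_is_regex:
            return re.search(self.url_pattern, path) is not None
        return path == self.url_pattern


class BruteForceDetector:
    """Counts failed logins per source IP and reports the policy action once
    the count exceeds IP Access Limit."""

    def __init__(self, policy: BruteForcePolicy):
        self.policy = policy
        self.failed_logins = defaultdict(int)

    def evaluate(self, src_ip: str, url: str, status: int) -> str:
        p = self.policy
        if not p.url_matches(url):
            return "pass"                      # not a login URL covered by this rule
        if p.login_failed_code == 0 or status != p.login_failed_code:
            return "pass"                      # successful login, or code not configured
        self.failed_logins[src_ip] += 1
        if self.failed_logins[src_ip] > p.ip_access_limit:
            return p.action
        return "pass"


# Constructed sample of (source IP, request URL, back-end response status).
SAMPLE_LOG = [
    ("203.0.113.5", "/login.php?next=/home", 401),
    ("203.0.113.5", "/login.php", 401),
    ("203.0.113.5", "/login.php", 401),
    ("203.0.113.5", "/login.php", 401),      # 4th failure: over a limit of 3
    ("198.51.100.9", "/login.php", 401),
    ("198.51.100.9", "/login.php", 200),     # success, not counted
    ("203.0.113.5", "/index.php", 401),      # not the login URL, ignored
]


def run_sample(policy: BruteForcePolicy) -> list:
    """Replay SAMPLE_LOG through a fresh detector; one decision per request."""
    detector = BruteForceDetector(policy)
    return [detector.evaluate(ip, url, status) for ip, url, status in SAMPLE_LOG]


if __name__ == "__main__":
    literal = BruteForcePolicy("/login.php", login_failed_code=401,
                               ip_access_limit=3, action="block")
    for entry, decision in zip(SAMPLE_LOG, run_sample(literal)):
        print(entry, "->", decision)
```

The detector keeps a single counter per source IP; a production implementation would also expire counters (the Block Period in the Action field is the natural window) so that a legitimate user who mistypes a password a few times over a day is not blocked.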

To configure an anti-defacement policy

  1. Go to Web Application Firewall.
  2. Click the Web Anti-Defacement tab.
  3. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.
  4. Click Test Connection to test the connection between the FortiADC appliance and the web server. During the next interval, FortiADC should connect to download its first backup. You should see the Total Files count increment. If not, first verify the login and IP address that you provided. Also, on the web server, check the file system permissions for the account that FortiADC is using to connect.
  5. Save the configuration.

Name

Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

Description

Enter a comment up to 63 characters long. This field is optional.

Monitor

Enable to monitor the web site’s files for changes.

Host Name/IP Address

Type the IP address or FQDN of the web server on which the web site is hosted.

Connection Type

Select which protocol (FTP, SSH) to use when connecting to the web site in order to monitor its contents and download web site backups.

Port

Enter the TCP port number on which the web site’s real server listens. The standard port number for FTP is 21; the standard port number for SSH is 22.

Folder of Web Site

Type the path to the web site’s folder, such as public_html or wwwroot, on the real server. The path is relative to the initial location when logging in with the user name that you specify in User Name.

Username

Enter the user name that the FortiADC appliance will use to log in to the web site’s real server.

Password

Enter the password for the user name you entered in User Name.

Monitor Interval for Root Folder

Enter the time interval in seconds between each monitoring connection from the FortiADC appliance to the web server. During this connection, the FortiADC appliance examines Folder of Web Site (but not its subfolders) to see if any files have changed by comparing the files with the latest backup.

Monitor Interval for other Folder

Enter the time interval in seconds between each monitoring connection from the FortiADC appliance to the web server. During this connection, the FortiADC appliance examines subfolders to see if any files have been changed by comparing the files with the latest backup.

Maximum Depth of Monitored Folders

Type how many folder levels deep to monitor for changes to the web site’s files.

Skip Files Larger Than

Type a file size limit in kilobytes (KB) to indicate which files will be included in the web site backup. Files exceeding this size will not be backed up. The default file size limit is 10240 KB.

Skip Files with These Extensions

Type zero or more file extensions, such as iso, avi, to exclude from the web site backup. Separate each file extension with a comma.

Automatic Action

Select what FortiADC does when it detects that the web site has been changed. Restore automatically returns the web site to the previous revision.

  • Disable
  • Acknowledge
  • Restore

From the Web Anti-Defacement page, you can check the status of each web site that FortiADC is monitoring.

Monitor

Indicates whether or not anti-defacement is currently enabled for the web site.
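The monitoring fields above (Folder of Web Site, Maximum Depth of Monitored Folders, Skip Files Larger Than, Skip Files with These Extensions, and Automatic Action set to Restore) amount to a file-integrity check against the last backup. The Python below is an added example of that check, not FortiADC's implementation: it walks a local directory instead of connecting over FTP or SSH, treats depth 0 as the root folder itself and depth 1 as its direct subfolders, keeps the backup in memory, and the sample site tree it builds under a temporary directory is constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def _monitored_files(root, max_depth, skip_larger_than_kb, skip_extensions):
    """Yield (relative POSIX path, Path) for every file the policy would examine.
    Assumed reading of the fields: depth 0 is the root folder, max_depth is the
    number of folder levels below it; files over the KB limit or with a listed
    extension are left out of both backup and comparison."""
    skip = {e.lower().lstrip(".") for e in skip_extensions}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if len(rel.parts) - 1 > max_depth:
            continue
        if path.suffix.lstrip(".").lower() in skip:
            continue
        if path.stat().st_size > skip_larger_than_kb * 1024:
            continue
        yield rel.as_posix(), path


def take_backup(root, **policy):
    """Backup = full content of every monitored file, keyed by relative path."""
    return {rel: p.read_bytes() for rel, p in _monitored_files(root, **policy)}


def snapshot(root, **policy):
    """Current state = SHA-256 of every monitored file."""
    return {rel: hashlib.sha256(p.read_bytes()).hexdigest()
            for rel, p in _monitored_files(root, **policy)}


def hashes_of(backup):
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in backup.items()}


def diff_snapshots(baseline, current):
    """What changed since the last backup, as three sorted lists."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def restore(root, backup, changes):
    """Automatic Action = Restore: put modified and deleted files back from the
    backup and remove files that were not part of it."""
    root = Path(root)
    for rel in changes["modified"] + changes["deleted"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(backup[rel])
    for rel in changes["added"]:
        (root / rel).unlink()


def demo():
    """Build a constructed site, back it up, deface it, detect and restore."""
    policy = dict(max_depth=1, skip_larger_than_kb=1, skip_extensions=("avi", "iso"))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG fake logo")
        (root / "img" / "deep").mkdir()
        (root / "img" / "deep" / "notes.txt").write_text("two levels down: not monitored")
        (root / "promo.avi").write_bytes(b"excluded by extension")
        (root / "big.bin").write_bytes(b"\0" * 4096)        # 4 KB, over the 1 KB limit
        backup = take_backup(root, **policy)

        # Simulated defacement: a page edited, a file removed, a page added,
        # plus a change below the monitored depth that should go unnoticed.
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "img" / "logo.png").unlink()
        (root / "extra.html").write_text("unexpected page")
        (root / "img" / "deep" / "notes.txt").write_text("changed but out of depth")

        changes = diff_snapshots(hashes_of(backup), snapshot(root, **policy))
        restore(root, backup, changes)
        after = diff_snapshots(hashes_of(backup), snapshot(root, **policy))
        return sorted(backup), changes, after


if __name__ == "__main__":
    monitored, changes, after = demo()
    print("monitored:", monitored)
    print("detected :", changes)
    print("after restore:", after)
```

Note what the skip rules buy and cost: the large file and the deep file are never compared, so a change there is invisible to the monitor. That is the same trade-off the Skip Files Larger Than and Maximum Depth fields make on the appliance; set them with the site's actual layout in mind rather than leaving defaults.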

To configure a cookie security policy

  1. Go to Web Application Firewall.
  2. Click the Sensitive Data Protection tab.
  3. Click Cookie Security tab.
  4. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.

    Name

    Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

    Security Mode

    • No — FortiADC does not apply cookie tampering protection or encrypt cookie values.
    • Encrypted — Encrypts cookie values the back-end web server sends to clients. Clients see only encrypted cookies. FortiADC decrypts cookies submitted by clients before it sends them to the back-end server. No back-end server configuration changes are required.
    • Signed — Prevents tampering (cookie poisoning) by tracking the cookie value.

    HTTP Only

    Enable to add the HttpOnly flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts).

    Secure

    Enable to add the Secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent will include the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)).

    Encrypted Cookie Type

    When Security Mode is set to Encrypted:

    • All—Encrypt all cookies.
    • List—Encrypt only the cookies that match the cookie list.

    Cookie Replay

    Optionally, select whether FortiADC uses the IP address of a request to determine the owner of the cookie.

    Allow Suspicious Cookies

    Note: applies only when Security Mode is Encrypted.

    Whether to allow requests that contain cookies FortiADC does not recognize as produced by the cookie encryption function, or that are missing expected cookies.

    When Cookie Replay is enabled, a missing cookie that tracks the client IP address is also treated as suspicious.

    In many cases, when you first introduce the cookie security features, cookies that client browsers have cached earlier generate false positives. To avoid this problem, either select Never, or select Custom and enter an appropriate date on which to start taking the specified action against suspicious cookies.

    • Never—never allow suspicious cookies.
    • Always—always allow suspicious cookies.
    • Custom—Do not block suspicious cookies until the specified date (dont_block_until).

    Severity

    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for this policy:

    • Low
    • Medium
    • High

    The default value is Low.

    Remove Cookie

    Enable this option to accept the request but remove the cookie before sending it to the web server.

    Action

    Select which action FortiADC takes when the conditions of this policy are met.

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Deny—Block the request (or reset the connection).
    • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    • Silent-deny—Deny without log.

    The default value is Alert.

    Max Age

    Enter the maximum age (in minutes) permitted for cookies that do not have an “Expires” or “Max-Age” attribute.

    To configure no expiry age for cookies, enter 0.

    Exception

    Exception list for the Encrypted and Signed security modes.

  5. Save the configuration.
  6. To apply the cookie security policy, select it in a WAF profile.
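The Signed security mode, the HttpOnly and Secure flags, Max Age and Remove Cookie above can be illustrated with a small proxy-side cookie filter: on the way out, each Set-Cookie value gets a signature and the missing attributes; on the way in, a cookie whose signature does not verify is suspicious and is dropped (Remove Cookie) rather than failing the whole request. This is an added Python example, not FortiADC's implementation; the signature format (value, a dot, a base64url HMAC-SHA256 tag), the key, the header values and the helper names are all assumptions or constructed.

```python
import base64
import hashlib
import hmac


def sign_value(value: str, key: bytes) -> str:
    """Signed mode: append a base64url HMAC-SHA256 tag so tampering is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_value(signed: str, key: bytes):
    """Return the original value, or None if the tag is missing or wrong."""
    value, _, _tag = signed.rpartition(".")
    if not value:
        return None
    if hmac.compare_digest(sign_value(value, key).encode(), signed.encode()):
        return value
    return None


def harden_set_cookie(header: str, key: bytes, http_only=True, secure=True,
                      max_age_minutes=60) -> str:
    """Rewrite one Set-Cookie header from the back end on its way to the client:
    sign the value, add HttpOnly / Secure when absent, and add Max-Age when the
    cookie carries neither Expires nor Max-Age (max_age_minutes=0 adds nothing)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = parts[1:]
    present = {a.split("=", 1)[0].lower() for a in attrs}
    out = [f"{name}={sign_value(value, key)}"] + attrs
    if http_only and "httponly" not in present:
        out.append("HttpOnly")
    if secure and "secure" not in present:
        out.append("Secure")
    if max_age_minutes and not present & {"expires", "max-age"}:
        out.append(f"Max-Age={max_age_minutes * 60}")
    return "; ".join(out)


def filter_request_cookies(cookie_header: str, key: bytes, remove_cookie=True):
    """Check the client's Cookie header before forwarding it to the back end.
    Returns (header to forward, names of suspicious cookies). With
    remove_cookie=True a suspicious cookie is dropped but the request goes on."""
    forwarded, suspicious = [], []
    for item in (c.strip() for c in cookie_header.split(";")):
        if not item:
            continue
        name, _, signed = item.partition("=")
        value = verify_value(signed, key)
        if value is None:
            suspicious.append(name)
            if not remove_cookie:
                forwarded.append(item)
        else:
            forwarded.append(f"{name}={value}")   # the back end sees the plain value
    return "; ".join(forwarded), suspicious


if __name__ == "__main__":
    KEY = b"constructed-demo-key"        # a deployment uses a long random secret
    outbound = harden_set_cookie("sessionid=abc123; Path=/", KEY)
    print("to client :", outbound)
    signed = outbound.split(";")[0].split("=", 1)[1]
    print("to backend:", filter_request_cookies(f"sessionid={signed}; tracker=zzz", KEY))
```

Two details matter in practice. The tag is compared with hmac.compare_digest so that verification time does not leak how many bytes of a forged tag were right, and the plain value is only ever reconstructed from a cookie that verified, so the back-end server never sees a tampered value even when Remove Cookie is off and the request is forwarded for logging.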

To configure a data leak prevention policy

  1. Go to Web Application Firewall.
  2. Click the Sensitive Data Protection tab.
  3. Click the Data Leak Prevention tab.
  4. Click Create New to display the configuration editor and fill or change the configurations based on your security requirements.


    Name

    Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters.

    Status

    Click to enable or disable this policy.

    Masking

    Enable to replace sensitive data with asterisks (*). The default is disabled.

    Masking only works with the Alert action.

    Action

    Select which action FortiADC takes when the conditions of this policy are met.

    • Alert—Accept the request and generate an alert email, log message, or both.
    • Deny—Block the request (or reset the connection).
    • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
    • Silent-deny—Deny without log.

    The default value is Alert.

    Severity

    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses for this policy:

    • Low
    • Medium
    • High

    The default value is Low.

    URL Pattern

    Depending on your selection in Request URL Type, type either:

    • the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
    • a regular expression, such as ^/*.php, matching all and only the URLs to which the rule should apply. The pattern does not require a slash ( / ); however, it must at least match URLs that begin with a slash, such as /index.html.

    Note: Rule will not work when URL Pattern is empty.

    Sensitive Data Type

    The data type created under Web Application Firewall > Sensitive Data Type.

    Threshold

    The rule will take effect when the threshold is hit. The default value is 1.

    Note: The threshold does not take effect when masking is enabled.

  5. Save the configuration.
  6. To apply DLP, select it in a WAF profile.
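The DLP fields above (URL Pattern, Sensitive Data Type, Threshold, Masking, Action) and their two notes can be shown as one evaluation over a response body. The Python below is an added example, not FortiADC's code: the two sensitive data types are constructed regular expressions standing in for entries made under Web Application Firewall > Sensitive Data Type, the sample body is constructed, and the readings of the notes (an empty URL Pattern never matches; masking applies only with the Alert action and then ignores the threshold; otherwise the rule fires when the match count reaches the threshold) are assumptions.

```python
import re

# Constructed stand-ins for Sensitive Data Type entries (assumption: the
# appliance's own patterns are not shown on the page).
SENSITIVE_DATA_TYPES = {
    "credit-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed response body carrying one e-mail address and two card-like numbers.
SAMPLE_BODY = ("Order 42 for alice@example.com paid with card 4111 1111 1111 1111; "
               "backup card 5500-0000-0000-0004.")


def apply_dlp(url: str, body: str, policy: dict) -> dict:
    """Evaluate one response against a DLP policy.

    policy keys mirror the fields above:
      url_pattern  regular expression the request URL must match ("" = rule inert)
      data_type    key of SENSITIVE_DATA_TYPES
      threshold    number of matches needed before the rule fires
      action       "alert" | "deny" | "block" | "silent-deny"
      masking      replace each match with asterisks (Alert action only)
    Returns {"action": ..., "matches": ..., "body": ...}.
    """
    if not policy["url_pattern"] or not re.search(policy["url_pattern"], url):
        return {"action": "pass", "matches": 0, "body": body}

    regex = SENSITIVE_DATA_TYPES[policy["data_type"]]
    matches = len(regex.findall(body))
    masking_active = policy["masking"] and policy["action"] == "alert"

    if masking_active:
        # Threshold does not apply: a single match is masked and alerted on.
        if matches == 0:
            return {"action": "pass", "matches": 0, "body": body}
        masked = regex.sub(lambda m: "*" * len(m.group()), body)
        return {"action": "alert", "matches": matches, "body": masked}

    if matches >= policy["threshold"]:
        return {"action": policy["action"], "matches": matches, "body": body}
    return {"action": "pass", "matches": matches, "body": body}


if __name__ == "__main__":
    base = {"url_pattern": r"^/api/", "data_type": "credit-card",
            "threshold": 3, "action": "deny", "masking": False}
    print(apply_dlp("/api/orders/42", SAMPLE_BODY, base))
    print(apply_dlp("/api/orders/42", SAMPLE_BODY, dict(base, action="alert", masking=True)))
```

The masking branch is the one to reach for first when rolling out DLP on a live application: it leaves the response flowing, so a loose pattern shows up as a flood of alerts and mangled fields rather than as an outage, and the threshold-based Deny can be enabled once the pattern has been tuned.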