config security waf profile
Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.
In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined policies.
Predefined Rules | Description |
---|---|
High-Level-Security |
HTTP protocol constraints policy: High-Level-Security SQL injection and XSS detection policy: High-Level-Security |
Medium-Level-Security |
HTTP protocol constraints policy: Medium-Level-Security SQL injection and XSS detection policy: Medium-Level-Security |
Alert-Only |
HTTP protocol constraints policy: Alert-Only SQL injection and XSS detection policy: Alert-Only |
The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.
Before you begin:
- You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
- You must have read-write permission for security settings.
After you have created a WAF profile, you can specify it in a virtual server configuration.
Syntax
config security waf profile
edit <name>
set advanced-protection <datasource>
set bot-detection <datasource>
set brute-force-login <datasource>
set cookie-security <datasource>
set csrf-protection <datasource>
set data-leak-prevention <datasource>
set description <string>
set exception <datasource>
set heuristic-sql-xss-injection-detection <datasource>
set http-header-cache {enable|disable}
set http-protocol-constraint <datasource>
set input-validation-policy <datasource>
set json-validation <datasource>
set openapi-validation <datasource>
set url-protection <datasource>
set web-attack-signature <datasource>
set xml-validation <datasource>
next
end
exception |
Specify an exception configuration object. |
bot-detection |
Specify a user-defined configuration object. |
description |
A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use. |
heuristic-sql-xss-injection-detection |
Specify a predefined or user-defined configuration object. |
http-protocol-constraint |
Specify a predefined or user-defined configuration object. |
url-protection |
Specify a predefined or user-defined configuration object. |
web-attack-signature |
Specify a predefined or user-defined configuration object. |
http-header-cache |
Enable/disable caching HTTP headers. Enabled by default. If you experience performance issues, you can disable. However, the cached HTTP headers are used to populate fields in logs resulting from HTTP body scanning. Can only be set with the CLI. |
input-validation-policy |
Specify a predefined or user-defined configuration object. |
xml-validation |
Specify a predefined or user-defined configuration object. |
json-validation |
Specify a predefined or user-defined configuration object. |
openapi-validation |
Specify a predefined or user-defined configuration object. |
url-protection |
Specify a predefined or user-defined configuration object. |
web-attack-signature |
Specify a predefined or user-defined configuration object. |
Example
FortiADC-docs # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :
http-header-cache : enable
exception :
FortiADC-docs # get security waf profile Medium-Level-Security
web-attack-signature : Medium-Level-Security
url-protection :
http-protocol-constraint : Medium-Level-Security
heuristic-sql-xss-injection-detect: Medium-Level-Security
description :
http-header-cache : enable
exception :
FortiADC-docs # get security waf profile Alert-Only
web-attack-signature : Alert-Only
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect: Alert-Only
description :
http-header-cache : enable
exception :
FortiADC-docs # config security waf profile
FortiADC-docs (profile) # edit eval
Add new entry 'eval' for node 3000
FortiADC-docs (eval) # get
web-attack-signature :
url-protection :
http-protocol-constraint :
heuristic-sql-xss-injection-detect:
bot-detection:
description :
http-header-cache : enable
exception :
FortiADC-docs (eval) # set web-attack-signature Alert-Only
FortiADC-docs (eval) # set http-protocol-constraint Alert-Only
FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only
FortiADC-docs (eval) # set exception exception-group
FortiADC-docs (eval) # set description "evaluate alert-only and exception list"
FortiADC-docs (eval-alert-onl~-) # end