Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.0.0 Handbook
    6.0.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring Input Validation

    Configuring Input Validation

    An Input Validation policy can prevent suspicious HTTP requests. This function will verify the user input from scan points like URL parameter, HTML form, hidden fields, and upload file. If the format isn't correct or FortiADC detects other attacks, the request will be blocked.

    To configure an Input Validation policy:
    1. Go to Web Application Firewall>Input Validation.
    2. Click the Parameter Validation tab.

    3. Click Create New to display the configuration editor. See Parameter Validation.

      Name

      Enter a unique Input Validation policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of an Input Validation policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.
    4. Click Save.

    5. Edit the newly created Parameter Validation. Under Parameter Validation Rule Element, click Create New.

      Name

      Enter a unique Parameter Validation Rule Element name. It must match the value of the name in the input type of the HTML request.

      Max Length

      The maximum length of the Parameter Validation Rule Element name's value.

      User Type Check

      Enable/Disable to check user type

      Argument Type

      Select to use predefined data type or customized regular expression

      Data Type

      Match the string by predefined data type

      Regular Expression

      Matching the string by regular expression

    6. Click Save.

    7. Click the Hidden Field tab.

    8. Click Create New to display the configuration editor. See Hidden Fields.

      Name

      Enter a unique Hidden Fields policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of a Hidden Field policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.
    9. Click Save.

    10. Edit the newly created Hidden Field. Under Post URL, click Create New.

      URL

      The hidden fields function only works on the configured Post URL.
    11. Click Save.

    12. Edit the newly created Hidden Field. Under Hidden Fields, click Create New.

      Caution

      To apply this feature, you must enable Session Management in your protection profile.

      Name

      Enter a unique Parameter Validation Rule Element name. It must match the value of the name in the input type of the HTML request.

    13. Click Save.
    14. Click the File Restriction tab.

    15. Click Create New to display the configuration editor. See File Restriction

      Name

      Enter a unique File Restriction policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of a File Restriction policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.

      Upload File Status

      Allow: Only allow the selected file type to upload.

      Block: Block any upload of the selected file type.

      Upload File Size

      The maximum size of the uploaded file.

    16. Click Save.

    17. Edit the newly created File Restriction. Under Upload File Type, click Create New.

      File Type

      The supported file types for the uploaded file.

    18. Click save.

    19. Go to the Input Validation Policy tab. Click Create New.

      Name

      Enter a unique Input Validation policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of an Input Validation policy cannot be changed.

      Parameter Validation Rule

      The Parameter Validation rule created previously.

      Hidden Field Rule

      The Hidden Field rule created previously.

      File Restriction Rule

      The File Restriction rule created previously.

    20. Click Save. You have successfully created an Input Validation policy.

    Parameter Validation

    Inputs are typically the <input> tags in an HTML form. Input rules define whether or not parameters are required, and their maximum allowed length. Input rules are for visible inputs only, such as buttons and text areas. This function will do the following:

    1. Check HOST by simple string or regular expression matching.
    2. Check URL by simple string or regular expression matching.
    3. Check the parameter name of inputs filed by matching simple string or regular express. Will also restrict the length of the name.

    If the conditions are successfully matched, it will execute the specified action.

    Hidden Fields

    The Hidden Fields rules are for hidden parameters only, from <input type="hidden"> HTML tags. It is often written into an HTML page by the web server when it serves that page to the client, and isnot visible on the rendered web page. This function will do the following:

    1. Check HOST by simple string or regular expression matching .
    2. Check URL by simple string or regular expression matching.
    3. Match the configuration of the fetched URL.

    If the conditions are successfully matched, it will execute the specified action.

    File Restriction

    The File Restriction rule is for restricting file uploads based on file type and size. This function will do the following:

    1. Check HOST by simple string or regular expression matching.
    2. Check URL by simple string or regular expression matching .
    3. Check the uploaded file type and file size by simple string or regular expression matching.

    If the conditions are successfully matched, it will execute the specified action.

    Previous
    Next

    Configuring Input Validation

    Configuring Input Validation

    An Input Validation policy can prevent suspicious HTTP requests. This function will verify the user input from scan points like URL parameter, HTML form, hidden fields, and upload file. If the format isn't correct or FortiADC detects other attacks, the request will be blocked.

    To configure an Input Validation policy:
    1. Go to Web Application Firewall>Input Validation.
    2. Click the Parameter Validation tab.

    3. Click Create New to display the configuration editor. See Parameter Validation.

      Name

      Enter a unique Input Validation policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of an Input Validation policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.
    4. Click Save.

    5. Edit the newly created Parameter Validation. Under Parameter Validation Rule Element, click Create New.

      Name

      Enter a unique Parameter Validation Rule Element name. It must match the value of the name in the input type of the HTML request.

      Max Length

      The maximum length of the Parameter Validation Rule Element name's value.

      User Type Check

      Enable/Disable to check user type

      Argument Type

      Select to use predefined data type or customized regular expression

      Data Type

      Match the string by predefined data type

      Regular Expression

      Matching the string by regular expression

    6. Click Save.

    7. Click the Hidden Field tab.

    8. Click Create New to display the configuration editor. See Hidden Fields.

      Name

      Enter a unique Hidden Fields policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of a Hidden Field policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.
    9. Click Save.

    10. Edit the newly created Hidden Field. Under Post URL, click Create New.

      URL

      The hidden fields function only works on the configured Post URL.
    11. Click Save.

    12. Edit the newly created Hidden Field. Under Hidden Fields, click Create New.

      Caution

      To apply this feature, you must enable Session Management in your protection profile.

      Name

      Enter a unique Parameter Validation Rule Element name. It must match the value of the name in the input type of the HTML request.

    13. Click Save.
    14. Click the File Restriction tab.

    15. Click Create New to display the configuration editor. See File Restriction

      Name

      Enter a unique File Restriction policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of a File Restriction policy cannot be changed.

      Host Status

      Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host.

      Host

      Select which protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule.

      Note: Optional. Only available when Host Status is enabled.

      Request URL

      The HTTP request URL must be start with /. eg./login. This item must be set when configuring the rule. FortiADC will match the other item (rule) when matching the request URL; if the match fails, FortiADC will not attempt to match others.

      Action

      Select the action profile that you want to apply. See Configuring WAF Action objects.

      The default value is Alert.

      Severity

      When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation:

      • Low
      • Medium
      • High

      The default value is Low.

      Upload File Status

      Allow: Only allow the selected file type to upload.

      Block: Block any upload of the selected file type.

      Upload File Size

      The maximum size of the uploaded file.

    16. Click Save.

    17. Edit the newly created File Restriction. Under Upload File Type, click Create New.

      File Type

      The supported file types for the uploaded file.

    18. Click save.

    19. Go to the Input Validation Policy tab. Click Create New.

      Name

      Enter a unique Input Validation policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

      Note: Once saved, the name of an Input Validation policy cannot be changed.

      Parameter Validation Rule

      The Parameter Validation rule created previously.

      Hidden Field Rule

      The Hidden Field rule created previously.

      File Restriction Rule

      The File Restriction rule created previously.

    20. Click Save. You have successfully created an Input Validation policy.

    Parameter Validation

    Inputs are typically the <input> tags in an HTML form. Input rules define whether or not parameters are required, and their maximum allowed length. Input rules are for visible inputs only, such as buttons and text areas. This function will do the following:

    1. Check HOST by simple string or regular expression matching.
    2. Check URL by simple string or regular expression matching.
    3. Check the parameter name of inputs filed by matching simple string or regular express. Will also restrict the length of the name.

    If the conditions are successfully matched, it will execute the specified action.

    Hidden Fields

    The Hidden Fields rules are for hidden parameters only, from <input type="hidden"> HTML tags. It is often written into an HTML page by the web server when it serves that page to the client, and isnot visible on the rendered web page. This function will do the following:

    1. Check HOST by simple string or regular expression matching .
    2. Check URL by simple string or regular expression matching.
    3. Match the configuration of the fetched URL.

    If the conditions are successfully matched, it will execute the specified action.

    File Restriction

    The File Restriction rule is for restricting file uploads based on file type and size. This function will do the following:

    1. Check HOST by simple string or regular expression matching.
    2. Check URL by simple string or regular expression matching .
    3. Check the uploaded file type and file size by simple string or regular expression matching.

    If the conditions are successfully matched, it will execute the specified action.

    Previous
    Next