config security waf web-attack-signature
Use this command to configure web attack signature policies. The attack signature policy includes rules to enable scanning of HTTP headers and HTTP body content in HTTP requests, HTTP responses, or both.
Table 17 describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.
Policy | Status | Action
---|---|---
High-Level-Security | enable | High severity: deny; medium severity: deny; low severity: alert
Medium-Level-Security | enable | High severity: deny; medium severity: alert; low severity: alert
Alert-Only | enable | High, medium and low severity: alert
Before you begin:
- You must have read-write permission for security settings.
After you have created a web attack signature policy, you can specify it in a WAF profile configuration.
Syntax
config security waf web-attack-signature
  edit <name>
    set exception <datasource>
    set high-severity-action <datasource>
    set medium-severity-action <datasource>
    set low-severity-action <datasource>
    set request-body-detection {enable|disable}
    set response-body-detection {enable|disable}
    set body-length-limit <integer>
    set body-type-limit <string>
    config category
      edit <category-id>
        set action {alert|deny|block|silent-deny}
        set status {enable|disable}
      next
    end
    config sub-category
      edit <sub-category-id>
        set status {enable|disable}
      next
    end
    config signature
      edit <datasource>
        set status {enable|disable}
        set exception <datasource>
      next
    end
  next
end
Parameter | Description
---|---
exception | Specify an exception configuration object.
request-body-detection | Enable/disable scanning against HTTP request body signatures.
response-body-detection | Enable/disable scanning against HTTP response body signatures.
high-severity-action | Specify a WAF action object.
medium-severity-action | Specify a WAF action object.
low-severity-action | Specify a WAF action object.
body-length-limit | Integer input. HTTP request/response body length limitation, in bytes. Default 1024, range 0-1048576. Can only be enabled when request-body-detection or response-body-detection is enabled.
body-type-limit | String input. HTTP request/response body type limitation. The reserved value "default" provides the default limits; "all" means no limit. Separate multiple custom Content-Type values with ';'; the total maximum length is 1024. Can only be enabled when request-body-detection or response-body-detection is enabled.
config signature | Settings for an individual signature.
status | Enable/disable the signature.
exception | Specify an exception configuration object.
config category | Settings for a signature category.
status | Enable/disable the category status.
action | Specify an action configuration object.
config sub-category | Settings for a signature sub-category.
status | Enable/disable the sub-category status.
Example
FortiADC-VM # get security waf web-attack-signature High-Level-Security
status : enable
request-body-detection : enable
response-body-detection : disable
high-severity-action : deny
medium-severity-action : deny
low-severity-action : alert
exception:
FortiADC-VM # get security waf web-attack-signature Medium-Level-Security
status : enable
request-body-detection : enable
response-body-detection : disable
high-severity-action : deny
medium-severity-action : alert
low-severity-action : alert
exception:
FortiADC-VM # get security waf web-attack-signature Alert-Only
status : enable
request-body-detection : disable
response-body-detection : disable
high-severity-action : alert
medium-severity-action : alert
low-severity-action : alert
exception:
FortiADC-docs # config security waf web-attack-signature
FortiADC-docs (web-attack-sig~a) # edit eval
FortiADC-docs (eval) # config signature
FortiADC-docs (signature) # edit 1002010728
FortiADC-docs (1002010728) # get
status : enable
description :
exception :
FortiADC-docs (1002010728) # set status disable
FortiADC-docs (1002010728) # set description "investigate false positive"
FortiADC-docs (1002010728) # end
FortiADC-docs (eval)# config category
FortiADC-docs (category)# edit 1
FortiADC-docs (1)# set action alert
FortiADC-docs (1)# set status enable
FortiADC-docs (1)# end
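A small audit script, added here as an illustration and not part of the FortiADC documentation or product, that parses the `get security waf web-attack-signature` output shown above and reports policies whose settings leave request or response bodies unscanned or high-severity matches unblocked. The sample output is a constructed copy of the predefined policies, and the checks are an assumed baseline you would adjust to your own standard.

```python
import re

# Constructed sample of the "get security waf web-attack-signature <name>" output
SAMPLE_OUTPUT = """\
FortiADC-VM # get security waf web-attack-signature High-Level-Security
status : enable
request-body-detection : enable
response-body-detection : disable
high-severity-action : deny
medium-severity-action : deny
low-severity-action : alert
exception:
FortiADC-VM # get security waf web-attack-signature Alert-Only
status : enable
request-body-detection : disable
response-body-detection : disable
high-severity-action : alert
medium-severity-action : alert
low-severity-action : alert
exception:
"""

POLICY_RE = re.compile(r"get security waf web-attack-signature (\S+)")
# action values from the syntax block that stop the matching request
BLOCKING_ACTIONS = {"deny", "block", "silent-deny"}


def parse_policies(text):
    """Map each policy name in the 'get' output to its {setting: value} pairs."""
    policies, current = {}, None
    for line in text.splitlines():
        match = POLICY_RE.search(line)
        if match:
            current = policies.setdefault(match.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return policies


def audit_policy(settings):
    """Return findings for settings that leave traffic unscanned or unblocked."""
    findings = []
    if settings.get("status") != "enable":
        findings.append("policy disabled")
    if settings.get("high-severity-action") not in BLOCKING_ACTIONS:
        findings.append("high-severity matches are not blocked")
    for side in ("request", "response"):
        if settings.get(f"{side}-body-detection") != "enable":
            findings.append(f"{side} body not scanned")
    return findings
```

Feed the script the concatenated `get` output for every policy referenced by your WAF profiles; the Alert-Only policy, as expected, is reported for blocking nothing and scanning no body content.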