Configuring an HTTP Protocol Constraint policy

The HTTP Protocol Constraint policy includes the following rules:

  • HTTP request parameters—Limit the length of URIs, headers, and body to prevent several types of attacks, such as buffer overflow and denial of service.
  • HTTP request methods—Restrict HTTP methods allowed in HTTP requests. For example, do not allow the PUT method in HTTP requests to prevent attackers from uploading malicious files.
  • HTTP response codes—Drop response traffic containing HTTP response codes that might contain information attackers can use to craft attacks. For example, some HTTP response codes include fingerprint data like web server version, database version, OS, and so on.

Predefined HTTP protocol constraint policies describes the predefined policies.

Predefined HTTP protocol constraint policies

Predefined Rules / Description

High-Level-Security

Protocol constraints enabled with default values. Action is set to deny. Severity is set to high.

Medium-Level-Security

Protocol constraints enabled with default values. Action is set to alert. Severity is set to medium.

Alert-Only

Protocol constraints enabled with default values. Action is set to alert. Severity is set to low.

If desired, you can create user-defined rules to filter traffic with invalid HTTP request methods or drop packets with the specified server response codes.

Before you begin:

  • You should have a sense of legitimate URI lengths and HTTP request methods for the destination resources.
  • You should know whether your servers include application fingerprint information in HTTP response codes.
  • You must have Read-Write permission for Security settings.

To configure an HTTP Protocol Constraint policy:
  1. Go to Web Application Firewall > Common Attacks Detection.
  2. Click the HTTP Protocol Constraint tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in HTTP Protocol Constraint configuration.
  5. Save the configuration.

HTTP Protocol Constraint configuration

Settings / Guidelines

Name

Enter a unique HTTP protocol constraint policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

Note: Once saved, the name of an HTTP protocol constraint policy cannot be changed.

Request Parameters

Maximum URI Length

Maximum characters in an HTTP request URI. The default is 2048. The valid range is 1-8192.

Illegal Host Name

Enable/disable hostname checks. A domain name must consist of only the ASCII alphabetic and numeric characters, plus the hyphen. The hostname is checked against the set of characters allowed by RFC 2616. Disallowed characters, such as non-printable ASCII characters or other special characters (for example, '<', '>', and the like), are a symptom of an attack.

Illegal HTTP Version

Enable/disable the HTTP version check. Well-formed requests include the version of the protocol used by the client, in the form of HTTP/v, where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). Malformed requests are a sign of traffic that was not sent from a normal browser and are a symptom of an attack.

Illegal HTTP Multipart

Enable/disable the HTTP body multipart check. If the content type is a multipart media type, the HTTP body must contain one or more body parts, each preceded by a boundary delimiter line and the last one followed by a closing boundary delimiter line. After its boundary delimiter line, each body part consists of a header area, a blank line, and a body area. Malformed HTTP requests are a sign of traffic that was not sent from a normal browser and are a symptom of an attack.

Maximum Cookie Number In Request

Maximum number of cookie headers in an HTTP request. The default is 16. The valid range is 1-32.

Maximum Header Number In Request

Maximum number of headers in an HTTP request. The default is 50. Requests with more headers are a symptom of a buffer overflow attack or an attempt to evade detection mechanisms. The valid configuration range is 1-100.

Maximum Request Header Name Length

Maximum characters in an HTTP request header name. The default is 1024. The valid range is 1-8192.

Maximum Request Header Value Length

Maximum characters in an HTTP request header value. The default is 4096. Longer headers might be a symptom of a buffer overflow attack. The valid configuration range is 1-8192.

Maximum URL Parameter Name Length

Maximum characters in a URL parameter name. The default is 1024. The valid range is 1-2048.

Maximum URL Parameter Value Length

Maximum characters in a URL parameter value. The default is 4096. The valid range is 1-8192.

Maximum Request Header Length

Maximum length of the HTTP request header. The default is 8192. The valid range is 1-16384.

Maximum Request Body Length

Maximum length of the HTTP body. The default is 67108864. The valid range is 1-67108864.

Constraint Method Override

Enable/disable scanning of the request method carried in the following override headers; when enabled, the method named in any of these headers is also matched against the request method rule:

  • X-HTTP-Method
  • X-Method-Override
  • X-HTTP-Method-Override

Request Method Rule

Method

Select one or more methods to match in the HTTP request line:

  • CONNECT
  • DELETE
  • GET
  • HEAD
  • OPTIONS
  • POST
  • PUT
  • TRACE
  • Others

Note: The first 8 methods are described in RFC 2616. The group Others contains less commonly used HTTP methods defined by the Web Distributed Authoring and Versioning (WebDAV) extensions.

Action

Select the action profile that you want to apply. See Configuring WAF Action objects.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Response Code Rule

Minimum Status Code / Maximum Status Code

Start/end of a range of status codes to match. You can specify codes 400 to 599.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
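To make the request-side constraints concrete, the following added reference model (not FortiADC code) applies the request parameter limits and the request method rule, including the Constraint Method Override headers, to a constructed raw request. The default limits are taken from the table above; allowing an optional :port suffix in the Host header and treating every non-RFC 2616 method as the Others group are assumptions of this model.

```python
import re

# Default limits from the configuration table above (reference model, not FortiADC code).
DEFAULTS = {"max_uri_len": 2048, "max_cookies": 16, "max_headers": 50,
            "max_hdr_name": 1024, "max_hdr_value": 4096}
RFC2616_METHODS = {"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}
OVERRIDE_HEADERS = {"x-http-method", "x-method-override", "x-http-method-override"}
VERSIONS = {"HTTP/0.9", "HTTP/1.0", "HTTP/1.1"}
# ASCII letters, digits and hyphen per label; the optional :port is an assumption of this model.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:\d{1,5})?$")


def check_request(raw, blocked_methods, limits=DEFAULTS, method_override=True):
    """Return the names of the constraints that one raw HTTP request head violates."""
    violations = []
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else ""
    if len(parts) != 3 or parts[2] not in VERSIONS:
        violations.append("Illegal HTTP Version")
    if len(uri) > limits["max_uri_len"]:
        violations.append("Maximum URI Length")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    if len(headers) > limits["max_headers"]:
        violations.append("Maximum Header Number In Request")
    if sum(n.lower() == "cookie" for n, _ in headers) > limits["max_cookies"]:
        violations.append("Maximum Cookie Number In Request")
    if any(len(n) > limits["max_hdr_name"] for n, _ in headers):
        violations.append("Maximum Request Header Name Length")
    if any(len(v) > limits["max_hdr_value"] for _, v in headers):
        violations.append("Maximum Request Header Value Length")
    host = next((v for n, v in headers if n.lower() == "host"), "")
    if not HOSTNAME_RE.match(host):
        violations.append("Illegal Host Name")
    # Request Method Rule: the request-line method, plus the override headers when enabled.
    candidates = {method.upper()}
    if method_override:
        candidates |= {v.upper() for n, v in headers if n.lower() in OVERRIDE_HEADERS}
    for m in sorted(candidates):
        group = m if m in RFC2616_METHODS else "Others"   # WebDAV and other methods -> Others
        if group in blocked_methods:
            violations.append("Request Method Rule (%s)" % m)
    return violations


# Constructed sample: a POST whose X-HTTP-Method-Override header names PUT.
SAMPLE = ("POST /upload HTTP/1.1\r\nHost: app.example.test\r\n"
          "X-HTTP-Method-Override: PUT\r\nCookie: a=1\r\n\r\nbody")

if __name__ == "__main__":
    print(check_request(SAMPLE, {"PUT", "TRACE"}))                        # ['Request Method Rule (PUT)']
    print(check_request(SAMPLE, {"PUT", "TRACE"}, method_override=False))  # []
```

With Constraint Method Override disabled, the same request passes the method rule, which is the gap the override scan is there to close.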