config security waf exception
Use this command to create exception configuration objects. WAF exceptions identify specific patterns that are not subject to processing by WAF rules. Use WAF exception rules to reduce false positives triggered by legitimate HTTP requests that match an attack signature rule.
Before you begin:
- You must have read-write permission for security settings.
FortiADC supports the following exception rule types: URL, Source IP, Source IPv6, HTTP Method, HTTP Header, Cookie, and Parameter.
Each exception rule type requires specific parameters to be applied. See the sections below for the CLI commands for each exception rule type.
After you have created an exception object, you can specify it in WAF profiles and individual WAF feature rules.
For optimal functionality, we recommend keeping the number of WAF exception rules configured to a minimum. If a large number of WAF exception rules are configured, none may work effectively due to limitations of the shared memory (maximum total is 256.0 MB on the VM platform).
URL
Use this command to create a URL exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type URL
set host-status {enable|disable}
set host-pattern <string>
set url-pattern <string>
next
end
next
end
host-status
Enable/disable setting exceptions by host pattern.
host-pattern
The host-pattern option is configurable if host-status is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 128 characters. For example, you can specify
url-pattern
Specify the matching string. Must begin with a URL path separator (/). Regular expressions are supported. Maximum length is 128 characters. For example, you can specify path names and files with expressions like
Example
config security waf exception
edit "url"
config exception-rule
edit 1
set type URL
set host-status disable
set url-pattern /url1
next
end
next
end
Source IP
Use this command to create a Source IP exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type source-ip
set ip-netmask <ip&netmask>
next
end
next
end
ip-netmask
Specify the IPv4 address with netmask. For example: 192.0.2.5/24
Example
config security waf exception
edit "source-ip"
config exception-rule
edit 2
set type source-ip
set ip-netmask 192.0.2.0/24
next
end
next
end
Source IPv6
Use this command to create a Source IPv6 exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type source-ipv6
set ipv6-netmask <ip&netmask>
next
end
next
end
ipv6-netmask
Specify the IPv6 address with netmask. For example: 2001:0db8:85a3::8a2e:0370:7334/64
Example
config security waf exception
edit "source-ipv6"
config exception-rule
edit 3
set type source-ipv6
set ipv6-netmask 2001:1::50:1:0:20/128
next
end
next
end
HTTP Method
Use this command to create an HTTP method exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type http-method
set methods [GET|POST|HEAD|TRACE|CONNECT|DELETE|PUT|PATCH|OPTIONS|OTHERS]
next
end
next
end
methods
Select the HTTP method(s): GET, POST, HEAD, TRACE, CONNECT, DELETE, PUT, PATCH, OPTIONS, OTHERS. Multiple methods are separated by spaces.
Example
config security waf exception
edit "http-method"
config exception-rule
edit 4
set type http-method
set methods HEAD TRACE CONNECT DELETE PUT PATCH OPTIONS OTHERS
next
end
next
end
HTTP Header
Use this command to create an HTTP Header exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type http-header
set value-check {enable|disable}
set name-pattern <string>
set value-pattern <string>
next
end
next
end
value-check
Enable/disable value checking for the specified element.
name-pattern
Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
value-pattern
The value-pattern option is required if value-check is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
Example
config security waf exception
edit "http-header"
config exception-rule
edit 5
set type http-header
set value-check enable
set name-pattern h_name1
set value-pattern h_value1
next
end
next
end
Cookie
Use this command to create a Cookie exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type cookie
set value-check {enable|disable}
set name-pattern <string>
set value-pattern <string>
next
end
next
end
value-check
Enable/disable value checking for the specified element.
name-pattern
Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
value-pattern
The value-pattern option is required if value-check is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
Example
config security waf exception
edit "cookie"
config exception-rule
edit 6
set type cookie
set value-check enable
set name-pattern c_name1
set value-pattern c_value1
next
end
next
end
Parameter
Use this command to create a Parameter exception rule.
Syntax
config security waf exception
edit <name>
config exception-rule
edit <No.>
set type parameter
set value-check {enable|disable}
set name-pattern <string>
set value-pattern <string>
next
end
next
end
value-check
Enable/disable value checking for the specified element.
name-pattern
Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
value-pattern
The value-pattern option is required if value-check is enabled. Specify the matching string. Regular expressions are supported. Maximum length is 1024 characters. For example:
Note: Some characters must be escaped to be a valid regular expression or be functional as an exception rule. For details, see Limitations: Escaped Characters.
Example
config security waf exception
edit "parameter"
config exception-rule
edit 7
set type parameter
set value-check enable
set name-pattern p_name1
set value-pattern p_value1
next
end
next
end
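The constraints spread across the rule-type sections above (maximum pattern lengths, the leading / on url-pattern, the fixed method list, value-pattern being required when value-check is enabled, and the address/netmask formats) are easy to get wrong when building exception objects by script. The following is an added example, not FortiADC's own code: it checks a rule against those documented constraints before rendering the CLI block in the syntax this page shows. It assumes Python's re module is an adequate stand-in for the device's regular-expression engine for catching gross syntax errors, and it uses the ipaddress module with strict=False so that an address with host bits set, such as the page's 192.0.2.5/24, is accepted.

```python
import ipaddress
import re

# Documented constraints from this page (maximum lengths, required leading "/",
# method names, value-pattern required when value-check is enabled). The
# validation and rendering code itself is an added example, not FortiADC code.
HTTP_METHODS = {"GET", "POST", "HEAD", "TRACE", "CONNECT",
                "DELETE", "PUT", "PATCH", "OPTIONS", "OTHERS"}
NAME_VALUE_TYPES = {"http-header", "cookie", "parameter"}
PATTERN_KEYS = ("host-status", "host-pattern", "url-pattern", "ip-netmask",
                "ipv6-netmask", "value-check", "name-pattern", "value-pattern")


def _pattern_problems(value, field, max_len):
    """Length and syntax checks for a regular-expression field.

    Assumption: Python's re stands in for the device's engine, so this catches
    gross errors such as an empty bracket pair, not every device-specific case.
    """
    problems = []
    if not value:
        return [f"{field} is required"]
    if len(value) > max_len:
        problems.append(f"{field} exceeds the maximum of {max_len} characters")
    try:
        re.compile(value)
    except re.error as exc:
        problems.append(f"{field} is not a valid regular expression: {exc}")
    return problems


def rule_problems(rule):
    """Return the constraint violations for one exception rule (empty list when valid)."""
    rtype = rule.get("type")
    problems = []
    if rtype == "URL":
        url = rule.get("url-pattern", "")
        if not url.startswith("/"):
            problems.append("url-pattern must begin with a URL path separator (/)")
        problems += _pattern_problems(url, "url-pattern", 128)
        if rule.get("host-status") == "enable":
            problems += _pattern_problems(rule.get("host-pattern", ""), "host-pattern", 128)
    elif rtype == "source-ip":
        try:
            # strict=False accepts host bits set, as in the page's 192.0.2.5/24
            ipaddress.IPv4Network(rule.get("ip-netmask", ""), strict=False)
        except ValueError as exc:
            problems.append(f"ip-netmask is not a valid IPv4 address/netmask: {exc}")
    elif rtype == "source-ipv6":
        try:
            ipaddress.IPv6Network(rule.get("ipv6-netmask", ""), strict=False)
        except ValueError as exc:
            problems.append(f"ipv6-netmask is not a valid IPv6 address/netmask: {exc}")
    elif rtype == "http-method":
        methods = rule.get("methods", [])
        unknown = sorted(set(methods) - HTTP_METHODS)
        if not methods:
            problems.append("methods must list at least one HTTP method")
        if unknown:
            problems.append(f"unknown HTTP methods: {', '.join(unknown)}")
    elif rtype in NAME_VALUE_TYPES:
        problems += _pattern_problems(rule.get("name-pattern", ""), "name-pattern", 1024)
        if rule.get("value-check") == "enable":
            problems += _pattern_problems(rule.get("value-pattern", ""), "value-pattern", 1024)
    else:
        problems.append(f"unknown exception rule type: {rtype!r}")
    return problems


def render_exception(name, rules):
    """Render an exception object as the CLI block shown in this page's Syntax sections.

    Raises ValueError listing every violation found, so nothing half-valid is emitted.
    """
    problems = []
    for no, rule in enumerate(rules, start=1):
        problems += [f"rule {no}: {p}" for p in rule_problems(rule)]
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config security waf exception", f'edit "{name}"', "config exception-rule"]
    for no, rule in enumerate(rules, start=1):
        lines += [f"edit {no}", f"set type {rule['type']}"]
        lines += [f"set {key} {rule[key]}" for key in PATTERN_KEYS if key in rule]
        if "methods" in rule:
            lines.append("set methods " + " ".join(rule["methods"]))
        lines.append("next")
    lines += ["end", "next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one rule of several of the types documented above
    sample = [
        {"type": "URL", "host-status": "disable", "url-pattern": "/url1"},
        {"type": "source-ip", "ip-netmask": "192.0.2.0/24"},
        {"type": "http-method", "methods": ["HEAD", "TRACE", "OPTIONS"]},
        {"type": "cookie", "value-check": "enable",
         "name-pattern": "c_name1", "value-pattern": "c_value1"},
    ]
    print(render_exception("sample", sample))
```

Rendering only after every rule passes keeps a partially valid object from reaching the device; the rule numbers in the error text map to the edit <No.> entries the script would have emitted.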
Limitations: Escaped Characters
All name-pattern and value-pattern fields support regular expressions. However, some characters must be escaped for the expression to be valid, or to be functional as an exception rule. If your expression contains characters that require escaping, an error message may be triggered to reject the invalid expression. However, an error may not be triggered by unescaped characters if the expression is considered syntactically correct; such an expression would not function as an exception rule because it will not match any user traffic.
This section lists the most commonly used special characters that need to be escaped to make an input valid or functional as an exception rule.
Brackets: []
Brackets ([]) require other characters between the brackets to be a valid exception rule regular expression.
For example:
Invalid: []
Valid: [123]
[] is an invalid exception rule regular expression because the input only contains brackets with no other characters in between, whereas [123] is valid because there are number characters between the brackets.
Parentheses: ()
Parentheses (()) require a backslash (\) before each parenthesis to be a valid exception rule regular expression: () becomes \(\).
For example:
Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')
Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)
Focusing on the parameter value, mocha:alert('attack%20success') is invalid because there is no backslash before each parenthesis, whereas mocha:alert\('attack success'\) is valid with the backslash inserted before each parenthesis.
Asterisk: *
Asterisks (*) require a backslash (\) before each asterisk to be a valid and functional exception rule: * becomes \*.
For example:
curl -vv -X POST --cookie "Cookie123=abcd" "http://x.x.x.x/index.php?n123=v123&p_name1=p_value1"
Where the cookie name is "cookie" and the cookie value is "a*":
Invalid: a*
Valid: a\*
In this case, both a* and a\* are correct in syntax. However, a* would not be functional as an exception rule because it would not match any user traffic.
Space: %20
Spaces (%20) in URLs must be replaced with literal spaces to be a valid exception rule regular expression.
For example:
Invalid: http://x.x.x.x/login?link=mocha:alert('attack%20success')
Valid: http://x.x.x.x/login?link=mocha:alert\('attack success'\)
Focusing on the parameter value, the invalid expression becomes valid when the %20 is replaced with the space: mocha:alert('attack%20success') becomes mocha:alert\('attack success'\).
Single Quotes: ''
When the name-pattern or value-pattern contains single quotes, they are escaped automatically.
For example:
You may enter the parameter value-pattern as: alert\('attack%20success'\)
The value-pattern will appear as: alert\\(\'attack success\'\\)
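The brackets, parentheses, asterisk and %20 rules above are exactly the kind of thing that slips through when patterns are copied from a log line into an exception rule, and, as the section notes, an unescaped asterisk is accepted as syntax but silently never matches. The following added example (not FortiADC code) lints a pattern against those four rules before it is entered and proposes the corrected form. It does not reproduce the device's automatic escaping of single quotes, since that is applied on the device side, and the error/warning split mirrors the page's distinction between rejected expressions and accepted-but-non-functional ones.

```python
import re

# Lint exception-rule patterns against the escaping limitations documented on
# this page. Added example, not FortiADC code; the automatic escaping of single
# quotes happens on the device and is deliberately not reproduced here.
SPECIAL = "()*"


def _unescaped(pattern, chars):
    """Offsets of characters in `chars` that are not preceded by an escaping backslash."""
    found = []
    escaped = False
    for i, ch in enumerate(pattern):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in chars:
            found.append(i)
    return found


def lint_pattern(pattern):
    """Return one message per limitation the pattern trips (empty list when clean).

    "error" means the device may reject the expression; "warning" means it is
    syntactically acceptable but will not match any traffic.
    """
    messages = []
    # An empty bracket pair, unless the opening bracket is itself escaped
    if re.search(r"(?<!\\)\[\]", pattern):
        messages.append("error: empty brackets [] need characters between them")
    for i in _unescaped(pattern, "()"):
        messages.append(f"error: unescaped '{pattern[i]}' at offset {i}; write \\{pattern[i]}")
    for i in _unescaped(pattern, "*"):
        messages.append(f"warning: unescaped '*' at offset {i} is valid syntax but will not match traffic; write \\*")
    if "%20" in pattern:
        messages.append("error: replace %20 with a literal space")
    return messages


def suggest_fix(pattern):
    """Apply the page's fixes: %20 -> space, then escape every unescaped ( ) *."""
    out = []
    escaped = False
    for ch in pattern.replace("%20", " "):
        if escaped:
            escaped = False          # keep the character the backslash protects
        elif ch == "\\":
            escaped = True
        elif ch in SPECIAL:
            out.append("\\")         # insert the missing backslash
        out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs taken from the examples in this section
    for candidate in ["[]", "[123]", "mocha:alert('attack%20success')", "a*", "a\\*"]:
        print(candidate)
        for message in lint_pattern(candidate) or ["ok"]:
            print("  " + message)
        print("  suggested: " + suggest_fix(candidate))
```

Running lint_pattern over the suggested form should come back empty; if it does not, the pattern contains something the page's rules do not cover and needs a manual look before it goes into an exception object.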