config security waf http-protocol-constraint
Use this command to configure HTTP protocol checks: HTTP request parameter lengths, HTTP request method, and HTTP response code.
Table 15 describes the three predefined policies.

Predefined Rules | Description
---|---
High-Level-Security | Maximum URI length is 2048 characters. Action is set to deny. Severity is set to high.
Medium-Level-Security | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to medium.
Alert-Only | Maximum URI length is 2048 characters. Action is set to alert. Severity is set to low.
The configurations for these rules are shown in the examples that follow. If desired, you can create user-defined rules to filter traffic with invalid HTTP request methods or drop packets with the specified server response codes.
Before you begin:
- You must have read-write permission for security settings.
After you have created an HTTP protocol constraint policy, you can specify it in a WAF profile configuration.
Syntax
config security waf http-protocol-constraint
  edit <name>
    set exception <datasource>
    set illegal-host-name-check {enable|disable}
    set illegal-host-name-check-action {datasource}
    set illegal-host-name-check-severity {high|medium|low}
    set illegal-http-version-check {enable|disable}
    set illegal-http-version-check-action {datasource}
    set illegal-http-version-check-severity {high|medium|low}
    set max-cookie-number-in-request <integer>
    set max-cookie-number-in-request-action {datasource}
    set max-cookie-number-in-request-severity {high|medium|low}
    set max-header-number-in-request <integer>
    set max-header-number-in-request-action {datasource}
    set max-header-number-in-request-severity {high|medium|low}
    set max-request-body-length <integer>
    set max-request-body-length-action {datasource}
    set max-request-body-length-severity {high|medium|low}
    set max-request-header-length <integer>
    set max-request-header-length-action {datasource}
    set max-request-header-length-severity {high|medium|low}
    set max-request-header-name-length <integer>
    set max-request-header-name-length-action {datasource}
    set max-request-header-name-length-severity {high|medium|low}
    set max-request-header-value-length <integer>
    set max-request-header-value-length-action {datasource}
    set max-request-header-value-length-severity {high|medium|low}
    set max-uri-length <integer>
    set max-uri-length-action {datasource}
    set max-uri-length-severity {high|medium|low}
    set max-url-parameter-name-length <integer>
    set max-url-parameter-name-length-action {datasource}
    set max-url-parameter-name-length-severity {high|medium|low}
    set max-url-parameter-value-length <integer>
    set max-url-parameter-value-length-action {datasource}
    set max-url-parameter-value-length-severity {high|medium|low}
    config request-method-rule
      edit <No.>
        set exception <datasource>
        set action {datasource}
        set severity {high|medium|low}
        set method {CONNECT DELETE GET HEAD OPTIONS OTHERS POST PUT TRACE}
      next
    end
    config response-code-rule
      edit <No.>
        set exception <datasource>
        set action {datasource}
        set severity {high|medium|low}
        set code-min <400-599>
        set code-max <400-599>
      next
    end
  next
end
Parameter | Description
---|---
exception | Specify an exception configuration object.
illegal-host-name-check | Enable/disable hostname checks. A domain name must consist of only ASCII alphabetic and numeric characters, plus the hyphen. The hostname is checked against the set of characters allowed by RFC 2616. Disallowed characters, such as non-printable ASCII characters or other special characters (for example, '<', '>', and the like), are a symptom of an attack.
illegal-host-name-check-action | Specify a WAF action object.
illegal-host-name-check-severity | Specify the severity: high, medium, or low.
illegal-http-version-check | Enable/disable the HTTP version check. Well-formed requests include the version of the protocol used by the client, in the form HTTP/v, where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). Malformed requests are a sign of traffic that was not sent from a normal browser and are a symptom of an attack.
illegal-http-version-check-action | Specify a WAF action object.
illegal-http-version-check-severity | Specify the severity: high, medium, or low.
max-cookie-number-in-request | Maximum number of cookie headers in an HTTP request. The default is 16. The valid range is 1-32.
max-cookie-number-in-request-action | Specify a WAF action object.
max-cookie-number-in-request-severity | Specify the severity: high, medium, or low.
max-header-number-in-request | Maximum number of headers in an HTTP request. The default is 50. Requests with more headers are a symptom of a buffer overflow attack or an attempt to evade detection mechanisms. The valid configuration range is 1-100.
max-header-number-in-request-action | Specify a WAF action object.
max-header-number-in-request-severity | Specify the severity: high, medium, or low.
max-request-body-length | Maximum length of the HTTP body. The default is 67108864. The valid range is 1-67108864.
max-request-body-length-action | Specify a WAF action object.
max-request-body-length-severity | Specify the severity: high, medium, or low.
max-request-header-length | Maximum length of the HTTP request header. The default is 8192. The valid range is 1-16384.
max-request-header-length-action | Specify a WAF action object.
max-request-header-length-severity | Specify the severity: high, medium, or low.
max-request-header-name-length | Maximum characters in an HTTP request header name. The default is 1024. The valid range is 1-8192.
max-request-header-name-length-action | Specify a WAF action object.
max-request-header-name-length-severity | Specify the severity: high, medium, or low.
max-request-header-value-length | Maximum characters in an HTTP request header value. The default is 4096. Longer headers might be a symptom of a buffer overflow attack. The valid configuration range is 1-8192.
max-request-header-value-length-action | Specify a WAF action object.
max-request-header-value-length-severity | Specify the severity: high, medium, or low.
max-uri-length | Maximum characters in an HTTP request URI. The default is 2048. The valid range is 1-8192.
max-uri-length-action | Specify a WAF action object.
max-uri-length-severity | Specify the severity: high, medium, or low.
max-url-parameter-name-length | Maximum characters in a URL parameter name. The default is 1024. The valid range is 1-2048.
max-url-parameter-name-length-action | Specify a WAF action object.
max-url-parameter-name-length-severity | Specify the severity: high, medium, or low.
max-url-parameter-value-length | Maximum characters in a URL parameter value. The default is 4096. The valid range is 1-8192.
max-url-parameter-value-length-action | Specify a WAF action object.
max-url-parameter-value-length-severity | Specify the severity: high, medium, or low.
config request-method-rule | Settings for a request method rule (see the syntax above).
exception | Specify an exception configuration object.
action | Specify a WAF action object.
severity | Specify the severity: high, medium, or low.
method | Specify a space-separated list of methods to match in the HTTP request line: CONNECT, DELETE, GET, HEAD, OPTIONS, POST, PUT, TRACE, and OTHERS. Note: The first eight methods are defined in RFC 2616. OTHERS matches the less commonly used HTTP methods defined by the Web Distributed Authoring and Versioning (WebDAV) extensions.
config response-code-rule | Settings for a response code rule (see the syntax above).
exception | Specify an exception configuration object.
action | Specify a WAF action object.
severity | Specify the severity: high, medium, or low.
code-min | Start of the response code range to match (400-599).
code-max | End of the response code range to match (400-599).
Example
FortiADC-docs # get security waf http-protocol-constraint High-Level-Security
max-uri-length : 2048
max-uri-length-action : deny
max-uri-length-severity : high
max-request-header-name-length: 1024
max-request-header-name-length-action: deny
max-request-header-name-length-severity: high
max-request-header-value-length: 4096
max-request-header-value-length-action: deny
max-request-header-value-length-severity: high
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: deny
max-url-parameter-name-length-severity: high
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: deny
max-url-parameter-value-length-severity: high
illegal-http-version-check : enable
illegal-http-version-check-action: deny
illegal-http-version-check-severity: high
illegal-host-name-check : enable
illegal-host-name-check-action: deny
illegal-host-name-check-severity: high
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: deny
max-cookie-number-in-request-severity: high
max-header-number-in-request : 50
max-header-number-in-request-action: deny
max-header-number-in-request-severity: high
max-request-header-length : 8192
max-request-header-length-action: deny
max-request-header-length-severity: high
max-request-body-length : 67108864
max-request-body-length-action: deny
max-request-body-length-severity: high
exception :
FortiADC-docs # get security waf http-protocol-constraint Medium-Level-Security
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : medium
max-request-header-name-length: 1024
max-request-header-name-length-action: alert
max-request-header-name-length-severity: medium
max-request-header-value-length: 4096
max-request-header-value-length-action: alert
max-request-header-value-length-severity: medium
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: alert
max-url-parameter-name-length-severity: medium
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: alert
max-url-parameter-value-length-severity: medium
illegal-http-version-check : enable
illegal-http-version-check-action: alert
illegal-http-version-check-severity: medium
illegal-host-name-check : enable
illegal-host-name-check-action: alert
illegal-host-name-check-severity: medium
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: alert
max-cookie-number-in-request-severity: medium
max-header-number-in-request : 50
max-header-number-in-request-action: alert
max-header-number-in-request-severity: medium
max-request-header-length : 8192
max-request-header-length-action: alert
max-request-header-length-severity: medium
max-request-body-length : 67108864
max-request-body-length-action: alert
max-request-body-length-severity: medium
exception :
FortiADC-docs # get security waf http-protocol-constraint Alert-Only
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : low
max-request-header-name-length: 1024
max-request-header-name-length-action: alert
max-request-header-name-length-severity: low
max-request-header-value-length: 4096
max-request-header-value-length-action: alert
max-request-header-value-length-severity: low
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: alert
max-url-parameter-name-length-severity: low
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: alert
max-url-parameter-value-length-severity: low
illegal-http-version-check : enable
illegal-http-version-check-action: alert
illegal-http-version-check-severity: low
illegal-host-name-check : enable
illegal-host-name-check-action: alert
illegal-host-name-check-severity: low
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: alert
max-cookie-number-in-request-severity: low
max-header-number-in-request : 50
max-header-number-in-request-action: alert
max-header-number-in-request-severity: low
max-request-header-length : 8192
max-request-header-length-action: alert
max-request-header-length-severity: low
max-request-body-length : 67108864
max-request-body-length-action: alert
max-request-body-length-severity: low
exception :
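The predefined policies set length limits only. The following user-defined policy is an added example, not from the original page: it combines tighter length limits with a request method rule and a response code rule. The policy name api-strict and the limit values are constructed for illustration; the action object names deny and alert are the ones shown in the predefined policy output above.

```text
config security waf http-protocol-constraint
  edit "api-strict"
    # Length limits: deny and log at high severity (constructed values)
    set max-uri-length 1024
    set max-uri-length-action deny
    set max-uri-length-severity high
    set max-request-header-length 8192
    set max-request-header-length-action deny
    set max-request-header-length-severity high
    set max-request-body-length 1048576
    set max-request-body-length-action deny
    set max-request-body-length-severity high
    set max-cookie-number-in-request 8
    set max-cookie-number-in-request-action deny
    set max-cookie-number-in-request-severity medium
    # Protocol well-formedness checks
    set illegal-http-version-check enable
    set illegal-http-version-check-action deny
    set illegal-http-version-check-severity high
    set illegal-host-name-check enable
    set illegal-host-name-check-action deny
    set illegal-host-name-check-severity high
    # Request method rule: deny methods the application never uses
    config request-method-rule
      edit 1
        set method CONNECT TRACE OTHERS
        set action deny
        set severity high
      next
    end
    # Response code rule: alert on server errors (5xx) returned by the backend
    config response-code-rule
      edit 1
        set code-min 500
        set code-max 599
        set action alert
        set severity medium
      next
    end
  next
end
```

Verify the result with get security waf http-protocol-constraint api-strict, as shown for the predefined policies above, and then reference the policy in a WAF profile.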