Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.4.1 CLI Reference
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security waf json-validation-detection

    config security waf json-validation-detection

    Use this command to set JSON validation detection.

    Note: This command only checks HTTP requests with content-type being application/json.

    Predefined WAF profiles
    Predefined Rules Required settings

    High-Level-Security

    format-checks — enable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity —high

    action — deny

    Medium-Level-Security

    format-checks — enable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity — medium

    action — alert

    Alert-Only

    format-checks — enable

    set xss-checks — disable

    set sql-injection-checks — disable

    severity — low

    action — alert

    Syntax

    config security waf json-validation-detection

    edit <name>

    set format-checks enable/disable

    set limit-checks enable/disable

    set limit-max-array-value-num <0-4096>

    set limit-max-depth-num <0-4096>

    set limit-max-object-num <0-4096>

    set limit-max-string-len <0-4096>

    set xss-checks enable/disable

    set sql-injection-checks enable/disable

    set exception <datasource>

    set severity low/medium/high

    set action <datasource>

    set schema-checks <enable/disable>

    set json-schema-id <datasource>

    next

    end

    name

    		 Specify the name of the JSON detection profile.

    format-checks

    Enable or disable JSON format checks, which are security checks for incoming HTTP requests to determine whether they are well-formed.

    Note: If enabled, you must specify FortiADC response actions to malformed HTTP requests, as discussed below.

    limit-checks

    Enable or disable parsing limits to protect web servers from attacks, such as DDOS attacks.

    Note: If enabled, you must change the configuration for the following parameters:

    • Limit max array value
    • Limit max depth
    • Limit max object member
    • Limit max string

    limit-max-array-value-num

    Specify the maximum value within a single array. The default value is 256. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-depth-num

    Specify the maximum depth in a JSON value. The default value is 16. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-object-num

    Specify the maximum number of members in a JSON object. The default value is 64. Valid values range from 0 fro 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-string-len

    Specify the maximum length of a string in a JSON request for a name or a value. The default value is 64. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    xss-checks

    Enable to examine the bodies of incoming JSON requests that might indicate possible cross-site scripting attacks.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the end of this table.

    sql-injection-checks

    Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the beginning of this table.

    exception

    		 Optional. Select the exception profile to be applied to the JSON detection profile.

    severity

    Set the severity level in WAF logs for potential attacks detected by the JSON detection profile by selecting one of the following:

    • High
    • Medium
    • Low

    action

    Specify the action that FortiADC will take upon detecting a potential attack:

    You can choose a WAF action object.

    schema-checks

    Enable or disable JSON schema validation detection.

    Note:Before enabling JSON schema checks, you must upload a JSON schema file to check whether JSON content is well-formed.

    json-schema-id

    Select the JSON schema file that you want to use.

    Example

    config security waf json-validation-detection

    edit "all"

    set format-checks enable

    set meta-os-checks disable

    set limit-checks enable

    set limit-max-array-value-num 1

    set limit-max-depth-num 0

    set limit-max-object-num 0

    set limit-max-string-len 0

    set xss-checks enable

    set sql-injection-checks enable

    unset exception

    set severity high

    set action alert

    next

    end

    Previous
    Next

    config security waf json-validation-detection

    config security waf json-validation-detection

    Use this command to set JSON validation detection.

    Note: This command only checks HTTP requests with content-type being application/json.

    Predefined WAF profiles
    Predefined Rules Required settings

    High-Level-Security

    format-checks — enable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity —high

    action — deny

    Medium-Level-Security

    format-checks — enable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity — medium

    action — alert

    Alert-Only

    format-checks — enable

    set xss-checks — disable

    set sql-injection-checks — disable

    severity — low

    action — alert

    Syntax

    config security waf json-validation-detection

    edit <name>

    set format-checks enable/disable

    set limit-checks enable/disable

    set limit-max-array-value-num <0-4096>

    set limit-max-depth-num <0-4096>

    set limit-max-object-num <0-4096>

    set limit-max-string-len <0-4096>

    set xss-checks enable/disable

    set sql-injection-checks enable/disable

    set exception <datasource>

    set severity low/medium/high

    set action <datasource>

    set schema-checks <enable/disable>

    set json-schema-id <datasource>

    next

    end

    name

    		 Specify the name of the JSON detection profile.

    format-checks

    Enable or disable JSON format checks, which are security checks for incoming HTTP requests to determine whether they are well-formed.

    Note: If enabled, you must specify FortiADC response actions to malformed HTTP requests, as discussed below.

    limit-checks

    Enable or disable parsing limits to protect web servers from attacks, such as DDOS attacks.

    Note: If enabled, you must change the configuration for the following parameters:

    • Limit max array value
    • Limit max depth
    • Limit max object member
    • Limit max string

    limit-max-array-value-num

    Specify the maximum value within a single array. The default value is 256. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-depth-num

    Specify the maximum depth in a JSON value. The default value is 16. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-object-num

    Specify the maximum number of members in a JSON object. The default value is 64. Valid values range from 0 fro 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    limit-max-string-len

    Specify the maximum length of a string in a JSON request for a name or a value. The default value is 64. Valid values range from 0 to 4,096.

    Note: This option is available only when JSON limit-checks is enabled.

    xss-checks

    Enable to examine the bodies of incoming JSON requests that might indicate possible cross-site scripting attacks.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the end of this table.

    sql-injection-checks

    Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the beginning of this table.

    exception

    		 Optional. Select the exception profile to be applied to the JSON detection profile.

    severity

    Set the severity level in WAF logs for potential attacks detected by the JSON detection profile by selecting one of the following:

    • High
    • Medium
    • Low

    action

    Specify the action that FortiADC will take upon detecting a potential attack:

    You can choose a WAF action object.

    schema-checks

    Enable or disable JSON schema validation detection.

    Note:Before enabling JSON schema checks, you must upload a JSON schema file to check whether JSON content is well-formed.

    json-schema-id

    Select the JSON schema file that you want to use.

    Example

    config security waf json-validation-detection

    edit "all"

    set format-checks enable

    set meta-os-checks disable

    set limit-checks enable

    set limit-max-array-value-num 1

    set limit-max-depth-num 0

    set limit-max-object-num 0

    set limit-max-string-len 0

    set xss-checks enable

    set sql-injection-checks enable

    unset exception

    set severity high

    set action alert

    next

    end

    Previous
    Next