Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.4.2 CLI Reference
    7.4.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security waf xml-validation-detection

    config security waf xml-validation-detection

    Use this command to configure XML validation detection.

    Note: This command only checks HTTP requests with content type being application/xml and text/xml.

    Predefined WAF profiles
    Predefined Rules Required settings

    High-Level-Security

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity —high

    action — deny

    Medium-Level-Security

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity — mdeium

    action — alert

    Alert-Only

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — disable

    set sql-injection-checks — disable

    severity — low

    action — alert

    Syntax

    config security waf xml-validation-detection

    edit <name>

    set format-checks enable/disable

    set soap-format-checks enable/disable

    set wsdl-checks enable/disable

    set soap_wsdl_id <datasource>

    set schema-checks enable/disable

    set xml-schema-id <datasource>

    set limit-checks enable/disable

    set limit-max-attr-num <1-256>

    set limit-max-attr-name-len <1-2048>

    set limit-max-attr-value-len <1-2048>

    set limit-max-cdata-len <1-65535>

    set limit-max-elem-child-num <1-65535>

    set limit-max-elem-depth-num <1-65535>

    set limit-max-elem-name-len <1-65535>

    set limit-max-namespace-num <0-256>

    set limit-max-namespace-url-len <0-1024>

    set xss-checks enable/disable

    set sql-injection-checks enable/disable

    set exception <datasource>

    set severity low/medium/high

    set action <datasource>

    next

    end

    name

    		 Specify the name of the XML detection profile.

    format-checks

    		 Enable or disable XML format detection.

    schema-checks

    Enable or disable XML schema validation detection.

    Note:Before enabling XML schema checks, you must upload an XML schema file to check whether XML content is well-formed.

    xml-schema-id

    Select the XML schema file that you want to use.

    soap-format-checks

    Enable or disable soap-format-checks.
    wsdl-checks

    Enable or disable WSDL validation detection.

    Note: Before enabling WSDL checks, you must upload an WSDL file to check whether SOAP content is well-formed.

    soap_wsdl_id

    Select the desired WSDL file.

    limit-checks

    Enable or disable XML limit checks.

    Note: If enabled, you must can configure the following parameters:

    • limit-max-attr-num
    • limit-max-attr-name-len
    • limit-max-attr-value-len
    • limit-max-cdata-len
    • limit-max-elem-child-num
    • limit-max-elem-depth-num
    • limit-max-elem-name-len
    • limit-max-namespace-num
    • limit-max-namespace-url-len

    limit-max-attr-num

    Specify the maximum number of attributes each individual element is allowed to have. The default value is 256. Valid values range from 1 to 256.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-attr-name-len

    Specify the maximum length of each attribute name. The default value is 128. Valid values range from 1 to 2,048.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-attr-value-len

    Specify the maximum length of each attribute value. The default value is 128. Valid values range from 1 to 2,048.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-cdata-len

    Specify the length of the Cdata for each element. The default value is 65,535. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-child-num

    Specify the maximum number of children each element is allowed, including other elements and character information. The default value is 65,535. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-depth-num

    Specify the maximum number of nested levels in each element. The default value is 256. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-name-len

    Specify the maximum length of the name of each element. The default value is 128. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-namespace-num

    Specify the number of namespace declarations in the XML document. The default value is 16. Valid values range from 0 to 256.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-namespace-url-len

    Specify the URL length for each namespace declaration. The default value is 256. Valid values range from 0 to 1,024.

    Note: This option is available only when XML limit-checks is enabled.

    xss-checks

    Enable to examine the bodies of incoming XML requests that might indicate possible cross-site scripting attacks.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the beginning of this table.

    sql-injection-checks

    Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the end of this table.

    exception

    		 Optional. Select the exception profile to be applied to the XML detection profile.

    severity

    Set the severity level in WAF logs for potential attacks detected by the XML detection profile by selecting one of the following:

    • High
    • Medium
    • Low

    action

    Specify the action that FortiADC will take upon detecting a potential attack. You can choose a WAF action object.

    Example

    config security waf xml-validation-detection

    edit "all"

    set format-checks enable

    set soap-format-checks enable

    set wsdl-checks enable

    unset soap_wsdl_id

    set schema-checks enable

    unset xml-schema-id

    set limit-checks enable

    set limit-max-attr-num 100

    set limit-max-attr-name-len 100

    set limit-max-attr-value-len 100

    set limit-max-cdata-len 1

    set limit-max-elem-child-num 100

    set limit-max-elem-depth-num 100

    set limit-max-elem-name-len 100

    set limit-max-namespace-num 1

    set limit-max-namespace-url-len 1

    set xss-checks enable

    set sql-injection-checks enable

    unset exception

    set severity medium

    set action alert

    next

    end

    Previous
    Next

    config security waf xml-validation-detection

    config security waf xml-validation-detection

    Use this command to configure XML validation detection.

    Note: This command only checks HTTP requests with content type being application/xml and text/xml.

    Predefined WAF profiles
    Predefined Rules Required settings

    High-Level-Security

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity —high

    action — deny

    Medium-Level-Security

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — enable

    set sql-injection-checks — enable

    severity — mdeium

    action — alert

    Alert-Only

    format-checks — enable

    set soap-format-checks— disable

    set schema-checks — disable

    set xss-checks — disable

    set sql-injection-checks — disable

    severity — low

    action — alert

    Syntax

    config security waf xml-validation-detection

    edit <name>

    set format-checks enable/disable

    set soap-format-checks enable/disable

    set wsdl-checks enable/disable

    set soap_wsdl_id <datasource>

    set schema-checks enable/disable

    set xml-schema-id <datasource>

    set limit-checks enable/disable

    set limit-max-attr-num <1-256>

    set limit-max-attr-name-len <1-2048>

    set limit-max-attr-value-len <1-2048>

    set limit-max-cdata-len <1-65535>

    set limit-max-elem-child-num <1-65535>

    set limit-max-elem-depth-num <1-65535>

    set limit-max-elem-name-len <1-65535>

    set limit-max-namespace-num <0-256>

    set limit-max-namespace-url-len <0-1024>

    set xss-checks enable/disable

    set sql-injection-checks enable/disable

    set exception <datasource>

    set severity low/medium/high

    set action <datasource>

    next

    end

    name

    		 Specify the name of the XML detection profile.

    format-checks

    		 Enable or disable XML format detection.

    schema-checks

    Enable or disable XML schema validation detection.

    Note:Before enabling XML schema checks, you must upload an XML schema file to check whether XML content is well-formed.

    xml-schema-id

    Select the XML schema file that you want to use.

    soap-format-checks

    Enable or disable soap-format-checks.
    wsdl-checks

    Enable or disable WSDL validation detection.

    Note: Before enabling WSDL checks, you must upload an WSDL file to check whether SOAP content is well-formed.

    soap_wsdl_id

    Select the desired WSDL file.

    limit-checks

    Enable or disable XML limit checks.

    Note: If enabled, you must can configure the following parameters:

    • limit-max-attr-num
    • limit-max-attr-name-len
    • limit-max-attr-value-len
    • limit-max-cdata-len
    • limit-max-elem-child-num
    • limit-max-elem-depth-num
    • limit-max-elem-name-len
    • limit-max-namespace-num
    • limit-max-namespace-url-len

    limit-max-attr-num

    Specify the maximum number of attributes each individual element is allowed to have. The default value is 256. Valid values range from 1 to 256.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-attr-name-len

    Specify the maximum length of each attribute name. The default value is 128. Valid values range from 1 to 2,048.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-attr-value-len

    Specify the maximum length of each attribute value. The default value is 128. Valid values range from 1 to 2,048.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-cdata-len

    Specify the length of the Cdata for each element. The default value is 65,535. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-child-num

    Specify the maximum number of children each element is allowed, including other elements and character information. The default value is 65,535. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-depth-num

    Specify the maximum number of nested levels in each element. The default value is 256. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-elem-name-len

    Specify the maximum length of the name of each element. The default value is 128. Valid values range from 1 to 65,535.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-namespace-num

    Specify the number of namespace declarations in the XML document. The default value is 16. Valid values range from 0 to 256.

    Note: This option is available only when XML limit-checks is enabled.

    limit-max-namespace-url-len

    Specify the URL length for each namespace declaration. The default value is 256. Valid values range from 0 to 1,024.

    Note: This option is available only when XML limit-checks is enabled.

    xss-checks

    Enable to examine the bodies of incoming XML requests that might indicate possible cross-site scripting attacks.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the beginning of this table.

    sql-injection-checks

    Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

    Note: If the request contains a positive match, FortiADC will respond with the specified action, as discussed at the end of this table.

    exception

    		 Optional. Select the exception profile to be applied to the XML detection profile.

    severity

    Set the severity level in WAF logs for potential attacks detected by the XML detection profile by selecting one of the following:

    • High
    • Medium
    • Low

    action

    Specify the action that FortiADC will take upon detecting a potential attack. You can choose a WAF action object.

    Example

    config security waf xml-validation-detection

    edit "all"

    set format-checks enable

    set soap-format-checks enable

    set wsdl-checks enable

    unset soap_wsdl_id

    set schema-checks enable

    unset xml-schema-id

    set limit-checks enable

    set limit-max-attr-num 100

    set limit-max-attr-name-len 100

    set limit-max-attr-value-len 100

    set limit-max-cdata-len 1

    set limit-max-elem-child-num 100

    set limit-max-elem-depth-num 100

    set limit-max-elem-name-len 100

    set limit-max-namespace-num 1

    set limit-max-namespace-url-len 1

    set xss-checks enable

    set sql-injection-checks enable

    unset exception

    set severity medium

    set action alert

    next

    end

    Previous
    Next