config security waf profile
Use this command to configure web application firewall (WAF) profiles. A WAF profile references the WAF policies that are to be enforced.
In many cases, you can use predefined profiles to get started. Table 16 describes the three predefined profiles and the predefined policies each one references.

Predefined Profile | HTTP protocol constraints policy | SQL injection and XSS detection policy
---|---|---
High-Level-Security | High-Level-Security | High-Level-Security
Medium-Level-Security | Medium-Level-Security | Medium-Level-Security
Alert-Only | Alert-Only | Alert-Only
The configurations for these profiles are shown in the examples that follow. If desired, you can create user-defined profiles.
Before you begin:
- You can use predefined WAF profiles, create profiles based on predefined feature options, or create profiles based on user-defined configuration objects. If you want to add user-defined configuration objects, you must create them before using this command to add them to a WAF profile.
- You must have read-write permission for security settings.
After you have created a WAF profile, you can specify it in a virtual server configuration.
Syntax
config security waf profile
edit <name>
set adaptive-learning <datasource>
set advanced-bot-protection <datasource>
set advanced-protection <datasource>
set api-discovery <datasource>
set api-gateway <datasource>
set biometrics-based-detection <datasource>
set body-decode-length <integer>
set body-decode-type {xml|html|json}
set bot-detection <datasource>
set brute-force-login <datasource>
set cookie-security <datasource>
set cors-protection <datasource>
set csrf-protection <datasource>
set data-leak-prevention <datasource>
set description <string>
set exception <datasource>
set fingerprint-based-detection <datasource>
set heuristic-sql-xss-injection-detection <datasource>
set http-header-cache {enable|disable}
set http-protocol-constraint <datasource>
set input-validation-policy <datasource>
set json-validation <datasource>
set multiple-decode-loop <integer>
set openapi-validation <datasource>
set rule-match-record {enable|disable}
set threshold-based-detection <datasource>
set url-protection <datasource>
set use-original-ip {enable|disable}
set web-attack-signature <datasource>
set xml-validation <datasource>
next
end
Parameter | Description
---|---
adaptive-learning | Specify a predefined or user-defined configuration object.
advanced-bot-protection | Specify a user-defined configuration object.
advanced-protection | Specify a user-defined configuration object.
api-discovery | Specify a user-defined configuration object.
api-gateway | Specify a user-defined configuration object.
biometrics-based-detection | Specify a user-defined configuration object.
body-decode-length | Specify the body decode length in bytes (range: 0 - 4194304 B, default: 1024 B).
body-decode-type | Specify the body decode type. Note: This only applies when the corresponding validation function is enabled.
bot-detection | Specify a user-defined configuration object.
brute-force-login | Specify a user-defined configuration object.
cookie-security | Specify a user-defined configuration object.
cors-protection | Specify a predefined or user-defined configuration object.
csrf-protection | Specify a user-defined configuration object.
data-leak-prevention | Specify a user-defined configuration object.
description | A string that describes the purpose of the configuration, to help you and other administrators identify its use more easily.
exception | Specify an exception configuration object.
fingerprint-based-detection | Specify a user-defined configuration object.
heuristic-sql-xss-injection-detection | Specify a predefined or user-defined configuration object.
http-protocol-constraint | Specify a predefined or user-defined configuration object.
http-header-cache | Enable or disable caching of HTTP headers. Enabled by default. If you experience performance issues, you can disable it; note, however, that the cached HTTP headers are used to populate fields in logs resulting from HTTP body scanning. Can only be set with the CLI.
input-validation-policy | Specify a predefined or user-defined configuration object.
json-validation | Specify a predefined or user-defined configuration object.
multiple-decode-loop | Specify the number of iterations for the multiple decode loop (range: 0 - 16, default: 6).
openapi-validation | Specify a predefined or user-defined configuration object.
rule-match-record | Enable to allow the Security Log to display the part of the rule that was matched when the security event is logged. Disabled by default.
threshold-based-detection | Specify a predefined or user-defined configuration object.
url-protection | Specify a predefined or user-defined configuration object.
use-original-ip | Enable to use the client's original IP address instead of the source IP for attack identification. Disabled by default. When enabled, the client's original IP address taken from the "X-Forwarded-For" header is used in place of the transport source IP for specific WAF functions: WAF Blocked IP matching, Known Good Bots in Bot Detection, and source IP-based rules in the Exception feature. Log records for detected attacks are written with the original client IP. This applies to both HTTP and HTTPS traffic and supports IPv4 and IPv6 addresses. Note: If the HTTP request does not contain "X-Forwarded-For" information, or contains invalid data, the system falls back to the HTTP source IP address.
web-attack-signature | Specify a predefined or user-defined configuration object.
xml-validation | Specify a predefined or user-defined configuration object.
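The use-original-ip fallback described above, modelled as an added example (not FortiADC code): the function takes the X-Forwarded-For address only when the setting is enabled and the value parses as IPv4/IPv6, otherwise it returns the transport source IP, and a second function shows how the resolved address then feeds a Blocked IP style network match. It assumes that the leftmost entry of a comma-separated header is the original client, and the request and block list below are constructed. Because X-Forwarded-For is supplied by whoever sits in front of the ADC, this setting only gives trustworthy results when an upstream proxy you control sets the header.

```python
import ipaddress

def resolve_client_ip(headers, source_ip, use_original_ip):
    """Return the address the WAF should attribute the request to.

    With use-original-ip disabled the transport source IP is used. When it is
    enabled, the X-Forwarded-For value is used instead, and a missing header or
    a value that is not a valid IPv4/IPv6 address falls back to the source IP,
    as the parameter table documents. Assumption: if the header carries a
    comma-separated list, the leftmost entry is the original client.
    """
    if not use_original_ip:
        return source_ip
    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    candidate = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:  # empty or malformed value: fall back to source IP
        return source_ip

def matches_blocked_ip(ip, blocked_networks):
    """WAF Blocked IP style check: is ip inside any configured network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in blocked_networks)

# Constructed request: a proxy at 10.0.0.5 forwarding a client at 203.0.113.9.
PROXIED_REQUEST = {"Host": "app.example", "X-Forwarded-For": "203.0.113.9, 10.0.0.5"}
# Constructed block list covering one IPv4 and one IPv6 range.
BLOCKED = ["203.0.113.0/24", "2001:db8::/32"]
```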
Example
FortiADC-docs # get security waf profile High-Level-Security
web-attack-signature : High-Level-Security
url-protection :
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect: High-Level-Security
description :
http-header-cache : enable
exception :
FortiADC-docs # get security waf profile Medium-Level-Security
web-attack-signature : Medium-Level-Security
url-protection :
http-protocol-constraint : Medium-Level-Security
heuristic-sql-xss-injection-detect: Medium-Level-Security
description :
http-header-cache : enable
exception :
FortiADC-docs # get security waf profile Alert-Only
web-attack-signature : Alert-Only
threshold-based-detection :
url-protection :
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect : Alert-Only
description :
http-header-cache : enable
exception :
FortiADC-docs # config security waf profile
FortiADC-docs (profile) # edit eval
Add new entry 'eval' for node 3000
FortiADC-docs (eval) # get
web-attack-signature :
url-protection :
http-protocol-constraint :
heuristic-sql-xss-injection-detect:
bot-detection :
biometrics-based-detection :
fingerprint-based-detection :
advanced-bot-protection :
description :
http-header-cache : enable
exception :
FortiADC-docs (eval) # set web-attack-signature Alert-Only
FortiADC-docs (eval) # set http-protocol-constraint Alert-Only
FortiADC-docs (eval) # set heuristic-sql-xss-injection-detect Alert-Only
FortiADC-docs (eval) # set exception exception-group
FortiADC-docs (eval) # set description "evaluate alert-only and exception list"
FortiADC-docs (eval-alert-onl~-) # end
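The evaluation profile above deliberately references only Alert-Only policies, which log attacks without blocking them, so it is worth auditing saved profiles before they are attached to a virtual server. The following is an added example, not FortiADC code: it parses captured "get security waf profile" output in the format shown above into a dictionary per profile, then flags core policy slots that are unset or Alert-Only and integer settings outside the ranges given in the parameter table. The sample output is constructed, and the profile names and the 8388608 value are invented to trigger findings.

```python
import re
# Constructed sample in the "get security waf profile" output format shown on
# this page (not captured from a device); "eval" mirrors the page's example.
SAMPLE_OUTPUT = """\
FortiADC-docs # get security waf profile eval
web-attack-signature : Alert-Only
http-protocol-constraint : Alert-Only
heuristic-sql-xss-injection-detect : Alert-Only
body-decode-length : 8388608
description : evaluate alert-only and exception list
exception : exception-group
FortiADC-docs # get security waf profile prod
web-attack-signature : High-Level-Security
http-protocol-constraint : High-Level-Security
heuristic-sql-xss-injection-detect : High-Level-Security
multiple-decode-loop : 6
"""
PROMPT_RE = re.compile(r"^\S+ # get security waf profile (\S+)\s*$")
# Integer ranges taken from the parameter table on this page.
INT_RANGES = {"body-decode-length": (0, 4194304), "multiple-decode-loop": (0, 16)}
# The three policy slots that every predefined profile on this page populates.
CORE_POLICIES = ("web-attack-signature", "http-protocol-constraint",
                 "heuristic-sql-xss-injection-detect")

def parse_profiles(text):
    """Return {profile_name: {setting: value}} from concatenated get output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return profiles

def audit_profile(name, settings):
    """Flag slots that are unset or alert-only, and integers outside the range."""
    findings = []
    for policy in CORE_POLICIES:
        value = settings.get(policy, "")
        if not value:
            findings.append(f"{name}: {policy} is unset, nothing is enforced")
        elif value == "Alert-Only":
            findings.append(f"{name}: {policy} is Alert-Only, logged but not blocked")
    for key, (lo, hi) in INT_RANGES.items():
        if key in settings and not lo <= int(settings[key]) <= hi:
            findings.append(f"{name}: {key}={settings[key]} is outside {lo}-{hi}")
    return findings
```

Running audit_profile over every entry returned by parse_profiles gives an empty list for a clean configuration.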