waf profile
Use this command to configure web application firewall options.
Command | Description |
---|---|
set extended-log {enable | disable} |
When extended UTM log is enabled, more HTTP header information will be logged when a UTM event happens. Note that the following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for. |
config waf profile edit {name} # Web application firewall configuration. set name {string} WAF Profile name. size[35] set external {disable | enable} Disable/Enable external HTTP Inspection. set extended-log {enable | disable} Enable/disable extended logging. config signature config main-class edit {id} # Main signature class. set id {integer} Main signature class ID. range[0-4294967295] - datasource(s): waf.main-class.id set status {enable | disable} Status. set action {allow | block | erase} Action. allow Allow. block Block. erase Erase credit card numbers. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. next config disabled-sub-class edit {id} # Disabled signature subclasses. set id {integer} Signature subclass ID. range[0-4294967295] - datasource(s): waf.sub-class.id next config disabled-signature edit {id} # Disabled signatures set id {integer} Signature ID. range[0-4294967295] - datasource(s): waf.signature.id next set credit-card-detection-threshold {integer} The minimum number of Credit cards to detect violation. range[0-128] config custom-signature edit {name} # Custom signature. set name {string} Signature name. size[35] set status {enable | disable} Status. set action {allow | block | erase} Action. allow Allow. block Block. erase Erase credit card numbers. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. set direction {request | response} Traffic direction. request Match HTTP request. response Match HTTP response. set case-sensitivity {disable | enable} Case sensitivity in pattern. set pattern {string} Match pattern. size[511] set target {option} Match HTTP target. arg HTTP arguments. arg-name Names of HTTP arguments. req-body HTTP request body. req-cookie HTTP request cookies. req-cookie-name HTTP request cookie names. req-filename HTTP request file name. req-header HTTP request headers. req-header-name HTTP request header names. req-raw-uri Raw URI of HTTP request. req-uri URI of HTTP request. resp-body HTTP response body. resp-hdr HTTP response headers. resp-status HTTP response status. next config constraint config header-length set status {enable | disable} Enable/disable the constraint. set length {integer} Length of HTTP header in bytes (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config content-length set status {enable | disable} Enable/disable the constraint. set length {integer} Length of HTTP content in bytes (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config param-length set status {enable | disable} Enable/disable the constraint. set length {integer} Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config line-length set status {enable | disable} Enable/disable the constraint. set length {integer} Length of HTTP line in bytes (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config url-param-length set status {enable | disable} Enable/disable the constraint. set length {integer} Maximum length of URL parameter in bytes (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config version set status {enable | disable} Enable/disable the constraint. set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config method set status {enable | disable} Enable/disable the constraint. set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config hostname set status {enable | disable} Enable/disable the constraint. set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config malformed set status {enable | disable} Enable/disable the constraint. set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config max-cookie set status {enable | disable} Enable/disable the constraint. set max-cookie {integer} Maximum number of cookies in HTTP request (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config max-header-line set status {enable | disable} Enable/disable the constraint. set max-header-line {integer} Maximum number HTTP header lines (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config max-url-param set status {enable | disable} Enable/disable the constraint. set max-url-param {integer} Maximum number of parameters in URL (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config max-range-segment set status {enable | disable} Enable/disable the constraint. set max-range-segment {integer} Maximum number of range segments in HTTP range line (0 to 2147483647). range[0-2147483647] set action {allow | block} Action. allow Allow. block Block. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config exception edit {id} # HTTP constraint exception. set id {integer} Exception ID. range[0-4294967295] set pattern {string} URL pattern. size[511] set regex {enable | disable} Enable/disable regular expression based pattern match. set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set header-length {enable | disable} HTTP header length in request. set content-length {enable | disable} HTTP content length in request. set param-length {enable | disable} Maximum length of parameter in URL, HTTP POST request or HTTP body. set line-length {enable | disable} HTTP line length in request. set url-param-length {enable | disable} Maximum length of parameter in URL. set version {enable | disable} Enable/disable HTTP version check. set method {enable | disable} Enable/disable HTTP method check. set hostname {enable | disable} Enable/disable hostname check. set malformed {enable | disable} Enable/disable malformed HTTP request check. set max-cookie {enable | disable} Maximum number of cookies in HTTP request. set max-header-line {enable | disable} Maximum number of HTTP header line. set max-url-param {enable | disable} Maximum number of parameters in URL. set max-range-segment {enable | disable} Maximum number of range segments in HTTP range line. next config method set status {enable | disable} Status. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity medium medium severity low low severity set default-allowed-methods {option} Methods. get HTTP GET method. post HTTP POST method. put HTTP PUT method. head HTTP HEAD method. connect HTTP CONNECT method. trace HTTP TRACE method. options HTTP OPTIONS method. delete HTTP DELETE method. others Other HTTP methods. config method-policy edit {id} # HTTP method policy. set id {integer} HTTP method policy ID. range[0-4294967295] set pattern {string} URL pattern. size[511] set regex {enable | disable} Enable/disable regular expression based pattern match. set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set allowed-methods {option} Allowed Methods. get HTTP GET method. post HTTP POST method. put HTTP PUT method. head HTTP HEAD method. connect HTTP CONNECT method. trace HTTP TRACE method. options HTTP OPTIONS method. delete HTTP DELETE method. others Other HTTP methods. next config address-list set status {enable | disable} Status. set blocked-log {enable | disable} Enable/disable logging on blocked addresses. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config trusted-address edit {name} # Trusted address. set name {string} Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name next config blocked-address edit {name} # Blocked address. set name {string} Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name next config url-access edit {id} # URL access list set id {integer} URL access ID. range[0-4294967295] set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set action {bypass | permit | block} Action. bypass Allow the HTTP request, also bypass further WAF scanning. permit Allow the HTTP request, and continue further WAF scanning. block Block HTTP request. set log {enable | disable} Enable/disable logging. set severity {high | medium | low} Severity. high High severity. medium Medium severity. low Low severity. config access-pattern edit {id} # URL access pattern. set id {integer} URL access pattern ID. range[0-4294967295] set srcaddr {string} Source address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name set pattern {string} URL pattern. size[511] set regex {enable | disable} Enable/disable regular expression based pattern match. set negate {enable | disable} Enable/disable match negation. next next set comment {string} Comment. size[1023] next end