waf profile
Use this command to configure web application firewall options.
| Command | Description |
|---|---|
| `set extended-log {enable \| disable}` | When extended UTM logging is enabled, additional HTTP header information is logged whenever a UTM event occurs. The following HTTP header fields are included in the extended log: HTTP method, client content type, server content type, user agent, referer, and x-forward-for. These header values are supplied by the client, so treat them as untrusted input when relying on them during an investigation. |
config waf profile
edit {name}
# Web application firewall configuration.
set name {string} WAF Profile name. size[35]
set external {disable | enable} Disable/Enable external HTTP Inspection.
set extended-log {enable | disable} Enable/disable extended logging.
config signature
config main-class
edit {id}
# Main signature class.
set id {integer} Main signature class ID. range[0-4294967295] - datasource(s): waf.main-class.id
set status {enable | disable} Status.
set action {allow | block | erase} Action.
allow Allow.
block Block.
erase Erase credit card numbers.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
next
config disabled-sub-class
edit {id}
# Disabled signature subclasses.
set id {integer} Signature subclass ID. range[0-4294967295] - datasource(s): waf.sub-class.id
next
config disabled-signature
edit {id}
# Disabled signatures.
set id {integer} Signature ID. range[0-4294967295] - datasource(s): waf.signature.id
next
set credit-card-detection-threshold {integer} Minimum number of credit card numbers that must be detected before a violation is raised. range[0-128]
config custom-signature
edit {name}
# Custom signature.
set name {string} Signature name. size[35]
set status {enable | disable} Status.
set action {allow | block | erase} Action.
allow Allow.
block Block.
erase Erase credit card numbers.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
set direction {request | response} Traffic direction.
request Match HTTP request.
response Match HTTP response.
set case-sensitivity {disable | enable} Enable/disable case-sensitive matching of the pattern.
set pattern {string} Match pattern. size[511]
set target {option} Match HTTP target.
arg HTTP arguments.
arg-name Names of HTTP arguments.
req-body HTTP request body.
req-cookie HTTP request cookies.
req-cookie-name HTTP request cookie names.
req-filename HTTP request file name.
req-header HTTP request headers.
req-header-name HTTP request header names.
req-raw-uri Raw URI of HTTP request.
req-uri URI of HTTP request.
resp-body HTTP response body.
resp-hdr HTTP response headers.
resp-status HTTP response status.
next
config constraint
config header-length
set status {enable | disable} Enable/disable the constraint.
set length {integer} Maximum allowed length of the HTTP header in bytes (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config content-length
set status {enable | disable} Enable/disable the constraint.
set length {integer} Maximum allowed length of the HTTP content in bytes (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config param-length
set status {enable | disable} Enable/disable the constraint.
set length {integer} Maximum length of parameter in URL, HTTP POST request or HTTP body in bytes (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config line-length
set status {enable | disable} Enable/disable the constraint.
set length {integer} Maximum allowed length of an HTTP line in bytes (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config url-param-length
set status {enable | disable} Enable/disable the constraint.
set length {integer} Maximum length of URL parameter in bytes (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config version
set status {enable | disable} Enable/disable the constraint.
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config method
set status {enable | disable} Enable/disable the constraint.
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config hostname
set status {enable | disable} Enable/disable the constraint.
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config malformed
set status {enable | disable} Enable/disable the constraint.
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config max-cookie
set status {enable | disable} Enable/disable the constraint.
set max-cookie {integer} Maximum number of cookies in HTTP request (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config max-header-line
set status {enable | disable} Enable/disable the constraint.
set max-header-line {integer} Maximum number of HTTP header lines (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config max-url-param
set status {enable | disable} Enable/disable the constraint.
set max-url-param {integer} Maximum number of parameters in URL (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config max-range-segment
set status {enable | disable} Enable/disable the constraint.
set max-range-segment {integer} Maximum number of range segments in HTTP range line (0 to 2147483647). range[0-2147483647]
set action {allow | block} Action.
allow Allow.
block Block.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config exception
edit {id}
# HTTP constraint exception.
set id {integer} Exception ID. range[0-4294967295]
set pattern {string} URL pattern. size[511]
set regex {enable | disable} Enable/disable regular expression based pattern match.
set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set header-length {enable | disable} HTTP header length in request.
set content-length {enable | disable} HTTP content length in request.
set param-length {enable | disable} Maximum length of parameter in URL, HTTP POST request or HTTP body.
set line-length {enable | disable} HTTP line length in request.
set url-param-length {enable | disable} Maximum length of parameter in URL.
set version {enable | disable} Enable/disable HTTP version check.
set method {enable | disable} Enable/disable HTTP method check.
set hostname {enable | disable} Enable/disable hostname check.
set malformed {enable | disable} Enable/disable malformed HTTP request check.
set max-cookie {enable | disable} Maximum number of cookies in HTTP request.
set max-header-line {enable | disable} Maximum number of HTTP header lines.
set max-url-param {enable | disable} Maximum number of parameters in URL.
set max-range-segment {enable | disable} Maximum number of range segments in HTTP range line.
next
config method
set status {enable | disable} Status.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
set default-allowed-methods {option} HTTP methods allowed by default when no method policy matches.
get HTTP GET method.
post HTTP POST method.
put HTTP PUT method.
head HTTP HEAD method.
connect HTTP CONNECT method.
trace HTTP TRACE method.
options HTTP OPTIONS method.
delete HTTP DELETE method.
others Other HTTP methods.
config method-policy
edit {id}
# HTTP method policy.
set id {integer} HTTP method policy ID. range[0-4294967295]
set pattern {string} URL pattern. size[511]
set regex {enable | disable} Enable/disable regular expression based pattern match.
set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set allowed-methods {option} Allowed Methods.
get HTTP GET method.
post HTTP POST method.
put HTTP PUT method.
head HTTP HEAD method.
connect HTTP CONNECT method.
trace HTTP TRACE method.
options HTTP OPTIONS method.
delete HTTP DELETE method.
others Other HTTP methods.
next
config address-list
set status {enable | disable} Status.
set blocked-log {enable | disable} Enable/disable logging on blocked addresses.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config trusted-address
edit {name}
# Trusted address.
set name {string} Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
next
config blocked-address
edit {name}
# Blocked address.
set name {string} Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
next
config url-access
edit {id}
# URL access list.
set id {integer} URL access ID. range[0-4294967295]
set address {string} Host address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set action {bypass | permit | block} Action.
bypass Allow the HTTP request and skip all further WAF scanning for it.
permit Allow the HTTP request and continue with further WAF scanning.
block Block the HTTP request.
set log {enable | disable} Enable/disable logging.
set severity {high | medium | low} Severity.
high High severity.
medium Medium severity.
low Low severity.
config access-pattern
edit {id}
# URL access pattern.
set id {integer} URL access pattern ID. range[0-4294967295]
set srcaddr {string} Source address. size[63] - datasource(s): firewall.address.name,firewall.addrgrp.name
set pattern {string} URL pattern. size[511]
set regex {enable | disable} Enable/disable regular expression based pattern match.
set negate {enable | disable} Enable/disable match negation.
next
next
set comment {string} Comment. size[1023]
next
end