Custom Rule
Custom Rule provides advanced access control capabilities to match complex conditions specific to your web application.
You use the rule's filters to specify all criteria that you require allowed traffic to match.
The filters apply to request traffic only, with the following exceptions:
- HTTP Response Code and Content Type apply to responses.
- Signature Violation applies to either requests or responses, depending on which signatures you enable.
- Occurrence applies to either requests or responses.
To create a custom rule
- Go to ADVANCED APPLICATIONS > Custom Rule.
You must have already enabled this module in Add Modules. See How to add or remove a module.
- Click +Create Rule.
- Configure these settings.
Name
Type a unique name for the custom rule.
Operation
Select which action the FortiWeb Cloud will take when it detects a violation of the rule:
- Deny—Block the request (or reset the connection).
- Deny (no log)—Block the request (or reset the connection) without generating a log message.
- Period Block—Block the current request. Moreover, all subsequent requests from the same client in the next 10 minutes are also blocked. The default blocking period is 10 minutes; you can configure this value according to your own needs.
Challenge
Choose how to challenge users when a custom rule is triggered.
- Disable—Do not challenge users when a rule is triggered.
- Real Browser Enforcement—Specifies whether FortiWeb Cloud returns JavaScript to the client to test whether it is a web browser or an automated tool when it meets any of the specified conditions. If the client fails the test or does not return results within 20 seconds, FortiWeb Cloud applies the specified action. If the client appears to be a web browser, FortiWeb Cloud allows the client to bypass the action.
- CAPTCHA Enforcement—Require the client to successfully fulfill a CAPTCHA request. If the client cannot fulfill the request within 3 attempts or does not fulfill it within 20 seconds, FortiWeb Cloud applies the related action and sends the CAPTCHA block page.
- Click ADD FILTER to select the filter types.
- Configure these settings.
Filter Type
Select the filter types that a request must match in order not to be allowed, and configure the settings of each.
Source IP
The request containing the IP/IP Range will not be allowed.
- IP/IP Range—Type the IP address of a client that is not allowed.
You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or IP range. Both IPv4 and IPv6 addresses are currently supported only on the AWS platform.
- Reverse Matching—Once enabled, only the specified IP/IP range will be allowed by FortiWeb Cloud.
User
The request containing the user name will not be allowed.
- User Name—Enter a user name captured by the Account Takeover module to match. You must enable the Account Takeover module to use this filter.
- Reverse Matching—Once enabled, the request containing the specified user name will be allowed by FortiWeb Cloud.
URL
The request matching the specified URL will not be handled.
- URL Pattern—Type a regular expression that matches one or more URLs, such as /index\.jsp.
- Reverse Matching—Once enabled, only the specified URL will be handled.
Parameter
The request containing specified Name Pattern and Value Pattern will not be handled.
- Name Pattern—Define the name pattern of a parameter using regular expression.
- Value Pattern—Define the value pattern of a parameter using regular expression.
HTTP Header
The request matching all or part of the specified HTTP header name values will not be handled.
- HTTP Header—Indicate a single HTTP Header Name such as Accept:, and all or part of its value in Value Pattern.
- Predefined Header
Header Name—Select a single HTTP header name from the drop down list.
Value Pattern—Define the value pattern using regular expression.
Reverse Matching—Once enabled, the request that matches the specified value pattern will be handled.
Missing Header Name—Once enabled, the request matches the condition if it does not contain the specified header. This setting cannot be enabled at the same time as Empty Header Value Check. Note that this setting does not take effect for HTTP/2 packets that lack the following pseudo-headers: :method, :scheme, :path, :authority, :status. HTTP/2 packets without these headers never reach the custom rule check; FortiWeb treats them as illegitimate and discards them as soon as they arrive.
Custom Header
Name Pattern—Define the name pattern of a single HTTP header name.
Value Pattern—Define the value pattern using regular expression.
Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the regular expression.
Missing Header Name—Once enabled, the request matches the condition if it does not contain the specified header. This setting cannot be enabled at the same time as Empty Header Value Check. Note that this setting does not take effect for HTTP/2 packets that lack the following pseudo-headers: :method, :scheme, :path, :authority, :status. HTTP/2 packets without these headers never reach the custom rule check; FortiWeb treats them as illegitimate and discards them as soon as they arrive.
Empty Header Value Check—Once enabled, the request matches the condition if it contains the specified header but the value of the matched header is empty. This setting cannot be enabled at the same time as Missing Header Name.
- HTTP Method
- Method Pattern—Configure a regular expression for the HTTP method that FortiWeb Cloud will search for in the header field.
- Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the HTTP method's regular expression.
Content Type
The request will not be handled if an HTTP response for a file matches one of the specified types.
Use the add and remove icons to add content types to, or remove them from, the Allow Content Types list.
HTTP Response Code
The request will not be handled if an HTTP response code matches the specified code or range of codes.
- Code—Enter a response code or code range. For example, 404 or 500-503.
Known Attacks
The request will not be handled if FortiWeb Cloud detects selected attack signature categories in the request or response.
- Cross Site Scripting
- SQL Injection
- Generic Attacks
- Known Exploits
- Trojans
Access Rate Limit
The request will not be handled if the number of requests per second per client IP exceeds the specified value.
- Request per Second—Enter a value to indicate the number of requests per second per client IP.
Packet Interval Timeout
The request will not be handled if the time period between packets arriving from either the client or server (request or response packets) exceeds the specified value in seconds.
- Timeout—Enter a value to indicate the time period between packets arriving from either the client or server.
Transaction Timeout
The request will not be handled if the lifetime of an HTTP transaction exceeds the specified transaction timeout.
- Timeout—Enter a value in seconds to indicate the lifetime of an HTTP transaction.
Occurrence
The request will not be handled if a transaction matches other filter types in the current rule at a rate that exceeds the specified threshold.
- Occurrence—Enter the threshold for how many times a transaction matches the other filter types.
- Within—Enter a time period in seconds for the occurrence.
Time Period
The request will not be handled if the time period of the request matches what you specify.
- Type—Select Daily or Once for the time period.
- Time Period—Enter a time period.
Note: Two colors, green and yellow, are used to classify the filter types. Green means filtering HTTP traffic, including Source IP, URL, Parameter, HTTP Header, HTTP Response Code, and Content Type; yellow relates to security, including Security Rules, Packet Interval Timeout, Transaction Timeout, and Occurrence.
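The Occurrence filter and the Period Block operation both keep per-client state over time. The following is an added illustration of that behaviour, not FortiWeb Cloud code; the class and method names, the counters and the sample timestamps are constructed for this example, with the 10-minute default block period taken from the page.

```python
from collections import deque

# Added illustration of the Occurrence filter and the Period Block operation;
# it is not FortiWeb Cloud code. Class names, counters and timestamps are
# constructed here to show the semantics described on the page.

class OccurrenceTracker:
    """Counts, per client IP, transactions that matched the rule's other filters
    and fires when more than `occurrence` of them fall within `within` seconds."""

    def __init__(self, occurrence, within):
        self.occurrence = occurrence
        self.within = within
        self.hits = {}  # client_ip -> deque of hit timestamps (seconds)

    def record(self, client_ip, now):
        q = self.hits.setdefault(client_ip, deque())
        q.append(now)
        while q and now - q[0] > self.within:  # drop hits outside the window
            q.popleft()
        return len(q) > self.occurrence


class PeriodBlock:
    """Period Block: block the current request and every later request from
    the same client until the block period (default 10 minutes) expires."""

    def __init__(self, block_seconds=600):
        self.block_seconds = block_seconds
        self.blocked_until = {}  # client_ip -> expiry timestamp

    def is_blocked(self, client_ip, now):
        return self.blocked_until.get(client_ip, 0) > now

    def block(self, client_ip, now):
        self.blocked_until[client_ip] = now + self.block_seconds


def decide(client_ip, now, other_filters_hit, tracker, period_block):
    """Return 'blocked', 'deny' or 'allow' for one transaction."""
    if period_block.is_blocked(client_ip, now):
        return "blocked"  # still inside an earlier Period Block
    if other_filters_hit and tracker.record(client_ip, now):
        period_block.block(client_ip, now)
        return "deny"  # rule fired: this request is blocked too
    return "allow"
```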
- Click OK.
You can continue creating at most 12 custom rules for an application.
- You can edit, reorder, or remove each created rule.
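To show how the filters configured in this procedure combine (every filter must match, and Reverse Matching inverts a single filter), here is an added example that is not FortiWeb Cloud code. The matcher functions, the dict keys for filter settings and the sample rule and requests are all constructed for this illustration; the IP range and URL pattern forms follow the page's examples.

```python
import ipaddress
import re

# Added illustration of how the filters on this page combine into one custom
# rule; it is not FortiWeb Cloud code. A rule fires only when EVERY filter
# matches, and Reverse Matching inverts its own filter's result. Dict keys for
# filter settings are constructed for this example.

def match_source_ip(req, cfg):
    """IP/IP Range: a single address or a 'low-high' range, IPv4 or IPv6."""
    addr = ipaddress.ip_address(req["client_ip"])
    hit = False
    for entry in cfg["ranges"]:
        low, _, high = entry.partition("-")
        low_a = ipaddress.ip_address(low)
        high_a = ipaddress.ip_address(high) if high else low_a
        if low_a.version == addr.version and low_a <= addr <= high_a:
            hit = True
    return hit != cfg.get("reverse", False)

def match_url(req, cfg):
    """URL Pattern: regular expression searched against the request URL."""
    hit = re.search(cfg["pattern"], req["url"]) is not None
    return hit != cfg.get("reverse", False)

def match_header(req, cfg):
    """HTTP Header with the Missing Header Name / Empty Header Value options."""
    if cfg.get("missing") and cfg.get("empty"):
        raise ValueError("Missing Header Name and Empty Header Value Check are exclusive")
    headers = {k.lower(): v for k, v in req["headers"].items()}
    name = cfg["name"].lower()
    if cfg.get("missing"):
        hit = name not in headers
    elif cfg.get("empty"):
        hit = name in headers and headers[name] == ""
    else:
        hit = name in headers and re.search(cfg["value_pattern"], headers[name]) is not None
    return hit != cfg.get("reverse", False)

MATCHERS = {"source_ip": match_source_ip, "url": match_url, "header": match_header}

def rule_fires(req, rule):
    """True when all filters match; the rule's Operation (e.g. Deny) then applies."""
    return all(MATCHERS[f["type"]](req, f) for f in rule["filters"])

# Constructed rule: deny requests for the login page from one office range
# that arrive without a User-Agent header (typical of scripted clients).
RULE = {"operation": "Deny", "filters": [
    {"type": "source_ip", "ranges": ["172.22.14.1-172.22.14.255"]},
    {"type": "url", "pattern": r"^/login\.jsp"},
    {"type": "header", "name": "User-Agent", "missing": True},
]}
```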