Fortinet white logo
Fortinet white logo

User Guide

Parameter Validation

Parameter Validation

Define validation rules to only permit requests that meet specific parameter (input) requirements to your web applications. According to the defined rules, FortiWeb Cloud can deny any invalid requests or block the request's IP for a period of time, as well as record the invalid requests in the attack log.

A parameter validation rule is composed of a validation operation that will be applied to a URL and one or more validation restrictions to limit parameters, such as to specify whether or not the parameter is required, its maximum allowed length, or its data type.

note icon

FortiWeb Cloud requires at least one parameter rule to be added for each request URL to successfully apply parameter validations. Otherwise, FortiWeb Cloud will accept all requests if there are no restrictions placed on any parameters.

To create a parameter validation rule:
  1. Go to Security Rules > Parameter Validation.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Enable Parameter Validation.
  3. Click +Create Rule.
  4. Configure the following to set the validation operation.
    Name

    Enter a name for the parameter validation rule.

    Request URL

    Enter the URL to which the validation rule will be applied.

    Operation

    Select the action that will be triggered by the validation rule:

    • AlertFortiWeb Cloud will record the invalid request in the attack log.

    • DenyFortiWeb Cloud will block the invalid request and send a "block page" back to the browser, as well as record the request in the attack log.

    • Deny (no log)FortiWeb Cloud will block the invalid request and send a "block page" back to the browser.

    • Period Block – Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked. The default blocking period is 10 minutes. You can configure this value according to your own needs.

    If Period Block is selected, specify the time period between 1 to 3600 seconds.

  5. Click Add Rule.
  6. Configure the following to define the parameter restriction rule.
    Parameter Name

    Type a regular expression that matches the parameter whose values you want to validate. To create a regular expression, see Frequently used regular expressions.

    Max Length

    Specify the maximum allowed length of the parameter between 0 to 1024 characters.

    Required

    Specify whether or not the parameter is required.

    Note: If there isn't any parameter in the request URL, the parameter validation will not be triggered, which means the traffic will let go even if you have configured required parameters in the parameter restriction rule.

    Parameter validation takes effect only when there is at least one parameter in the request URL.

    Use Type Check

    Specify whether or not to check the data-type of the parameter.

    Argument Type

    Specify the argument type of the parameter:

    • Data Type

    • Regular Expression

    Available only if you enabled Use Type Check.

    Data Type

    Select a predefined data type from the drop-down list to limit the format of the parameter value.

    Available only if you enabled Use Type Check and selected Data Type as the Argument Type.

    Regular Expression

    Type a regular expression to limit the format of the parameter value. To create a regular expression, see Frequently used regular expressions.

    Available only if you enabled Use Type Check and selected Regular Expression as the Argument Type.

  7. Click Save Rule.

Parameter Validation

Parameter Validation

Define validation rules to only permit requests that meet specific parameter (input) requirements to your web applications. According to the defined rules, FortiWeb Cloud can deny any invalid requests or block the request's IP for a period of time, as well as record the invalid requests in the attack log.

A parameter validation rule is composed of a validation operation that will be applied to a URL and one or more validation restrictions to limit parameters, such as to specify whether or not the parameter is required, its maximum allowed length, or its data type.

note icon

FortiWeb Cloud requires at least one parameter rule to be added for each request URL to successfully apply parameter validations. Otherwise, FortiWeb Cloud will accept all requests if there are no restrictions placed on any parameters.

To create a parameter validation rule:
  1. Go to Security Rules > Parameter Validation.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Enable Parameter Validation.
  3. Click +Create Rule.
  4. Configure the following to set the validation operation.
    Name

    Enter a name for the parameter validation rule.

    Request URL

    Enter the URL to which the validation rule will be applied.

    Operation

    Select the action that will be triggered by the validation rule:

    • AlertFortiWeb Cloud will record the invalid request in the attack log.

    • DenyFortiWeb Cloud will block the invalid request and send a "block page" back to the browser, as well as record the request in the attack log.

    • Deny (no log)FortiWeb Cloud will block the invalid request and send a "block page" back to the browser.

    • Period Block – Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked. The default blocking period is 10 minutes. You can configure this value according to your own needs.

    If Period Block is selected, specify the time period between 1 to 3600 seconds.

  5. Click Add Rule.
  6. Configure the following to define the parameter restriction rule.
    Parameter Name

    Type a regular expression that matches the parameter whose values you want to validate. To create a regular expression, see Frequently used regular expressions.

    Max Length

    Specify the maximum allowed length of the parameter between 0 to 1024 characters.

    Required

    Specify whether or not the parameter is required.

    Note: If there isn't any parameter in the request URL, the parameter validation will not be triggered, which means the traffic will let go even if you have configured required parameters in the parameter restriction rule.

    Parameter validation takes effect only when there is at least one parameter in the request URL.

    Use Type Check

    Specify whether or not to check the data-type of the parameter.

    Argument Type

    Specify the argument type of the parameter:

    • Data Type

    • Regular Expression

    Available only if you enabled Use Type Check.

    Data Type

    Select a predefined data type from the drop-down list to limit the format of the parameter value.

    Available only if you enabled Use Type Check and selected Data Type as the Argument Type.

    Regular Expression

    Type a regular expression to limit the format of the parameter value. To create a regular expression, see Frequently used regular expressions.

    Available only if you enabled Use Type Check and selected Regular Expression as the Argument Type.

  7. Click Save Rule.