Fortinet Document Library


XML Protection

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML code to attack web servers. XML Protection examines client requests for anomalies in XML code, and also attempts to validate the structure of XML code in client requests using trusted XML schema files.

If your API interfaces are implemented using XML, you can configure XML protection rules to ensure that the content of XML API requests does not contain any potential attacks.

To create an XML protection rule

  1. Go to API PROTECTION > XML Protection.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create XML Protection Rule.
  3. Configure these settings.

    Name

    Enter a name for the XML protection rule.

    Request URL

    Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    Note: FortiWeb Cloud does not apply the XML validation rule to requests whose URLs do not match the Request URL.

    XML Limits

    Enable to define limits for attributes, CDATA, and elements.

    Schema Validation

    Enable to import XML schema files to check XML contents in HTTP requests.

    XML schema files specify the acceptable structure of and elements in an XML document.

    Make sure the schema file does not contain any structural errors; otherwise the XML Protection rule will not take effect.

    Schema File

    Upload an acceptable XML schema file.

    Available only when Schema Validation is enabled.

    Forbid XML Entities

    Enable to configure limits for the XML entities.

  4. Click OK.
  5. In the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable Advanced Configuration in Global > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

  6. Click SAVE.
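As an added illustration of what the XML Limits and Forbid XML Entities settings enforce (example code written for this page, not FortiWeb's own implementation), the checker below stream-parses a request body with Python's standard-library expat parser, counts elements, attributes and CDATA bytes against configured limits, and rejects any DTD entity declaration before it can be expanded. The limit values and sample inputs are constructed assumptions; schema validation is not modelled here.

```python
import xml.parsers.expat

# Constructed limit values; in the rule they come from the XML Limits settings.
LIMITS = {"max_elements": 50, "max_attributes": 20, "max_cdata_len": 1024}

class XmlLimitViolation(Exception): "Raised on the first limit or entity violation."

def check_xml_request(body: bytes, forbid_entities: bool = True, limits=LIMITS) -> dict:
    """Stream-parse body once, counting elements, attributes and CDATA bytes.
    Raises XmlLimitViolation on the first exceeded limit or, when forbid_entities
    is set, on the first <!ENTITY ...> declaration (before any expansion)."""
    counts = {"elements": 0, "attributes": 0, "cdata_len": 0}
    state = {"cdata": False}  # True while inside a <![CDATA[ ... ]]> section
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        counts["elements"] += 1
        counts["attributes"] += len(attrs)
        if counts["elements"] > limits["max_elements"]:
            raise XmlLimitViolation("too many elements")
        if counts["attributes"] > limits["max_attributes"]:
            raise XmlLimitViolation("too many attributes")

    def chars(data):  # expat delivers CDATA content through this handler too
        if state["cdata"]:
            counts["cdata_len"] += len(data.encode("utf-8"))
            if counts["cdata_len"] > limits["max_cdata_len"]:
                raise XmlLimitViolation("CDATA section too long")

    def entity_decl(name, *_):  # fires for every entity declared in the DTD
        if forbid_entities:
            raise XmlLimitViolation(f"entity declaration forbidden: {name}")

    parser.StartElementHandler = start
    parser.StartCdataSectionHandler = lambda: state.update(cdata=True)
    parser.EndCdataSectionHandler = lambda: state.update(cdata=False)
    parser.CharacterDataHandler = chars
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(body, True)  # handler exceptions propagate out of Parse()
    except xml.parsers.expat.ExpatError as exc:
        raise XmlLimitViolation(f"malformed XML: {exc}") from exc
    return counts

def verdict(body: bytes, **kw) -> str:
    """'accept', or 'deny: <reason>' for the rule's action (Alert, Alert & Deny, Deny) to act on."""
    try:
        check_xml_request(body, **kw)
        return "accept"
    except XmlLimitViolation as exc:
        return f"deny: {exc}"
```

Because the entity handler fires while the DTD is being read, an entity-bearing body is rejected before the parser expands anything, which is the property a real gateway check needs.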
