Fortinet Document Library

Version:


Table of Contents

User Guide

Download PDF
Copy Link

Custom Rule

Custom Rule provides advanced access control capabilities to match complex conditions specific to your web application.

You use the rule's filters to specify all criteria that you require allowed traffic to match.

The filters apply to request traffic only, with the following exceptions:

  • HTTP Response Code and Content Type apply to responses.
  • Signature Violation applies to either requests or responses, depending on which signatures you enable.
  • Occurrence applies to either requests or responses.

 

To create a custom rule

  1. Go to ADVANCED APPLICATIONS > Custom Rule.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create Rule.
  3. Configure these settings.

    Name

    Type a unique name for the custom rule.

    Operation

    Select which action the FortiWeb Cloud will take when it detects a violation of the rule:

    • Deny—Block the request (or reset the connection).
    • Deny (no log)—Block the request (or reset the connection) without generating a log message.
    • Period Block—Block subsequent requests from the client for 10 minutes. Configure the second value when this operation is selected.

    Challenge

    Choose how to challenge users when a custom rule is triggered.

    • Disable—Disable this option to not to challenge users when a rule is triggered.

    • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions. If the client fails the test or does not return results in 20 seconds, FortiWeb Cloud applies specified actions. If the client appears to be a web browser, FortiWeb Cloud allows the client to exceed the action.
    • CAPTCHA Enforcement—Require the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within 3 times or doesn't fulfill the request within 20 seconds, FortiWeb Cloud applies related actions and sends the CAPTCHA block page.

  4. Click ADD FILTER to select the filter types.
  5. Configure these settings.

    Filter Type

    Select the filter types that a request must match in order not to be allowed, and configure their settings respectively.

    Source IP

    The request containing the IP/IP Range will not be allowed.

    • IP/IP Range—Type the IP address of a client that is not allowed.
      You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or IP range. Both IPv4 and IPv6 addresses are supported only on AWS platform currently.
    • Reverse Matching—Once enabled, only the specified IP/IP range will be allowed by FortiWeb Cloud.

    User

    The request containing the user name will not be allowed.

    • User Name—Enter a user name captured in Account Takeover module to match. You must enable Account Takeover module for this user type.
    • Reverse Matching—Once enabled, the request containing the specified user name will be allowed by FortiWeb Cloud.
    URL

    The request matching the specified URL will not be handled.

    • URL Pattern—Type a regular expression that matches one or more URLs, such as /index\.jsp.
    • Reverse Matching—Once enabled, only the specified URL will be handled.

    Parameter

    The request containing specified Name Pattern and Value Pattern will not be handled.

    • Name Pattern—Define the name pattern of a parameter using regular expression.
    • Value Pattern—Define the value pattern of a parameter using regular expression.
    HTTP Header

    The request matching all or part of the specified HTTP header name values will not be handled.

    • HTTP Header—Indicate a single HTTP Header Name such as Accept:, and all or part of its value in Value Pattern.
      • Predefined Header
        Header Name—Select a single HTTP header name from the drop down list.
        Value Pattern—Define the value pattern using regular expression.
        Reverse Matching—Once enabled, the request that matches the specified value pattern will be handled.
      • Custom Header
        Name Pattern—Define the name pattern of a single HTTP header name.
        Value Pattern—Define the value pattern using regular expression.
        Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the regular expression.

    • HTTP Method
      • Method Pattern—Configure a regular expression for the HTTP method that FortiWeb Cloud will search for in the header field.
      • Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the HTTP method's regular expression.

    Content Type

    The request will not be handled if an HTTP response for a file matches one of the specified types.

    Use icons and to add or remove the content types to or from the Allow Content Types list.

    HTTP Response Code

    The request will not be handled if a HTTP response code matches the specified code or range of codes.

    • Code—Enter a response code or code range. For example, 404 or 500-503.

    Known Attacks

    The request will not be handled if FortiWeb Cloud detects selected attack signature categories in the request or response.

    • Cross Site Scripting
    • SQL Injection
    • Generic Attacks
    • Known Exploits
    • Trojans
    • Refer to Known Attacks for information about the attacks above.
    Access Rate Limit

    The request will not be handled if the number of requests per second per client IP exceeds the specified value.

    • Request per Second—Enter a value to indicate the number of requests per second per client IP.

    Packet Interval Timeout

    The request will not be handled if the time period between packets arriving from either the client or server (request or response packets) exceeds the specified value in seconds.

    • Timeout—Enter a value to indicate the time period between packets arriving from either the client or server.
    Transaction Timeout

    The request will not be handled if the lifetime of a HTTP transaction exceeds the specified transaction timeout.

    • Timeout—Enter a value in seconds to indicate the lifetime of a HTTP transaction.

    Occurrence

    The request will not be handled if a transaction matches other filter types in the current rule at a rate that exceeds the specified threshold.

    • Occurrence—Enter a rate that a transaction matches other filter types.
    • Within—Enter a time period in seconds for the occurrence.

    Time Period

    The request will not be handled if the time period of the request matches what you specify.

    • Type—Select Daily or Once for the time period.
    • Time Period—Enter a time period.

    Note: Two colors green and yellow are adapted to classify the filter types; green means filtering HTTP traffic, include Source IP, URL, Parameter, HTTP Header, HTTP Response Code, and Content Type; while yellow is related to security, including Security Rules, Packet Interval Timeout, Transaction Timeout, and Occurrence.

  6. Click OK.
    You can continue creating at most 12 custom rules for an application.
  7. You can click to edit or remove each created rule.

Custom Rule

Custom Rule provides advanced access control capabilities to match complex conditions specific to your web application.

You use the rule's filters to specify all criteria that you require allowed traffic to match.

The filters apply to request traffic only, with the following exceptions:

  • HTTP Response Code and Content Type apply to responses.
  • Signature Violation applies to either requests or responses, depending on which signatures you enable.
  • Occurrence applies to either requests or responses.

 

To create a custom rule

  1. Go to ADVANCED APPLICATIONS > Custom Rule.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Click +Create Rule.
  3. Configure these settings.

    Name

    Type a unique name for the custom rule.

    Operation

    Select which action the FortiWeb Cloud will take when it detects a violation of the rule:

    • Deny—Block the request (or reset the connection).
    • Deny (no log)—Block the request (or reset the connection) without generating a log message.
    • Period Block—Block subsequent requests from the client for 10 minutes. Configure the second value when this operation is selected.

    Challenge

    Choose how to challenge users when a custom rule is triggered.

    • Disable—Disable this option to not to challenge users when a rule is triggered.

    • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions. If the client fails the test or does not return results in 20 seconds, FortiWeb Cloud applies specified actions. If the client appears to be a web browser, FortiWeb Cloud allows the client to exceed the action.
    • CAPTCHA Enforcement—Require the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within 3 times or doesn't fulfill the request within 20 seconds, FortiWeb Cloud applies related actions and sends the CAPTCHA block page.

  4. Click ADD FILTER to select the filter types.
  5. Configure these settings.

    Filter Type

    Select the filter types that a request must match in order not to be allowed, and configure their settings respectively.

    Source IP

    The request containing the IP/IP Range will not be allowed.

    • IP/IP Range—Type the IP address of a client that is not allowed.
      You can enter either a single IP address or a range of addresses (for example, 172.22.14.1-172.22.14.255 or 10:200::10:1-10:200:10:100). Each entry should contain only one IP address or IP range. Both IPv4 and IPv6 addresses are supported only on AWS platform currently.
    • Reverse Matching—Once enabled, only the specified IP/IP range will be allowed by FortiWeb Cloud.

    User

    The request containing the user name will not be allowed.

    • User Name—Enter a user name captured in Account Takeover module to match. You must enable Account Takeover module for this user type.
    • Reverse Matching—Once enabled, the request containing the specified user name will be allowed by FortiWeb Cloud.
    URL

    The request matching the specified URL will not be handled.

    • URL Pattern—Type a regular expression that matches one or more URLs, such as /index\.jsp.
    • Reverse Matching—Once enabled, only the specified URL will be handled.

    Parameter

    The request containing specified Name Pattern and Value Pattern will not be handled.

    • Name Pattern—Define the name pattern of a parameter using regular expression.
    • Value Pattern—Define the value pattern of a parameter using regular expression.
    HTTP Header

    The request matching all or part of the specified HTTP header name values will not be handled.

    • HTTP Header—Indicate a single HTTP Header Name such as Accept:, and all or part of its value in Value Pattern.
      • Predefined Header
        Header Name—Select a single HTTP header name from the drop down list.
        Value Pattern—Define the value pattern using regular expression.
        Reverse Matching—Once enabled, the request that matches the specified value pattern will be handled.
      • Custom Header
        Name Pattern—Define the name pattern of a single HTTP header name.
        Value Pattern—Define the value pattern using regular expression.
        Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the regular expression.

    • HTTP Method
      • Method Pattern—Configure a regular expression for the HTTP method that FortiWeb Cloud will search for in the header field.
      • Reverse Matching—Once enabled, the request will be handled if the HTTP header contains the HTTP method's regular expression.

    Content Type

    The request will not be handled if an HTTP response for a file matches one of the specified types.

    Use icons and to add or remove the content types to or from the Allow Content Types list.

    HTTP Response Code

    The request will not be handled if a HTTP response code matches the specified code or range of codes.

    • Code—Enter a response code or code range. For example, 404 or 500-503.

    Known Attacks

    The request will not be handled if FortiWeb Cloud detects selected attack signature categories in the request or response.

    • Cross Site Scripting
    • SQL Injection
    • Generic Attacks
    • Known Exploits
    • Trojans
    • Refer to Known Attacks for information about the attacks above.
    Access Rate Limit

    The request will not be handled if the number of requests per second per client IP exceeds the specified value.

    • Request per Second—Enter a value to indicate the number of requests per second per client IP.

    Packet Interval Timeout

    The request will not be handled if the time period between packets arriving from either the client or server (request or response packets) exceeds the specified value in seconds.

    • Timeout—Enter a value to indicate the time period between packets arriving from either the client or server.
    Transaction Timeout

    The request will not be handled if the lifetime of a HTTP transaction exceeds the specified transaction timeout.

    • Timeout—Enter a value in seconds to indicate the lifetime of a HTTP transaction.

    Occurrence

    The request will not be handled if a transaction matches other filter types in the current rule at a rate that exceeds the specified threshold.

    • Occurrence—Enter a rate that a transaction matches other filter types.
    • Within—Enter a time period in seconds for the occurrence.

    Time Period

    The request will not be handled if the time period of the request matches what you specify.

    • Type—Select Daily or Once for the time period.
    • Time Period—Enter a time period.

    Note: Two colors green and yellow are adapted to classify the filter types; green means filtering HTTP traffic, include Source IP, URL, Parameter, HTTP Header, HTTP Response Code, and Content Type; while yellow is related to security, including Security Rules, Packet Interval Timeout, Transaction Timeout, and Occurrence.

  6. Click OK.
    You can continue creating at most 12 custom rules for an application.
  7. You can click to edit or remove each created rule.