waf web-protection-profile inline-protection
Use this command to configure inline protection profiles.
Inline protection profiles are a set of attack protection settings. The FortiWeb appliance applies the profile when a connection matches a server policy that includes the protection profile. You can use inline protection profiles in server policies for any mode except Offline Protection.
To apply protection profiles, select them within a server policy. For details, see server-policy policy.
Before configuring an inline protection profile, first configure any of the following that you want to include in the profile:
- Parameter validation rule (see waf parameter-validation-rule)
- Start pages (see waf start-pages)
- Caching of back-end server responses (see waf web-cache-policy)
- URL access policy (see waf url-access url-access-policy
- Hidden field rule group (see waf hidden-fields-protection)
- Parameter restriction constraint (see waf http-protocol-parameter-restriction)
- Authentication policy and/or site publisher (see waf http-authen http-authen-policy and waf site-publish-helper policy)
- Brute force login attack sensor (see waf brute-force-login)
- Allowed method exception (see waf allow-method-exceptions)
- List of manually trusted and black-listed IPs, FortiGuard IP reputation category-based blacklisted IPs, and/or a geographically-based IP blacklist (see waf ip-intelligence, server-policy custom-application application-policy, and waf geo-block-list)
- Page order rule (see waf page-access-rule)
- Attack signatures (see waf signature)
- File security policy (see server-policy custom-application application-policy)
- URL rewriting policy (see waf url-rewrite url-rewrite-policy)
- XML protection policy (waf xml-validation)
- DoS protection policy (see waf application-layer-dos-prevention)
- Compression rules (see waf file-compress-rule)
- Policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without using HTTPS (waf padding-oracle)
- FortiGate that provides a list of quarantined source IPs (system fortigate-integration)
- Cross-site request forgery (CSRF) protection rule (see waf csrf-protection)
- Cookie security policy (see waf cookie-security)
- User tracking policy (see waf user-tracking policy)
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf web-protection-profile inline-protection
edit "<inline-protection-profile_name>"
set http-session-management {enable | disable}
set http-session-timeout <seconds_int>
set x-forwarded-for-rule "<x-forwarded-for_name>"
set amf3-protocol-detection {enable | disable}
set custom-access-policy "<combo-access_name>"
set padding-oracle "<rule_name>"
set csrf-protection "<rule_name>"
set cookie-security-policy "<cookie-security_name>"
set parameter-validation-rule "<rule_name>"
set hidden-fields-protection "<group_name>"
set file-upload-policy "<policy_name>"
set http-protocol-parameter-restriction "<constraint_name>"
set brute-force-login "<sensor_name>"
set url-access-policy "<policy_name>"
set page-access-rule "<rule_name>"
set allow-method-policy "<policy_name>"
set ip-list-policy "<policy_name>"
set geo-block-list-policy "<policy_name>"
set application-layer-dos-prevention "<policy_name>"
set ip-intelligence {enable | disable}
set fortigate-quarantined-ips {enable | disable}
set quarantined-ip-action {alert | alert_deny}
set quarantined-ip-severity {High | Medium | Low}
set quarantined-ip-trigger "<trigger-policy_name>"
set known-search-engine {enable | disable}
set url-rewrite-policy "<group_name>"
set http-authen-policy "<policy_name>"
set http-header-security "<policy_name>"
set site-publisher-helper "<policy_name>"
set file-compress-rule "<rule_name>"
set waf web-protection-profile inline-protection
set web-cache-policy "<web-cache-policy_name>"
set user-tracking-policy "<user-tracking-policy_name>"
set redirect-url "<redirect_fqdn>"
set rdt-reason {enable | disable}
set data-analysis {enable | disable}
set device-tracking {enable | disable}
set device-reputation-security-policy "<drs_policy_name>"
set profile-id "<profile-id_str>"
set mitb-protection "<mitb-protection_name>"
set openapi-validation-policy "<openapi-validation-policy_name>"
set websocket-security-policy "<websocket-security-policy_name>"
set json-validation-policy "<json-validation-policy_name>"
set cors-protection-policy "<cors-protection-policy>"
next
end
Variable | Description | Default |
Enter the name of the inline protection profile. The maximum length is 63 characters. To display the list of existing profiles, enter:
|
No default. | |
Enable to add an implementation of HTTP sessions, and track their states, using a cookie such as Although HTTP has no inherent support for sessions, a notion of individual HTTP client sessions, rather than simply the source IP address and/or timestamp, is required by some features. For example, you might want to require that a client’s first HTTP request always be a login page: the rest of the web pages should be inaccessible if they have not authenticated. Out-of-order requests could represent an attempt to bypass the web application’s native authentication mechanism. How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it could not, by definition, enforce page order. Therefore FortiWeb must keep some record of the first request from that client (the session initiation). It also must record their previous HTTP request(s), until a span of time (the session timeout) has elapsed during which there were no more subsequent requests, after which it would require that the session be initiated again. The session management feature provides such FortiWeb session support. This feature requires that the client support cookies. Note: You must enable this option:
|
disable
|
|
Enter the HTTP session timeout in seconds. The valid range is 20–3,600. This setting is available only if http-session-management {enable | disable} is enabled. |
1200
|
|
Specify the name of a rule that configures FortiWeb’s use of X-Forwarded-For: and X-Real-IP. The maximum length is 63 characters. For details, see waf x-forwarded-for. To display the list of existing rules, enter:
|
No default. | |
signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>} |
Specify a signature policy to include in the profile. The maximum length is 63 characters. For details, see waf signature. To display the list of existing rules, enter:
The type of attack that FortiWeb detects determines the attack log messages for this feature. For a list, see waf signature. |
No default. |
Enable to scan requests that use action message format 3.0 (AMF3) for these attacks if you have enabled those in the signature set specified by signature-rule {"High Level Security" | "Medium Level Security" | "Alert Only" | <signature-set_name>}:
AMF3 is a binary format that Adobe Flash clients can use to send input to server-side software. Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. Failure to enable the option will make the FortiWeb appliance unable to scan AMF3 requests for attacks. |
disable
|
|
Enter the JSON protection policy name. | No default. | |
Enter the CORS protection policy name. | No default. | |
Enter the name of a custom access policy. The maximum length is 63 characters. For details, see waf custom-access policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a padding oracle protection rule. The maximum length is 63 characters. For details, see waf padding-oracle. To display the list of existing rules, enter:
|
No default. | |
Select the name of cross-site request forgery protection rule, if any, to apply to matching requests. For details, see waf csrf-protection. Available only when http-session-management {enable | disable} is enabled . |
No default. | |
Enter the name of a cookie security policy. For details, see waf cookie-security. To display the list of existing policies, enter:
|
||
Enter the name of a parameter validation rule. The maximum length is 63 characters. For details, see waf parameter-validation-rule. To display the list of existing rules, enter:
|
No default. | |
Enter the name of a hidden field rule group that you want to apply, if any. The maximum length is 63 characters. For details, see waf hidden-fields-protection. To display the list of existing groups, enter:
|
No default. | |
Enter the name of a file upload security policy to use, if any. The maximum length is 63 characters. For details, see server-policy custom-application application-policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of an HTTP protocol constraint that you want to apply, if any. The maximum length is 63 characters. For details, see waf http-protocol-parameter-restriction. To display the list of existing profiles, enter:
|
No default. | |
Enter the name of a brute force login attack sensor. The maximum length is 63 characters. For details, see waf brute-force-login. To display the list of existing sensors, enter:
|
No default. | |
Enter the name of a URL access policy. The maximum length is 63 characters. For details, see waf url-access url-access-policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a page order rule. The maximum length is 63 characters. For details, see waf page-access-rule. To display the list of existing rule, enter:
|
No default. | |
Enter the name of a start page rule. The maximum length is 63 characters. For details, see waf start-pages. To display the list of existing rules, enter:
This setting is available only if http-session-management {enable | disable} is enabled. |
No default. | |
Enter the name of an allowed method policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a trusted IP or blacklisted IP policy. The maximum length is 63 characters. For details, see server-policy custom-application application-policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a geographically-based client IP black list that you want to apply, if any. The maximum length is 63 characters. For details, see waf geo-block-list. To display the list of existing groups, enter:
|
No default. | |
Enter the name of an existing DoS protection policy to use with this profile, if any. The maximum length is 63 characters. For details, see waf application-layer-dos-prevention. To display the list of existing profiles, enter:
|
No default. | |
Enable to apply intelligence about the reputation of the client’s source IP. Blocking and logging behavior is configured in waf ip-intelligence. |
disable
|
|
Enable to detect source IP addresses that a FortiGate unit is currently preventing from interacting with the network and protected systems. To configure communication between the FortiOS and FortiWeb, see system fortigate-integration. |
disable
|
|
Specify the action that FortiWeb takes if it detects a quarantined IP address:
|
alert
|
|
Specify the severity that FortiWeb assigns to quarantined IP log messages. |
High
|
|
Enter the name of the trigger to apply when FortiWeb detects a quarantined IP. For deails, see log trigger-policy. To display the list of existing trigger policies, enter:
|
No default. | |
Enable to allow or block predefined search engines, robots, spiders, and web crawlers according to your settings in the global list. Enable to exempt popular search engines’ robots, spiders, and web crawlers from DoS sensors, brute force login sensors, HTTP protocol constraints, and combination rate & access control (called “advanced protection” and “custom policies” in the web UI). This option improves access for search engines. Rapid access rates, unusual HTTP usage, and other characteristics that may be suspicious for web browsers are often normal with search engines. If you block them, your websites’ rankings and visibility may be affected. By default, this option allows all popular predefined search engines. Known search engine indexer source IPs are updated via FortiGuard Security Service. To specify which search engines will be exempt, enable or disable each search engine in server-policy pattern custom-global-white-list-group. Note: X-header-derived client source IPs do not support this feature in this release. If FortiWeb is deployed behind a load balancer or other web proxy that applies source NAT, this feature will not work. For details, see waf x-forwarded-for. |
disable
|
|
Enter the name of a URL rewriting rule set, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. To display the list of existing policies, enter:
For details, see waf url-access url-access-policy. |
No default. | |
Enter the name of an HTTP authentication policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf http-authen http-authen-policy. To display the list of existing profiles, enter:
If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message. |
No default. | |
Enter the name of an HTTP Header Security Policy, if any. For details, see waf http-header-security. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a site publishing policy, if any, that will be applied to matching HTTP requests. The maximum length is 63 characters. For details, see waf site-publish-helper policy. To display the list of existing profiles, enter:
If the HTTP client fails to authenticate, it will receive an HTTP 403 (Access Forbidden) error message. |
No default. | |
Enter the name of an existing file compression rule to use with this profile, if any. The maximum length is 63 characters. For details, see waf file-compress-rule. To display the list of existing rules, enter:
|
No default. | |
Enter the name of content caching policy. The maximum length is 63 characters. For details, see waf web-cache-policy. To display the list of existing policies, enter:
|
No default. | |
Enter the name of a user tracking policy. The maximum length is 63 characters. For details, see waf user-tracking policy. To display the list of existing policies, enter:
|
No default. | |
Enter a URL, including the FQDN/IP and path, if any, to which an HTTP client will be redirected if their HTTP request violates any of the rules in this profile. For example, you could enter If you do not enter a URL, depending on the type of violation and the configuration, the FortiWeb appliance will log the violation, may attempt to remove the offending parts, and could either reset the connection or return an HTTP 403 (Access Forbidden) or 404 (File Not Found) error message. The maximum length is 256 characters. |
No default. | |
Enable to include the reason for URL redirection as a parameter in the URL, such as The FortiWeb appliance also adds Caution: If you specify a redirect URL that is protected by the FortiWeb appliance, you should enable this option to prevent infinite redirect loops. |
No default. | |
Enable this to collect data for servers covered by this profile. To view the statistics for collected data, in the web UI, go to Log&Report > Monitor > Data Analytics. |
disable
|
|
Enter a description or other comment. If the comment contains more than one word or contains an apostrophe, surround the comment in double quotes ( " ). The maximum length is 199 characters. |
No default. | |
Enter to enable Device Tracking. When this feature is enabled, if a device triggers a security violation, FortiWeb generates a unique device ID according to a set of the device's characteristics, including the time zone, source IP, operating system, browser, language, CPU, color depth, and screen size. For details, see system device-tracking. |
disable
|
|
Enter the name of a device reputation security policy, if any. The maximum length is 63 characters. For details, see system device-tracking. To display the list of existing policies, enter:
|
No default. | |
Enter the name of an XML protection policy, if any. The maximum length is 63 characters. For details, see waf xml-validation. To display the list of existing policies, enter:
|
No default. | |
Enter the inline profile ID. | No default. | |
Enter the MiTB protection policy name. | No default. | |
openapi-validation-policy "<openapi-validation-policy_name>" |
Enter the openapi validation policy name. | No default. |
websocket-security-policy "<websocket-security-policy_name>" |
Enter the websocket security policy name. | No default. |
Related topics
- log trigger-policy
- server-policy pattern custom-global-white-list-group
- server-policy policy
- waf signature
- waf start-pages
- waf padding-oracle
- waf page-access-rule
- waf parameter-validation-rule
- waf http-protocol-parameter-restriction
- waf url-access url-access-policy
- waf allow-method-exceptions
- waf application-layer-dos-prevention
- waf file-compress-rule
- waf brute-force-login
- waf geo-block-list
- waf hidden-fields-protection
- waf http-authen http-authen-policy
- waf http-protocol-parameter-restriction
- waf ip-intelligence
- server-policy custom-application application-policy
- waf web-cache-exception
- waf web-cache-policy
- system device-tracking