waf http-request-flood-prevention-rule
Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL on one of your protected servers.
The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb performs the specified action.
To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when http-session-management {enable | disable} is enabled in the inline protection profile that uses the parent DoS-prevention policy.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
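The counting and blocking behaviour described above (requests counted per session cookie, the configured action applied once the count passes the limit, and a block-period that refuses the session for a fixed number of seconds), modelled in Python as an added illustration. This is not FortiWeb code: the fixed one-second counting window and the reset rule are assumptions, because the page does not describe the appliance's internal accounting, and the sample traffic is constructed.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FloodRule:
    access_limit: int           # access-limit-in-http-session; 0 disables the limit
    action: str = "alert"       # alert | alert_deny | block-period | deny_no_log
    block_period: int = 60      # seconds; only used when action == "block-period"


@dataclass
class SessionState:
    window_start: float = 0.0   # start of the current one-second counting window
    count: int = 0              # requests seen in that window
    blocked_until: float = 0.0  # end of an active block period, if any


class FloodLimiter:
    """Per-session-cookie request counter approximating the rule's behaviour."""

    def __init__(self, rule: FloodRule) -> None:
        self.rule = rule
        self.sessions: dict[str, SessionState] = defaultdict(SessionState)
        self.events: list[tuple[float, str, str]] = []   # (time, cookie, verdict)

    def handle(self, t: float, cookie: str) -> str:
        """Verdict for one request at time t: 'allow', 'alert' or 'deny'."""
        rule, s = self.rule, self.sessions[cookie]
        if rule.access_limit == 0:                 # 0 means the limit is disabled
            return "allow"
        if t < s.blocked_until:                    # still inside a block period
            return self._record(t, cookie, "deny")
        if t - s.window_start >= 1.0:              # assumption: fixed 1-second windows
            s.window_start, s.count = float(int(t)), 0
        s.count += 1
        if s.count <= rule.access_limit:
            return "allow"
        # Limit exceeded: apply the configured action to this request.
        if rule.action == "alert":
            verdict = "alert"                      # logged, but the request passes
        elif rule.action == "block-period":
            s.blocked_until = t + rule.block_period
            verdict = "deny"
        else:                                      # alert_deny or deny_no_log
            verdict = "deny"
        return self._record(t, cookie, verdict)

    def _record(self, t: float, cookie: str, verdict: str) -> str:
        self.events.append((t, cookie, verdict))
        return verdict


def simulate(rule: FloodRule, requests: list[tuple[float, str]]) -> list[str]:
    """Run a sequence of (time, session cookie) requests through one limiter."""
    limiter = FloodLimiter(rule)
    return [limiter.handle(t, cookie) for t, cookie in requests]


# Constructed sample traffic: session A fires 12 requests within one second,
# session B sends 2; A then retries at 30 s and again at 125 s.
SAMPLE_REQUESTS = (
    [(i * 0.05, "A") for i in range(12)]
    + [(0.3, "B"), (0.6, "B")]
    + [(30.0, "A"), (125.0, "A")]
)

if __name__ == "__main__":
    rule = FloodRule(access_limit=10, action="block-period", block_period=120)
    for (t, cookie), verdict in zip(SAMPLE_REQUESTS, simulate(rule, SAMPLE_REQUESTS)):
        print(f"t={t:6.2f}s session={cookie} -> {verdict}")
```

With the page's example values (limit 10, action block-period, 120 seconds) session A's eleventh request inside the first second starts the block, the retry at 30 s is still refused, and the retry at 125 s is served again; session B, with its own cookie, is never affected. Changing the action to alert keeps the excess requests flowing but marks them, which is what a monitoring-only rollout of the rule would look like.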
Syntax
config waf http-request-flood-prevention-rule
edit "<rule_name>"
set access-limit-in-http-session <limit_int>
set action {alert | alert_deny | block-period | deny_no_log}
set bot-recognition {captcha-enforcement | real-browser-enforcement | disable}
set max-attempt-times <attempts_int>
set validation-timeout <seconds_int>
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger-policy "<trigger-policy_name>"
set mobile-app-identification {disabled | mobile-token-validation}
set bot-confirmation {enable | disable}
next
end
Variable: "<rule_name>"
Description: Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
Default: No default.

Variable: access-limit-in-http-session <limit_int>
Description: Enter the maximum number of HTTP connections allowed per second from the same client. The valid range is 0–4,096. To disable the limit, enter 0.
Default: 0

Variable: action {alert | alert_deny | block-period | deny_no_log}
Description: Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the limit: alert, alert_deny, block-period, or deny_no_log.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.
Note: If you select an auto-learning profile with this rule, you should select
Default: alert

Variable: bot-recognition {captcha-enforcement | real-browser-enforcement | disable}
Description: Enable to return JavaScript to the client, when it exceeds the rate limit, to test whether it is a web browser or an automated tool. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to exceed the rate limit. Disable this option to apply the rate limit regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example,
Default: disable

Variable: max-attempt-times <attempts_int>
Description: Available only when
Default: 3

Variable: validation-timeout <seconds_int>
Description: Specify the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Real Browser Enforcement. The valid range is 5–30.
Default: 20

Variable: block-period <seconds_int>
Description: This setting applies only if
Default: 60

Variable: severity {High | Medium | Low | Info}
Description: Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Default: Medium

Variable: trigger-policy "<trigger-policy_name>"
Description: Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter:
Default: No default.

Variable: mobile-app-identification {disabled | mobile-token-validation}
Description: disabled: Do not carry out mobile token verification. mobile-token-validation: Require the client to use a mobile token for verification. To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection.

Variable: bot-confirmation {enable | disable}
Description: Enable to choose how users are verified when bot detection rules are triggered.
Example
This example illustrates a rule that imposes a two-minute blocking period on clients that exceed the set request limit.
config waf http-request-flood-prevention-rule
edit "Web Portal HTTP Request Limit"
set access-limit-in-http-session 10
set action block-period
set block-period 120
set severity Medium
set trigger-policy "Server_Policy_Trigger"
next
end
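A static check for rule blocks in the form shown in this example, added here as an illustration rather than FortiWeb documentation or product code. It parses the CLI text and validates each rule against the constraints the variable table states: name length of at most 63 characters, access-limit-in-http-session within 0–4,096 (0 meaning disabled), validation-timeout within 5–30, and the enumerated action, bot-recognition and severity values. The two "no effect" findings (block-period set without action block-period, validation-timeout set without real-browser-enforcement) are assumptions read off the table's conditional wording, and the second rule in the sample configuration is constructed to trip the checks.

```python
import re

ACTIONS = {"alert", "alert_deny", "block-period", "deny_no_log"}
BOT_MODES = {"captcha-enforcement", "real-browser-enforcement", "disable"}
SEVERITIES = {"High", "Medium", "Low", "Info"}
INT_RANGES = {                      # inclusive ranges stated in the variable table
    "access-limit-in-http-session": (0, 4096),
    "validation-timeout": (5, 30),
}

_EDIT = re.compile(r'^\s*edit\s+"(.*)"\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.+?)\s*$')


def parse_rules(cli_text: str) -> dict[str, dict[str, str]]:
    """Return {rule name: {setting: value}} for each edit ... next block."""
    rules: dict[str, dict[str, str]] = {}
    current = None
    for line in cli_text.splitlines():
        if (m := _EDIT.match(line)):
            current = rules.setdefault(m.group(1), {})
        elif (m := _SET.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line.strip() == "next":
            current = None
    return rules


def lint_rule(name: str, cfg: dict[str, str]) -> list[str]:
    """Findings for one rule; an empty list means it meets the documented constraints."""
    findings: list[str] = []
    if len(name) > 63:
        findings.append("rule name exceeds 63 characters")
    for key, (lo, hi) in INT_RANGES.items():
        if key in cfg and not (cfg[key].isdigit() and lo <= int(cfg[key]) <= hi):
            findings.append(f"{key}={cfg[key]} is outside {lo}-{hi}")
    action = cfg.get("action", "alert")               # table default
    if action not in ACTIONS:
        findings.append(f"action={action} is not one of {sorted(ACTIONS)}")
    bot = cfg.get("bot-recognition", "disable")       # table default
    if bot not in BOT_MODES:
        findings.append(f"bot-recognition={bot} is not one of {sorted(BOT_MODES)}")
    severity = cfg.get("severity", "Medium")          # table default
    if severity not in SEVERITIES:
        findings.append(f"severity={severity} is not one of {sorted(SEVERITIES)}")
    if cfg.get("access-limit-in-http-session", "0") == "0":
        findings.append("access-limit-in-http-session is 0, so the limit is disabled")
    # Assumption: these two settings only matter under the matching action / mode.
    if "block-period" in cfg and action != "block-period":
        findings.append("block-period is set but action is not block-period (assumed to have no effect)")
    if "validation-timeout" in cfg and bot != "real-browser-enforcement":
        findings.append("validation-timeout is set but bot-recognition is not real-browser-enforcement (assumed to have no effect)")
    return findings


def lint_config(cli_text: str) -> dict[str, list[str]]:
    """Lint every rule in a config block; keys are rule names."""
    return {name: lint_rule(name, cfg) for name, cfg in parse_rules(cli_text).items()}


# Constructed sample: the page's example rule plus a deliberately misconfigured one.
SAMPLE_CONFIG = """\
config waf http-request-flood-prevention-rule
    edit "Web Portal HTTP Request Limit"
        set access-limit-in-http-session 10
        set action block-period
        set block-period 120
        set severity Medium
        set trigger-policy "Server_Policy_Trigger"
    next
    edit "Misconfigured Rule"
        set access-limit-in-http-session 5000
        set action block
        set bot-recognition real-browser-enforcement
        set validation-timeout 3
    next
end
"""

if __name__ == "__main__":
    for rule_name, findings in lint_config(SAMPLE_CONFIG).items():
        print(rule_name, "->", findings or "ok")
```

The page's example rule passes cleanly; the constructed second rule is flagged for an out-of-range limit, an action value that is not in the syntax, and a validation-timeout below the documented minimum. The check cannot see whether http-session-management is enabled in the inline protection profile, or whether monitor-mode overrides the action, so those two conditions still have to be confirmed on the profile and policy that use the rule.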