CLI Reference

waf ftp-command-restriction-rule

Use this command to create FTP command restriction rules to specify acceptable FTP commands that clients can use to communicate with your server(s). Certain FTP commands can expose your server(s) to attack. For example, because attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden your network's security if you're using FTP.

For details about applying an FTP command restriction rule to an FTP server policy, see waf ftp-protection-profile.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.


If ftp-security isn't enabled in feature-visibility, you must enable it before you can create an FTP command restriction rule. To enable ftp-security, see system feature-visibility.

Syntax

    config waf ftp-command-restriction-rule
        edit "<rule_name>"
            set action {alert | alert_deny | block-period | deny_no_log}
            set block-period <block_period_int>
            set severity {High | Info | Low | Medium}
            set trigger "<policy_name>"
            config command-types
                edit <entry_index>
                    set command-type <ftp_command>
                next
            end
        next
    end

Variables

"<rule_name>"

    Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

    Default: No default.

<entry_index>

    Enter the index number of the individual entry in the table. The valid range is 1–999,999,999,999,999,999.

    You must create an entry index for each FTP command that you plan to include in the rule.

    Default: No default.

command-type <ftp_command>

    Enter an FTP command that you want to include in the rule. You can include these FTP commands in the rule:

      • ABOR
      • ACCT
      • ALLO
      • APPE
      • AUTH
      • CDUP
      • CWD
      • DELE
      • EPRT
      • EPSV
      • FEAT
      • HELP
      • LIST
      • MDTM
      • MKD
      • MLSD
      • MODE
      • NLST
      • OPTS
      • PASS
      • PASV
      • PORT
      • PROT
      • PWD
      • QUIT
      • REIN
      • REST
      • RETR
      • RMD
      • RNFR
      • RNTO
      • SITE
      • SIZE
      • SMNT
      • STAT
      • STOR
      • STOU
      • STRU
      • SYST
      • TYPE
      • USER
      • XCUP
      • XMKD
      • XPWD
      • XRMD

    Default: No default.

action {alert | alert_deny | block-period | deny_no_log}

    Select which action FortiWeb will take when it detects a violation of the rule:

      • alert—Accept the connection and generate an alert email and/or log message.
      • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
      • deny_no_log—Block the request (or reset the connection).
      • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block_period_int>.

    Note: This setting will be ignored if monitor-mode {enable | disable} is enabled in a server policy.

    Default: alert

block-period <block_period_int>

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600.

    This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is set to block-period.

    Default: 60

severity {High | Info | Low | Medium}

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:

      • Info
      • Low
      • Medium
      • High

    Default: Medium

trigger "<policy_name>"

    Enter the name of a trigger policy, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule.

    Default: No default.
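As an added worked example (it is not part of the Fortinet reference, and the rule name, the trigger policy name "ftp-alert-trigger" and the chosen command set are assumptions for illustration), the following CLI session enables ftp-security and then creates a rule that admits only the commands an authenticated, passive-mode, read-only client needs. Because the rule lists acceptable commands, hardening means leaving commands out: PORT and EPRT are absent so active-mode data connections, the vector for FTP bounce, are rejected, and the write and rename commands (STOR, STOU, APPE, DELE, RNFR, RNTO, MKD, RMD) are absent too. The exact form of the feature-visibility commands is assumed from the page's reference to system feature-visibility, and the trigger policy must already exist.

```text
config system feature-visibility
    set ftp-security enable
end

config waf ftp-command-restriction-rule
    edit "ftp-passive-readonly"
        set action alert_deny
        set severity High
        set trigger "ftp-alert-trigger"
        config command-types
            edit 1
                set command-type USER
            next
            edit 2
                set command-type PASS
            next
            edit 3
                set command-type SYST
            next
            edit 4
                set command-type FEAT
            next
            edit 5
                set command-type TYPE
            next
            edit 6
                set command-type PASV
            next
            edit 7
                set command-type EPSV
            next
            edit 8
                set command-type PWD
            next
            edit 9
                set command-type CWD
            next
            edit 10
                set command-type CDUP
            next
            edit 11
                set command-type LIST
            next
            edit 12
                set command-type NLST
            next
            edit 13
                set command-type SIZE
            next
            edit 14
                set command-type MDTM
            next
            edit 15
                set command-type RETR
            next
            edit 16
                set command-type QUIT
            next
        end
    next
end
```

With action set to alert_deny, a client that sends PORT or STOR has its request blocked and a High-severity entry written to the attack log through "ftp-alert-trigger". To throttle a misbehaving client instead, replace the action with `set action block-period` and add `set block-period 300` (any value from 1 to 3,600 seconds). The rule takes effect only once it is referenced from an FTP protection profile that is attached to a server policy, and the action is ignored while that policy runs in monitor mode, so confirm the server policy's mode before relying on the rule to block.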

Related Topic
