CLI Reference

waf http-constraints-exceptions

Use set statements under this command to configure exceptions to existing HTTP protocol parameter constraints for specific hosts.

Exceptions may be useful if you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature. Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint policy.

For example, if you enable max-http-header-length in an HTTP protocol constraint exception for a specific host, FortiWeb ignores the HTTP header length check when executing the web protection profile for that host.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf http-constraints-exceptions
    edit "<http-exception_name>"
        config http_constraints-exception-list
            edit <entry_index>
                set request-file "<url_pattern>"
                set request-type {plain | regular}
                set host-status {enable | disable}
                set block-malformed-request {enable | disable}
                set Illegal-content-length-check {enable | disable}
                set Illegal-content-type-check {enable | disable}
                set Illegal-header-name-check {enable | disable}
                set Illegal-header-value-check {enable | disable}
                set Illegal-host-name-check {enable | disable}
                set Illegal-http-request-method-check {enable | disable}
                set Internal-resource-limits-check {enable | disable}
                set max-cookie-in-request {enable | disable}
                set max-header-line-request {enable | disable}
                set max-http-body-length {enable | disable}
                set max-http-body-parameter-length {enable | disable}
                set max-http-content-length {enable | disable}
                set max-http-header-length {enable | disable}
                set max-http-header-line-length {enable | disable}
                set max-http-header-name-length {enable | disable}
                set max-http-header-value-length {enable | disable}
                set max-http-parameter-length {enable | disable}
                set max-http-request-filename-length {enable | disable}
                set max-http-request-length {enable | disable}
                set max-url-param-name-len {enable | disable}
                set max-url-param-value-len {enable | disable}
                set max-url-parameter {enable | disable}
                set max-url-parameter-length {enable | disable}
                set number-of-ranges-in-range-header {enable | disable}
                set parameter-name-check {enable | disable}
                set parameter-value-check {enable | disable}
                set redundant-header-check {enable | disable}
                set source-ip-status {enable | disable}
                set source-ip "<ip_range>"
                set url-param-name-check {enable | disable}
                set url-param-value-check {enable | disable}
                set duplicate-parameter-check {enable | disable}
                set null-byte-in-url-check {enable | disable}
                set Illegal-byte-in-url-check {enable | disable}
                set web-socket-protocol-check {enable | disable}
                set odd-and-even-space-attack-check {enable | disable}
                set rpc-protocol-check {enable | disable}
            next
        end
    next
end

Variable Description Default

"<http-exception_name>"

Enter the name of a new or existing HTTP protocol constraint exception. The maximum length is 63 characters.

To display the list of existing exceptions, enter:

edit ?

No default

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default

request-file "<url_pattern>"

Enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

Do not include the name of the web host, such as www.example.com, which is configured separately in host. The maximum length is 256 characters.

No default

request-type {plain | regular}

Enter either plain or regular (for a regular expression) to match the string entered in request-file "<url_pattern>". No default

host-status {enable | disable}

Enable to apply this exception only to HTTP requests for a specific web host. Also configure host.

Disable to match the exception based upon the other criteria, such as the URL, but regardless of the Host: field.

disable

block-malformed-request {enable | disable}

Enable to omit the constraint on syntax and FortiWeb parsing errors.

Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

Illegal-content-length-check {enable | disable}

Enable to omit the constraint on the maximum acceptable size in bytes of the request body. disable

Illegal-content-type-check {enable | disable}

Enable to omit the constraint on whether the Content-Type: value uses the format <type>/<subtype>. disable

Illegal-header-name-check {enable | disable}

Enable to omit the constraint on whether the HTTP header name contains illegal characters. disable

Illegal-header-value-check {enable | disable}

Enable to omit the constraint on whether the HTTP header value contains illegal characters. disable

Illegal-host-name-check {enable | disable}

Enable to omit the constraint on host names with illegal characters. disable

Illegal-http-request-method-check {enable | disable}

Enable to omit the constraint on illegal HTTP request methods. disable

Illegal-response-code-check {enable | disable}

Enable to omit the constraint on whether the HTTP response code is a 3-digit number. disable

Internal-resource-limits-check {enable | disable}

Enable to omit the constraint on the internal resource limits of the HTTP parser.

disable

max-cookie-in-request {enable | disable}

Enable to omit the constraint on the maximum number of cookies per request. disable

max-header-line-request {enable | disable}

Enable to omit the constraint on the maximum number of HTTP header lines. disable

max-http-body-length {enable | disable}

Enable to omit the constraint on the maximum HTTP body length. disable

max-http-body-parameter-length {enable | disable}

Enable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP POST requests. disable

max-http-content-length {enable | disable}

Enable to omit the constraint on the maximum HTTP content length. disable

max-http-header-length {enable | disable}

Enable to omit the constraint on the maximum HTTP header length. disable

max-http-header-line-length {enable | disable}

Enable to omit the constraint on the maximum HTTP header line length. disable

max-http-header-name-length {enable | disable}

Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name. disable

max-http-header-value-length {enable | disable}

Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value. disable

max-http-request-filename-length {enable | disable}

Enable to omit the constraint on the maximum HTTP request filename length. disable

max-http-parameter-length {enable | disable}

Enable to omit the constraint on the maximum HTTP parameter length. disable

max-http-request-length {enable | disable}

Enable to omit the constraint on the maximum HTTP request length. disable

max-url-param-name-len {enable | disable}

Enable to omit the constraint on the maximum acceptable length in bytes of the parameter name. disable

max-url-param-value-len {enable | disable}

Enable to omit the constraint on the maximum acceptable length in bytes of the parameter value. disable

max-url-parameter {enable | disable}

Enable to omit the constraint on the maximum number of parameters in the URL. disable

max-url-parameter-length {enable | disable}

Enable to omit the constraint on the maximum length of parameters in the URL. disable

number-of-ranges-in-range-header {enable | disable}

Enable to omit the constraint on the maximum acceptable number of Range: fields of an HTTP header. disable

parameter-name-check {enable | disable}

Enable to omit the constraint on null characters in parameter names. disable

parameter-value-check {enable | disable}

Enable to omit the constraint on null characters in parameter values. disable

Post-request-ctype-check {enable | disable}

Enable to omit the constraint on whether the Content-Type: header is available. disable

redundant-header-check {enable | disable}

Enable to omit the constraint on redundant instances of the Content-Length, Content-Type and Host header fields. disable

source-ip-status {enable|disable}

Enable to also match requests against this exception by their source IP address. disable

source-ip "<ip_range>"

Enter the source IP of the protected requests to which this exception applies. Only a single IPv4/IPv6 address, or an IPv4/IPv6 range, is acceptable.

For example:

  • 1.2.3.4
  • 2001::1
  • 1.2.3.4-1.2.3.40
  • 2001::1-2001::100

Available only when source-ip-status is enable.

No default.

url-param-name-check {enable | disable}

Enable to omit the constraint on illegal characters in the parameter name. disable

url-param-value-check {enable | disable}

Enable to omit the constraint on illegal characters in the parameter value. disable

duplicate-parameter-check {enable | disable}

Enable to omit the constraint on duplicate parameter names. disable

null-byte-in-url-check {enable | disable}

Enable to omit the constraint on null bytes in the URL. disable

Illegal-byte-in-url-check {enable | disable}

Enable to omit the constraint on illegal bytes in the URL. disable

web-socket-protocol-check {enable | disable}

Enable to omit detecting traffic that uses the WebSocket TCP-based protocol. disable

odd-and-even-space-attack-check {enable | disable}

Enable to omit the constraint on detecting Odd and Even Space Attack. disable

rpc-protocol-check {enable | disable}

Enable to omit detecting traffic that uses the RPC protocol.

disable

Example

This example omits the header length limit for HTTP requests to www.example.com, and the body length limit for HTTP requests to 192.0.2.1, when the requested URL is /login.asp.

config waf http-constraints-exceptions
    edit "exception1"
        config http_constraints-exception-list
            edit 1
                set host "www.example.com"
                set host-status enable
                set max-http-header-length enable
                set request-file "/login.asp"
            next
            edit 2
                set host "192.0.2.1"
                set host-status enable
                set max-http-body-length enable
                set request-file "/login.asp"
            next
        end
    next
end
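To make the matching rules of this table concrete, the following is an added Python model (not FortiWeb's own code) of how one exception list is evaluated against a request: request-file is compared plainly or as a regex, Host: is consulted only when host-status is enable, source-ip only when source-ip-status is enable, and every matching entry lifts the checks it has set to enable. It assumes plain matching is exact path equality and that the path is passed without its query string; the third entry is a constructed regex/source-IP example alongside the two entries from the configuration above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set


@dataclass
class ExceptionEntry:
    """One entry of http_constraints-exception-list (a model, not the product's code)."""
    request_file: str                  # literal path or regex, per request-type
    request_type: str = "plain"        # "plain" or "regular"
    host: Optional[str] = None         # only consulted when host_status is True
    host_status: bool = False
    source_ip: Optional[str] = None    # single address or "low-high" range
    source_ip_status: bool = False
    omitted_checks: FrozenSet[str] = frozenset()  # constraint checks set to enable


def parse_ip_range(spec: str):
    """Parse '1.2.3.4', '2001::1', '1.2.3.4-1.2.3.40' or '2001::1-2001::100'."""
    low_s, _, high_s = spec.partition("-")
    low = ipaddress.ip_address(low_s.strip())
    high = ipaddress.ip_address(high_s.strip()) if high_s else low
    if low.version != high.version or low > high:
        raise ValueError(f"invalid source-ip range: {spec!r}")
    return low, high


def url_matches(entry: ExceptionEntry, path: str) -> bool:
    """plain: exact path match (assumption); regular: regex search over the path."""
    if entry.request_type == "plain":
        if not entry.request_file.startswith("/"):
            raise ValueError("a plain request-file must begin with a slash")
        return path == entry.request_file
    if entry.request_type == "regular":
        return re.search(entry.request_file, path) is not None
    raise ValueError(f"unknown request-type: {entry.request_type!r}")


def skipped_checks(entries, host: str, path: str, source_ip: str) -> Set[str]:
    """Union of the constraint checks that matching entries lift for one request."""
    addr = ipaddress.ip_address(source_ip)
    skipped: Set[str] = set()
    for entry in entries:
        if not url_matches(entry, path):
            continue
        # host-status disable: match regardless of the Host: field
        if entry.host_status and host != entry.host:
            continue
        # source-ip is only consulted when source-ip-status is enable
        if entry.source_ip_status:
            low, high = parse_ip_range(entry.source_ip)
            if addr.version != low.version or not (low <= addr <= high):
                continue
        skipped |= entry.omitted_checks
    return skipped


# The page's "exception1" entries, plus a constructed regex entry scoped by source IP.
EXAMPLE_ENTRIES = [
    ExceptionEntry("/login.asp", host="www.example.com", host_status=True,
                   omitted_checks=frozenset({"max-http-header-length"})),
    ExceptionEntry("/login.asp", host="192.0.2.1", host_status=True,
                   omitted_checks=frozenset({"max-http-body-length"})),
    ExceptionEntry(r"^/api/.*\.php$", "regular", source_ip="198.51.100.10-198.51.100.20",
                   source_ip_status=True, omitted_checks=frozenset({"max-url-parameter-length"})),
]
```

A request that matches no entry yields an empty set, meaning every constraint in the profile still applies to it.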
