waf allow-method-policy
Use this command to allow only specific HTTP request methods.
To define specific exceptions to this policy, use waf allow-method-exceptions.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf allow-method-policy
set allow-method {get post head options trace connect delete put patch webdav rpc}
set severity {High | Medium | Low | Info}
set triggered-action "<trigger-policy_name>"
set allow-method-exception "<method-exception_name>"
next
end
Variable | Description | Default |
Enter the name of a new or existing allowed methods policy. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name. The maximum length is 63 characters. To display a list of the existing policies, enter:
|
No default. | |
allow-method {get post head options trace connect delete put patch webdav rpc} |
Select one or more HTTP request methods that you want to allow for this specific policy. Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in analyzer-policy "<fortianalyzer-policy_name>". The Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by sessions that you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance will reset the connection, and therefore cannot learn about the session. |
No default. |
Select the severity level to use in logs and reports generated when a violation of the policy occurs. |
High
|
|
Enter the name of the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation are recorded. The maximum length is 63 characters. To display a list of the existing policies, enter:
|
No default. | |
Enter the name of an existing HTTP request method exception, if any, to apply to it. The maximum length is 63 characters. To display a list of the existing policy, enter:
|
No default. |
Example
This example allows the HTTP GET
and POST
methods and rejects others, except according to the exceptions defined in MethodExceptions1
.
config waf allow-method-policy
edit "allowpolicy1"
set allow-method get post
set triggered-action "TriggerActionPolicy1"
set allow-method-exception "MethodExceptions1"
next
end