waf layer4-access-limit-rule
Use this command to limit the number of HTTP requests per second from any IP address to your web server. The FortiWeb appliance tracks the number of requests. If the count of HTTP GET
or POST
requests exceeds the request limit, FortiWeb performs the action you specified.
To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection profile. For details, see waf application-layer-dos-prevention.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf layer4-access-limit-rule
edit "<rule_name>"
set access-limit-standalone-ip <limit_int>
set access-limit-share-ip <limit_int>
set action {alert | alert_deny | block-period | deny_no_log}
set bot-recognition {captcha-enforcement | real-browser-enforcement}
set max-attempt-times <attempts_int>
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger-policy "<trigger-policy_name>"
set validation-timeout <seconds_int>
set mobile-app-identification {disabled | mobile-token-validation}
set bot-confirmation {enable | disable}
next
end
Variable | Description | Default |
Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
|
No default. | |
Enter the maximum number of HTTP requests allowed per second from any source IP address representing a single client. The valid range is 0–65,536. To disable the limit, enter 0 . |
0 | |
Enter the maximum number of HTTP requests allowed per second from any source IP address shared by multiple clients behind a network address translation (NAT) device, such as a firewall or router. The valid range is 0–65,536. To disable the limit, enter 0 . |
0 | |
Select one of the following actions that the FortiWeb appliance will perform when the count exceeds either threshold limit:
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile with this rule, you should select |
alert
|
|
bot-recognition {captcha-enforcement | real-browser-enforcement} |
Select between:
Disable this option to simply apply the access rule. |
disable |
If Available only when |
3 |
|
Enter the number of seconds to block access to the client. This applies only when the action {alert | alert_deny | block-period | deny_no_log} setting is block-period. The valid range is 0–10,000. To disable the limit, enter 0 . |
0 | |
Select the severity level to use in logs and reports generated when a violation of the rule occurs. |
Medium
|
|
Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter:
|
No default. | |
Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client for bot-recognition. The valid range is 5–30. |
20 |
|
mobile-app-identification {disabled | mobile-token-validation} |
Disabled: Disable not to carry out the mobile token verification. Mobile Token Validation: Requires the client to use mobile token for verification. To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection |
|
Enable to choose how to verify users when the rules of bot detection are triggered. |
|
Example
This examples includes two rules. One blocks connections for two minutes while the other creates an alert and denies the connection.
config waf layer4-access-limit-rule
edit "Web Portal HTTP Request Limit"
set access-limit-share-ip 10
set access-limit-standalone-ip 10
set action block-period
set block-period 120
set severity Medium
set trigger-policy "Web_Protection_Trigger"
next
edit "Online Store HTTP Request Limit"
set access-limit-share-ip 5
set access-limit-standalone-ip 5
set action alert_deny
set severity High
set trigger-policy "Web_Protection_Trigger"
next
end