CLI Reference

waf layer4-access-limit-rule

Use this command to limit the number of HTTP requests per second that any single source IP address may send to your web server. The FortiWeb appliance counts HTTP GET and POST requests per source IP address; if the count exceeds the request limit, FortiWeb performs the action you specified.

To apply this rule, include it in an application-layer DoS-prevention policy and include that policy in an inline protection profile. For details, see waf application-layer-dos-prevention.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf layer4-access-limit-rule

edit "<rule_name>"

set access-limit-standalone-ip <limit_int>

set access-limit-share-ip <limit_int>

set action {alert | alert_deny | block-period | deny_no_log}

set bot-recognition {disable | captcha-enforcement | real-browser-enforcement}

set max-attempt-times <attempts_int>

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger-policy "<trigger-policy_name>"

set validation-timeout <seconds_int>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

next

end

Variable Description Default

"<rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

Default: none.

access-limit-standalone-ip <limit_int>

Enter the maximum number of HTTP requests allowed per second from any source IP address representing a single client. The valid range is 0–65,536. To disable the limit, enter 0.

Default: 0

access-limit-share-ip <limit_int>

Enter the maximum number of HTTP requests allowed per second from any source IP address shared by multiple clients behind a network address translation (NAT) device, such as a firewall or router. The valid range is 0–65,536. To disable the limit, enter 0.

Default: 0

action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when the count exceeds either threshold limit:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Otherwise every request arrives from the load balancer’s address, so one client’s violation can cause FortiWeb to block all connections through that address. For details, see waf x-forwarded-for.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting is ignored while monitor mode (monitor-mode {enable | disable}) is enabled; FortiWeb then logs the violation but does not deny or block the request.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Default: alert

bot-recognition {disable | captcha-enforcement | real-browser-enforcement}

Select between:

  • captcha-enforcement—Requires the client to successfully solve a CAPTCHA. If the client does not solve it within the number of attempts set by max-attempt-times <attempts_int>, or does not respond within validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page.
  • real-browser-enforcement—Returns JavaScript to the client when it violates the access rule, to test whether it is a web browser or an automated tool. If the client fails the test or does not return a result before the timeout set by validation-timeout, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows it to continue past the limit.

Disable this option to simply apply the access rule.

Default: disable

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition, enter the maximum number of times a client may attempt to solve the CAPTCHA before FortiWeb applies the action. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

Default: 3

block-period <seconds_int>

Enter the number of seconds to block access to the client. This applies only when the action {alert | alert_deny | block-period | deny_no_log} setting is block-period. The valid range is 0–10,000. To disable the block period, enter 0.

Default: 0

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Default: Medium

trigger-policy "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger-policy ?

Default: none.

validation-timeout <seconds_int>

Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client for bot-recognition. The valid range is 5–30.

Default: 20

mobile-app-identification {disabled | mobile-token-validation}

  • disabled—Do not perform mobile token validation.

  • mobile-token-validation—Require the client to present a valid mobile token before it may continue.

To apply mobile token validation, you must also enable Mobile App Identification in the protection profile. For details, see waf web-protection-profile inline-protection.

Default: disabled

bot-confirmation {enable | disable}

Enable to verify clients that trigger this rule’s bot-detection thresholds before the action is applied; the verification method is selected with bot-recognition.

Default: disable
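The bot-recognition, max-attempt-times and validation-timeout entries above describe a deferred decision: once a client has exceeded the request limit, the action is held back while the client is challenged, and applied only if the client fails the challenge, runs out of CAPTCHA attempts, or does not answer before the timeout. The following is an added illustration of that decision written for this page, not FortiWeb’s own code; the answer sequences are constructed sample data, and how the CAPTCHA or JavaScript page is served to the client is out of scope.

```python
"""Decision model for the bot-recognition step of a layer4-access-limit-rule.

Added illustration, not FortiWeb code. It encodes the behaviour described above for
a client that has already exceeded the request limit: with captcha-enforcement the
client gets max-attempt-times tries within validation-timeout seconds; with
real-browser-enforcement a single JavaScript test must come back within the
timeout; in both modes a pass lets the client continue and a fail or a timeout
applies the rule's action.
"""
from dataclasses import dataclass


@dataclass
class BotRecognition:
    mode: str = "disable"         # disable | captcha-enforcement | real-browser-enforcement
    max_attempt_times: int = 3    # CAPTCHA attempts allowed (1-5); ignored for the JS test
    validation_timeout: int = 20  # seconds FortiWeb waits for a result (5-30)


def challenge_outcome(cfg: BotRecognition, started: float, responses) -> str:
    """Return "allow" or "apply-action" for one client that tripped the limit.

    `responses` lists the client's challenge answers as (time, passed) pairs in the
    order received; an empty list means the client never answered.
    """
    if cfg.mode == "disable":
        return "apply-action"  # no verification: the action applies immediately
    deadline = started + cfg.validation_timeout
    tries_allowed = cfg.max_attempt_times if cfg.mode == "captcha-enforcement" else 1
    tries = 0
    for t, passed in responses:
        if t > deadline:
            break  # arrived after validation-timeout: same as no answer
        tries += 1
        if passed:
            return "allow"  # verified as a browser/human: may continue past the limit
        if tries >= tries_allowed:
            return "apply-action"  # attempts exhausted
    return "apply-action"  # timed out without a passing answer


if __name__ == "__main__":
    captcha = BotRecognition("captcha-enforcement", max_attempt_times=3, validation_timeout=20)
    # Constructed answer sequences (not captured data).
    print(challenge_outcome(captcha, 0.0, [(4.0, False), (9.0, False), (15.0, True)]))
    print(challenge_outcome(captcha, 0.0, [(4.0, False), (9.0, False), (15.0, False), (18.0, True)]))
    print(challenge_outcome(captcha, 0.0, [(25.0, True)]))
```

The three printed cases are the ones worth checking in a lab: a pass on the third of three allowed attempts is accepted, a pass on a fourth attempt is too late because the action was applied when the third attempt failed, and a correct answer after validation-timeout counts as no answer.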

Example

This example includes two rules. One blocks the client for two minutes when it exceeds 10 requests per second, while the other logs an alert and denies each request beyond 5 per second.

config waf layer4-access-limit-rule

edit "Web Portal HTTP Request Limit"

set access-limit-share-ip 10

set access-limit-standalone-ip 10

set action block-period

set block-period 120

set severity Medium

set trigger-policy "Web_Protection_Trigger"

next

edit "Online Store HTTP Request Limit"

set access-limit-share-ip 5

set access-limit-standalone-ip 5

set action alert_deny

set severity High

set trigger-policy "Web_Protection_Trigger"

next

end
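The counting and block-period behaviour of the two rules above, replayed against constructed traffic. This is an added illustration written for this page, not FortiWeb’s code: it models a per-second request counter per source IP, the separate standalone and shared-IP thresholds, and the four actions. Whether a source IP counts as shared is decided elsewhere in FortiWeb and is taken as an input flag here; the IP addresses, timings and request counts are constructed sample data. The NAT client also shows why the X-Forwarded-For note under block-period matters: three users behind one address share a single counter and are blocked together.

```python
"""Model of how a waf layer4-access-limit-rule counts requests and applies its action.

Added illustration, not FortiWeb code: it reproduces the behaviour the reference
describes (a per-second request counter per source IP, separate thresholds for
standalone and NAT-shared IPs, and the four actions) so the effect of a setting
can be checked against constructed traffic before it is deployed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccessLimitRule:
    """The settings of the rule that this model needs (names follow the CLI)."""
    name: str
    access_limit_standalone_ip: int = 0  # requests/second from one client; 0 disables
    access_limit_share_ip: int = 0       # requests/second from a NAT-shared IP; 0 disables
    action: str = "alert"                # alert | alert_deny | block-period | deny_no_log
    block_period: int = 0                # seconds; only used with action block-period


@dataclass
class Enforcer:
    rule: AccessLimitRule
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (ip, second) -> requests
    blocked_until: dict = field(default_factory=dict)              # ip -> time the block ends
    log: list = field(default_factory=list)                        # (time, ip, message)

    def handle(self, t: float, src_ip: str, shared_ip: bool) -> str:
        """Return the verdict for one request: accept, alert, deny or blocked."""
        # A client still inside its block period is dropped before it is counted.
        if src_ip in self.blocked_until:
            if t < self.blocked_until[src_ip]:
                return "blocked"
            del self.blocked_until[src_ip]

        # Whether an IP is "shared" is decided elsewhere in FortiWeb; here it is an input.
        limit = (self.rule.access_limit_share_ip if shared_ip
                 else self.rule.access_limit_standalone_ip)
        key = (src_ip, int(t))  # one counter per source IP per wall-clock second
        self.counts[key] += 1
        if limit == 0 or self.counts[key] <= limit:
            return "accept"

        # Threshold exceeded: apply the configured action.
        msg = f"{self.rule.name}: {limit} req/s exceeded by {src_ip}"
        if self.rule.action == "alert":
            self.log.append((t, src_ip, msg))
            return "alert"  # request is still accepted
        if self.rule.action == "alert_deny":
            self.log.append((t, src_ip, msg))
            return "deny"
        if self.rule.action == "deny_no_log":
            return "deny"
        if self.rule.action == "block-period":
            self.log.append((t, src_ip, msg))
            self.blocked_until[src_ip] = t + self.rule.block_period
            return "blocked"
        raise ValueError(f"unknown action {self.rule.action!r}")


# The two rules from the Example section above.
WEB_PORTAL = AccessLimitRule("Web Portal HTTP Request Limit", 10, 10, "block-period", 120)
ONLINE_STORE = AccessLimitRule("Online Store HTTP Request Limit", 5, 5, "alert_deny")


def simulate(rule: AccessLimitRule) -> dict:
    """Replay constructed traffic against one rule and summarise the verdicts per IP."""
    enforcer = Enforcer(rule)
    # Constructed sample traffic (not captured data), as (time, src_ip, shared_ip):
    #  - a scripted client firing 12 requests in the first half second, then probing
    #    again after 100 s (inside a 120 s block) and after 121 s (block expired);
    #  - three office users behind one NAT address, 4 requests each in the same
    #    second, so the NAT address alone sends 12 requests through one counter.
    requests = [(0.04 * i, "203.0.113.7", False) for i in range(12)]
    requests += [(100.0, "203.0.113.7", False), (121.0, "203.0.113.7", False)]
    requests += [(0.01 + 0.08 * j, "198.51.100.9", True) for j in range(12)]

    verdicts = defaultdict(lambda: defaultdict(int))
    for t, ip, shared in sorted(requests):
        verdicts[ip][enforcer.handle(t, ip, shared)] += 1
    return {
        "verdicts": {ip: dict(v) for ip, v in verdicts.items()},
        "log_entries": len(enforcer.log),
        "blocked_until": dict(enforcer.blocked_until),
    }


if __name__ == "__main__":
    for rule in (WEB_PORTAL, ONLINE_STORE):
        print(rule.name, simulate(rule))
```

Run it directly to print the per-IP verdicts for both rules. With the Web Portal rule the scripted client and the NAT address each lose their 11th request in the first second and stay blocked for 120 s, so the scripted client’s probe at 100 s is dropped and its probe at 121 s is accepted; with the Online Store rule every request beyond the fifth in a second is denied and logged, but the next second starts with a fresh counter.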

Related topics
