waf xml-validation
Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules per policy.
XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web servers. Using this command, you can configure FortiWeb to examine lcient requests for anomalies in XML. Configuring XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential attacks.
XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.
Syntax
config waf xml-validation rule
edit "<xml_rule_name>"
set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
set expansion-entity-check {enable | disable}
set external-entity-check {enable | disable}
set host-status {enable | disable}
set request-type {plain | regular}
set schema-file "<schema_file_name>"
set severity {High Low | Medium | Info}
set trigger "<trigger_policy_name>"
set xml-attributes-check {enable | disable}
set xml-limit-attr-num <limit_int>
set xml-limit-attrname-len <limit_int>
set xml-limit-attrvalue-len <limit_int>
set xml-limit-cdata-len <limit_int>
set xml-limit-check {enable | disable}
set xml-limit-element-depth <limit_int>
set xml-limit-element-name-len <limit_int>
set wsdl-file <wsdl-file_name>
set validate-soapaction {enable | disable}
set validate-soap-headers {enable | disable}
set allow-additional-soap-headers {enable | disable}
set validate-soap-body {enable | disable}
set x-include-check {enable | disable}
set schema-location-check {enable | disable}
set schema-location-exempted-urls <schema-location-exempted-urls_str>
set soap-attachment {allow | disallow}
set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}
next
end
config waf xml-validation policy
edit "<xml_policy_name>"
set enable-signature-detection {enable | disable}
config input-rule-list
edit <entry_index>
set "<xml_rule_1>"
next
end
next
end
Variable | Description | Default |
---|---|---|
Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters. |
No default. |
|
action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} |
Select one of the following actions that FortiWeb performs when a request violates the rule:
Caution:FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. |
alert |
Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when waf xml-validation is The valid range is 1–3,600. |
60 |
|
Enable to trigger the waf xml-validation if an HTTP request contains an XML recursive entity expansion. To enable this option, you must first enable waf xml-validation. |
disable |
|
Enable to trigger the waf xml-validation if an HTTP request contains an external entity in XML. To enable this option, you must first enable waf xml-validation. |
disable |
|
Enter the name of a protected host that the |
No default. |
|
Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure waf xml-validation. |
disable |
|
Depending on your selection for waf xml-validation, enter either:
Do not include the domain name, such as |
No default. |
|
Select whether waf xml-validation must contain either:
|
No default. |
|
Select an XML schema file. To display a list of existing XML schema files, enter: set schema-file ?
Note, if you select an XML schema file that references other XML schema files, the other XML schema files must also be uploaded to FortiWeb. |
No default. |
|
When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:
|
Low |
|
Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ? |
No default. |
|
Enable to configure waf xml-validation and waf xml-validation. |
disable |
|
Enter the maximum number of attributes for each element. The valid range is 1–256. To configure this option, you must first enable waf xml-validation. |
20 |
|
Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024. To configure this option, you must first enable waf xml-validation. |
64 |
|
Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048. To configure this option, you must first enable waf xml-validation. |
1,024 |
|
Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096. To configure this option, you must first enable waf xml-validation. |
4,096 |
|
Enable to configure XML limits. |
disable |
|
Enter the maximum element depth in XML. The valid range is 1–256. To configure this option, you must first enable waf xml-validation. |
20 |
|
Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024. To configure this option, you must first enable waf xml-validation. |
64 |
|
Enter the name of an XML protection policy. You will use the name to select the policy in other parts of the configuration. The maximum length is 63 characters. |
No default. |
|
Enter the index number of an entry to create or modify a rule for the policy. The valid range is 1–9,999,999,999,999,999,999. |
No default. |
|
Enter the sequence number of an XML protection rule to add to the XML protection policy. The maximum length is 63 characters. |
No default. |
|
data-format {xml | soap} | Select the XML protection rule format. | No default. |
wsdl-file <wsdl-file_name> | This field applies When the Data Format is SOAP. Enter a name for the WSDL file. | No default. |
validate-soapaction {enable | disable} | Enable to validate whether the soapAction in SOAP protocol complies with that in WSDL file. | No default. |
validate-soap-headers {enable | disable} | Enable to validate whether the header elements in SOAP protocol comply with those in WSDL file. | No default. |
allow-additional-soap-headers {enable | disable} | Enable not to validate additional header elements. | No default. |
validate-soap-body {enable | disable} | Enable to validate whether the body elements in SOAP protocol comply with those in WSDL file. | No default. |
x-include-check {enable | disable} | Enable to trigger the action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} if other XML contents are included in XML. | No default. |
schema-location-check {enable | disable} | Enable to forbid using location field to perform malicious requests. | No default. |
schema-location-exempted-urls <schema-location-exempted-urls_str> | Select the exempted URL you have created to configure allowed location URLs. Available only when schema-location-check {enable | disable} is enabled. |
No default. |
enable-signature-detection {enable | disable} | Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests. | disable |
Specify whether the SOAP message can carry attachments. Available only when the data-format {xml | soap} is SOAP. |
Allow |
|
ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701} |
Select WSI rules that SOAP messages will adhere to. Available only when the data-format {xml | soap} is SOAP. |
No default |
ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211} |
If you select these three rules, configure WSDL files first. Available only when the data-format {xml | soap} is SOAP. |
No default |
Example
The below example creates an XML protection rule and applies the rule to a new XML protection policy.
config waf xml-validation rule
edit "example_rule_name_1"
set action block-period
set block-period 3000
set severity Medium
set trigger "example_trigger_policy_name"
set host-status enable
set host "example_host_name"
set request-type plain
set request-file "/index.php"
set schema-file "example_schema_file_name"
set xml-limit-check enable
set xml-limit-attr-num 64
set xml-limit-attrname-len 256
set xml-limit-attrvalue-len 1024
set xml-limit-cdata-len 2096
set xml-limit-element-depth 128
set xml-limit-element-name-len 128
set xml-entity-check enable
set expansion-entity-check enable
set external-entity-check enable
next
end
config waf xml-validation policy
edit "example_policy_name"
config input-rule-list
edit "example_rule_1"
set "example_rule_1"
next
end
next
end