Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.2.5 CLI Reference
    6.2.5
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf http-protocol-parameter-restriction

    waf http-protocol-parameter-restriction

    Use this command to configure HTTP protocol constraints.

    HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.

    Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.

    You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf http-protocol-parameter-restriction to harden your configuration. To configure the buffer size, see system advanced.

    You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.

    To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf http-protocol-parameter-restriction

    edit "<http-constraint_name>"

    set <constraint_name>-check {enable | disable}

    set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

    set <constraint_name>-block-period <seconds_int>

    set <parameter_name>-threat-weight {off | low | med | high | crit}

    set <constraint_name>-severity {High | Medium | Low | Info}

    set <constraint_name>-trigger "<trigger-policy_name>"

    next

    end

    Variable Description Default

    "<http-constraint_name>"

    Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters.

    To display the list of existing constraints, enter:

    edit ?

    		No default.

    <constraint_name>-check {enable | disable}

    		 Specify whether FortiWeb includes the specified constraint when it applies this set of constraints.

    <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

      • You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure <constraint_name>-block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

    Caution: This setting is ignored when the value of monitor-mode {enable | disable} is enable.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types.

    For example, for maximum HTTP header length violations, you might type the accompanying setting:

    set max-http-header-length-action alert

    Note: Available actions vary depending on operating mode and protocol parameter.

    		 alert

    <constraint_name>-severity {High | Medium | Low | Info}

    Select the severity level to use in logs and reports generated when a violation of the rule occurs.

    Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types.

    For example, for maximum HTTP header length violations, you might type the accompanying setting:

    set max-http-header-length-severity High

    		Medium

    <constraint_name>-trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated (see log trigger-policy). The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
    For example, for maximum HTTP header length violations, you might type accompanying setting:

    set max-http-header-length-trigger trigger-policy1

    		No default.

    <constraint_name>-block-period <seconds_int>

    		 If action is block-period, type the number of seconds that the connection will be blocked. The valid range is 1–3,600. 0

    <parameter_name>-threat-weight {off | low | med | high | crit}

    Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides.

    		 No default.

    Example

    This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.

    config waf http-protocol-parameter-restriction

    edit "http-constraint1"

    set max-http-header-length 2048

    set max-http-header-length-action alert

    set max-http-header-length-severity Medium

    set max-http-header-length-trigger email-admin

    next

    end

    Related topics

    Previous
    Next

    waf http-protocol-parameter-restriction

    waf http-protocol-parameter-restriction

    Use this command to configure HTTP protocol constraints.

    HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.

    Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.

    You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf http-protocol-parameter-restriction to harden your configuration. To configure the buffer size, see system advanced.

    You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.

    To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf http-protocol-parameter-restriction

    edit "<http-constraint_name>"

    set <constraint_name>-check {enable | disable}

    set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

    set <constraint_name>-block-period <seconds_int>

    set <parameter_name>-threat-weight {off | low | med | high | crit}

    set <constraint_name>-severity {High | Medium | Low | Info}

    set <constraint_name>-trigger "<trigger-policy_name>"

    next

    end

    Variable Description Default

    "<http-constraint_name>"

    Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters.

    To display the list of existing constraints, enter:

    edit ?

    		No default.

    <constraint_name>-check {enable | disable}

    		 Specify whether FortiWeb includes the specified constraint when it applies this set of constraints.

    <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

      • You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure <constraint_name>-block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

    Caution: This setting is ignored when the value of monitor-mode {enable | disable} is enable.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types.

    For example, for maximum HTTP header length violations, you might type the accompanying setting:

    set max-http-header-length-action alert

    Note: Available actions vary depending on operating mode and protocol parameter.

    		 alert

    <constraint_name>-severity {High | Medium | Low | Info}

    Select the severity level to use in logs and reports generated when a violation of the rule occurs.

    Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types.

    For example, for maximum HTTP header length violations, you might type the accompanying setting:

    set max-http-header-length-severity High

    		Medium

    <constraint_name>-trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated (see log trigger-policy). The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
    For example, for maximum HTTP header length violations, you might type accompanying setting:

    set max-http-header-length-trigger trigger-policy1

    		No default.

    <constraint_name>-block-period <seconds_int>

    		 If action is block-period, type the number of seconds that the connection will be blocked. The valid range is 1–3,600. 0

    <parameter_name>-threat-weight {off | low | med | high | crit}

    Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides.

    		 No default.

    Example

    This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.

    config waf http-protocol-parameter-restriction

    edit "http-constraint1"

    set max-http-header-length 2048

    set max-http-header-length-action alert

    set max-http-header-length-severity Medium

    set max-http-header-length-trigger email-admin

    next

    end

    Related topics

    Previous
    Next