Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.2.6 CLI Reference
    6.2.6
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf custom-protection-rule

    waf custom-protection-rule

    Use this command to configure custom data leak and attack signatures.

    Before you enter custom signatures via the CLI, first enable .

    To use your custom signatures, you must first group them so that they can be included in a rule. For details, see waf custom-protection-group.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf custom-protection-rule

    edit "<custom-protection rule_name>"

    set type {request | response}

    set action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log}

    set block-period <seconds_int>

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_"name>

    config meet-condition

    edit <entry_index>

    set operator {RE | GT | LT | NE | EQ}

    set request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}

    set response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}

    set threshold <threshold_int>

    set case-sensitive {enable | disable}

    set expression <regex_pattern>

    next

    end

    next

    end

    Variable Description Default

    "<custom-protection rule_name>"

    Enter the name of the new or existing custom signature. The maximum length is 63 characters.

    To display a list of the existing rules, enter:

    edit ?

    		No default.

    type {request | response}

    Specify the type of regular expression:

    • request—The expression is an attack signature.

    • response—The expression is a server information disclosure signature.

    		 request

    action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log}

    Select the specific action to be taken when the request matches the this signature.

    • alert—Accept the request and generate an alert email and/or log message.

      Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code.

    • alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

      If the sensitive information is a status code, you can customize the web page that FortiWeb returns to the client with the HTTP status code.

      Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_http_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both.

    • only_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information without generating an alert email and/or log message. This option is applicable only if type is response; and this option is not supported in Offline Protection mode.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • deny_no_log—Deny a request. Do not generate a log message.

    		alert

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    block-period <seconds_int>

    If action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log} is block-period, enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. For details about viewing the list of currently blocked clients, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    The valid range is 1–3,600.

    		 1

    severity {High | Medium | Low | Info}

    		 When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule. Medium

    trigger "<trigger-policy_"name>

    Select which trigger policy, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy.

    The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    Enter the index number of the individual entry in the table.

    The valid range is from 1–9,999,999,999,999,999,999.

    		 No default.

    operator {RE | GT | LT | NE | EQ}
    • RE—The signature matches when the value of a selected target in the request or response matches the value of expression.
    • GT—The signature matches when specified target has a value greater than the value of threshold.
    • LT—The signature matches when specified target has a value less than the value of threshold.
    • NE— The signature matches when specified target has a different value than threshold.
    • EQ— The signature matches when specified target has the same value as threshold.

    		 RE

    request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}

    Enter the name of one or more locations in the HTTP request to scan for a signature match.

    For example, ARGS_NAMES for the names of parameters or REQUEST_COOKIES for strings in the HTTP Cookie: header.

    		 No default.

    response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}

    		 Enter the name of one or more locations in the HTTP response to scan for a signature match. No default.

    threshold <threshold_int>

    		 Enter the value that FortiWeb compares to the target value to determine if a request or response matches. No default.

    case-sensitive {enable | disable}

    Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern>.

    For example, when enabled, an HTTP reply containing the phrase Credit card would not match an expression that looks for the phrase credit card (difference highlighted in bold).

    		 disable

    expression <regex_pattern>

    When operator {RE | GT | LT | NE | EQ} is RE, type a regular expression that matches either an attack from a client or a data leak from the server.

    If action is Alert & Erase, enclose the portion of the regular expression to erase in brackets.

    For example, the following command erases the expression "webattack" from the response packet:

    config waf custom-protection-rule

    edit "test"

    set type response

    set action alert_erase

    config meet-condition

    edit 1

    set response-target RESPONSE_BODY

    set expression "(webattack)"

    next

    end

    next

    end

    To prevent false positives, it should not match anything else. The maximum length is 2,071 characters.

    		 No default.

    Example

    This example configures a signature to detect and block an LFI attack that uses directory traversal through an unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named notification-servers1 sends an alert email and attack log messages whose severity level is High.

    config waf custom-protection-rule

    edit "Joomla_controller_LFI"

    set type request

    set action alert_deny

    set severity High

    set trigger "notification-servers1"

    config meet-condition

    edit 1

    set request-target REQUEST_RAW_URI

    set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf custom-protection-rule

    waf custom-protection-rule

    Use this command to configure custom data leak and attack signatures.

    Before you enter custom signatures via the CLI, first enable .

    To use your custom signatures, you must first group them so that they can be included in a rule. For details, see waf custom-protection-group.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf custom-protection-rule

    edit "<custom-protection rule_name>"

    set type {request | response}

    set action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log}

    set block-period <seconds_int>

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_"name>

    config meet-condition

    edit <entry_index>

    set operator {RE | GT | LT | NE | EQ}

    set request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}

    set response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}

    set threshold <threshold_int>

    set case-sensitive {enable | disable}

    set expression <regex_pattern>

    next

    end

    next

    end

    Variable Description Default

    "<custom-protection rule_name>"

    Enter the name of the new or existing custom signature. The maximum length is 63 characters.

    To display a list of the existing rules, enter:

    edit ?

    		No default.

    type {request | response}

    Specify the type of regular expression:

    • request—The expression is an attack signature.

    • response—The expression is a server information disclosure signature.

    		 request

    action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log}

    Select the specific action to be taken when the request matches the this signature.

    • alert—Accept the request and generate an alert email and/or log message.

      Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code.

    • alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

      If the sensitive information is a status code, you can customize the web page that FortiWeb returns to the client with the HTTP status code.

      Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_http_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both.

    • only_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information without generating an alert email and/or log message. This option is applicable only if type is response; and this option is not supported in Offline Protection mode.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • deny_no_log—Deny a request. Do not generate a log message.

    		alert

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    block-period <seconds_int>

    If action {alert | alert_deny | alert_erase | redirect | block-period | send_http_response | only_erase | deny_no_log} is block-period, enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. For details about viewing the list of currently blocked clients, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    The valid range is 1–3,600.

    		 1

    severity {High | Medium | Low | Info}

    		 When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule. Medium

    trigger "<trigger-policy_"name>

    Select which trigger policy, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy.

    The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    Enter the index number of the individual entry in the table.

    The valid range is from 1–9,999,999,999,999,999,999.

    		 No default.

    operator {RE | GT | LT | NE | EQ}
    • RE—The signature matches when the value of a selected target in the request or response matches the value of expression.
    • GT—The signature matches when specified target has a value greater than the value of threshold.
    • LT—The signature matches when specified target has a value less than the value of threshold.
    • NE— The signature matches when specified target has a different value than threshold.
    • EQ— The signature matches when specified target has the same value as threshold.

    		 RE

    request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}

    Enter the name of one or more locations in the HTTP request to scan for a signature match.

    For example, ARGS_NAMES for the names of parameters or REQUEST_COOKIES for strings in the HTTP Cookie: header.

    		 No default.

    response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}

    		 Enter the name of one or more locations in the HTTP response to scan for a signature match. No default.

    threshold <threshold_int>

    		 Enter the value that FortiWeb compares to the target value to determine if a request or response matches. No default.

    case-sensitive {enable | disable}

    Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern>.

    For example, when enabled, an HTTP reply containing the phrase Credit card would not match an expression that looks for the phrase credit card (difference highlighted in bold).

    		 disable

    expression <regex_pattern>

    When operator {RE | GT | LT | NE | EQ} is RE, type a regular expression that matches either an attack from a client or a data leak from the server.

    If action is Alert & Erase, enclose the portion of the regular expression to erase in brackets.

    For example, the following command erases the expression "webattack" from the response packet:

    config waf custom-protection-rule

    edit "test"

    set type response

    set action alert_erase

    config meet-condition

    edit 1

    set response-target RESPONSE_BODY

    set expression "(webattack)"

    next

    end

    next

    end

    To prevent false positives, it should not match anything else. The maximum length is 2,071 characters.

    		 No default.

    Example

    This example configures a signature to detect and block an LFI attack that uses directory traversal through an unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named notification-servers1 sends an alert email and attack log messages whose severity level is High.

    config waf custom-protection-rule

    edit "Joomla_controller_LFI"

    set type request

    set action alert_deny

    set severity High

    set trigger "notification-servers1"

    config meet-condition

    edit 1

    set request-target REQUEST_RAW_URI

    set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"

    next

    end

    next

    end

    Related topics

    Previous
    Next