"<padding-oracle_rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

action {alert | alert_deny | block-period | deny_no_log}

Specify the action that FortiWeb takes when a request violates the rule:

• alert—Accept the request and generate an alert email and/or log message.

• alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.

• block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.

• deny_no_log—Deny a request. Do not generate a log message.

Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

Attack log messages contain Padding Oracle Attack when this feature detects a possible attack. Because this attack involves some repeated brute force, the attack log may not appear immediately, but should occur within 2 minutes, depending on your configured DoS alert interval.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email occur only when the these features are enabled and configured. For details, see log attack-log and log alertMail.

Note: To use this rule set with auto-learning, select alert. If action is alert_deny or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the session information for auto-learning will be incomplete.

block-period <block-period_int>

Enter the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule.

This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is block-period.

The valid range is 1–36,000 seconds.

severity {High | Medium | Low | Info}

trigger "<trigger-policy_name>"

Enter the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

<entry_index>

host-status {enable | disable}

Specify enable to apply this rule only to HTTP requests for specific web hosts. Also specify host "<host_str>".

Specify disable to match the rule based on the other criteria, such as the URL, but regardless of the Host: field.

host "<host_str>"

Specify which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the rule.

This option is available only if the value of host-status {enable | disable} is enabled.

Maximum length is 256 characters.

url-type {plain | regular}

Enter to determine how the value of protected-url "<protected-url_str>" is specified:

• plain—A literal URL.
• regular—A regular expression designed to match multiple URLs.

protected-url "<protected-url_str>"

If the value of url-type {plain | regular} is plain, enter the literal URL that HTTP requests that match the rule contain.

For example:

/profile.jsp

The URL must begin with a backslash ( / ).

If the value of url-type is regular, specify a regular expression matching all and only the URLs to which the rule should apply.

For example:

^/*\.jsp\?uid\=(.*)

The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /profile.cfm.

Do not include the domain name, such as www.example.com, which is specified by host.

Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides