waf json-validation

Variable	Description	Default
"<json_rule_name>"	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy.	No default.
`host-status {enable \| disable}`	Enable to compare the JSON rule to the `Host: field` in the HTTP header. If enabled, also configure host "<host_name_str>".	disable
`host "<host_name_str>"`	Enter the name of a protected host that the `Host:` field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.	No default.
request-type {plain \| regular}	Select whether request-type {plain \| regular} must contain either: `plain`—The field is a string that the request URL must match exactly. `regular`—The field is a regular expression that defines a set of matching URLs.	No default.
request-file "<file_str>"	Depending on your selection for request-type {plain \| regular}, enter either: `plain`—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( `/` ). `regular`—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in host "<host_name_str>".	No default.
action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log}	Select one of the following actions that FortiWeb performs when a request violates the rule: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution:FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.	alert
block-period <period_int>	Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} is `block-period`. The valid range is 1–3,600 seconds.	`600`
severity {High Low \| Medium \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule: `Low` `Medium` `High` `Info`	Low
trigger "<trigger_policy_name>"	Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ?	No default.
schema-file "<schema_file_name>"	Select a JSON schema file. To display a list of existing JSON schema files, enter: set schema-file ? Note, if you select a JSON schema file that references other JSON schema files, the other JSON schema files must also be uploaded to FortiWeb.	No default.
json-limits {enable \| disable}	Enable to define limits for data size, key, and value, etc.	`disable`
json-data-size "<json-data-size_int>"	Enter the total size of JSON data in the JSON file. The valid range is 0–10240.	`1024`
key-size "<key-size_int>"	Enter the key size of each object. The valid range is 0–10240. The	`64`
key-number "<key-number_int>"	Enter the total key number of each JSON file. The valid range is 0–2147483647.	`256`
value-size "<value-size_int>"	Enter the value size of each key. The valid range is 0–10240.	`128`
value-number-in-array "<value-number-in-array _int>"	Enter the total value number in an array. The valid range is 0–2147483647.	`256`
object-depth "<object-depth_int>"	Enter the number of the nested objects. The valid range is 0–2147483647.	`32`
`"<json_policy_name>"`	Enter the name of a JSON protection policy. You will use the name to select the policy in other parts of the configuration.	No default.
`"<input-rule-list_id>"`	Enter the index number of an entry to create or modify a rule for the policy.	No default.
`enable-signature-detection {enable \| disable}`	Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: `values application/json or text/json`.	`disable`
`json_input_rule "<json_input_rule_str>"`	Enter the sequence number of a JSON protection rule to add to the JSON protection policy.	No default.

Example

The below example creates a JSON protection rule and applies the rule to a new JSON protection policy.

config waf json-validation rule

edit "example_rule_name_1"

set action block-period

set block-period 3000

set severity Medium

set trigger "example_trigger_policy_name"

set host-status enable

set host "example_host_name"

set request-type plain

set request-file "/index.php"

set schema-file "example_schema_file_name"

set json-limits enable

set json-data-size 1030

set key-size 100

set key-number 300

set value-size 200

set object-depth 60

end

config waf json-validation policy

edit "example_policy_name"

config input-rule-list

edit "example_rule_1"

set "example_rule_1"

end

Syntax

config waf json-validation rule

edit "<json_rule_name>"

set host-status {enable | disable}

set host "<host_name_str>"

set request-type {plain | regular}

set request-file "<file_str>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set severity {High Low | Medium | Info}

set trigger "<trigger_policy_name>"

set schema-file "<schema_file_name>"

set json-limits {enable | disable}

set json-data-size "<json-data-size_int>"

set key-size "<key-size_int>"

set key-number "<key-number_int>"

set value-size "<value-size_int>"

set value-number-in-array "<value-number-in-array _int>"

set object-depth "<object-depth_int>"

end

config waf json-validation policy

edit "<json_policy_name>"

set enable-signature-detection {enable | disable}

config input-rule-list

edit "<input-rule-list_id>"

set json_input_rule "<json_input_rule_str>"

end

Variable	Description	Default
"<json_rule_name>"	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy.	No default.
`host-status {enable \| disable}`	Enable to compare the JSON rule to the `Host: field` in the HTTP header. If enabled, also configure host "<host_name_str>".	disable
`host "<host_name_str>"`	Enter the name of a protected host that the `Host:` field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.	No default.
request-type {plain \| regular}	Select whether request-type {plain \| regular} must contain either: `plain`—The field is a string that the request URL must match exactly. `regular`—The field is a regular expression that defines a set of matching URLs.	No default.
request-file "<file_str>"	Depending on your selection for request-type {plain \| regular}, enter either: `plain`—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( `/` ). `regular`—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in host "<host_name_str>".	No default.
action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log}	Select one of the following actions that FortiWeb performs when a request violates the rule: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution:FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.	alert
block-period <period_int>	Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} is `block-period`. The valid range is 1–3,600 seconds.	`600`
severity {High Low \| Medium \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule: `Low` `Medium` `High` `Info`	Low
trigger "<trigger_policy_name>"	Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ?	No default.
schema-file "<schema_file_name>"	Select a JSON schema file. To display a list of existing JSON schema files, enter: set schema-file ? Note, if you select a JSON schema file that references other JSON schema files, the other JSON schema files must also be uploaded to FortiWeb.	No default.
json-limits {enable \| disable}	Enable to define limits for data size, key, and value, etc.	`disable`
json-data-size "<json-data-size_int>"	Enter the total size of JSON data in the JSON file. The valid range is 0–10240.	`1024`
key-size "<key-size_int>"	Enter the key size of each object. The valid range is 0–10240. The	`64`
key-number "<key-number_int>"	Enter the total key number of each JSON file. The valid range is 0–2147483647.	`256`
value-size "<value-size_int>"	Enter the value size of each key. The valid range is 0–10240.	`128`
value-number-in-array "<value-number-in-array _int>"	Enter the total value number in an array. The valid range is 0–2147483647.	`256`
object-depth "<object-depth_int>"	Enter the number of the nested objects. The valid range is 0–2147483647.	`32`
`"<json_policy_name>"`	Enter the name of a JSON protection policy. You will use the name to select the policy in other parts of the configuration.	No default.
`"<input-rule-list_id>"`	Enter the index number of an entry to create or modify a rule for the policy.	No default.
`enable-signature-detection {enable \| disable}`	Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: `values application/json or text/json`.	`disable`
`json_input_rule "<json_input_rule_str>"`	Enter the sequence number of a JSON protection rule to add to the JSON protection policy.	No default.

Example

The below example creates a JSON protection rule and applies the rule to a new JSON protection policy.

config waf json-validation rule

edit "example_rule_name_1"

set action block-period

set block-period 3000

set severity Medium

set trigger "example_trigger_policy_name"

set host-status enable

set host "example_host_name"

set request-type plain

set request-file "/index.php"

set schema-file "example_schema_file_name"

set json-limits enable

set json-data-size 1030

set key-size 100

set key-number 300

set value-size 200

set object-depth 60

end

config waf json-validation policy

edit "example_policy_name"

config input-rule-list

edit "example_rule_1"

set "example_rule_1"

end

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference