log custom-sensitive-rule

Use this command to configure custom rules to obscure sensitive information that is not obscured in log message packet payloads by the predefined sensitivity rules.

Use this command in conjunction with log sensitive.

If enabled to do so, a FortiWeb appliance obscures predefined data types, including user names and passwords, in log message packet payloads. If other sensitive data in the packet payload is not covered by the predefined data types, you can create your own data type sensitivity rules, for example for ages or other identifying numbers.

Sensitive data definitions are not retroactive. They will hide strings in subsequent log messages, but will not affect existing log messages.

This command is relevant only if you have enabled the FortiWeb appliance to keep packet payloads along with their associated log messages, and have selected to obscure logs according to custom data types. For details, see log attack-log and log sensitive.

To use this command, your administrator account’s access control profile must have either w or rw permission to the loggrp area. For details, see Permissions.

Syntax

config log custom-sensitive-rule
    edit "<custom-sensitive-rule_name>"
        set expression "<sensitive-type_pattern>"
        set field-name "<parameter-name_pattern>"
        set field-value "<parameter-value_pattern>"
        set type {field-mask-rule | general-mask-rule}
    next
end

Variable: "<custom-sensitive-rule_name>"
Description: Enter the name of a new or existing rule. The maximum length is 63 characters.
To display the list of existing rules, enter:
    edit ?
Default: No default.

Variable: expression "<sensitive-type_pattern>"
Description: Enter a regular expression that matches all and only the strings or numbers that you want to obscure in the packet payloads.
For example, to hide a parameter that contains the age of users under 13, you could enter:
    age\=[1-13]
Expressions must not start with an asterisk ( * ). The maximum length is 256 characters.
Default: No default.

Variable: type {field-mask-rule | general-mask-rule}
Description: Select either general-mask-rule (a regular expression that matches any substring in the packet payload) or field-mask-rule (a regular expression that matches only the value of a specific form input).
If you select general-mask-rule, configure expression "<sensitive-type_pattern>".
If you select field-mask-rule, configure field-name "<parameter-name_pattern>" and field-value "<parameter-value_pattern>".
Default: general-mask-rule

Variable: field-name "<parameter-name_pattern>"
Description: Enter a regular expression that matches all and only the input names whose values you want to obscure. The input name itself is not obscured; to obscure the name as well, use general-mask-rule instead. The maximum length is 256 characters.
Default: No default.

Variable: field-value "<parameter-value_pattern>"
Description: Enter a regular expression that matches all and only the input values that you want to obscure. The maximum length is 256 characters.
For example, to hide a parameter that contains the age of users under 13, for field-name "<parameter-name_pattern>" enter age, and for field-value "<parameter-value_pattern>" enter [1-13].
Valid expressions must not start with an asterisk ( * ).
Caution: Field masks using asterisks are greedy: a match for the parameter's value obscures it, but also obscures the rest of the parameters in the line. To avoid this, enter an expression whose match terminates with, but does not consume, the parameter separator.
For example, if parameters are separated with an ampersand ( & ), and you want to obscure the value of the field name username but not any of the parameters that follow it, you could enter the field value:
    .*?(?=\&)
This would result in:
    username****&age=13&origurl=%2Flogin
Default: No default.

Example

This example enables the FortiWeb appliance to keep all types of packet payloads with their associated log messages. It also enables custom sensitive data types and defines one (intended for ages of 13 or less) whose matches are obscured in logs.

config log attack-log
    set status enable
    set packet-log anti-virus-detection cookie-poison custom-access custom-protection-rule hidden-fields-failed http-protocol-constraints illegal-file-type illegal-xml-format ip-intelligence padding-oracle parameter-rule-failed signature-detection
end

config log sensitive
    set type custom-rule
end

config log custom-sensitive-rule
    edit rule1
        set type general-mask-rule
        set expression "age\\=[1-13]*$"
    next
end
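The Python script below is an added illustration; it is not part of the FortiWeb documentation or product and does not reproduce the appliance's masking engine. It models the two rule types over a constructed form-post payload so that the patterns from the variable descriptions and the example above can be checked before they are deployed. It assumes that a masked value is replaced with a fixed "****" (the sample output on this page suggests this, but the replacement format is not documented here) and that a field-value pattern is matched against the rest of the line starting at the value, which is the behaviour the greedy-mask caution describes. It also shows that [1-13] in the age examples is a regular-expression character class matching a single "1" or "3", not the numeric range 1 to 13, and compares it with an alternation that does cover that range. The field_mask and general_mask functions, the MASK constant and the SAMPLE payload are all constructed for this example.

```python
import re

# Assumption: the masked span is replaced by a fixed "****", as in the page's
# sample output. The appliance's real replacement format is not documented here.
MASK = "****"

# Constructed sample payload: a form post body with '&'-separated parameters.
SAMPLE = "username=alice&age=13&origurl=%2Flogin"


def general_mask(payload: str, expression: str) -> str:
    """general-mask-rule: every substring of the payload matching the expression is masked."""
    return re.sub(expression, MASK, payload)


def field_mask(payload: str, field_name: str, field_value: str) -> str:
    """field-mask-rule (model): walk the parameters left to right; where a parameter's
    name fully matches field_name, apply field_value at the start of its value and mask
    whatever it consumes. The value pattern is matched against the rest of the line,
    not just the current parameter, which is why a greedy pattern swallows what follows."""
    name_re = re.compile(field_name)
    value_re = re.compile(field_value)
    param_re = re.compile(r"([^&=]+)=")  # a parameter name followed by '='
    out, pos = [], 0
    while pos < len(payload):
        m = param_re.match(payload, pos)
        if m and name_re.fullmatch(m.group(1)):
            vm = value_re.match(payload, m.end())
            if vm:
                out.append(payload[pos:m.end()] + MASK)
                pos = vm.end()  # resume after the consumed value (may be end of line)
                continue
        # Not a masked parameter: copy through the next separator, or to the end.
        nxt = payload.find("&", pos)
        end = len(payload) if nxt == -1 else nxt + 1
        out.append(payload[pos:end])
        pos = end
    return "".join(out)


def demo() -> dict:
    """Runs the page's patterns and corrected variants; returns the results by label."""
    return {
        # Greedy field value: the mask overruns the separator and hides the rest of the line.
        "greedy": field_mask(SAMPLE, "username", r".*"),
        # The page's lazy pattern with a lookahead stops before '&' without consuming it.
        "lookahead": field_mask(SAMPLE, "username", r".*?(?=\&)"),
        # [^&]* behaves the same and also matches a last parameter with no trailing '&'.
        "negated_class": field_mask("age=13&username=alice", "username", r"[^&]*"),
        # The page's general expression: [1-13] is a character class ('1' or '3'),
        # so it masks only "age=1" out of "age=13" and never matches "age=7".
        "class_13": general_mask("age=13&x=1", r"age\=[1-13]"),
        "class_7": general_mask("age=7", r"age\=[1-13]"),
        # An alternation that really means 1 through 13, anchored to the separator.
        "range_13": general_mask("age=13&x=1", r"age=(?:[1-9]|1[0-3])(?=&|$)"),
        "range_7": general_mask("age=7", r"age=(?:[1-9]|1[0-3])(?=&|$)"),
        "range_14": general_mask("age=14&x=1", r"age=(?:[1-9]|1[0-3])(?=&|$)"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:14s} {result}")
```

Running the script prints the greedy mask collapsing the whole line to "username=****", the lookahead version leaving "&age=13&origurl=%2Flogin" intact, and the [1-13] pattern leaving a stray "3" behind on "age=13". Because sensitive-data rules are not retroactive, testing a pattern this way before enabling it is the only chance to catch an over- or under-matching expression before the value reaches the stored logs.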

Related topics