
CLI Reference

waf json-validation

Use this command to create JSON protection rules and configure JSON protection policies.

Syntax

config waf json-validation rule
  edit "<json_rule_name>"
    set host-status {enable | disable}
    set host "<host_name_str>"
    set request-type {plain | regular}
    set request-file "<file_str>"
    set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
    set block-period <period_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger_policy_name>"
    set schema-file "<schema_file_name>"
    set json-limits {enable | disable}
    set json-data-size "<json-data-size_int>"
    set key-size "<key-size_int>"
    set key-number "<key-number_int>"
    set value-size "<value-size_int>"
    set value-number-in-array "<value-number-in-array_int>"
    set object-depth "<object-depth_int>"
  next
end

config waf json-validation policy
  edit "<json_policy_name>"
    set enable-signature-detection {enable | disable}
    config input-rule-list
      edit "<input-rule-list_id>"
        set json_input_rule "<json_input_rule_str>"
      next
    end
  next
end

Variable Description Default

"<json_rule_name>"

Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy.

No default.

host-status {enable | disable}

Enable to apply the rule only when the Host: field of the HTTP request header matches a configured host. If enabled, also configure host "<host_name_str>".

disable

host "<host_name_str>"

Enter the name of a protected host that the Host: field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.

No default.

request-type {plain | regular}

Select how the value of request-file "<file_str>" is interpreted:

  • plain—The field is a string that the request URL must match exactly.
  • regular—The field is a regular expression that defines a set of matching URLs.

No default.

request-file "<file_str>"

Depending on your selection for request-type {plain | regular}, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

Do not include the domain name, such as www.example.com, which is configured separately in host "<host_name_str>".

No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

Select one of the following actions that FortiWeb performs when a request violates the rule:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

alert

block-period <period_int>

Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} is block-period.

The valid range is 1–3,600.

60

severity {High | Medium | Low | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:

  • Low
  • Medium
  • High
  • Info

Low

trigger "<trigger_policy_name>"

Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy.

To display a list of existing triggers, enter:

set trigger ?

No default.

schema-file "<schema_file_name>"

Select a JSON schema file.

To display a list of existing JSON schema files, enter:

set schema-file ?

Note: If you select a JSON schema file that references other JSON schema files, the referenced schema files must also be uploaded to FortiWeb.

No default.

json-limits {enable | disable}

Enable to enforce limits on the JSON data submitted in a request: total data size, key size and number, value size and number, and object nesting depth. If enabled, also configure the individual limit settings below.

disable

json-data-size "<json-data-size_int>"

Enter the maximum total size of the JSON data in a request. The valid range is 0–10240.

1024

key-size "<key-size_int>"

Enter the maximum size of each key in an object. The valid range is 0–10240. The

64

key-number "<key-number_int>"

Enter the maximum total number of keys in the JSON data. The valid range is 0–2147483647.

256

value-size "<value-size_int>"

Enter the maximum size of the value of each key. The valid range is 0–10240.

128

value-number-in-array "<value-number-in-array_int>"

Enter the maximum number of values in an array. The valid range is 0–2147483647.

256

object-depth "<object-depth_int>"

Enter the maximum nesting depth of objects. The valid range is 0–2147483647.

32
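The json-limits settings above are easier to reason about when you can see what each one measures. The following Python script is an added example, not FortiWeb code and not documented FortiWeb behaviour: it walks a JSON request body, measures the six quantities the limits apply to, and reports which configured limits the body exceeds. The limit names and default values come from this page, and EXAMPLE_RULE_LIMITS mirrors the example rule further down the page. How each quantity is measured (UTF-8 byte lengths, only objects counting toward nesting depth, the top-level object at depth 1) is an assumption of this example.

```python
"""
Added example (not FortiWeb code): measure a JSON request body against the
json-limits settings described on this page and report which it exceeds.
Limit names and defaults are taken from the page; the measurement rules
(UTF-8 byte sizes, objects-only nesting depth, top-level object = depth 1)
are assumptions of this example, not documented FortiWeb behaviour.
"""
import json

# Defaults listed on the page for each json-limits setting.
DEFAULT_LIMITS = {
    "json-data-size": 1024,
    "key-size": 64,
    "key-number": 256,
    "value-size": 128,
    "value-number-in-array": 256,
    "object-depth": 32,
}

# Values set by the page's example rule; value-number-in-array is not set
# there, so it keeps the default.
EXAMPLE_RULE_LIMITS = {
    **DEFAULT_LIMITS,
    "json-data-size": 1030,
    "key-size": 100,
    "key-number": 300,
    "value-size": 200,
    "object-depth": 60,
}


def measure(doc, raw_size):
    """Walk a parsed JSON value and collect the quantities the limits apply to."""
    stats = {
        "json-data-size": raw_size,
        "key-size": 0,
        "key-number": 0,
        "value-size": 0,
        "value-number-in-array": 0,
        "object-depth": 0,
    }

    def scalar_size(value):
        # Assumption: strings are measured without quotes, other scalars as serialized.
        if isinstance(value, str):
            return len(value.encode("utf-8"))
        return len(json.dumps(value))

    def walk(node, depth):
        if isinstance(node, dict):
            stats["object-depth"] = max(stats["object-depth"], depth)
            for key, value in node.items():
                stats["key-number"] += 1
                stats["key-size"] = max(stats["key-size"], len(key.encode("utf-8")))
                walk(value, depth + 1)
        elif isinstance(node, list):
            stats["value-number-in-array"] = max(stats["value-number-in-array"], len(node))
            for item in node:
                walk(item, depth)  # assumption: arrays do not add nesting depth
        else:
            stats["value-size"] = max(stats["value-size"], scalar_size(node))

    walk(doc, 1)
    return stats


def check(raw, limits=DEFAULT_LIMITS):
    """Return (limit, observed, configured) for every limit the body exceeds.

    An empty list means the body is within every configured limit. A body
    that is not valid JSON is reported as a single "invalid-json" entry.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [("invalid-json", str(exc), None)]
    stats = measure(doc, len(raw))
    return [(name, stats[name], limits[name])
            for name in limits if stats[name] > limits[name]]


# Constructed sample bodies (not captured traffic).
SMALL_OK = json.dumps(
    {"user": "alice", "roles": ["admin", "dev"], "profile": {"age": 30}}
).encode("utf-8")
# 40 nested objects: exceeds the default object-depth of 32, not the example's 60.
DEEP = b'{"a":' * 40 + b'1' + b'}' * 40
# A 70-byte key: exceeds the default key-size of 64, not the example's 100.
LONG_KEY = json.dumps({"k" * 70: "v"}).encode("utf-8")

if __name__ == "__main__":
    for label, body in [("small", SMALL_OK), ("deep", DEEP), ("long-key", LONG_KEY)]:
        print(label, "defaults:", check(body),
              "example rule:", check(body, EXAMPLE_RULE_LIMITS))
```

Running the script shows the practical effect of the example rule's looser values: the 40-level body and the 70-byte key are rejected under the defaults but accepted under the example rule's object-depth of 60 and key-size of 100. The same walk is what an application-side parser would need to do before a deeply nested or oversized document reaches code with a fixed recursion or buffer budget.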

"<json_policy_name>"

Enter the name of a JSON protection policy. You will use the name to select the policy in other parts of the configuration.

No default.

"<input-rule-list_id>"

Enter the index number of an entry to create or modify a rule for the policy.

No default.

enable-signature-detection {enable | disable}

Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: values application/json or text/json.

disable

json_input_rule "<json_input_rule_str>"

Enter the sequence number of a JSON protection rule to add to the JSON protection policy.

No default.

Example

The following example creates a JSON protection rule and adds the rule to a new JSON protection policy.

config waf json-validation rule
  edit "example_rule_name_1"
    set action block-period
    set block-period 3000
    set severity Medium
    set trigger "example_trigger_policy_name"
    set host-status enable
    set host "example_host_name"
    set request-type plain
    set request-file "/index.php"
    set schema-file "example_schema_file_name"
    set json-limits enable
    set json-data-size 1030
    set key-size 100
    set key-number 300
    set value-size 200
    set object-depth 60
  next
end

config waf json-validation policy
  edit "example_policy_name"
    config input-rule-list
      edit 1
        set json_input_rule "example_rule_name_1"
      next
    end
  next
end

Related topics
