Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.3.5 CLI Reference
    6.3.5
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf input-rule

    waf input-rule

    Use this command to configure input rules.

    Input rules define whether or not parameters are required, and sets their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule.

    Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.

    For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.

    To apply input rules, select them within a parameter validation rule. For details, see waf parameter-validation-rule.

    Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf input-rule

    edit "<input-rule_name>"

    set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

    set block-period <seconds_int>

    set host "<protected-host_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_name>"

    config rule-list

    edit <entry_index>

    set type-checked (enable | disable}

    set argument-type <custom-data-type | data-type | regular-expression}

    set argument-name-type {plain | regular}

    set argument-name "<input_name>"

    set argument-expression "<regex_pattern>"

    set custom-data-type "<custom-data-type_name>"

    set data-type "<predefined_name>"

    set is-essential {yes | no}

    set max-length <limit_int>

    next

    end

    next

    end

    Variable Description Default

    "<input-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry:

    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.
    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds.

    This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} is block-period.

    		600

    host "<protected-host_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host "<protected-host_name>".

    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-host_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    is-essential {yes | no}

    		 Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no. no

    max-length <limit_int>

    Enter the maximum allowed length of the parameter value.

    The valid range is 0–1,024. To disable the limit, enter 0.

    		 0

    type-checked (enable | disable}

    Enable to use predefined or configured data types when validating parameters. Also configure argument-type <custom-data-type | data-type | regular-expression}.

    Disable to ignore data-type and custom-data-type settings.

    		 enable

    argument-type <custom-data-type | data-type | regular-expression}

    		 Specify the type of argument. No default.

    argument-name-type {plain | regular}

    Specify one of the following options:

    • plainargument-name is the name attribute of the parameter’s input tag exactly as it appears in the form on the web page.
    • regularargument-name is a regular expression designed to match the name attribute of the parameter’s input tag.

    argument-name "<input_name>"

    If argument-name-type {plain | regular} is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 63 characters.

    If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter’s input tag.

    		 No default.

    argument-expression "<regex_pattern>"

    Enter a regular expression that matches all valid values, and no invalid values, for this input.

    The maximum length is 2,071 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported.

    custom-data-type "<custom-data-type_name>"

    Enter the name of a custom data type, if any. The maximum length is 63 characters.

    To display the list of custom data types, enter:

    set custom-data-type ?

    This setting applies only if type-checked (enable | disable} is enable.

    		 No default.

    data-type "<predefined_name>"

    Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates).

    To display available options, enter:

    set data type ?

    For match descriptions of each option, see "server-policy pattern data-type-group" on page 1.

    Alternatively, configure argument-type <custom-data-type | data-type | regular-expression}. This option is ignored if you configure argument-type, which also defines parameters to which the input rule applies, but supersedes this option.

    		 No default.

    Example

    This example blocks and logs requests for the file named login.php that do not include a user name and password, both of which are required, or whose user name and password exceed the 64-character limit.

    config waf input-rule

    edit "input_rule1"

    set action alert_deny

    set request-file "/login.php?*"

    request-type regular

    config rule-list

    edit 1

    set argument-name "username"

    set argument-type data-type

    set data-type Email

    set is-essential yes

    set max-length 64

    next

    edit 2

    set argument-name "password"

    set data-type String

    set is-essential yes

    set max-length 64

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf input-rule

    waf input-rule

    Use this command to configure input rules.

    Input rules define whether or not parameters are required, and sets their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule.

    Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.

    For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.

    To apply input rules, select them within a parameter validation rule. For details, see waf parameter-validation-rule.

    Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf input-rule

    edit "<input-rule_name>"

    set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

    set block-period <seconds_int>

    set host "<protected-host_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set request-type {plain | regular}

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_name>"

    config rule-list

    edit <entry_index>

    set type-checked (enable | disable}

    set argument-type <custom-data-type | data-type | regular-expression}

    set argument-name-type {plain | regular}

    set argument-name "<input_name>"

    set argument-expression "<regex_pattern>"

    set custom-data-type "<custom-data-type_name>"

    set data-type "<predefined_name>"

    set is-essential {yes | no}

    set max-length <limit_int>

    next

    end

    next

    end

    Variable Description Default

    "<input-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry:

    • alert—Accept the request and generate an alert email and/or log message.
    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.
    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.
    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds.

    This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} is block-period.

    		600

    host "<protected-host_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host "<protected-host_name>".

    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Depending on your selection in request-type {plain | regular}, enter either:

    • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

    Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-host_name>". The maximum length is 256 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/fortiweb/admin-guides

    		No default.

    request-type {plain | regular}

    		 Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular). plain

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. Low

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    is-essential {yes | no}

    		 Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no. no

    max-length <limit_int>

    Enter the maximum allowed length of the parameter value.

    The valid range is 0–1,024. To disable the limit, enter 0.

    		 0

    type-checked (enable | disable}

    Enable to use predefined or configured data types when validating parameters. Also configure argument-type <custom-data-type | data-type | regular-expression}.

    Disable to ignore data-type and custom-data-type settings.

    		 enable

    argument-type <custom-data-type | data-type | regular-expression}

    		 Specify the type of argument. No default.

    argument-name-type {plain | regular}

    Specify one of the following options:

    • plainargument-name is the name attribute of the parameter’s input tag exactly as it appears in the form on the web page.
    • regularargument-name is a regular expression designed to match the name attribute of the parameter’s input tag.

    argument-name "<input_name>"

    If argument-name-type {plain | regular} is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 63 characters.

    If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter’s input tag.

    		 No default.

    argument-expression "<regex_pattern>"

    Enter a regular expression that matches all valid values, and no invalid values, for this input.

    The maximum length is 2,071 characters.

    Note: Regular expressions beginning with an exclamation point ( ! ) are not supported.

    custom-data-type "<custom-data-type_name>"

    Enter the name of a custom data type, if any. The maximum length is 63 characters.

    To display the list of custom data types, enter:

    set custom-data-type ?

    This setting applies only if type-checked (enable | disable} is enable.

    		 No default.

    data-type "<predefined_name>"

    Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates).

    To display available options, enter:

    set data type ?

    For match descriptions of each option, see "server-policy pattern data-type-group" on page 1.

    Alternatively, configure argument-type <custom-data-type | data-type | regular-expression}. This option is ignored if you configure argument-type, which also defines parameters to which the input rule applies, but supersedes this option.

    		 No default.

    Example

    This example blocks and logs requests for the file named login.php that do not include a user name and password, both of which are required, or whose user name and password exceed the 64-character limit.

    config waf input-rule

    edit "input_rule1"

    set action alert_deny

    set request-file "/login.php?*"

    request-type regular

    config rule-list

    edit 1

    set argument-name "username"

    set argument-type data-type

    set data-type Email

    set is-essential yes

    set max-length 64

    next

    edit 2

    set argument-name "password"

    set data-type String

    set is-essential yes

    set max-length 64

    next

    end

    next

    end

    Related topics

    Previous
    Next