waf file-upload-restriction-policy
Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to your web servers.
The policies are composed of individual rules set using the server-policy custom-application application-policy command. Each rule identifies the host and/or URL to which the restriction applies and the types of files allowed. To apply a file security policy, select it within an inline or Offline Protection profile.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf file-upload-restriction-policy
edit "<file-upload-restriction-policy_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <seconds_int>
set severity {High | Medium | Low | Info}
set trigger <trigger-policy_name>
set trojan-detection {enable | disable}
set av-scan {enable | disable}
set fortisandbox-check {enable | disable}
set hold-session-while-scanning-file {enable | disable}
set icap-server-check {enable | disable}
set exchange-mail-detection {enable | disable}
set owa-protocol {enable | disable}
set activesync-protocol {enable | disable}
set mapi-protocol {enable | disable}
config rule
edit <entry_index>
set file-upload-restriction-rule <rule_name>
next
end
next
end
Variable | Description | Default |
Enter the name of an existing or new file security policy. The maximum length is 63 characters. To display the list of existing policies, enter:
|
No default. | |
Enter the action you want FortiWeb to perform when the policy is violated:
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select |
alert
|
|
If action {alert | alert_deny | block-period | deny_no_log} is block-period , type the number of seconds that violating requests will be blocked. The valid range is 1–3,600 seconds. |
600
|
|
Select the severity level to use in logs and reports generated when a violation of the rule occurs. |
Low
|
|
Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing triggers, enter:
|
No default. | |
Enter enable to scan for Trojans.
Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page. |
disable
|
|
Enter |
disable
|
|
Enter enable to send matching files to FortiSandbox for evaluation.Also specify the FortiSandbox settings for your FortiWeb. For details, see system fortisandbox. FortiSandbox evaluates the file and returns the results to FortiWeb. If trojan-detection {enable | disable} is enable and FortiWeb detects a virus, it does not send the file to FortiSandbox. |
disable
|
|
Enter Note: To perform Trojan detection, an antivirus scan, and send attachments to FortiSandbox, you must enable trojan-detection {enable | disable}, trojan-detection {enable | disable}, and fortisandbox-check {enable | disable}, respectively, in the file security policy. |
disable
|
|
Available only when exchange-mail-detection {enable | disable} is set to enable . If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a web browser login. |
disable
|
|
Available only when exchange-mail-detection {enable | disable} is set to enable . If enabled, FortiWeb will scan attachments in Exchange Email sent and received via a mobile phone login. |
disable
|
|
Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. | |
Enter the name of an upload restriction rule to use with the policy, if any. For details, see server-policy custom-application application-policy. The maximum length is 63 characters. To display the list of existing rules, enter:
|
No default. | |
hold-session-while-scanning-file
{enable | disable} |
Enable it, and FortiWeb waits for up to 30 minutes. If FortiWeb holds
the session for over 30 minutes while FortiSandbox scans the file in
the request, FortiWeb will forward the session without taking any
other actions. This option is available only when you enable Send files to FortiSandbox. |
disable
|
mapi-protocol {enable | disable}
|
FortiWeb will scan attachments in Email sent and received
via the Messaging Application Programming Interface (MAPI), a
new transport protocol implemented in Microsoft Exchange Server
2013 Service Pack 1 (SP1). Available only when Scan attachments in Email is enabled. |
disable
|
icap-server-check {enable | disable}
|
Enable so that FortiWeb sends files to ICAP server that matches the uploading or downloading direction. |
disable
|