
CLI Reference

waf syntax-based-attack-detection

waf syntax-based-attack-detection

Using regular expression-based signatures to detect SQL/XSS injection attacks is core to a WAF solution. However, it is a continuous and tedious process to maintain and update the signatures to address new evasion techniques and to tune false positives and negatives for some attacks. To address this, syntax-based SQL/XSS injection detection is introduced.

Syntax

config waf syntax-based-attack-detection

edit "<policy_name>"

set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

set sql-arithmetic-operation-block-period <period_int>

set sql-arithmetic-operation-severity {High | Medium | Low | Info}

set sql-arithmetic-operation-status {enable | disable}

set sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-arithmetic-operation-trigger <trigger_policy_name>

set sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-condition-based-block-period <period_int>

set sql-condition-based-severity {High | Medium | Low | Info}

set sql-condition-based-status {enable | disable}

set sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-condition-based-trigger <trigger_policy_name>

set sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-embeded-queries-block-period <period_int>

set sql-embeded-queries-severity {High | Medium | Low | Info}

set sql-embeded-queries-status {enable | disable}

set sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-embeded-queries-trigger <trigger_policy_name>

set sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-function-based-block-period <period_int>

set sql-function-based-severity {High | Medium | Low | Info}

set sql-function-based-status {enable | disable}

set sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-function-based-trigger <trigger_policy_name>

set sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-line-comments-block-period <period_int>

set sql-line-comments-severity {High | Medium | Low | Info}

set sql-line-comments-status {enable | disable}

set sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-line-comments-trigger <trigger_policy_name>

set sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-stacked-queries-block-period <period_int>

set sql-stacked-queries-severity {High | Medium | Low | Info}

set sql-stacked-queries-status {enable | disable}

set sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-stacked-queries-trigger <trigger_policy_name>

set xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

set xss-html-attribute-based-block-period <period_int>

set xss-html-attribute-based-severity {High | Medium | Low | Info}

set xss-html-attribute-based-status {enable | disable}

set xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-attribute-based-trigger <trigger_policy_name>

set xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-css-based-block-period <period_int>

set xss-html-css-based-severity {High | Medium | Low | Info}

set xss-html-css-based-status {enable | disable}

set xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-css-based-trigger <trigger_policy_name>

set xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-tag-based-block-period <period_int>

set xss-html-tag-based-check-level {strict | moderate}

set xss-html-tag-based-severity {High | Medium | Low | Info}

set xss-html-tag-based-status {enable | disable}

set xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-tag-based-trigger <trigger_policy_name>

set xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-function-based-block-period <period_int>

set xss-javascript-function-based-severity {High | Medium | Low | Info}

set xss-javascript-function-based-status {enable | disable}

set xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-function-based-trigger <trigger_policy_name>

set xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-variable-based-block-period <period_int>

set xss-javascript-variable-based-severity {High | Medium | Low | Info}

set xss-javascript-variable-based-status {enable | disable}

set xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-variable-based-trigger <trigger_policy_name>

config exception-element-list

edit "<list-id>"

set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <name_str>

set value-check {enable | disable}

set value <value_str>

set concatenate-type {AND | OR}

set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

next

end

next

end

Variable

Description

Default

"<policy_name>"

Enter a name for the syntax based detection policy.

No default

sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
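  • deny_no_log—Block the request (or reset the connection). Unlike the other blocking actions, this description does not mention an alert email or log message, so a request blocked this way may leave no record in the attack log; use alert_deny where an audit trail of blocked requests is needed.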
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-arithmetic-operation-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

Select the elements in the request that you want FortiWeb to scan:

  • Parameter Name

  • Parameter Value

  • Request Cookie

  • Request User-Agent

  • Request Referer

  • Other Request Header

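You can select multiple elements, for example, set detection-target-sql ARGS_NAMES REQUEST_COOKIES ARGS_VALUE. The default (listed below) covers only parameter names, parameter values and cookies; to have FortiWeb also scan the User-Agent, Referer or other request headers, include REQUEST_USER_AGENT, REQUEST_REFERER or OTHER_REQUEST_HEADERS in the list, which matters when the protected application uses those header values in database queries.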

Parameter Name/Parameter Value/Request Cookie

sql-arithmetic-operation-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-arithmetic-operation-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-arithmetic-operation-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Arithmetic Operation Based Boolean Injection attack.

severe

sql-arithmetic-operation-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-condition-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-condition-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

sql-condition-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-condition-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Condition Based Boolean Injection attack.

severe

sql-condition-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-embeded-queries-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-embeded-queries-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

sql-embeded-queries-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-embeded-queries-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Embedded Queries SQL Injection attack.

severe

sql-embeded-queries-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-function-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-function-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

sql-function-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-function-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for SQL Function Based Boolean Injection attack.

severe

sql-function-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-line-comments-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-line-comments-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

sql-line-comments-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-line-comments-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Line Comments attack.

severe

sql-line-comments-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-stacked-queries-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-stacked-queries-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

sql-stacked-queries-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-stacked-queries-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Stacked Queries SQL Injection attack.

severe

sql-stacked-queries-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-attribute-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

Select the elements in the request that you want FortiWeb to scan:

  • Parameter Name

  • Parameter Value

  • Request Cookie

  • Request User-Agent

  • Request Referer

  • Other Request Header

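You can select multiple elements, for example, set detection-target-xss ARGS_NAMES REQUEST_COOKIES ARGS_VALUE. The default (listed below) covers only parameter names, parameter values and cookies; to have FortiWeb also scan the User-Agent, Referer or other request headers, include REQUEST_USER_AGENT, REQUEST_REFERER or OTHER_REQUEST_HEADERS in the list, which matters when the protected application writes those header values into pages it returns.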

Parameter Name/Parameter Value/Request Cookie

xss-html-attribute-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

xss-html-attribute-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-attribute-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML Attribute Based XSS Injection attack.

severe

xss-html-attribute-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-css-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-html-css-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

xss-html-css-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-css-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML CSS Based XSS Injection attack.

severe

xss-html-css-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-tag-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-html-tag-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

xss-html-tag-based-check-level {strict | moderate}

  • moderate—An injection attack will be reported when tags besides body/head/html are detected.
  • strict—No injection attack will be reported when tags besides body/head/html are detected.

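Note: Setting the check level to moderate is not advised, because false positives may occur; as described above, moderate reports an attack for tags that strict does not report.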

strict

xss-html-tag-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-tag-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML Tag Based XSS Injection attack.

severe

xss-html-tag-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-function-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-javascript-function-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack. 600

xss-javascript-function-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-javascript-function-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Javascript Function Based XSS Injection attack.

severe

xss-javascript-function-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-variable-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-javascript-variable-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-javascript-variable-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-javascript-variable-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Javascript Variable Based XSS Injection attack.

severe

xss-javascript-variable-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

"<list-id>"

Enter an ID for the exception list.

No default

match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

Select the type of request element to exempt from this rule.

URI

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCH—Name is the literal name of a parameter.
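  • REGEXP_MATCH—Name is a regular expression that matches all and only the name of the parameter that the exception applies to. Keep the expression as narrow as possible, because every request element it matches is exempted from detection for the selected attack type.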

REGEXP_MATCH

value-name <name_str>

Specify the name of the parameter to match.

value-check {enable | disable}

Enable to specify a parameter value to match in addition to the parameter name.

disable

value <value_str>

Specify a HOST/URI/FULL-URL/PARAMETER/COOKIE value to match.

No default

concatenate-type {AND | OR}

  • AND—A matching request matches this entry in addition to other entries in the exemption list.
  • OR—A matching request matches this entry instead of other entries in the exemption list.

Later, you can use the exception list options to adjust the matching sequence for entries.

AND

attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

Select the attack type you want to create the exception for.

No default

Related topics

waf syntax-based-attack-detection

waf syntax-based-attack-detection

Using regular expression-based signatures to detect SQL/XSS injection attacks is core to a WAF solution. However, it is a continuous and tedious process to maintain and update the signatures to address new evasion techniques and to tune false positives and negatives for some attacks. To address this, syntax-based SQL/XSS injection detection is introduced.

Syntax

config waf syntax-based-attack-detection

edit "<policy_name>"

set sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

set sql-arithmetic-operation-block-period <period_int>

set sql-arithmetic-operation-severity {High | Medium | Low | Info}

set sql-arithmetic-operation-status {enable | disable}

set sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-arithmetic-operation-trigger <trigger_policy_name>

set sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-condition-based-block-period <period_int>

set sql-condition-based-severity {High | Medium | Low | Info}

set sql-condition-based-status {enable | disable}

set sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-condition-based-trigger <trigger_policy_name>

set sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-embeded-queries-block-period <period_int>

set sql-embeded-queries-severity {High | Medium | Low | Info}

set sql-embeded-queries-status {enable | disable}

set sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-embeded-queries-trigger <trigger_policy_name>

set sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-function-based-block-period <period_int>

set sql-function-based-severity {High | Medium | Low | Info}

set sql-function-based-status {enable | disable}

set sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-function-based-trigger <trigger_policy_name>

set sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-line-comments-block-period <period_int>

set sql-line-comments-severity {High | Medium | Low | Info}

set sql-line-comments-status {enable | disable}

set sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-line-comments-trigger <trigger_policy_name>

set sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set sql-stacked-queries-block-period <period_int>

set sql-stacked-queries-severity {High | Medium | Low | Info}

set sql-stacked-queries-status {enable | disable}

set sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

set sql-stacked-queries-trigger <trigger_policy_name>

set xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

set xss-html-attribute-based-block-period <period_int>

set xss-html-attribute-based-severity {High | Medium | Low | Info}

set xss-html-attribute-based-status {enable | disable}

set xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-attribute-based-trigger <trigger_policy_name>

set xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-css-based-block-period <period_int>

set xss-html-css-based-severity {High | Medium | Low | Info}

set xss-html-css-based-status {enable | disable}

set xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-css-based-trigger <trigger_policy_name>

set xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-html-tag-based-block-period <period_int>

set xss-html-tag-based-check-level {strict | moderate}

set xss-html-tag-based-severity {High | Medium | Low | Info}

set xss-html-tag-based-status {enable | disable}

set xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-html-tag-based-trigger <trigger_policy_name>

set xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-function-based-block-period <period_int>

set xss-javascript-function-based-severity {High | Medium | Low | Info}

set xss-javascript-function-based-status {enable | disable}

set xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-function-based-trigger <trigger_policy_name>

set xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

set xss-javascript-variable-based-block-period <period_int>

set xss-javascript-variable-based-severity {High | Medium | Low | Info}

set xss-javascript-variable-based-status {enable | disable}

set xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}

set xss-javascript-variable-based-trigger <trigger_policy_name>

config exception-element-list

edit "<list-id>"

set match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

set operator {STRING_MATCH | REGEXP_MATCH}

set value-name <name_str>

set value-check {enable | disable}

set value <value_str>

set concatenate-type {AND | OR}

set attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

next

end

next

end

Variable

Description

Default

"<policy_name>"

Enter a name for the syntax based detection policy.

No default

sql-arithmetic-operation-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-arithmetic-operation-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

detection-target-sql { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

Select the elements in the request that you want FortiWeb to scan:

  • Parameter Name

  • Parameter Value

  • Request Cookie

  • Request User-Agent

  • Request Referer

  • Other Request Header

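You can select multiple elements, for example, set detection-target-sql ARGS_NAMES REQUEST_COOKIES ARGS_VALUE. Elements that are not selected are not scanned for SQL injection; the default selection does not include Request User-Agent, Request Referer, or Other Request Header.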

Parameter Name/Parameter Value/Request Cookie

sql-arithmetic-operation-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-arithmetic-operation-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-arithmetic-operation-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-arithmetic-operation-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Arithmetic Operation Based Boolean Injection attack.

severe

sql-arithmetic-operation-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-condition-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-condition-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-condition-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-condition-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-condition-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-condition-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Condition Based Boolean Injection attack.

severe

sql-condition-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-embeded-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-embeded-queries-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-embeded-queries-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-embeded-queries-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-embeded-queries-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-embeded-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Embedded Queries SQL Injection attack.

severe

sql-embeded-queries-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-function-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-function-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-function-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-function-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for SQL Function Based Boolean Injection attack.

severe

sql-function-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-line-comments-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-line-comments-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-line-comments-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-line-comments-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-line-comments-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-line-comments-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Line Comments attack.

severe

sql-line-comments-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

sql-stacked-queries-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure sql-stacked-queries-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

sql-stacked-queries-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

sql-stacked-queries-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

sql-stacked-queries-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

sql-stacked-queries-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Stacked Queries SQL Injection attack.

severe

sql-stacked-queries-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-attribute-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-attribute-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

detection-target-xss { ARGS_NAMES | ARGS_VALUE | REQUEST_COOKIES | REQUEST_USER_AGENT | REQUEST_REFERER | OTHER_REQUEST_HEADERS }

Select the elements in the request that you want FortiWeb to scan:

  • Parameter Name

  • Parameter Value

  • Request Cookie

  • Request User-Agent

  • Request Referer

  • Other Request Header

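You can select multiple elements, for example, set detection-target-xss ARGS_NAMES REQUEST_COOKIES ARGS_VALUE. Elements that are not selected are not scanned for XSS injection; the default selection does not include Request User-Agent, Request Referer, or Other Request Header.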

Parameter Name/Parameter Value/Request Cookie

xss-html-attribute-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-html-attribute-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-attribute-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-attribute-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML Attribute Based XSS Injection attack.

severe

xss-html-attribute-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-css-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-css-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-html-css-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-html-css-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-css-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-css-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML CSS Based XSS Injection attack.

severe

xss-html-css-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-html-tag-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-html-tag-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-html-tag-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-html-tag-based-check-level {strict | moderate}

  • moderate—An injection attack will be reported when tags besides body/head/html are detected.
  • strict—No injection attack will be reported when tags besides body/head/html are detected.

Note: Setting this option to moderate is not advised, as false positives may occur.

strict

xss-html-tag-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-html-tag-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-html-tag-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTML Tag Based XSS Injection attack.

severe

xss-html-tag-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-javascript-function-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-function-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-javascript-function-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-javascript-function-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-javascript-function-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-javascript-function-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Javascript Function Based XSS Injection attack.

severe

xss-javascript-function-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

xss-javascript-variable-based-action {alert | redirect | deny_no_log | alert_deny | block_period | send_http_response}

Select the action FortiWeb takes when this injection type attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure xss-javascript-variable-based-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_http_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

xss-javascript-variable-based-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this injection type attack.

600

xss-javascript-variable-based-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an injection attack:

  • High
  • Medium
  • Low
  • Info
High

xss-javascript-variable-based-status {enable | disable}

Enable or disable the attack type detection for this rule.

enable

xss-javascript-variable-based-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Javascript Variable Based XSS Injection attack.

severe

xss-javascript-variable-based-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

"<list-id>"

Enter an ID for the exception list.

No default

match-target {HOST | URI | FULL-URL | PARAMETER | COOKIE}

Select the type of request element to exempt from this rule.

URI

operator {STRING_MATCH | REGEXP_MATCH}

  • STRING_MATCH—Name is the literal name of a parameter.
  • REGEXP_MATCH—Name is a regular expression that matches the name of every parameter that the exception applies to, and no other names. An overly broad expression exempts more parameters from detection than intended.

REGEXP_MATCH

value-name <name_str>

Specify the name of the parameter to match.

value-check {enable | disable}

Enable to specify a parameter value to match in addition to the parameter name.

disable

value <value_str>

Specify a HOST/URI/FULL-URL/PARAMETER/COOKIE value to match.

No default

concatenate-type {AND | OR}

  • AND—A matching request matches this entry in addition to other entries in the exemption list.
  • OR—A matching request matches this entry instead of other entries in the exemption list.

Later, you can use the exception list options to adjust the matching sequence for entries.

AND

attack-type {arithmetic_operation_based_boolean_injection | condition_based_boolean_injection | embeded_queries_sql_injection | html_attr_based_xss_injection | html_css_based_xss_injection | html_tag_based_xss_injection | js_func_based_xss_injection | js_var_based_xss_injection | line_comments | invalid | sql_function_based_boolean_injection | stacked_queries_sql_injection}

Select the attack type you want to create the exception for.

No default

Related topics