Fortinet Document Library

CLI Reference

waf file-upload-restriction-policy

Use this command to set file security policies that FortiWeb will use to manage the types of files that can be uploaded to your web servers.

The policies are composed of individual rules set using the server-policy custom-application application-policy command. Each rule identifies the host and/or URL to which the restriction applies and the types of files allowed. To apply a file security policy, select it within an inline or Offline Protection profile.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf file-upload-restriction-policy
    edit "<file-upload-restriction-policy_name>"
        set action {alert | alert_deny | block-period | deny_no_log}
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger <trigger-policy_name>
        set trojan-detection {enable | disable}
        set av-scan {enable | disable}
        set fortisandbox-check {enable | disable}
        set hold-session-while-scanning-file {enable | disable}
        set icap-server-check {enable | disable}
        set exchange-mail-detection {enable | disable}
        set owa-protocol {enable | disable}
        set activesync-protocol {enable | disable}
        set mapi-protocol {enable | disable}
        config rule
            edit <entry_index>
                set file-upload-restriction-rule <rule_name>
            next
        end
    next
end

Variables, with their description and default value:

"<file-upload-restriction-policy_name>"

Enter the name of an existing or new file security policy. The maximum length is 63 characters.

To display the list of existing policies, enter:

    edit ?

Default: No default.

action {alert | alert_deny | block-period | deny_no_log}

Enter the action you want FortiWeb to perform when the policy is violated:

  • alert—Accept the request and generate an alert and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg and the FortiWeb Administration Guide:

    http://docs.fortinet.com/fortiweb/admin-guides

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option you must also define an X-header that indicates the original client’s IP. Otherwise FortiWeb may block all connections when it detects a violation of this type, because every request appears to originate from the load balancer’s address. For details, see waf x-forwarded-for.

  • deny_no_log—Deny the request and do not generate a log message.

Caution: This setting is ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, select alert. If the action is alert_deny, the FortiWeb appliance resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Default: alert

block-period <seconds_int>

If action {alert | alert_deny | block-period | deny_no_log} is block-period, type the number of seconds that violating requests will be blocked. The valid range is 1–3,600 seconds.

Default: 600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Default: Low

trigger <trigger-policy_name>

Enter the name of the trigger policy to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing triggers, enter:

    set trigger ?

Default: No default.

trojan-detection {enable | disable}

Enter enable to scan uploaded files for Trojans.

Attackers may attempt to upload Trojan horse code (written in scripting languages such as PHP and ASP) to the back-end web servers. The Trojan then infects clients who access an infected web page.

Default: disable

av-scan {enable | disable}

Enter enable to scan uploaded files for viruses, malware, and greyware.

Default: disable

fortisandbox-check {enable | disable}

Enter enable to send matching files to FortiSandbox for evaluation. FortiSandbox evaluates the file and returns the results to FortiWeb.

Also specify the FortiSandbox settings for your FortiWeb. For details, see system fortisandbox.

If trojan-detection {enable | disable} is enable and FortiWeb detects a virus, it does not send the file to FortiSandbox.

Default: disable

hold-session-while-scanning-file {enable | disable}

Enter enable to make FortiWeb hold the session while FortiSandbox scans the file in the request, for up to 30 minutes. If no verdict has been returned after 30 minutes, FortiWeb forwards the session without taking any other action.

Available only when fortisandbox-check {enable | disable} is enable (Send files to FortiSandbox in the web UI).

Default: disable

icap-server-check {enable | disable}

Enter enable to make FortiWeb send files to the ICAP server configured for the matching direction (upload or download).

Default: disable

exchange-mail-detection {enable | disable}

Enter enable so that FortiWeb scans email attachments in applications that use the OWA or ActiveSync protocols. If enabled, FortiWeb performs Trojan detection and an antivirus scan on the attachments and sends them to FortiSandbox.

Note: Trojan detection, the antivirus scan, and the FortiSandbox check apply to attachments only if trojan-detection {enable | disable}, av-scan {enable | disable}, and fortisandbox-check {enable | disable}, respectively, are enabled in the file security policy.

Default: disable

owa-protocol {enable | disable}

Available only when exchange-mail-detection {enable | disable} is enable. If enabled, FortiWeb scans attachments in Exchange email sent and received via a web browser login.

Default: disable

activesync-protocol {enable | disable}

Available only when exchange-mail-detection {enable | disable} is enable. If enabled, FortiWeb scans attachments in Exchange email sent and received via a mobile phone login.

Default: disable

mapi-protocol {enable | disable}

Available only when exchange-mail-detection {enable | disable} is enable (Scan attachments in Email in the web UI). If enabled, FortiWeb scans attachments in email sent and received via the Messaging Application Programming Interface (MAPI), a transport protocol introduced in Microsoft Exchange Server 2013 Service Pack 1 (SP1).

Default: disable

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

Default: No default.

file-upload-restriction-rule <rule_name>

Enter the name of an upload restriction rule to use with the policy, if any. For details, see server-policy custom-application application-policy. The maximum length is 63 characters.

To display the list of existing rules, enter:

    set file-upload-restriction-rule ?

Default: No default.
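The option dependencies above (owa-protocol, activesync-protocol and mapi-protocol need exchange-mail-detection; hold-session-while-scanning-file needs fortisandbox-check; block-period only matters when action is block-period) are easy to get wrong when policies are generated from templates. The following is an added example, not Fortinet code and not part of this reference: a small Python helper that validates a policy described as a dict against the ranges, name lengths and dependencies stated on this page, and renders the corresponding config waf file-upload-restriction-policy block. The policy, trigger and rule names in the sample are placeholders; the trigger is assumed to exist under log trigger-policy and the rule to be an existing upload restriction rule.

```python
"""Validate and render a FortiWeb waf file-upload-restriction-policy block.

Added example (not Fortinet code). Option names, ranges, defaults and the
"available only when ..." dependencies come from the CLI reference page.
"""

ACTIONS = {"alert", "alert_deny", "block-period", "deny_no_log"}
SEVERITIES = {"High", "Medium", "Low", "Info"}
TOGGLES = (
    "trojan-detection", "av-scan", "fortisandbox-check",
    "hold-session-while-scanning-file", "icap-server-check",
    "exchange-mail-detection", "owa-protocol", "activesync-protocol",
    "mapi-protocol",
)
# Options the reference marks "available only when <prerequisite> is enable".
REQUIRES = {
    "owa-protocol": "exchange-mail-detection",
    "activesync-protocol": "exchange-mail-detection",
    "mapi-protocol": "exchange-mail-detection",
    "hold-session-while-scanning-file": "fortisandbox-check",
}
MAX_NAME = 63  # maximum length of policy, trigger and rule names


def validate(policy):
    """Return a list of problems; an empty list means the policy is consistent."""
    errors = []
    name = policy.get("name", "")
    if not name or len(name) > MAX_NAME:
        errors.append(f"policy name must be 1-{MAX_NAME} characters")
    action = policy.get("action", "alert")
    if action not in ACTIONS:
        errors.append(f"unknown action {action!r}")
    if action == "block-period":
        secs = policy.get("block-period", 600)
        if not isinstance(secs, int) or not 1 <= secs <= 3600:
            errors.append("block-period must be an integer in 1-3600 seconds")
    if policy.get("severity", "Low") not in SEVERITIES:
        errors.append(f"unknown severity {policy.get('severity')!r}")
    trigger = policy.get("trigger")
    if trigger is not None and len(trigger) > MAX_NAME:
        errors.append("trigger name exceeds 63 characters")
    enabled = {k for k in TOGGLES if policy.get(k) == "enable"}
    for opt, prereq in REQUIRES.items():
        if opt in enabled and prereq not in enabled:
            errors.append(f"{opt} requires {prereq} enable")
    for rule in policy.get("rules", []):
        if len(rule) > MAX_NAME:
            errors.append(f"rule name {rule!r} exceeds 63 characters")
    return errors


def render(policy):
    """Produce the CLI block; raise ValueError if validate() finds problems."""
    errors = validate(policy)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["config waf file-upload-restriction-policy",
             f'    edit "{policy["name"]}"',
             f'        set action {policy.get("action", "alert")}']
    if policy.get("action") == "block-period":
        lines.append(f'        set block-period {policy.get("block-period", 600)}')
    lines.append(f'        set severity {policy.get("severity", "Low")}')
    if policy.get("trigger"):
        lines.append(f'        set trigger {policy["trigger"]}')
    for opt in TOGGLES:  # emit toggles in the order the syntax lists them
        if opt in policy:
            lines.append(f"        set {opt} {policy[opt]}")
    rules = policy.get("rules", [])
    if rules:
        lines.append("        config rule")
        for idx, rule in enumerate(rules, start=1):
            lines += [f"            edit {idx}",
                      f"                set file-upload-restriction-rule {rule}",
                      "            next"]
        lines.append("        end")
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample: block the offending client for 10 minutes, run Trojan
# detection, the AV engine and FortiSandbox on uploads, and hold the session
# while FortiSandbox works. All names are placeholders.
SAMPLE = {
    "name": "upload-policy-example",
    "action": "block-period",
    "block-period": 600,
    "severity": "High",
    "trigger": "example-trigger",          # assumed log trigger-policy name
    "trojan-detection": "enable",
    "av-scan": "enable",
    "fortisandbox-check": "enable",
    "hold-session-while-scanning-file": "enable",
    "rules": ["example-upload-rule"],      # assumed existing restriction rule
}

# The same policy with an inconsistency the reference warns about:
# owa-protocol enabled without exchange-mail-detection.
BROKEN = dict(SAMPLE, **{"owa-protocol": "enable"})

if __name__ == "__main__":
    print(render(SAMPLE))
    print(validate(BROKEN))
```

The validator is deliberately strict about dependencies rather than silently dropping the dependent option, because an option that is accepted but inactive (for example hold-session-while-scanning-file without fortisandbox-check) leaves the operator believing a scan gate exists that does not.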
