Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

waf http-request-flood-prevention-rule

Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL on one of your protected servers.

The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb performs the specified action.

To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when client-management {enable | disable} is enabled in the inline protection profile that uses the parent DoS-prevention policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf http-request-flood-prevention-rule

edit "<rule_name>"

set access-limit-in-http-session <limit_int>

set action {alert | alert_deny | block-period | deny_no_log}

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger-policy "<trigger-policy_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

 

next

end

Variable Description Default

"<rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

access-limit-in-http-session <limit_int>

Enter the maximum number of HTTP connections allowed per second from the same client. The valid range is 0–4,096. To disable the limit, enter 0. 0

action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the limit:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

alert

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it exceeds the rate limit.

If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to exceed the rate limit.

Disable this option to apply the rate limit regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example, wget).

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specify the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Real Browser Enforcement. The valid range is 5–30.

20

block-period <seconds_int>

If action is block-period, type the number of seconds that the connection will be blocked.

This setting applies only if action is block-period. The valid is from 1 to 10,000 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. Medium

trigger-policy "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

mobile-app-identification {disabled | mobile-token-validation}

Disabled: Disable not to carry out the mobile token verification.

Mobile Token Validation: Requires the client to use mobile token for verification.

To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection

Disabled

bot-confirmation {enable | disable}

Enable to choose how to verify users when the rules of bot detection are triggered.

Disabled

Example

This example illustrates a rule that imposes a two-minute blocking period on clients that exceed the set request limit.

config waf http-request-flood-prevention-rule

edit "Web Portal HTTP Request Limit"

set access-limit-in-http-session 10

set action block-period

set block-period 120

set severity Medium

set trigger-policy "Server_Policy_Trigger"

next

end

Related topics

waf http-request-flood-prevention-rule

Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL on one of your protected servers.

The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb performs the specified action.

To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when client-management {enable | disable} is enabled in the inline protection profile that uses the parent DoS-prevention policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf http-request-flood-prevention-rule

edit "<rule_name>"

set access-limit-in-http-session <limit_int>

set action {alert | alert_deny | block-period | deny_no_log}

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger-policy "<trigger-policy_name>"

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

 

next

end

Variable Description Default

"<rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

access-limit-in-http-session <limit_int>

Enter the maximum number of HTTP connections allowed per second from the same client. The valid range is 0–4,096. To disable the limit, enter 0. 0

action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when the count exceeds the limit:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

alert

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it exceeds the rate limit.

If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to exceed the rate limit.

Disable this option to apply the rate limit regardless of whether the client is a web browser (for example, Firefox) or an automated tool (for example, wget).

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specify the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Real Browser Enforcement. The valid range is 5–30.

20

block-period <seconds_int>

If action is block-period, type the number of seconds that the connection will be blocked.

This setting applies only if action is block-period. The valid is from 1 to 10,000 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. Medium

trigger-policy "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

mobile-app-identification {disabled | mobile-token-validation}

Disabled: Disable not to carry out the mobile token verification.

Mobile Token Validation: Requires the client to use mobile token for verification.

To apply mobile token validation, you must enable Mobile App Identification in waf web-protection-profile inline-protection

Disabled

bot-confirmation {enable | disable}

Enable to choose how to verify users when the rules of bot detection are triggered.

Disabled

Example

This example illustrates a rule that imposes a two-minute blocking period on clients that exceed the set request limit.

config waf http-request-flood-prevention-rule

edit "Web Portal HTTP Request Limit"

set access-limit-in-http-session 10

set action block-period

set block-period 120

set severity Medium

set trigger-policy "Server_Policy_Trigger"

next

end

Related topics