waf url-access url-access-rule
Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.
Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.
To apply URL access rules, first group them within a URL access policy. For details see, waf url-access url-access-policy.
You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf url-access url-access-rule
set action {alert_deny | continue | pass | deny_no_log}
set host "<protected-hosts_name>"
set host-status {enable | disable}
set severity {Informative | Low | Medium | High | Info}
set trigger "<trigger-policy_name>"
config match-condition
edit <entry_index>
set sip-address-check {enable | disable}
set sip-address-type {sip | sdomain | source-domain}
set sip-address-value "<client_ip>"
set sdomain-type {"<ipv4>" | "<ipv6>"}
set sip-address-domain "<fqdn_str>"
set source-domain-type {simple-string | regex-expression}
set source-domain "<source-domain_str>"
set type {regex-expression | simple-string}
set reg-exp "<object_pattern>"
set only-protocol {http | https | ws | wss}
next
end
next
end
Variable | Description | Default |
Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
|
No default. | |
Select which action the FortiWeb appliance will take when a request matches the URL access rule.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select |
pass
|
|
Enter the name of a protected host that the This setting is used only if host-status {enable | disable} is |
No default. | |
Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host "<protected-hosts_name>". |
disable
|
|
When rule violations are recorded in the attack log, each log message contains a Severity Level (
|
Low |
|
Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blocklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy. To display the list of existing trigger policies, enter:
|
No default. | |
Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. | |
Enable to add the client’s source IP address as a criteria for matching the URL access rule. Also configure sip-address-type {sip | sdomain | source-domain} and the specific settings for each source address type. |
disable
|
|
|
sip
|
|
Enter one of the following values:
Available only if sip-address-type {sip | sdomain | source-domain} is |
0.0.0.0
|
|
Specifies the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by sip-address-domain "<fqdn_str>". Available only if sip-address-type {sip | sdomain | source-domain} is |
No default. | |
Specifies the domain to match the client source IP after DNS lookup. Available only if sip-address-type {sip | sdomain | source-domain} is |
No default. | |
Available only if sip-address-type {sip | sdomain | source-domain} is |
simple-string | |
Enter a literal domain or a regular expression that is designed to match multiple URLs. Available only if sip-address-type {sip | sdomain | source-domain} is |
No default. | |
Select how to use the text in reg-exp "<object_pattern>" to determine whether or not a request URL meets the conditions for this rule.
|
No default. | |
Depending on your selection in type {regex-expression | simple-string} and reverse-match {yes | no}, type a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no}. For example, for the URL access rule to match all URLs that begin with The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters. Note: Regular expressions beginning with an exclamation point ( |
No default. | |
Enter the URL Access Parameter rule you have created by |
No default. |
|
only-method {get | post | head | options | trace | connect | delete | put | patch | webdav | rpc | others} |
Select the HTTP methods. Only the requests with the specified HTTP methods will match. |
No default. |
Select the HTTP protocols. Only the requests with the specified HTTP protocols will match. |
No default. |
|
Indicate how to use reg-exp "<object_pattern>" when determining whether or not this rule’s condition has been met.
|
no
|
Example
This example defines two sets of URL access rules.
The first set, Blocked URL
, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.
The second set, Allowed URL
, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.
Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.
config waf url-access url-access-rule
edit "Blocked URL"
config match-condition
edit 1
set type simple-string
set reg-exp "/admin.php"
next
edit 2
set type regular-expression
set reverse-match no
set reg-exp "statistics.php*"
next
end
next
edit "Allowed URL"
config match-condition
edit 1
set type regular-expression
set reverse-match no
set reg-exp "index.php*"
next
end
next
end