Fortinet black logo

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

waf xml-validation

Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules per policy.

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web servers. Using this command, you can configure FortiWeb to examine lcient requests for anomalies in XML. Configuring XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential attacks.

XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.

Syntax

config waf xml-validation rule

edit "<xml_rule_name>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set expansion-entity-check {enable | disable}

set external-entity-check {enable | disable}

set host "<host_name_str>"

set host-status {enable | disable}

set request-file "<file_str>"

set request-type {plain | regular}

set schema-file "<schema_file_name>"

set severity {High  Low | Medium | Info}

set trigger "<trigger_policy_name>"

set xml-attributes-check {enable | disable}

set xml-limit-attr-num <limit_int>

set xml-limit-attrname-len <limit_int>

set xml-limit-attrvalue-len <limit_int>

set xml-limit-cdata-len <limit_int>

set xml-limit-check {enable | disable}

set xml-limit-element-depth <limit_int>

set xml-limit-element-name-len <limit_int>

set data-format {xml | soap}

set

set wsdl-file <wsdl-file_name>

set validate-soapaction {enable | disable}

set validate-soap-headers {enable | disable}

set allow-additional-soap-headers {enable | disable}

set validate-soap-body {enable | disable}

set x-include-check {enable | disable}

set schema-location-check {enable | disable}

set schema-location-exempted-urls <schema-location-exempted-urls_str>

set soap-attachment {allow | disallow}

set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

next

end

config waf xml-validation policy

edit "<xml_policy_name>"

set enable-signature-detection {enable | disable}

config input-rule-list

edit <entry_index>

set "<xml_rule_1>"

next

end

next

end

 

Variable Description Default

"<xml_rule_name>"

Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters.

No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

Select one of the following actions that FortiWeb performs when a request violates the rule:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure waf xml-validation.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution:FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

alert

block-period <period_int>

Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when waf xml-validation is block-period.

The valid range is 1–3,600 seconds.

600

expansion-entity-check {enable | disable}

Enable to trigger the waf xml-validation if an HTTP request contains an XML recursive entity expansion.

To enable this option, you must first enable waf xml-validation.

disable

external-entity-check {enable | disable}

Enable to trigger the waf xml-validation if an HTTP request contains an external entity in XML.

To enable this option, you must first enable waf xml-validation.

disable

host "<host_name_str>"

Enter the name of a protected host that the Host: field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.

No default.

host-status {enable | disable}

Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure waf xml-validation.

disable

request-file "<file_str>"

Depending on your selection for waf xml-validation, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

Do not include the domain name, such as www.example.com, which is configured separately in waf xml-validation.

No default.

request-type {plain | regular}

Select whether waf xml-validation must contain either:

  • Simple String—The field is a string that the request URL must match exactly.
  • Regular Expression—The field is a regular expression that defines a set of matching URLs.

No default.

schema-file "<schema_file_name>"

Select an XML schema file.

To display a list of existing XML schema files, enter:

set schema-file ?

 

Note, if you select an XML schema file that references other XML schema files, the other XML schema files must also be uploaded to FortiWeb.

No default.

severity {High  Low | Medium | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:

  • Low
  • Medium
  • High
  • Info

Low

trigger "<trigger_policy_name>"

Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy.

To display a list of existing triggers, enter:

set trigger ?

No default.

xml-attributes-check {enable | disable}

Enable to configure waf xml-validation and waf xml-validation.

disable

xml-limit-attr-num <limit_int>

Enter the maximum number of attributes for each element. The valid range is 1–256.

To configure this option, you must first enable waf xml-validation.

20

xml-limit-attrname-len <limit_int>

Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024.

To configure this option, you must first enable waf xml-validation.

64

xml-limit-attrvalue-len <limit_int>

Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048.

To configure this option, you must first enable waf xml-validation.

1,024

xml-limit-cdata-len <limit_int>

Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096.

To configure this option, you must first enable waf xml-validation.

4,096

xml-limit-check {enable | disable}

Enable to configure XML limits.

disable

xml-limit-element-depth <limit_int>

Enter the maximum element depth in XML. The valid range is 1–256.

To configure this option, you must first enable waf xml-validation.

20

xml-limit-element-name-len <limit_int>

Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024.

To configure this option, you must first enable waf xml-validation.

64

"<xml_policy_name>"

Enter the name of an XML protection policy. You will use the name to select the policy in other parts of the configuration. The maximum length is 63 characters.

No default.

<entry_index>

Enter the index number of an entry to create or modify a rule for the policy. The valid range is 1–9,999,999,999,999,999,999.

No default.

"<xml_rule_1>"

Enter the sequence number of an XML protection rule to add to the XML protection policy. The maximum length is 63 characters.

No default.

data-format {xml | soap} Select the XML protection rule format. No default.

wsdl-ip-port-override {enable | disable}

When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.

disable

wsdl-file <wsdl-file_name> This field applies When the Data Format is SOAP. Enter a name for the WSDL file. No default.
validate-soapaction {enable | disable} Enable to validate whether the soapAction in SOAP protocol complies with that in WSDL file. No default.
validate-soap-headers {enable | disable} Enable to validate whether the header elements in SOAP protocol comply with those in WSDL file. No default.
allow-additional-soap-headers {enable | disable} Enable not to validate additional header elements. No default.
validate-soap-body {enable | disable} Enable to validate whether the body elements in SOAP protocol comply with those in WSDL file. No default.
x-include-check {enable | disable} Enable to trigger the action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} if other XML contents are included in XML. No default.
schema-location-check {enable | disable} Enable to forbid using location field to perform malicious requests. No default.
schema-location-exempted-urls <schema-location-exempted-urls_str> Select the exempted URL you have created to configure allowed location URLs.
Available only when schema-location-check {enable | disable} is enabled.
No default.
enable-signature-detection {enable | disable} Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests. disable

soap-attachment {allow | disallow}

Specify whether the SOAP message can carry attachments.

Available only when the data-format {xml | soap} is SOAP.

Allow

ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

Select WSI rules that SOAP messages will adhere to.

Available only when the data-format {xml | soap} is SOAP.

No default

ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

If you select these three rules, configure WSDL files first.

Available only when the data-format {xml | soap} is SOAP.

No default

Example

The below example creates an XML protection rule and applies the rule to a new XML protection policy.

config waf xml-validation rule

edit "example_rule_name_1"

set action block-period

set block-period 3000

set severity Medium

set trigger "example_trigger_policy_name"

set host-status enable

set host "example_host_name"

set request-type plain

set request-file "/index.php"

set schema-file "example_schema_file_name"

set xml-limit-check enable

set xml-limit-attr-num 64

set xml-limit-attrname-len 256

set xml-limit-attrvalue-len 1024

set xml-limit-cdata-len 2096

set xml-limit-element-depth 128

set xml-limit-element-name-len 128

set xml-entity-check enable

set expansion-entity-check enable

set external-entity-check enable

next

end

config waf xml-validation policy

edit "example_policy_name"

config input-rule-list

edit "example_rule_1"

set "example_rule_1"

next

end

next

end

 

Related topics

waf xml-validation

Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules per policy.

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web servers. Using this command, you can configure FortiWeb to examine lcient requests for anomalies in XML. Configuring XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential attacks.

XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.

Syntax

config waf xml-validation rule

edit "<xml_rule_name>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set expansion-entity-check {enable | disable}

set external-entity-check {enable | disable}

set host "<host_name_str>"

set host-status {enable | disable}

set request-file "<file_str>"

set request-type {plain | regular}

set schema-file "<schema_file_name>"

set severity {High  Low | Medium | Info}

set trigger "<trigger_policy_name>"

set xml-attributes-check {enable | disable}

set xml-limit-attr-num <limit_int>

set xml-limit-attrname-len <limit_int>

set xml-limit-attrvalue-len <limit_int>

set xml-limit-cdata-len <limit_int>

set xml-limit-check {enable | disable}

set xml-limit-element-depth <limit_int>

set xml-limit-element-name-len <limit_int>

set data-format {xml | soap}

set

set wsdl-file <wsdl-file_name>

set validate-soapaction {enable | disable}

set validate-soap-headers {enable | disable}

set allow-additional-soap-headers {enable | disable}

set validate-soap-body {enable | disable}

set x-include-check {enable | disable}

set schema-location-check {enable | disable}

set schema-location-exempted-urls <schema-location-exempted-urls_str>

set soap-attachment {allow | disallow}

set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

next

end

config waf xml-validation policy

edit "<xml_policy_name>"

set enable-signature-detection {enable | disable}

config input-rule-list

edit <entry_index>

set "<xml_rule_1>"

next

end

next

end

 

Variable Description Default

"<xml_rule_name>"

Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters.

No default.

action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

Select one of the following actions that FortiWeb performs when a request violates the rule:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure waf xml-validation.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution:FortiWeb ignores this setting when monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

alert

block-period <period_int>

Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when waf xml-validation is block-period.

The valid range is 1–3,600 seconds.

600

expansion-entity-check {enable | disable}

Enable to trigger the waf xml-validation if an HTTP request contains an XML recursive entity expansion.

To enable this option, you must first enable waf xml-validation.

disable

external-entity-check {enable | disable}

Enable to trigger the waf xml-validation if an HTTP request contains an external entity in XML.

To enable this option, you must first enable waf xml-validation.

disable

host "<host_name_str>"

Enter the name of a protected host that the Host: field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.

No default.

host-status {enable | disable}

Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure waf xml-validation.

disable

request-file "<file_str>"

Depending on your selection for waf xml-validation, enter either:

  • plain—The literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( / ).
  • regular—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

Do not include the domain name, such as www.example.com, which is configured separately in waf xml-validation.

No default.

request-type {plain | regular}

Select whether waf xml-validation must contain either:

  • Simple String—The field is a string that the request URL must match exactly.
  • Regular Expression—The field is a regular expression that defines a set of matching URLs.

No default.

schema-file "<schema_file_name>"

Select an XML schema file.

To display a list of existing XML schema files, enter:

set schema-file ?

 

Note, if you select an XML schema file that references other XML schema files, the other XML schema files must also be uploaded to FortiWeb.

No default.

severity {High  Low | Medium | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule:

  • Low
  • Medium
  • High
  • Info

Low

trigger "<trigger_policy_name>"

Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy.

To display a list of existing triggers, enter:

set trigger ?

No default.

xml-attributes-check {enable | disable}

Enable to configure waf xml-validation and waf xml-validation.

disable

xml-limit-attr-num <limit_int>

Enter the maximum number of attributes for each element. The valid range is 1–256.

To configure this option, you must first enable waf xml-validation.

20

xml-limit-attrname-len <limit_int>

Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024.

To configure this option, you must first enable waf xml-validation.

64

xml-limit-attrvalue-len <limit_int>

Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048.

To configure this option, you must first enable waf xml-validation.

1,024

xml-limit-cdata-len <limit_int>

Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096.

To configure this option, you must first enable waf xml-validation.

4,096

xml-limit-check {enable | disable}

Enable to configure XML limits.

disable

xml-limit-element-depth <limit_int>

Enter the maximum element depth in XML. The valid range is 1–256.

To configure this option, you must first enable waf xml-validation.

20

xml-limit-element-name-len <limit_int>

Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024.

To configure this option, you must first enable waf xml-validation.

64

"<xml_policy_name>"

Enter the name of an XML protection policy. You will use the name to select the policy in other parts of the configuration. The maximum length is 63 characters.

No default.

<entry_index>

Enter the index number of an entry to create or modify a rule for the policy. The valid range is 1–9,999,999,999,999,999,999.

No default.

"<xml_rule_1>"

Enter the sequence number of an XML protection rule to add to the XML protection policy. The maximum length is 63 characters.

No default.

data-format {xml | soap} Select the XML protection rule format. No default.

wsdl-ip-port-override {enable | disable}

When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.

disable

wsdl-file <wsdl-file_name> This field applies When the Data Format is SOAP. Enter a name for the WSDL file. No default.
validate-soapaction {enable | disable} Enable to validate whether the soapAction in SOAP protocol complies with that in WSDL file. No default.
validate-soap-headers {enable | disable} Enable to validate whether the header elements in SOAP protocol comply with those in WSDL file. No default.
allow-additional-soap-headers {enable | disable} Enable not to validate additional header elements. No default.
validate-soap-body {enable | disable} Enable to validate whether the body elements in SOAP protocol comply with those in WSDL file. No default.
x-include-check {enable | disable} Enable to trigger the action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log} if other XML contents are included in XML. No default.
schema-location-check {enable | disable} Enable to forbid using location field to perform malicious requests. No default.
schema-location-exempted-urls <schema-location-exempted-urls_str> Select the exempted URL you have created to configure allowed location URLs.
Available only when schema-location-check {enable | disable} is enabled.
No default.
enable-signature-detection {enable | disable} Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests. disable

soap-attachment {allow | disallow}

Specify whether the SOAP message can carry attachments.

Available only when the data-format {xml | soap} is SOAP.

Allow

ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

Select WSI rules that SOAP messages will adhere to.

Available only when the data-format {xml | soap} is SOAP.

No default

ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

If you select these three rules, configure WSDL files first.

Available only when the data-format {xml | soap} is SOAP.

No default

Example

The below example creates an XML protection rule and applies the rule to a new XML protection policy.

config waf xml-validation rule

edit "example_rule_name_1"

set action block-period

set block-period 3000

set severity Medium

set trigger "example_trigger_policy_name"

set host-status enable

set host "example_host_name"

set request-type plain

set request-file "/index.php"

set schema-file "example_schema_file_name"

set xml-limit-check enable

set xml-limit-attr-num 64

set xml-limit-attrname-len 256

set xml-limit-attrvalue-len 1024

set xml-limit-cdata-len 2096

set xml-limit-element-depth 128

set xml-limit-element-name-len 128

set xml-entity-check enable

set expansion-entity-check enable

set external-entity-check enable

next

end

config waf xml-validation policy

edit "example_policy_name"

config input-rule-list

edit "example_rule_1"

set "example_rule_1"

next

end

next

end

 

Related topics