Fortinet black logo

Administration Guide

Creating OpenAPI validation policies

Creating OpenAPI validation policies

This section provides instructions to:

  • Create an OpenAPI validation policy
  • Edit an existing OpenAPI validation policy
  • Apply an OpenAPI validation policy in a web protection profile

To create an OpenAPI validation policy

  1. Go to Web Protection > OpenAPI Validation > OpenAPI Validation Policy.
  2. Click Create New.
  3. Configure these settings:
    NameType a name that can be referenced by other parts of the configuration. Do not use spaces or special characters.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message.

    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    The default value is Alert.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Block PeriodEnter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3,600. The default value is 60.

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger PolicySelect the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.
  4. Click OK.
  5. Click Add OpenAPI File.
  6. Select the OpenAPI file from the drop-down list. See Creating OpenAPI files for how to upload OpenAPI files.
  7. Click OK.

To edit an exisitng OpenAPI validation policy

  1. Go to Web Protection > OpenAPI Validation > OpenAPI Validation Policy.
  2. Select the existing OpenAPI validation policy to which you want to edit.
  3. Click Edit.
  4. Change the settings for this policy accordingly.
  5. From the OpenAPI File list, you can add or remove OpenAPI files.

To apply an OpenAPI validation policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Server Policy.
  2. Select an existing web protection profile to which you want to include the OpenAPI validation policy.
  3. Click Edit.
  4. Go to Security Configuration > Web Protection Profile.
  5. Click to enter the Edit Inline Protection Profile page.
  6. For OpenAPI Validation, select the OpenAPI policy from the drop down list.
    You can also click to open the Edit OpenAPI Validation Policy page.
  7. Click OK.

To view the OpenAPI validation related logs

  1. Go to Log&Report > Log Config > Other Log Settings.
  2. From Retain Packet Payload For, enable OpenAPI Validation.
  3. Go to Log&Report > Log Access > Attack.
  4. Click one attack log. From the right bottom, you can see the log information.

Creating OpenAPI validation policies

This section provides instructions to:

  • Create an OpenAPI validation policy
  • Edit an existing OpenAPI validation policy
  • Apply an OpenAPI validation policy in a web protection profile

To create an OpenAPI validation policy

  1. Go to Web Protection > OpenAPI Validation > OpenAPI Validation Policy.
  2. Click Create New.
  3. Configure these settings:
    NameType a name that can be referenced by other parts of the configuration. Do not use spaces or special characters.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message.

    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    The default value is Alert.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see Logging and Alert email.

    Block PeriodEnter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3,600. The default value is 60.

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger PolicySelect the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.
  4. Click OK.
  5. Click Add OpenAPI File.
  6. Select the OpenAPI file from the drop-down list. See Creating OpenAPI files for how to upload OpenAPI files.
  7. Click OK.

To edit an exisitng OpenAPI validation policy

  1. Go to Web Protection > OpenAPI Validation > OpenAPI Validation Policy.
  2. Select the existing OpenAPI validation policy to which you want to edit.
  3. Click Edit.
  4. Change the settings for this policy accordingly.
  5. From the OpenAPI File list, you can add or remove OpenAPI files.

To apply an OpenAPI validation policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Server Policy.
  2. Select an existing web protection profile to which you want to include the OpenAPI validation policy.
  3. Click Edit.
  4. Go to Security Configuration > Web Protection Profile.
  5. Click to enter the Edit Inline Protection Profile page.
  6. For OpenAPI Validation, select the OpenAPI policy from the drop down list.
    You can also click to open the Edit OpenAPI Validation Policy page.
  7. Click OK.

To view the OpenAPI validation related logs

  1. Go to Log&Report > Log Config > Other Log Settings.
  2. From Retain Packet Payload For, enable OpenAPI Validation.
  3. Go to Log&Report > Log Access > Attack.
  4. Click one attack log. From the right bottom, you can see the log information.