Fortinet black logo

Administration Guide

Creating JSON protection rules

Creating JSON protection rules

JSON protection rules define and enforce acceptable JSON content, including:

  • Limits for data size, key, and value, etc.
  • Preventing forbidden JSON from making requests

FortiWeb responds to rule violations of JSON protection rules according to the response action specified in a rule that a request has violated. Multiple JSON protection rules can be organized into policies that FortiWeb enforces. You can create up to 256 rules per policy.

This section provides instructions to:

  • Create a JSON protection rule
  • Add a JSON protection rule to a JSON protection policy
To create a JSON protection rule
  1. Go to JSON > JSON Protection Rule.
  2. Click Create New.
  3. Configure these settings:
  4. Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy. The maximum length is 63 characters.

    Host status

    Enable to compare the JSON rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

    Request URL type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Request URL type, enter either:

    • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Creating JSON protection rules.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    JSON Limits

    Enable to define limits for data size, key, and value, etc.

    Total Size of JSON Data

    Enter the total size of JSON data in the JSON file. The valid range is 0–10240. The default value is 1024.

    Key Size

    Enter the key size of each object. The valid range is 0–10240. The default value is 64.

    Total Key Number

    Enter the total key number of each JSON file. The valid range is 0–2147483647. The default value is 256.

    Value Size

    Enter the value size of each key. The valid range is 0–10240. The default value is 128.

    Total Value Number

    Enter the total value number of each JSON file. The valid range is 0–2147483647. The default value is 256.

    Value Number in an Array

    Enter the total value number in an array. The valid range is 0–2147483647. The default value is 256.

    Object Depth

    Enter the number of the nested objects. The valid range is 0–2147483647. The default value is 32.

    Schema Validation

    Optionally, select a JSON schema file. For details, see Importing JSON schema files.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request (or reset the connection).
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    The default value is Alert. See also Reducing false positives.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    For details about tracking blocked clients, see Monitoring currently blocked IPs.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated:

    • Low
    • Medium
    • High
    • Informative

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  5. Click OK.
To add a JSON protection rule to a JSON protection policy

For details about creating a JSON protection policy, see Creating JSON protection policy.

  1. Go to JSON Protection > JSON Protection Policy.
  2. Select the existing JSON protection policy to which you want to add the JSON protection rule.
  3. Click Edit.
  4. Click Create New.
  5. For Rule, select the JSON protection rule that you want to include in the JSON protection policy.

    Note: To view details about a selected JSON protection rule, click the view icon next to the drop down list.

  6. Click OK.
  7. Repeat Steps 4-6 for as many JSON protection rules as you want to add to the JSON protection policy.

Creating JSON protection rules

JSON protection rules define and enforce acceptable JSON content, including:

  • Limits for data size, key, and value, etc.
  • Preventing forbidden JSON from making requests

FortiWeb responds to rule violations of JSON protection rules according to the response action specified in a rule that a request has violated. Multiple JSON protection rules can be organized into policies that FortiWeb enforces. You can create up to 256 rules per policy.

This section provides instructions to:

  • Create a JSON protection rule
  • Add a JSON protection rule to a JSON protection policy
To create a JSON protection rule
  1. Go to JSON > JSON Protection Rule.
  2. Click Create New.
  3. Configure these settings:
  4. Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy. The maximum length is 63 characters.

    Host status

    Enable to compare the JSON rule to the Host: field in the HTTP header. If enabled, also configure Host.

    Host

    Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

    Request URL type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.
    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Request URL type, enter either:

    • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

    Do not include the domain name, such as www.example.com, which is configured separately in Creating JSON protection rules.

    To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

    JSON Limits

    Enable to define limits for data size, key, and value, etc.

    Total Size of JSON Data

    Enter the total size of JSON data in the JSON file. The valid range is 0–10240. The default value is 1024.

    Key Size

    Enter the key size of each object. The valid range is 0–10240. The default value is 64.

    Total Key Number

    Enter the total key number of each JSON file. The valid range is 0–2147483647. The default value is 256.

    Value Size

    Enter the value size of each key. The valid range is 0–10240. The default value is 128.

    Total Value Number

    Enter the total value number of each JSON file. The valid range is 0–2147483647. The default value is 256.

    Value Number in an Array

    Enter the total value number in an array. The valid range is 0–2147483647. The default value is 256.

    Object Depth

    Enter the number of the nested objects. The valid range is 0–2147483647. The default value is 32.

    Schema Validation

    Optionally, select a JSON schema file. For details, see Importing JSON schema files.

    Action

    Select which action FortiWeb will take when it detects a violation of the rule:

    • Alert—Accept the connection and generate an alert email and/or log message.
    • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

    • Deny (no log)—Block the request (or reset the connection).
    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

    • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
    • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

    The default value is Alert. See also Reducing false positives.

    Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

    Block Period

    Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

    The valid range is 1–3,600 seconds (1 hour).

    For details about tracking blocked clients, see Monitoring currently blocked IPs.

    Severity

    When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated:

    • Low
    • Medium
    • High
    • Informative

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

  5. Click OK.
To add a JSON protection rule to a JSON protection policy

For details about creating a JSON protection policy, see Creating JSON protection policy.

  1. Go to JSON Protection > JSON Protection Policy.
  2. Select the existing JSON protection policy to which you want to add the JSON protection rule.
  3. Click Edit.
  4. Click Create New.
  5. For Rule, select the JSON protection rule that you want to include in the JSON protection policy.

    Note: To view details about a selected JSON protection rule, click the view icon next to the drop down list.

  6. Click OK.
  7. Repeat Steps 4-6 for as many JSON protection rules as you want to add to the JSON protection policy.