Administration Guide

Creating XML protection policies

You can configure an XML protection policy so that FortiWeb will:

  • Enforce customizable rules for acceptable XML content in HTTP requests, including limits for names, values, depth, and other attributes
  • Prevent forbidden XML entities from making requests

Each policy can contain up to 256 XML protection rules.

Optionally, policies can also include XML schema files to describe the acceptable structure of an XML document that FortiWeb can use to enforce XML protection policies.

XML Protection Policies are enforced by selecting them in an active inline Web Protection Profile.
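
To make the kinds of limits listed above concrete, the following added Python example (not Fortinet code and not a description of how FortiWeb is implemented) applies depth, name-length and value-length limits to an XML request body and refuses DOCTYPE declarations. The limit values, rule wording, function names and sample body are hypothetical.

```python
import xml.parsers.expat

# Hypothetical limits for illustration only; not FortiWeb defaults or rule names.
LIMITS = {"max_depth": 4, "max_name_len": 16, "max_value_len": 32}
SAMPLE_OK = b'<order id="7"><item>book</item></order>'  # constructed sample body

class XmlRejected(Exception):
    """Raised inside parser callbacks to stop at the first violation."""

def check_xml(body, limits=LIMITS):
    """Return None if the XML body is acceptable, else the violated rule."""
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True
    state = {"depth": 0, "text_len": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Assumption: any DTD is refused, which also blocks entity definitions.
        raise XmlRejected("forbidden DOCTYPE/entity declaration")

    def on_start(name, attrs):
        state["depth"] += 1
        state["text_len"] = 0
        if state["depth"] > limits["max_depth"]:
            raise XmlRejected("element depth exceeds limit")
        if any(len(n) > limits["max_name_len"] for n in (name, *attrs)):
            raise XmlRejected("name length exceeds limit")
        if any(len(v) > limits["max_value_len"] for v in attrs.values()):
            raise XmlRejected("attribute value length exceeds limit")

    def on_end(name):
        state["depth"] -= 1
        state["text_len"] = 0

    def on_text(data):
        # Text can arrive in several chunks, so count per run of text.
        state["text_len"] += len(data)
        if state["text_len"] > limits["max_value_len"]:
            raise XmlRejected("text value length exceeds limit")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(body, True)
    except XmlRejected as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "malformed XML"
    return None
```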

This section provides instructions to:

  • Create an XML protection policy
  • Select an XML protection policy in a web protection profile

To create an XML protection policy

  1. Go to XML Protection > XML Protection Policy.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Click Create New.
  3. For Name, enter a name for the policy. You will use the Name to select the policy in a web protection profile. The maximum length is 63 characters.
  4. The Signature Detection option is disabled by default. Enable it to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests.
  5. Click OK.
  6. To add XML protection rules to the policy, see To add an XML protection rule to an XML protection policy.

To select an XML protection policy in a web protection profile

For details about creating a web protection profile, see Configuring a protection profile for inline topologies.

  1. Go to Policy > Web Protection Profile.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  2. Select the Inline Protection Profile tab.
  3. Select the existing web protection profile to which you want to add the XML protection policy.
  4. Click Edit.
  5. For XML Protection, select the XML protection policy from the drop-down list.
    Note: To view details about a selected XML protection policy, click the view icon next to the drop-down list.
  6. Click OK.