Fortinet black logo

CLI Reference

waf custom-access rule

waf custom-access rule

Use this command to configure custom access rules.

What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t been infected by malware whose access rate is contributing to a DoS?

Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria:

  • Source IP
  • User
  • HTTP Session
  • Rate limit (including rate limiting for specific types of content)
  • HTTP header or response code
  • URL
  • Predefined or custom attack or data leak signature violation
  • Transaction or packet interval timeout
  • Real browser enforcement
  • CAPTCHA enforcement

In the rule, add all criteria that you require allowed traffic to match.

Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom access policy. For details, see waf custom-access policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf custom-access rule

edit "<custom-access_name>"

set action {alert | alert_deny | block-period | deny_no_log | redirect}

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

config access-limit-filter

edit <entry_index>

set access-rate-limit <rate_int>

end

config HTTP-header-filter

edit <entry_index>

set header-name-type {custom | predefined}

set header-field-check {enable | disable}

set predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

set pre-header-type {plain | regular}

set pre-header-rev-match {enable | disable}

set custom-header-name "<key_str>"

set cus-header-type {plain | regular}

set cus-header-name-type {plain | regular}

set cus-header-rev-match {enable | disable}

set header-value "<value_str>"

set HTTP-hline-missing-check {enable | disable}

set HTTP-hline-empty-check {enable | disable}

set basic-scheme-check {enable | disable}

set HTTP-method-check {enable | disable}

set HTTP-method-value-type {plain | regular}

set HTTP-method-value "<HTTP-method-value_str>"

set HTTP-method-rev-match {enable | disable}

end

config source-ip-filter

edit <entry_index>

set source-ip <ip_range>

set exclusive-match {no | yes}

end

config user-filter

edit <entry_index>

set reverse-match {no | yes}

set user-name "<user-name_str>"

end

config geo-filter

edit <entry_index>

set match-exclusive {yes | no}

set country-list <country-list_str>

end

config url-filter

edit <entry_index>

set request-file "<url_str>"

set reverse-match {no | yes}

end

config HTTP-transaction

edit <entry_index>

set HTTP-transation-timeout "<timeout_int>"

end

config response-code

edit <entry_index>

set <response-code_int>

set response-code-max <response-code_int>

set response-code-rev-match {enable | disable}

end

config content-type

edit <entry_index>

set {text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

set content-type-rev-match {enable | disable}

end

config packet-interval

edit <entry_index>

set packet-interval-timeout <timeout_int>

end

config signature-class

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

set status {enable | disable}

end

config custom-signature

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

end

config ftp-security

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

end

config occurrence

edit <entry_index>

set occurrence-num "<occurrence_int>"

set within "<within_int>"

set percentage-flag {enable | disable}

set percentage "<percentage_int>"

set traced-by {Source-IP | User | Http-Session}

end

next

end

Variable Description Default

"<custom-access_name>"

Enter the name of a new or existing custom access rule. The maximum length is 63 characters.

To display a list of the existing rule, enter:

edit ?

No default.

action {alert | alert_deny | block-period | deny_no_log | redirect}

Select the specific action to be taken when the request matches the signature.

  • alert—Accept the request and generate an alert email and/or log message.
    Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

  • deny_no_log—Deny a request. Do not generate a log message.
  • Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

alert

block-period <seconds_int>

Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule.

The block period is shared by all clients whose traffic originates from the source IP address.

The valid range is 1–3,600 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int>, or doesn't fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout.

  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • disable—Disable this option to simply apply the access rule.

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

mobile-app-identification {disabled | mobile-token-validation}

For mobile clients that cannot execute Java script or CAPTCHA, FortiWeb can verify the request is legitimate by verifying the JTW-token a mobile application carries when it access a web server. Disabled

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specifies the maximum amount of time that FortiWeb waits for results from the web browser test. The valid range is 5–30. 20

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

access-rate-limit <rate_int>

Enter the rate threshold for source IP addresses.

The valid range is 1–65535. To disable the rate limit, enter 0.

Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client.

1

header-name-type {custom | predefined}

Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either:

predefined

header-field-check {enable | disable}

Enable/disable checking the HTTP header field. No default.

predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

Select the name (key) of the HTTP header such as Accept: that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is predefined.

host

pre-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular). plain

pre-header-rev-match {enable | disable}

Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} and header-value "<value_str>" when determining whether or not this condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

custom-header-name "<key_str>"

Enter the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is custom.

No default.

cus-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

cus-header-name-type {plain | regular}

Indicate whether custom-header-name "<key_str>"is a literal header name (plain) or a regular expression that indicates multiple possible valid header names (regular).

plain

cus-header-rev-match {enable | disable}

Indicate how to use custom-header-name "<key_str>" and header-value "<value_str>" when determining whether or not this condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

HTTP-hline-empty-check {enable | disable}

If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty.

The HTTP-hline-empty-check checks whether a certain header has empty value.

disable

basic-scheme-check {enable | disable}

Enable to check the Misformatted Basic Scheme.

This field appears only when:

  • header-name-type is predefined.

  • predefined-header is authorization

  • HTTP-hline-missing-check is disable

  • HTTP-hline-empty-check is disable

disable

HTTP-hline-missing-check {enable | disable}

If you enable HTTP-hline-missing-check, the request matches the condition if it does not contain the specified header name.

The HTTP-hline-missing-check checks whether a certain header is missing.

HTTP-hline-empty-check and HTTP-hline-missing-check can't be enabled at the same time.

This setting does not take effect for HTTP2 packets without the following headers:

  • :method
  • :scheme
  • :path
  • :authority
  • :status

HTTP2 packets without the above headers will not go far to be scanned against the HTTP-hline-missing-check setting. It will be considered as illegitimate and be abandoned directly when it arrives at FortiWeb at the first place.

disable

HTTP-method-check {enable | disable} Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field. disable
HTTP-method-value-type {plain | regular} Select a plain string or regular string. No default.
HTTP-method-value "<HTTP-method-value_str>" To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. No default.
HTTP-method-rev-match {enable | disable} When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression. disable

header-value "<value_str>"

Depending on your selection in pre-header-type {plain | regular}, either:

  • Type the literal header value, such as 192.0.2.80, your specified HTTP header must contain in order to match the filter. Value matching is case sensitive. (If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.).
  • Type a regular expression, such as 192\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match.

For details about language and regular expression matching, see the FortiWeb Administration Guide:

HTTPs://docs.fortinet.com/fortiweb/admin-guides

Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

For example, entering the value 192.0.2.1 would also match the IPs 192.0.2.10-19 and 192.0.2.100-199. This result may be unintended. The better solution would be to configure either:

  • A regular expression such as ^192.0.2.1$ or
  • A source IP condition instead of an HTTP header condition
No default.

source-ip <ip_range>

Enter the IP address or IP address range that specifies the clients that FortiWeb allows.

For example:

  • 1.2.3.4
  • 2001::1
  • 1.2.3.4-1.2.3.40
  • 2001::1-2001::100

Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for), this may be the IP address that is indicated in an HTTP header rather than the IP header.

No default.
exclusive-match {no | yes} Set whether the condition can be met when source IP does not match. No

reverse-match {no | yes}

Indicate how to use user-name "<user-name_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the user name, the condition is met.
  • yes—If the regular expression does not match the user name, the condition is met.

The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

no

user-name "<user-name_str>"

Enter the user name to match.

No default.

request-file "<url_str>"

Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes}.

For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

reverse-match {no | yes}

Indicate how to use request-file "<url_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the request URL, the condition is met.
  • yes—If the regular expression does not match the request URL, the condition is met.

    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
no

HTTP-transation-timeout "<timeout_int>"

Enter a timeout value of 1–3600 seconds.

If the lifetime of a HTTP transaction exceeds this value, the transaction matches this condition.

5

<response-code_int>

Specify the start and end code in a range of HTTP response codes.

To specify a single code, enter the same value for the start and end codes (for example, 404-404 or 500-503).

If its HTTP response code is within this range, the HTTP transaction matches this condition.

404

response-code-max <response-code_int>

Specify the maximum start and end code in a range of HTTP response codes. No default.

response-code-rev-match {enable | disable}

Enable it so that the response matches the condition if the code is not in the specified range.

disable

{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

Specify a file content type to match.

Use with occurrence to detect and control web scraping (content scraping) activity.

application/soap+xml application/xml(or)text/xml text/html text/plain application/json application/octet-stream text/javascript text/css

content-type-rev-match {enable | disable}

Enable it so that the content type matches the condition if it's not the specified type.

disable

packet-interval-timeout <timeout_int>

Specify the maximum number of seconds allowed between packets arriving from either the client or server (request or response packets), in seconds. Enter a value from 1 to 60.

If the interval exceeds this value, the HTTP transaction matches this condition.

1

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

Specify the ID of a signature class.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

status {enable | disable}

Specify whether the HTTP transaction matches this condition if it matches the specified signature. disable

custom-signature-enable {enable | disable}

Specify whether the current custom signature filter is enabled. disable

{custom-signature-group | custom-signature}

Specify whether "<custom-signature-name_str>" specifies a custom signature group or an individual signature. custom-signature-group

"<custom-signature-name_str>"

Specify the custom signature group or individual signature to match.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

occurrence-num "<occurrence_int>"

Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within.

Enter a value between 1–100,000.

If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

1

within "<within_int>"

Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule.

Enter a value between 1–600.

1

percentage-flag {enable | disable}

Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>". disable

percentage "<percentage_int>"

The maximum rate of matches with other filter types in the current rule, expressed as percent of hits.

If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

No default.

traced-by {Source-IP | User | Http-Session}

Specify whether FortiWeb determines the rate at which a transaction matches other filter types in the current rule by counting matches by source client IP address or by client.

To specify user, ensure that the value of client-management {enable | disable} is enable.

source-ip

<entry_index>

Enter the index number of the individual entry in the table.

No default.

match-exclusive {yes | no}

If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select.

No

country-list <country-list_str>

Enter the countries you select.

No default.

Example

This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the client does not exceed 5 requests per second.

Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the network administrator.

config waf custom-access rule

edit "combo-IP-rate-URL-rule1"

set action block-period

set severity High

set trigger "notification-servers1"

config access-limit-filter

edit 1

set access-rate-limit 5

next

end

config source-ip-filter

edit 1

set source-ip "192.0.2.5"

next

end

config url-filter

edit 1

set request-file "/admin*"

next

end

next

end

config waf custom-access policy

edit "combo-IP-rate-URL-policy1"

config rule

edit 1

set rule-name "combo-access-rate-rule1"

next

end

next

end

Related topics

waf custom-access rule

Use this command to configure custom access rules.

What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t been infected by malware whose access rate is contributing to a DoS?

Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria:

  • Source IP
  • User
  • HTTP Session
  • Rate limit (including rate limiting for specific types of content)
  • HTTP header or response code
  • URL
  • Predefined or custom attack or data leak signature violation
  • Transaction or packet interval timeout
  • Real browser enforcement
  • CAPTCHA enforcement

In the rule, add all criteria that you require allowed traffic to match.

Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom access policy. For details, see waf custom-access policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf custom-access rule

edit "<custom-access_name>"

set action {alert | alert_deny | block-period | deny_no_log | redirect}

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

config access-limit-filter

edit <entry_index>

set access-rate-limit <rate_int>

end

config HTTP-header-filter

edit <entry_index>

set header-name-type {custom | predefined}

set header-field-check {enable | disable}

set predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

set pre-header-type {plain | regular}

set pre-header-rev-match {enable | disable}

set custom-header-name "<key_str>"

set cus-header-type {plain | regular}

set cus-header-name-type {plain | regular}

set cus-header-rev-match {enable | disable}

set header-value "<value_str>"

set HTTP-hline-missing-check {enable | disable}

set HTTP-hline-empty-check {enable | disable}

set basic-scheme-check {enable | disable}

set HTTP-method-check {enable | disable}

set HTTP-method-value-type {plain | regular}

set HTTP-method-value "<HTTP-method-value_str>"

set HTTP-method-rev-match {enable | disable}

end

config source-ip-filter

edit <entry_index>

set source-ip <ip_range>

set exclusive-match {no | yes}

end

config user-filter

edit <entry_index>

set reverse-match {no | yes}

set user-name "<user-name_str>"

end

config geo-filter

edit <entry_index>

set match-exclusive {yes | no}

set country-list <country-list_str>

end

config url-filter

edit <entry_index>

set request-file "<url_str>"

set reverse-match {no | yes}

end

config HTTP-transaction

edit <entry_index>

set HTTP-transation-timeout "<timeout_int>"

end

config response-code

edit <entry_index>

set <response-code_int>

set response-code-max <response-code_int>

set response-code-rev-match {enable | disable}

end

config content-type

edit <entry_index>

set {text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

set content-type-rev-match {enable | disable}

end

config packet-interval

edit <entry_index>

set packet-interval-timeout <timeout_int>

end

config signature-class

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

set status {enable | disable}

end

config custom-signature

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

end

config ftp-security

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

end

config occurrence

edit <entry_index>

set occurrence-num "<occurrence_int>"

set within "<within_int>"

set percentage-flag {enable | disable}

set percentage "<percentage_int>"

set traced-by {Source-IP | User | Http-Session}

end

next

end

Variable Description Default

"<custom-access_name>"

Enter the name of a new or existing custom access rule. The maximum length is 63 characters.

To display a list of the existing rule, enter:

edit ?

No default.

action {alert | alert_deny | block-period | deny_no_log | redirect}

Select the specific action to be taken when the request matches the signature.

  • alert—Accept the request and generate an alert email and/or log message.
    Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

  • deny_no_log—Deny a request. Do not generate a log message.
  • Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

alert

block-period <seconds_int>

Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule.

The block period is shared by all clients whose traffic originates from the source IP address.

The valid range is 1–3,600 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int>, or doesn't fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout.

  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • disable—Disable this option to simply apply the access rule.

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

mobile-app-identification {disabled | mobile-token-validation}

For mobile clients that cannot execute Java script or CAPTCHA, FortiWeb can verify the request is legitimate by verifying the JTW-token a mobile application carries when it access a web server. Disabled

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specifies the maximum amount of time that FortiWeb waits for results from the web browser test. The valid range is 5–30. 20

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

access-rate-limit <rate_int>

Enter the rate threshold for source IP addresses.

The valid range is 1–65535. To disable the rate limit, enter 0.

Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client.

1

header-name-type {custom | predefined}

Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either:

predefined

header-field-check {enable | disable}

Enable/disable checking the HTTP header field. No default.

predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

Select the name (key) of the HTTP header such as Accept: that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is predefined.

host

pre-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular). plain

pre-header-rev-match {enable | disable}

Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} and header-value "<value_str>" when determining whether or not this condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

custom-header-name "<key_str>"

Enter the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is custom.

No default.

cus-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

cus-header-name-type {plain | regular}

Indicate whether custom-header-name "<key_str>"is a literal header name (plain) or a regular expression that indicates multiple possible valid header names (regular).

plain

cus-header-rev-match {enable | disable}

Indicate how to use custom-header-name "<key_str>" and header-value "<value_str>" when determining whether or not this condition has been met.

  • no—If the regular expression does match the request object, the condition is met.
  • yes—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

HTTP-hline-empty-check {enable | disable}

If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty.

The HTTP-hline-empty-check checks whether a certain header has empty value.

disable

basic-scheme-check {enable | disable}

Enable to check the Misformatted Basic Scheme.

This field appears only when:

  • header-name-type is predefined.

  • predefined-header is authorization

  • HTTP-hline-missing-check is disable

  • HTTP-hline-empty-check is disable

disable

HTTP-hline-missing-check {enable | disable}

If you enable HTTP-hline-missing-check, the request matches the condition if it does not contain the specified header name.

The HTTP-hline-missing-check checks whether a certain header is missing.

HTTP-hline-empty-check and HTTP-hline-missing-check can't be enabled at the same time.

This setting does not take effect for HTTP2 packets without the following headers:

  • :method
  • :scheme
  • :path
  • :authority
  • :status

HTTP2 packets without the above headers will not go far to be scanned against the HTTP-hline-missing-check setting. It will be considered as illegitimate and be abandoned directly when it arrives at FortiWeb at the first place.

disable

HTTP-method-check {enable | disable} Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field. disable
HTTP-method-value-type {plain | regular} Select a plain string or regular string. No default.
HTTP-method-value "<HTTP-method-value_str>" To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. No default.
HTTP-method-rev-match {enable | disable} When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression. disable

header-value "<value_str>"

Depending on your selection in pre-header-type {plain | regular}, either:

  • Type the literal header value, such as 192.0.2.80, your specified HTTP header must contain in order to match the filter. Value matching is case sensitive. (If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.).
  • Type a regular expression, such as 192\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match.

For details about language and regular expression matching, see the FortiWeb Administration Guide:

HTTPs://docs.fortinet.com/fortiweb/admin-guides

Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

For example, entering the value 192.0.2.1 would also match the IPs 192.0.2.10-19 and 192.0.2.100-199. This result may be unintended. The better solution would be to configure either:

  • A regular expression such as ^192.0.2.1$ or
  • A source IP condition instead of an HTTP header condition
No default.

source-ip <ip_range>

Enter the IP address or IP address range that specifies the clients that FortiWeb allows.

For example:

  • 1.2.3.4
  • 2001::1
  • 1.2.3.4-1.2.3.40
  • 2001::1-2001::100

Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for), this may be the IP address that is indicated in an HTTP header rather than the IP header.

No default.
exclusive-match {no | yes} Set whether the condition can be met when source IP does not match. No

reverse-match {no | yes}

Indicate how to use user-name "<user-name_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the user name, the condition is met.
  • yes—If the regular expression does not match the user name, the condition is met.

The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

no

user-name "<user-name_str>"

Enter the user name to match.

No default.

request-file "<url_str>"

Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes}.

For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

reverse-match {no | yes}

Indicate how to use request-file "<url_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the request URL, the condition is met.
  • yes—If the regular expression does not match the request URL, the condition is met.

    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
no

HTTP-transation-timeout "<timeout_int>"

Enter a timeout value of 1–3600 seconds.

If the lifetime of a HTTP transaction exceeds this value, the transaction matches this condition.

5

<response-code_int>

Specify the start and end code in a range of HTTP response codes.

To specify a single code, enter the same value for the start and end codes (for example, 404-404 or 500-503).

If its HTTP response code is within this range, the HTTP transaction matches this condition.

404

response-code-max <response-code_int>

Specify the maximum start and end code in a range of HTTP response codes. No default.

response-code-rev-match {enable | disable}

Enable it so that the response matches the condition if the code is not in the specified range.

disable

{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

Specify a file content type to match.

Use with occurrence to detect and control web scraping (content scraping) activity.

application/soap+xml application/xml(or)text/xml text/html text/plain application/json application/octet-stream text/javascript text/css

content-type-rev-match {enable | disable}

Enable it so that the content type matches the condition if it's not the specified type.

disable

packet-interval-timeout <timeout_int>

Specify the maximum number of seconds allowed between packets arriving from either the client or server (request or response packets), in seconds. Enter a value from 1 to 60.

If the interval exceeds this value, the HTTP transaction matches this condition.

1

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

Specify the ID of a signature class.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

status {enable | disable}

Specify whether the HTTP transaction matches this condition if it matches the specified signature. disable

custom-signature-enable {enable | disable}

Specify whether the current custom signature filter is enabled. disable

{custom-signature-group | custom-signature}

Specify whether "<custom-signature-name_str>" specifies a custom signature group or an individual signature. custom-signature-group

"<custom-signature-name_str>"

Specify the custom signature group or individual signature to match.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

occurrence-num "<occurrence_int>"

Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within.

Enter a value between 1–100,000.

If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

1

within "<within_int>"

Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule.

Enter a value between 1–600.

1

percentage-flag {enable | disable}

Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>". disable

percentage "<percentage_int>"

The maximum rate of matches with other filter types in the current rule, expressed as percent of hits.

If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

No default.

traced-by {Source-IP | User | Http-Session}

Specify whether FortiWeb determines the rate at which a transaction matches other filter types in the current rule by counting matches by source client IP address or by client.

To specify user, ensure that the value of client-management {enable | disable} is enable.

source-ip

<entry_index>

Enter the index number of the individual entry in the table.

No default.

match-exclusive {yes | no}

If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select.

No

country-list <country-list_str>

Enter the countries you select.

No default.

Example

This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the client does not exceed 5 requests per second.

Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the network administrator.

config waf custom-access rule

edit "combo-IP-rate-URL-rule1"

set action block-period

set severity High

set trigger "notification-servers1"

config access-limit-filter

edit 1

set access-rate-limit 5

next

end

config source-ip-filter

edit 1

set source-ip "192.0.2.5"

next

end

config url-filter

edit 1

set request-file "/admin*"

next

end

next

end

config waf custom-access policy

edit "combo-IP-rate-URL-policy1"

config rule

edit 1

set rule-name "combo-access-rate-rule1"

next

end

next

end

Related topics