CLI Reference

waf custom-protection-rule

Use this command to configure custom data leak and attack signatures.

Before you enter custom signatures via the CLI, first enable it.

To use your custom signatures, you must first group them so that they can be included in a rule. For details, see waf custom-protection-group.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf custom-protection-rule
  edit "<custom-protection rule_name>"
    set type {request | response}
    set action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log}
    set block-period <seconds_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    config meet-condition
      edit <entry_index>
        set operator {RE | GT | LT | NE | EQ}
        set request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}
        set response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}
        set threshold <threshold_int>
        set case-sensitive {enable | disable}
        set expression <regex_pattern>
      next
    end
  next
end

Variable Description Default

"<custom-protection rule_name>"

Enter the name of the new or existing custom signature. The maximum length is 63 characters.

To display a list of the existing rules, enter:

edit ?

No default.

type {request | response}

Specify the type of regular expression:

  • request—The expression is an attack signature.

  • response—The expression is a server information disclosure signature.

Default: request

action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log}

Select the specific action to be taken when the request matches this signature.

  • alert—Accept the request and generate an alert email and/or log message.

    Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

    If the sensitive information is a status code, you can customize the web page that FortiWeb returns to the client with the HTTP status code.

    Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_HTTP_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both.

  • only_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information without generating an alert email and/or log message. This option is applicable only if type is response; and this option is not supported in Offline Protection mode.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • deny_no_log—Deny a request. Do not generate a log message.

Default: alert

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

block-period <seconds_int>

If action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log} is block-period, enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. For details about viewing the list of currently blocked clients, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

The valid range is 1–3,600 seconds.

Default: 600

severity {High | Medium | Low | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule.

Default: Medium

trigger "<trigger-policy_name>"

Select which trigger policy, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy.

The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table.

The valid range is from 1–9,999,999,999,999,999,999.

No default.

operator {RE | GT | LT | NE | EQ}

  • RE—The signature matches when the value of a selected target in the request or response matches the value of expression.
  • GT—The signature matches when the specified target has a value greater than the value of threshold.
  • LT—The signature matches when the specified target has a value less than the value of threshold.
  • NE—The signature matches when the specified target has a value different from threshold.
  • EQ—The signature matches when the specified target has the same value as threshold.

Default: RE

request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD}

Enter the name of one or more locations in the HTTP request to scan for a signature match.

For example, ARGS_NAMES for the names of parameters or REQUEST_COOKIES for strings in the HTTP Cookie: header.

No default.

response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE}

Enter the name of one or more locations in the HTTP response to scan for a signature match.

No default.

threshold <threshold_int>

Enter the value that FortiWeb compares to the target value to determine if a request or response matches.

No default.

case-sensitive {enable | disable}

Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern>.

For example, when enabled, an HTTP reply containing the phrase "Credit card" would not match an expression that looks for the phrase "credit card" (the difference is the capital C).

Default: disable

expression <regex_pattern>

When operator {RE | GT | LT | NE | EQ} is RE, type a regular expression that matches either an attack from a client or a data leak from the server.

If action is alert_erase, enclose the portion of the regular expression to erase in parentheses, that is, as a capturing group.

For example, the following command erases the string "webattack" from the response packet:

config waf custom-protection-rule
  edit "test"
    set type response
    set action alert_erase
    config meet-condition
      edit 1
        set response-target RESPONSE_BODY
        set expression "(webattack)"
      next
    end
  next
end

To prevent false positives, it should not match anything else. The maximum length is 2,071 characters.

No default.

Example

This example configures a signature to detect and block an LFI attack that uses directory traversal through an unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named notification-servers1 sends an alert email and attack log messages whose severity level is High.

config waf custom-protection-rule
  edit "Joomla_controller_LFI"
    set type request
    set action alert_deny
    set severity High
    set trigger "notification-servers1"
    config meet-condition
      edit 1
        set request-target REQUEST_RAW_URI
        set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"
      next
    end
  next
end
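To make the meet-condition semantics above concrete (the RE/GT/LT/NE/EQ operators over request targets, and the capturing-group erase used by alert_erase), here is an added Python model; it is not FortiWeb code, and the way it derives target values from a constructed request (query parsing, Content-Length fallback, "*" as the erase character) is an assumption of the example, not documented FortiWeb behaviour.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

@dataclass
class Condition:
    """One meet-condition entry: operator, target and the expression or threshold it uses."""
    operator: str            # RE | GT | LT | NE | EQ
    target: str              # a request-target or response-target name from the reference
    expression: str = ""     # used when operator is RE
    threshold: int = 0       # used for GT / LT / NE / EQ
    case_sensitive: bool = False

def request_targets(method, raw_uri, headers, body):
    """Derive a subset of the request-target values from a constructed request (assumed mapping)."""
    parts = urlsplit(raw_uri)
    args = parse_qsl(parts.query, keep_blank_values=True)
    cookies = [c.strip() for c in headers.get("Cookie", "").split(";") if c.strip()]
    return {
        "HTTP_METHOD": method,
        "REQUEST_RAW_URI": raw_uri,
        "REQUEST_URI": parts.path,
        "REQUEST_FILENAME": parts.path.rsplit("/", 1)[-1],
        "ARGS_NAMES": [k for k, _ in args],
        "ARGS_VALUE": [v for _, v in args],
        "ARGS_NUMBER": len(args),
        "REQUEST_COOKIES": cookies,
        "COOKIE_NUMBER": len(cookies),
        "REQUEST_BODY": body,
        "BODY_LENGTH": len(body),
        "CONTENT_LENGTH": int(headers.get("Content-Length", len(body))),
    }

def condition_matches(cond, targets):
    """RE searches every string the target yields; the other operators compare an integer."""
    value = targets[cond.target]
    if cond.operator == "RE":
        flags = 0 if cond.case_sensitive else re.IGNORECASE
        values = value if isinstance(value, list) else [value]
        return any(re.search(cond.expression, v, flags) for v in values)
    n = int(value)
    return {"GT": n > cond.threshold, "LT": n < cond.threshold,
            "NE": n != cond.threshold, "EQ": n == cond.threshold}[cond.operator]

def erase(cond, body):
    """alert_erase / only_erase: blank only the parenthesised (captured) part of each match."""
    flags = 0 if cond.case_sensitive else re.IGNORECASE
    def blank(m):
        if not m.lastindex:                      # no capture group: blank the whole match
            return "*" * len(m.group(0))
        s, e = m.span(1)
        whole = m.group(0)
        return whole[:s - m.start()] + "*" * (e - s) + whole[e - m.start():]
    return re.sub(cond.expression, blank, body, flags=flags)
```

Feeding the Joomla_controller_LFI expression from the example into condition_matches with a constructed REQUEST_RAW_URI shows why the rule anchors on the raw URI rather than on ARGS_VALUE: the traversal sequence is only meaningful in the context of the controller parameter.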

Related topics
