CLI Reference

waf webshell-detection-policy

Use this command to configure Web Shell Detection policies, which FortiWeb uses to detect Trojans (web shells) in files uploaded to your web servers.

Attackers may attempt to upload Trojan horse code, written in server-side scripting languages such as PHP and ASP, to the back-end web servers. Once the server executes the script, the attacker can use it as a web shell to run commands on the server, and pages it serves can infect clients that access them.

Web Shell Detection detects Trojans in uploaded files. In addition to the traditional method, which matches tags and keywords, it can perform fuzzy hash based detection: it computes a fuzzy hash of the uploaded file, compares it with the hashes in the Trojan sample library, and scores the similarity. Whatever edits the attacker makes to the script, the file is identified as a Trojan as long as the similarity reaches the configured threshold.

Web Shell Detection has two detection methods, Fuzzy Hash Based Detection and Known Web Shells, and each can be enabled separately for five script types: PHP, ASP, JSP, Perl, and Python.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
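The following Python script is an added illustration of the fuzzy hash idea described above; it is not FortiWeb's algorithm, not Fortinet code, and the sample scripts, the library entry name and the similarity function are all constructed for the example. It shows why an exact hash (SHA-256) misses a trivially edited web shell, how a digest built from hashed character windows of the normalised script still scores the variant as similar, and how the threshold decides between a renamed copy, a padded copy and a benign upload handler.

```python
import hashlib
import re

# Constructed samples (not real malware and not from any vendor sample library):
# a minimal PHP command-execution web shell, the same shell after cosmetic edits,
# the shell wrapped in extra code, and a benign file-upload handler.
LIBRARY_SAMPLE = (
    b'<?php\n'
    b'$cmd = $_REQUEST["cmd"];\n'
    b'if ($cmd) { echo "<pre>"; system($cmd); echo "</pre>"; }\n'
    b'?>'
)
RENAMED_VARIANT = (
    b'<?php\n'
    b'// harmless image helper\n'
    b'$zz  =   $_REQUEST["cmd"];\n\n\n'
    b'if ($zz) { echo "<pre>";   system($zz); echo "</pre>"; }\n'
    b'?>'
)
PADDED_VARIANT = (
    b'<?php\n'
    b'@ini_set("display_errors", 0);\n'
    b'$c = $_REQUEST["cmd"];\n'
    b'if ($c) { echo "<pre>"; system($c); echo "</pre>"; }\n'
    b'error_log("done");\n'
    b'?>'
)
BENIGN_UPLOAD = (
    b'<?php\n'
    b'$name = basename($_FILES["photo"]["name"]);\n'
    b'move_uploaded_file($_FILES["photo"]["tmp_name"], "/var/www/uploads/" . $name);\n'
    b'echo "uploaded";\n'
    b'?>'
)

NGRAM = 4  # width of the character window that becomes one digest feature


def exact_hash(data: bytes) -> str:
    """Conventional hash: any single-byte change yields a different value."""
    return hashlib.sha256(data).hexdigest()


def normalize(src: bytes) -> str:
    """Canonicalise the script so cosmetic edits do not change its features.
    Deliberately naive: line comments are cut at '//' or '#', so a URL inside
    a string literal would be truncated too. Every variable name becomes $v,
    which makes renaming ineffective as an evasion."""
    text = src.decode("utf-8", errors="replace").lower()
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    text = re.sub(r"\$[a-z_][a-z0-9_]*", "$v", text)
    return re.sub(r"\s+", " ", text).strip()


def fuzzy_digest(src: bytes) -> frozenset:
    """Fuzzy digest: the set of 32-bit hashes of every NGRAM-character window of
    the normalised script. A library only needs to store these integers, not the
    sample itself, and two scripts that share most windows share most hashes."""
    text = normalize(src)
    windows = (text[i:i + NGRAM] for i in range(len(text) - NGRAM + 1))
    return frozenset(
        int.from_bytes(hashlib.blake2b(w.encode(), digest_size=4).digest(), "big")
        for w in windows
    )


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity of two digests, as a percentage (0-100)."""
    if not a and not b:
        return 100.0
    return 100.0 * len(a & b) / len(a | b)


# Hypothetical sample library with a single entry; the name is made up.
LIBRARY = {"php.cmd-exec.demo": fuzzy_digest(LIBRARY_SAMPLE)}


def is_webshell(upload: bytes, threshold: float = 80.0) -> bool:
    """Flag the upload if it resembles any library sample by at least `threshold` percent."""
    digest = fuzzy_digest(upload)
    return any(similarity(digest, ref) >= threshold for ref in LIBRARY.values())


if __name__ == "__main__":
    ref = fuzzy_digest(LIBRARY_SAMPLE)
    for name, sample in [("renamed", RENAMED_VARIANT), ("padded", PADDED_VARIANT), ("benign", BENIGN_UPLOAD)]:
        same_sha = exact_hash(sample) == exact_hash(LIBRARY_SAMPLE)
        score = similarity(ref, fuzzy_digest(sample))
        print(f"{name:8s} sha256 match: {same_sha!s:5}  similarity: {score:5.1f}%  flagged at 80%: {is_webshell(sample)}")
```

The renamed copy scores 100 % after normalisation, the padded copy lands well below the 80 % default but above a loosened threshold, and the benign handler stays near zero whatever the threshold; that gap is exactly what the fuzzy-similarity-threshold setting below moves through.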

Syntax

config waf webshell-detection-policy
  edit "<webshell-detection-policy_name>"
    set action {alert | alert_deny | block-period | deny_no_log}
    set block-period <seconds_int>
    set severity {High | Medium | Low | Info}
    set trigger <trigger-policy_name>
    set fuzzy-similarity-threshold <threshold>
    set fuzzy-asp-status {enable | disable}
    set fuzzy-jsp-status {enable | disable}
    set fuzzy-php-status {enable | disable}
    set fuzzy-perl-status {enable | disable}
    set fuzzy-python-status {enable | disable}
    set known-asp-status {enable | disable}
    set known-jsp-status {enable | disable}
    set known-php-status {enable | disable}
    set known-perl-status {enable | disable}
    set known-python-status {enable | disable}
    config fuzzy-disable-list
      edit <webshell-name>
      next
    end
  next
end

Variable, description and default value:

"<webshell-detection-policy_name>"
    Enter the name of an existing or new Web Shell Detection policy. The maximum length is 63 characters.
    To display the list of existing policies, enter:
        edit ?
    Default: none.

action {alert | alert_deny | block-period | deny_no_log}
    Enter the action you want FortiWeb to perform when the policy is violated:
      • alert—Accept the request and generate an alert and/or log message.
      • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg and the FortiWeb Administration Guide:
        HTTP://docs.fortinet.com/fortiweb/admin-guides
      • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option you must also define an X-header that indicates the original client's IP. Otherwise every request appears to come from the load balancer's address, and FortiWeb may block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.
      • deny_no_log—Deny the request without generating a log message.
    Caution: This setting is ignored if monitor-mode {enable | disable} is enabled.
    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.
    Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select alert. If the action is alert_deny, the FortiWeb appliance resets the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.
    Default: alert_deny

block-period <seconds_int>
    If action is block-period, enter the number of seconds for which subsequent requests from the offending client are blocked. The valid range is 1–3,600 seconds.
    Default: 600

severity {High | Medium | Low | Info}
    Select the severity level to use in logs and reports generated when a violation of the rule occurs.
    Default: Medium

trigger <trigger-policy_name>
    Enter the name of the trigger policy to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.
    To display the list of existing triggers, enter:
        set trigger ?
    Default: none

fuzzy-similarity-threshold <threshold>
    Fuzzy hash based detection compares a fuzzy hash of the uploaded file with the hashes in the Trojan sample library and scores how similar they are. A file is identified as a Trojan when its similarity to a library sample reaches the specified percentage, regardless of how the attacker has modified the script.
    The valid range is 1–100 (%). A lower threshold catches more heavily modified variants but raises the false positive rate on legitimate uploads; a higher threshold does the opposite. Tune the value with action set to alert against real upload traffic before switching to a blocking action.
    Default: 80

fuzzy-asp-status {enable | disable}
    Enable or disable fuzzy hash based detection for ASP scripts.
    Default: enable

fuzzy-jsp-status {enable | disable}
    Enable or disable fuzzy hash based detection for JSP scripts.
    Default: enable

fuzzy-php-status {enable | disable}
    Enable or disable fuzzy hash based detection for PHP scripts.
    Default: enable

fuzzy-perl-status {enable | disable}
    Enable or disable fuzzy hash based detection for Perl scripts.
    Default: enable

fuzzy-python-status {enable | disable}
    Enable or disable fuzzy hash based detection for Python scripts.
    Default: enable

known-asp-status {enable | disable}
    Enable or disable signature-based detection of known ASP web shells.
    Default: enable

known-jsp-status {enable | disable}
    Enable or disable signature-based detection of known JSP web shells.
    Default: enable

known-php-status {enable | disable}
    Enable or disable signature-based detection of known PHP web shells.
    Default: enable

known-perl-status {enable | disable}
    Enable or disable signature-based detection of known Perl web shells.
    Default: enable

known-python-status {enable | disable}
    Enable or disable signature-based detection of known Python web shells.
    Default: enable

config fuzzy-disable-list
edit <webshell-name>
    Enter the name of a web shell sample to exclude it from fuzzy hash based detection. Uploaded files that resemble the excluded sample are no longer identified as attacks, so add an entry only for a specific, confirmed false positive, and review the list whenever the sample library is updated.
    Default: none
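A worked configuration, added here as an example and not taken from the page or from Fortinet's documentation: it creates a policy that blocks and logs violations, keeps the default 80 % threshold, enables both detection methods for every script type, and excludes one sample from fuzzy detection. The policy name, trigger policy name and excluded sample name are placeholders, and the next keyword closes a table entry as in other FortiWeb CLI tables.

```text
config waf webshell-detection-policy
  edit "upload-webshell-policy"
    set action alert_deny
    set severity High
    set trigger "soc-email-trigger"
    set fuzzy-similarity-threshold 80
    set fuzzy-php-status enable
    set fuzzy-asp-status enable
    set fuzzy-jsp-status enable
    set fuzzy-perl-status enable
    set fuzzy-python-status enable
    set known-php-status enable
    set known-asp-status enable
    set known-jsp-status enable
    set known-perl-status enable
    set known-python-status enable
    config fuzzy-disable-list
      edit "<sample-name-reported-in-the-false-positive-log>"
      next
    end
  next
end
```

While tuning, run the same policy with set action alert and watch the attack log; lower fuzzy-similarity-threshold only if confirmed variants are slipping through, and raise it rather than adding fuzzy-disable-list entries if legitimate uploads of one application keep matching. Remember the caution above: the action has no effect while monitor-mode is enabled, and like other FortiWeb WAF policies this one does nothing until it is selected in a web protection profile.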

Related topics
