Fortinet white logo
Fortinet white logo

CLI Reference

waf http-protocol-parameter-restriction

waf HTTP-protocol-parameter-restriction

Use this command to configure HTTP protocol constraints.

HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.

Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.

You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf HTTP-protocol-parameter-restriction to harden your configuration. To configure the buffer size, see system advanced.

You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.

To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf HTTP-protocol-parameter-restriction

edit "<HTTP-constraint_name>"

set <constraint_name>-check {enable | disable}

set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

set <constraint_name>-block-period <seconds_int>

set <parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}

set <constraint_name>-severity {High | Medium | Low | Info}

set <constraint_name>-trigger "<trigger-policy_name>"

next

end

Variable Description Default

"<HTTP-constraint_name>"

Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters.

To display the list of existing constraints, enter:

edit ?

No default.

<constraint_name>-check {enable | disable}

Specify whether FortiWeb includes the specified constraint when it applies this set of constraints.

<constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure <constraint_name>-block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

Caution: This setting is ignored when the value of monitor-mode {enable | disable} is enable.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types.

For example, for maximum HTTP header length violations, you might type the accompanying setting:

set max-HTTP-header-length-action alert

Note: Available actions vary depending on operating mode and protocol parameter.

alert

<constraint_name>-severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types.

For example, for maximum HTTP header length violations, you might type the accompanying setting:

set max-HTTP-header-length-severity High

Medium

<constraint_name>-trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated (see log trigger-policy). The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
For example, for maximum HTTP header length violations, you might type accompanying setting:

set max-HTTP-header-length-trigger trigger-policy1

No default.

<constraint_name>-block-period <seconds_int>

If action is block-period, type the number of seconds that the connection will be blocked. 600

<parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: HTTPs://docs.fortinet.com/fortiweb/admin-guides.

No default.

Example

This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.

config waf HTTP-protocol-parameter-restriction

edit "HTTP-constraint1"

set max-HTTP-header-length 2048

set max-HTTP-header-length-action alert

set max-HTTP-header-length-severity Medium

set max-HTTP-header-length-trigger email-admin

next

end

Related topics

waf http-protocol-parameter-restriction

waf HTTP-protocol-parameter-restriction

Use this command to configure HTTP protocol constraints.

HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.

Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.

You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf HTTP-protocol-parameter-restriction to harden your configuration. To configure the buffer size, see system advanced.

You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.

To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf HTTP-protocol-parameter-restriction

edit "<HTTP-constraint_name>"

set <constraint_name>-check {enable | disable}

set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

set <constraint_name>-block-period <seconds_int>

set <parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}

set <constraint_name>-severity {High | Medium | Low | Info}

set <constraint_name>-trigger "<trigger-policy_name>"

next

end

Variable Description Default

"<HTTP-constraint_name>"

Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters.

To display the list of existing constraints, enter:

edit ?

No default.

<constraint_name>-check {enable | disable}

Specify whether FortiWeb includes the specified constraint when it applies this set of constraints.

<constraint_name>-action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure <constraint_name>-block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see waf x-forwarded-for). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

Caution: This setting is ignored when the value of monitor-mode {enable | disable} is enable.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types.

For example, for maximum HTTP header length violations, you might type the accompanying setting:

set max-HTTP-header-length-action alert

Note: Available actions vary depending on operating mode and protocol parameter.

alert

<constraint_name>-severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types.

For example, for maximum HTTP header length violations, you might type the accompanying setting:

set max-HTTP-header-length-severity High

Medium

<constraint_name>-trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated (see log trigger-policy). The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
For example, for maximum HTTP header length violations, you might type accompanying setting:

set max-HTTP-header-length-trigger trigger-policy1

No default.

<constraint_name>-block-period <seconds_int>

If action is block-period, type the number of seconds that the connection will be blocked. 600

<parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: HTTPs://docs.fortinet.com/fortiweb/admin-guides.

No default.

Example

This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert), identifying the violation as medium severity, and sends an email to the administrators defined within the trigger policy email-admin.

config waf HTTP-protocol-parameter-restriction

edit "HTTP-constraint1"

set max-HTTP-header-length 2048

set max-HTTP-header-length-action alert

set max-HTTP-header-length-severity Medium

set max-HTTP-header-length-trigger email-admin

next

end

Related topics