waf custom-access rule
Use this command to configure custom access rules.
What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t been infected by malware whose access rate is contributing to a DoS?
Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria:
- Source IP
- User
- HTTP Session
- Rate limit (including rate limiting for specific types of content)
- HTTP header or response code
- URL
- Predefined or custom attack or data leak signature violation
- Transaction or packet interval timeout
- Real browser enforcement
- CAPTCHA enforcement
In the rule, add all criteria that you require allowed traffic to match.
Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom access policy. For details, see waf custom-access policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf custom-access rule
    edit "<rule_name>"
        set action {alert | alert_deny | block-period | deny_no_log | redirect}
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger "<trigger-policy_name>"
        set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}
        set recaptcha <recaptcha_server_name>
        set max-attempt-times <attempts_int>
        set validation-timeout <seconds_int>
        set mobile-app-identification {disabled | mobile-token-validation}
        set bot-confirmation {enable | disable}
        config access-limit-filter
            edit <entry_index>
                set access-rate-limit <rate_int>
            end
        config HTTP-header-filter
            edit <entry_index>
                set header-name-type {custom | predefined}
                set header-field-check {enable | disable}
                set pre-header-type {plain | regular}
                set pre-header-rev-match {enable | disable}
                set custom-header-name "<key_str>"
                set cus-header-type {plain | regular}
                set cus-header-name-type {plain | regular}
                set cus-header-rev-match {enable | disable}
                set header-value "<value_str>"
                set HTTP-hline-missing-check {enable | disable}
                set HTTP-hline-empty-check {enable | disable}
                set basic-scheme-check {enable | disable}
                set HTTP-method-check {enable | disable}
                set HTTP-method-value-type {plain | regular}
                set HTTP-method-value "<HTTP-method-value_str>"
                set HTTP-method-rev-match {enable | disable}
            end
        config source-ip-filter
            edit <entry_index>
                set source-ip "<address_str>"
                set exclusive-match {no | yes}
            end
        config user-filter
            edit <entry_index>
                set user-name "<user-name_str>"
            end
        config geo-filter
            edit <entry_index>
                set match-exclusive {yes | no}
                set country-list <country-list_str>
            end
        config url-filter
            edit <entry_index>
                set request-file "<url_str>"
                set reverse-match {no | yes}
            end
        config HTTP-transaction
            edit <entry_index>
                set HTTP-transation-timeout "<timeout_int>"
            end
        config response-code
            edit <entry_index>
                set response-code-max <response-code_int>
                set response-code-rev-match {enable | disable}
            end
        config content-type
            edit <entry_index>
                set content-type-rev-match {enable | disable}
            end
        config packet-interval
            edit <entry_index>
                set packet-interval-timeout <timeout_int>
            end
        config signature-class
        end
        config custom-signature
            edit <entry_index>
                set custom-signature-enable {enable | disable}
                set {custom-signature-group | custom-signature}
                set "<custom-signature-name_str>"
            end
        config ftp-security
            edit <entry_index>
                set custom-signature-enable {enable | disable}
                set {custom-signature-group | custom-signature}
                set "<custom-signature-name_str>"
            end
        config occurrence
            edit <entry_index>
                set occurrence-num "<occurrence_int>"
                set percentage-flag {enable | disable}
                set percentage "<percentage_int>"
                set traced-by {Source-IP | User | Http-Session}
            end
    next
end
Variable | Description | Default
"<rule_name>" | Enter the name of a new or existing custom access rule. The maximum length is 63 characters. To display a list of the existing rules, enter: | No default.
action {alert | alert_deny | block-period | deny_no_log | redirect} | Select the specific action to be taken when the request matches the signature. Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for. | alert
block-period <seconds_int> | Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule. The block period is shared by all clients whose traffic originates from the source IP address. The valid range is 1–3,600 seconds. | 600
severity {High | Medium | Low | Info} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | High
trigger "<trigger-policy_name>" | Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: | No default.
bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable} | Select between: | disable
recaptcha <recaptcha_server_name> | Enter the reCAPTCHA server you have created through user recaptcha-user. | No default.
mobile-app-identification {disabled | mobile-token-validation} | For mobile clients that cannot execute JavaScript or CAPTCHA, FortiWeb can verify that the request is legitimate by validating the JWT token a mobile application carries when it accesses a web server. | Disabled
bot-confirmation {enable | disable} | Enable to confirm whether the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double-check whether it is a bot. | disable
max-attempt-times <attempts_int> | Available only when | 3
validation-timeout <seconds_int> | Specifies the maximum amount of time (in seconds) that FortiWeb waits for results from the web browser test. The valid range is 5–30. | 20
<entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default.
access-rate-limit <rate_int> | Enter the rate threshold for source IP addresses. The valid range is 1–65535. To disable the rate limit, enter Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client. | 1
header-name-type {custom | predefined} | Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either: | predefined
header-field-check {enable | disable} | Enable/disable checking the HTTP header field. | No default.
predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} | Select the name (key) of the HTTP header such as This field appears only if header-name-type {custom | predefined} is | host
pre-header-type {plain | regular} | Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular). | plain
pre-header-rev-match {enable | disable} | Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} and header-value "<value_str>" when determining whether or not this condition has been met. If all conditions are met, the FortiWeb appliance will allow access. | disable
custom-header-name "<key_str>" | Enter the name (key) without the trailing colon ( This field appears only if header-name-type {custom | predefined} is | No default.
cus-header-type {plain | regular} | Indicate whether header-value "<value_str>" is a literal header value ( | plain
cus-header-name-type {plain | regular} | Indicate whether custom-header-name "<key_str>" is a literal header name ( | plain
cus-header-rev-match {enable | disable} | Indicate how to use custom-header-name "<key_str>" and header-value "<value_str>" when determining whether or not this condition has been met. If all conditions are met, the FortiWeb appliance will allow access. | disable
HTTP-hline-empty-check {enable | disable} | If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty. The | 
basic-scheme-check {enable | disable} | Enable to check the Misformatted Basic Scheme. This field appears only when: | 
HTTP-hline-missing-check {enable | disable} | If you enable HTTP-hline-missing-check, the request matches the condition if it does not contain the specified header name. The This setting does not take effect for HTTP2 packets without the following headers: HTTP2 packets without the above headers will not go far to be scanned against the | 
HTTP-method-check {enable | disable} | Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field. | disable
HTTP-method-value-type {plain | regular} | Select a plain string or a regular expression. | No default.
HTTP-method-value "<HTTP-method-value_str>" | To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. | No default.
HTTP-method-rev-match {enable | disable} | When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression. | disable
header-value "<value_str>" | Depending on your selection in pre-header-type {plain | regular}, either: For details about language and regular expression matching, see the FortiWeb Administration Guide: https://docs.fortinet.com/fortiweb/admin-guides Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. For example, entering the value | No default.
source-ip | Enter the IP address or IP address range that specifies the clients that FortiWeb allows. For example: Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for), this may be the IP address that is indicated in an HTTP header rather than the IP header. | No default.
exclusive-match {no | yes} | Set whether the condition can be met when the source IP does not match. | No
 | Indicate how to use user-name "<user-name_str>" when determining whether or not this rule’s condition has been met. The effect is equivalent to preceding a regular expression with an exclamation point ( | no
user-name "<user-name_str>" | Enter the user name to match. | No default.
request-file "<url_str>" | Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes}. For example, for the URL access rule to match all URLs that begin with The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters. Note: Regular expressions beginning with an exclamation point ( | No default.
reverse-match {no | yes} | Indicate how to use request-file "<url_str>" when determining whether or not this rule’s condition has been met. | no
HTTP-transation-timeout "<timeout_int>" | Enter a timeout value of 1–3600 seconds. If the lifetime of an HTTP transaction exceeds this value, the transaction matches this condition. | 5
 | Specify the start and end code in a range of HTTP response codes. To specify a single code, enter the same value for the start and end codes (for example, If its HTTP response code is within this range, the HTTP transaction matches this condition. | 404
response-code-max <response-code_int> | Specify the maximum start and end code in a range of HTTP response codes. | No default.
response-code-rev-match {enable | disable} | Enable so that the response matches the condition if the code is not in the specified range. | disable
{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/} | Specify a file content type to match. Use with | application/soap+xml application/xml(or)text/xml text/html text/plain application/json application/octet-stream text/javascript text/css
content-type-rev-match {enable | disable} | Enable so that the content type matches the condition if it is not the specified type. | disable
packet-interval-timeout <timeout_int> | Specify the maximum number of seconds allowed between packets arriving from either the client or server (request or response packets). Enter a value from 1 to 60. If the interval exceeds this value, the HTTP transaction matches this condition. | 1
{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000 | 100000000 | 110000000 | 120000000} | Specify the ID of a signature class. Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature. | No default.
 | Specify whether the HTTP transaction matches this condition if it matches the specified signature. | disable
custom-signature-enable {enable | disable} | Specify whether the current custom signature filter is enabled. | disable
{custom-signature-group | custom-signature} | Specify whether "<custom-signature-name_str>" specifies a custom signature group or an individual signature. | custom-signature-group
"<custom-signature-name_str>" | Specify the custom signature group or individual signature to match. Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature. | No default.
occurrence-num "<occurrence_int>" | Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by Enter a value between 1–100,000. If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition. | 1
 | Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule. Enter a value between 1–600. | 1
percentage-flag {enable | disable} | Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>". | disable
percentage "<percentage_int>" | The maximum rate of matches with other filter types in the current rule, expressed as a percentage of hits. If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition. | No default.
traced-by {Source-IP | User | Http-Session} | Specify whether FortiWeb determines the rate at which a transaction matches other filter types in the current rule by counting matches by source client IP address or by client. To specify | source-ip
<entry_index> (geo-filter) | Enter the index number of the individual entry in the table. | No default.
match-exclusive {yes | no} | If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select. | No
country-list <country-list_str> | Enter the countries to match. | No default.
Example
This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the client does not exceed 5 requests per second.
Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the network administrator.
config waf custom-access rule
    edit "combo-IP-rate-URL-rule1"
        set action block-period
        set severity High
        set trigger "notification-servers1"
        config access-limit-filter
            edit 1
                set access-rate-limit 5
            next
        end
        config source-ip-filter
            edit 1
                set source-ip "192.0.2.5"
            next
        end
        config url-filter
            edit 1
                set request-file "/admin*"
            next
        end
    next
end
config waf custom-access policy
    edit "combo-IP-rate-URL-policy1"
        config rule
            edit 1
                set rule-name "combo-IP-rate-URL-rule1"
            next
        end
    next
end
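To make the "all criteria must match" behaviour described at the top of this page and in the example above concrete, here is a small Python evaluator, added here as an illustration and not FortiWeb code. It assumes an evaluation model in which each configured filter is a condition (source-ip-filter with exclusive-match, url-filter with reverse-match, access-limit-filter as a per-source sliding one-second window that matches once the rate threshold is exceeded), the rule fires only when every condition matches, and action block-period then denies further requests from that source for block-period seconds. The Request class, field names, the anchored regular expression ^/admin and the sample traffic are all constructed for this example; real FortiWeb internals may differ.

```python
"""Added example (not FortiWeb code): models how a custom-access rule combines
its filters.  Assumed model: every configured filter is a condition, the rule
fires only when ALL conditions match, and action block-period then denies
further requests from that source IP for block_period seconds."""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Request:
    t: float        # arrival time in seconds (constructed sample value)
    src_ip: str
    url: str


@dataclass
class CustomAccessRule:
    name: str
    source_ips: List[str] = field(default_factory=list)  # source-ip-filter entries (IP or CIDR)
    exclusive_match: bool = False   # yes: condition met when the source IP does NOT match
    request_file: str = ""          # url-filter regular expression; "" = no URL filter
    reverse_match: bool = False     # yes: condition met when the URL does NOT match
    access_rate_limit: int = 0      # requests per second per source; 0 = no rate filter
    block_period: int = 600         # seconds a violating source stays blocked
    # runtime state, not part of the CLI configuration
    window: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def _source_matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in self.source_ips)
        return (not hit) if self.exclusive_match else hit

    def _url_matches(self, url: str) -> bool:
        hit = re.search(self.request_file, url) is not None
        return (not hit) if self.reverse_match else hit

    def _rate_exceeded(self, req: Request) -> bool:
        # sliding one-second window per source IP; the filter matches once the
        # number of requests in the window is above access-rate-limit
        q = self.window[req.src_ip]
        q.append(req.t)
        while q and req.t - q[0] >= 1.0:
            q.popleft()
        return len(q) > self.access_rate_limit

    def evaluate(self, req: Request) -> str:
        """Return 'blocked' (source still inside a block period), 'violation'
        (all conditions matched; block period starts now) or 'allowed'."""
        until = self.blocked_until.get(req.src_ip)
        if until is not None and req.t < until:
            return "blocked"
        conditions = []
        if self.source_ips:
            conditions.append(self._source_matches(req.src_ip))
        if self.request_file:
            conditions.append(self._url_matches(req.url))
        if self.access_rate_limit:
            conditions.append(self._rate_exceeded(req))
        if conditions and all(conditions):
            self.blocked_until[req.src_ip] = req.t + self.block_period
            return "violation"
        return "allowed"


def simulate(rule: CustomAccessRule, requests: List[Request]) -> List[str]:
    """Evaluate requests in arrival order and return one verdict per request."""
    return [rule.evaluate(r) for r in requests]


def demo() -> List[str]:
    # Rule modelled on the page's example: /admin URLs, source 192.0.2.5,
    # more than 5 requests/second is a violation, 60 s block.
    rule = CustomAccessRule(name="combo-IP-rate-URL-rule1",
                            source_ips=["192.0.2.5"],
                            request_file=r"^/admin",
                            access_rate_limit=5,
                            block_period=60)
    traffic = (
        # 7 requests from 192.0.2.5 within one second: the 6th exceeds 5 req/s
        [Request(t=0.1 * i, src_ip="192.0.2.5", url="/admin/users") for i in range(7)]
        # another client at the same rate: the source-ip condition is not met
        + [Request(t=2.0 + 0.1 * i, src_ip="198.51.100.7", url="/admin/users") for i in range(7)]
        # the offender again after its 60 s block period has elapsed
        + [Request(t=61.0, src_ip="192.0.2.5", url="/admin/users")]
    )
    return simulate(rule, traffic)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In demo(), the first five requests from 192.0.2.5 are allowed, the sixth is the violation that starts the block period, the seventh is denied as blocked, the seven requests from 198.51.100.7 are all allowed because the source-ip condition fails, and the request at t=61 is allowed again once the block period has expired. Note that under this model a rule with only a rate filter would match any client that exceeds the rate; adding the source-ip and URL conditions narrows which traffic can trigger the action, which is the combination the page's example relies on.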