waf ftp-command-restriction-rule

Use this command to create FTP command restriction rules to specify acceptable FTP commands that clients can use to communicate with your server(s). Certain FTP commands can expose your server(s) to attack. For example, because attackers can exploit the PORT command to carry out FTP bounce attacks, restricting the PORT command can harden your network's security if you're using FTP.

For details about applying an FTP command restriction rule to an FTP server policy, see waf ftp-protection-profile.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

If ftp-security isn't enabled in feature-visibility, you must enable it before you can create an FTP command restriction rule. To enable ftp-security, see system feature-visibility.

Syntax

config waf ftp-command-restriction-rule

edit "<rule_name>"

set action {alert | alert_deny | block-period | deny_no_log}

set block-period <block_period_int>

set severity {High | Info | Low | Medium}

set trigger "<policy_name>"

end

config command-types

edit <entry_index>

set command-type <ftp_command>

end

Variable Description Default

"<rule_name>"

Enter a unique name that can be referenced in other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

No default.

<entry_index>

Enter an index number of the individual entry in the table. The valid range is 1–999,999,999,999,999,999.

You must create an entry index for each FTP command that you plan to include in the rule.

No default.

command-type <ftp_command>

Enter an FTP command that you want to include in the rule. You can include these FTP commands in the rule:

ABOR
ACCT
ALLO
APPE
AUTH
CDUP
CWD
DELE
EPRT
EPSV
FEAT
HELP
LIST
MDTM
MKD

MLSD
MODE
NLST
OPTS
PASS
PASV
PORT
PROT
PWD
QUIT
REIN
REST
RETR
RMD
RNFR

RNTO
SITE
SIZE
SMNT
STAT
STOR
STOU
STRU
SYST
TYPE
USER
XCUP
XMKD
XPWD
XRMD

No default.

action {alert | alert_deny | block-period | deny_no_log}

Select which action FortiWeb will take when it detects a violation of the rule:

alert—Accept the connection and generate an alert email and/or log message.
alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
deny_no_log—Block the request (or reset the connection).
block-period—Block subsequent requests from the client for a number of seconds. Also configure waf ftp-command-restriction-rule.

Note: This setting will be ignored if monitor-mode {enable | disable}is enabled in a server policy.

alert

block-period <block_period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the rule. The valid range is 1–3,600 seconds.

This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is set to block-period.

600

severity {High | Info | Low | Medium}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the rule:

Info
Low
Medium
High

Medium

trigger "<policy_name>"

Enter the name of a trigger policy, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the rule.

No default.