waf url-access url-access-rule

Use this command to configure URL access rules that define the HTTP requests that are allowed or denied based on their host name and URL.

Typically, for example, access to administrative panels for your web application should only be allowed if the client’s source IP address is an administrator’s computer on your private management network. Unauthenticated access from unknown locations increases risk of compromise. Best practice dictates that such risk should be minimized.

To apply URL access rules, first group them within a URL access policy. For details, see waf url-access url-access-policy.

You can use SNMP traps to notify you when a URL access rule is enforced. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf url-access url-access-rule
  edit "<url-access-rule_name>"
    set action {alert_deny | continue | pass | deny_no_log}
    set host "<protected-hosts_name>"
    set host-status {enable | disable}
    set severity {Informative | Low | Medium | High | Info}
    set trigger "<trigger-policy_name>"
    config match-condition
      edit <entry_index>
        set sip-address-check {enable | disable}
        set sip-address-type {sip | sdomain | source-domain}
        set sip-address-value "<client_ip>"
        set sdomain-type {"<ipv4>" | "<ipv6>"}
        set sip-address-domain "<fqdn_str>"
        set source-domain-type {simple-string | regex-expression}
        set source-domain "<source-domain_str>"
        set type {regex-expression | simple-string}
        set reg-exp "<object_pattern>"
        set url-access-parameter
        set only-method {get | post | head | options | trace | connect | delete | put | patch | webdav | rpc | others}
        set only-protocol {http | https | ws | wss}
        set reverse-match {yes | no}
      next
    end
  next
end

Variables

"<url-access-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {alert_deny | continue | pass | deny_no_log}

Select which action the FortiWeb appliance will take when a request matches the URL access rule.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • continue—Generate an alert and/or log message, then continue by evaluating any subsequent rules defined in the web protection profile. If no other rules are violated, allow the request. If multiple rules are violated, a single request will generate multiple attack log messages. For details, see debug flow trace.

  • pass—Allow the request. Do not generate an alert and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If an auto-learning profile will be selected in the policy with Offline Protection profiles that use this rule, you should select pass. If the action is alert_deny, the FortiWeb appliance will reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

Default: pass

host "<protected-hosts_name>"

Enter the name of a protected hosts entry that the Host: field of an HTTP request must match in order for the request to match the rule. The maximum length is 256 characters.

This setting is used only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the rule. Also configure host "<protected-hosts_name>".

Default: disable

severity {Informative | Low | Medium | High | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blocklisted IP address attempts to connect to your web servers:

  • Informative
  • Low
  • Medium
  • High
  • Info

Default: Low

trigger "<trigger-policy_name>"

Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blocklisted IP address’s attempt to connect to your web servers. The maximum length is 63 characters. For details, see log trigger-policy.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

sip-address-check {enable | disable}

Enable to add the client’s source IP address as a criterion for matching the URL access rule. Also configure sip-address-type {sip | sdomain | source-domain} and the specific settings for each source address type.

Default: disable

sip-address-type {sip | sdomain | source-domain}

Select how the client’s source address is specified:

  • sip—A literal IP address or address range, configured in sip-address-value "<client_ip>".
  • sdomain—The IP addresses returned by a DNS lookup of the domain configured in sip-address-domain "<fqdn_str>"; sdomain-type {"<ipv4>" | "<ipv6>"} selects which address type is used.
  • source-domain—A literal domain or a regular expression, configured in source-domain "<source-domain_str>" and source-domain-type {simple-string | regex-expression}.

Available only if sip-address-check {enable | disable} is enable.

Default: sip

sip-address-value "<client_ip>"

Enter one of the following values:

  • A single IP address that a client source IP must match, such as a trusted private network IP address (e.g. an administrator’s computer, 172.16.1.20).
  • A range of addresses (e.g., 172.22.14.1-172.22.14.256 or 10:200::10:1-10:200:10:100).

Available only if sip-address-type {sip | sdomain | source-domain} is sip.

Default: 0.0.0.0

sdomain-type {"<ipv4>" | "<ipv6>"}

Specifies the type of IP address FortiWeb retrieves from the DNS lookup of the domain specified by sip-address-domain "<fqdn_str>".

Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

No default.

sip-address-domain "<fqdn_str>"

Specifies the domain to match the client source IP after DNS lookup.

Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

No default.

source-domain-type {simple-string | regex-expression}

  • simple-string—source-domain specifies a literal domain.
  • regex-expression—source-domain specifies a regular expression that is designed to match multiple URLs.

Available only if sip-address-type {sip | sdomain | source-domain} is source-domain.

Default: simple-string

source-domain "<source-domain_str>"

Enter a literal domain or a regular expression that is designed to match multiple URLs.

Available only if sip-address-type {sip | sdomain | source-domain} is sdomain.

No default.

type {regex-expression | simple-string}

Select how to use the text in reg-exp "<object_pattern>" to determine whether or not a request URL meets the conditions for this rule.

  • simple-string—The text is a string that request URLs must match exactly.
  • regular-expression—The text is a regular expression that defines a set of matching URLs.

No default.

reg-exp "<object_pattern>"

Depending on your selection in type {regex-expression | simple-string}, enter a literal string or a regular expression; together with reverse-match {yes | no}, it defines either all matching or all non-matching URLs. Then, also configure reverse-match {yes | no}.

For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, for reverse-match, enter no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

url-access-parameter

Enter the name of a URL access parameter rule that you have created with config waf url-access-parameter.

No default.

only-method {get | post | head | options | trace | connect | delete | put | patch | webdav | rpc | others}

Select one or more HTTP methods. Only requests that use one of the specified methods match the rule.

No default.

only-protocol {http | https | ws | wss}

Select one or more protocols. Only requests that arrive over one of the specified protocols match the rule.

No default.

reverse-match {yes | no}

Indicate how to use reg-exp "<object_pattern>" when determining whether or not this rule’s condition has been met.

  • no—If the simple string or regular expression does match the request URL, the condition is met.
  • yes—If the simple string or regular expression does not match the request URL, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
Default: no

Example

This example defines two sets of URL access rules.

The first set, Blocked URL, defines two URL match conditions: one uses a simple string to match an administrative page, and the other uses a regular expression to match a set of dynamic URLs for statistics pages.

The second set, Allowed URL, defines a single match condition that uses a regular expression to match all dynamic forms of the index page.

Actual blocking or allowing of the URLs, however, would not occur until a policy applies these URL access rules, and sets an action that the FortiWeb appliance will perform when an HTTP request matches either rule set.

config waf url-access url-access-rule
  edit "Blocked URL"
    config match-condition
      edit 1
        set type simple-string
        set reg-exp "/admin.php"
      next
      edit 2
        set type regular-expression
        set reverse-match no
        set reg-exp "statistics.php*"
      next
    end
  next
  edit "Allowed URL"
    config match-condition
      edit 1
        set type regular-expression
        set reverse-match no
        set reg-exp "index.php*"
      next
    end
  next
end
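To make the documented matching semantics concrete, the following is an added Python model of a match-condition entry (illustrative code written for this page, not FortiWeb's implementation). It evaluates type, reg-exp, reverse-match, only-method and a sip-type source IP check against the two example rules above, the ^/wordpress pattern from the reg-exp description, and a constructed admin-panel condition limited to the administrator host 172.16.1.20 from the introduction. It assumes that a rule matches when any one of its match-condition entries matches, which the page does not state.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class MatchCondition:
    """One 'config match-condition' entry; attribute names mirror the CLI keywords."""
    reg_exp: str
    match_type: str = "simple-string"     # type {regex-expression | simple-string}
    reverse_match: str = "no"             # reverse-match {yes | no}
    sip_address_check: str = "disable"    # sip-address-check {enable | disable}
    sip_address_value: str = "0.0.0.0"    # single IP or "first-last" range (sip type)
    only_method: frozenset = frozenset()  # empty set: any method matches

    def url_matches(self, url: str) -> bool:
        if self.match_type == "simple-string":
            hit = url == self.reg_exp          # the request URL must match exactly
        else:
            hit = re.search(self.reg_exp, url) is not None
        # reverse-match yes inverts the result, the documented equivalent of a leading "!"
        return (not hit) if self.reverse_match == "yes" else hit

    def sip_matches(self, client_ip: str) -> bool:
        if self.sip_address_check != "enable":
            return True                        # source IP is not a criterion
        ip = ipaddress.ip_address(client_ip)
        first, _, last = self.sip_address_value.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        if ip.version != lo.version:
            return False                       # an IPv6 client cannot fall in an IPv4 range
        return lo <= ip <= hi

    def matches(self, url: str, client_ip: str, method: str = "get") -> bool:
        if self.only_method and method not in self.only_method:
            return False
        return self.url_matches(url) and self.sip_matches(client_ip)


def rule_matches(conditions, url, client_ip, method="get"):
    """Assumption: a rule matches when any of its match-condition entries matches."""
    return any(c.matches(url, client_ip, method) for c in conditions)


# The two rules from the Example section above
BLOCKED_URL = [
    MatchCondition("/admin.php"),
    MatchCondition("statistics.php*", match_type="regex-expression"),
]
ALLOWED_URL = [MatchCondition("index.php*", match_type="regex-expression")]

# Constructed: ^/wordpress with and without reverse-match, and an admin-panel
# condition that only matches GET/POST from the administrator host 172.16.1.20
WORDPRESS = MatchCondition("^/wordpress", match_type="regex-expression")
NOT_WORDPRESS = MatchCondition("^/wordpress", match_type="regex-expression", reverse_match="yes")
ADMIN_FROM_MGMT = MatchCondition("^/admin", match_type="regex-expression",
                                 sip_address_check="enable", sip_address_value="172.16.1.20",
                                 only_method=frozenset({"get", "post"}))
```

Note that, as on the appliance, matching alone decides nothing: the action applied to a matching request comes from the rule's action setting and the policy that references it.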
