waf file-upload-restriction-rule
Use this command to define the specific host and request URL for which file upload restrictions apply, and define the specific file types that can be uploaded to that host or URL.
To apply the rule, select it in a file security policy. For details, see waf file-upload-restriction-policy.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf file-upload-restriction-rule
edit "<file-upload-restriction-rule_name>"
set host-status {enable | disable}
set host "<protected-host_name>"
set request-file "<url_pattern>"
set request-type {regular | plain}
set file-size-limit <size_int>
set octet-stream-filename-position {Default | Header |Parameter | Resource }
set octet-stream-filename-string <Header or Parameter names>
set enable_base64_decode {enable | disable}
set json-file-support {enable | disable}
set json-key-for-filename <filename>
set json-key-field <FileContents>
set waf file-upload-restriction-rule
set file-uncompress {enable | disable}
set uncompress-nest-limit <int>
set uncompress-oversize-limit <int>
config file-types
edit <entry_index>
set file-type_name "<file-type-extension_str>"
next
config custom-file-types
edit <entry_index>
set custom-file-extention <custom-file-type-extension_str>
next
end
next
end
Variable | Description | Default |
Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter:
|
No default. | |
Enable to apply this exception only to HTTP requests for specific web hosts. Disable to match the exception based upon the other criteria, such as the URL, but regardless of the |
disable
|
|
Enter the name of a protected host that the This setting applies only if host-status {enable | disable} is |
No default. | |
Depending on your selection in request-type {regular | plain}, type either:
Do not include the name of the web host, such as Note: Regular expressions beginning with an exclamation point ( |
No default. | |
Select whether analyzer-policy "<fortianalyzer-policy_name>" will contain a literal URL (plain ), or a regular expression designed to match multiple URLs (regular ). |
plain | |
Optionally, enter a number to represent the maximum size in kilobytes for any individual file. This places a size limit on allowed file types.
|
0 | |
Select to Allow or Block file types and custom file types |
Block |
|
octet-stream-filename-position {Default | Header |Parameter | Resource } |
Identify where to retrieve the filename of 'application/octet-stream' type file. |
Default |
Specify the header or parameter names to get the file name of octet-stream. e.g. X-File-Name;X-Name. |
No default. |
|
Enable JSON File Support if you want FortiWeb to further parse the file contained in JSON file. |
|
|
filename parameter, and compare it against the value you set for json-key-for-filename. This is optional. |
No default. |
|
FortiWeb will parse the JSON file to find the value of the
Both json-key-for-filename and json-key-field require exact match and are case sensitive. If both of them matches, FortiWeb will apply File Security policy to the file contained in JSON file. If only json-key-field matches, FortiWeb will apply File Security policy to the file contained in JSON file, and in the attack log the name of the file will be shown as "JSON File". If only json-key-for-filename matches, it equals to no match. FortiWeb will not execute further scan to the file contained in JSON file. |
No default. |
|
Enable to decode the file contained in the JSON file with base64. |
|
|
Enable file unzip in CLI to verify file type and size in the compressed files. |
|
|
Type the maximum number of allowed levels of compression (“nesting”) that FortiWeb will attempt to decompress. The valid range is 1-100. |
12 |
|
Type the maximum size in kilobytes (KB) of the memory buffer that FortiWeb will use to temporarily undo the compression. When the file has multiple compression levels and the size of the decompressed files reaches the maximum when FortiWeb decompresses to a certain level, then FortiWeb will only check the already-decompressed files. The files that are not decompressed will pass through FortiWeb without scanning. |
5,000 |
|
Enter the index number of the individual entry in the table. Each entry in the table can define one file type. The valid range is 1–9,999,999,999,999,999,999. | No default. | |
Select the numeric type ID that corresponds to the file type. Recognized IDs are updated by FortiGuard services and may vary. For a list of available IDs, select all file types in the GUI, then use the CLI to view their corresponding IDs. Common IDs include:
|
No default. | |
Enter the extension, such as Note: Microsoft Office Open XML file types such as .docx, xlsx, .pptx, and .vsdx are a type of ZIP-compressed XML. If you specify restrictions for them, those signatures will take priority. However, if you do not select a MSOOX restriction but do have an XML or ZIP restriction, the XML and ZIP restrictions will still apply, and the files will still be restricted. |
No default. | |
If the file type is not one of the Recognized file types, use this command to enter your custom file type. |
No default. |
Example
This example allows both MPEG and FLV files uploaded to the URL /file-uploads
on the host www.example.com
.
config waf file-upload-restriction-rule
edit "file-upload-rule1"
set host-status enable
set host "www.example.com"
set request-file "/file-uploads"
config file-types
edit 1
set file-type-id "00013"
set file-type-name "MPEG"
next
edit 2
set file-type-id "00008"
set file-type-name "FLV"
next
end
next
end