waf allow-method-policy
Use this command to allow only specific HTTP request methods.
To define specific exceptions to this policy, use waf allow-method-exceptions.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf allow-method-policy
edit "<allowed-method-policy_name>"
set allow-method {get post head options trace connect delete put patch webdav rpc}
set override-header {enable | disable}
set override-parameter {enable | disable}
set severity {High | Medium | Low | Info}
set triggered-action "<trigger-policy_name>"
set allow-method-exception "<method-exception_name>"
next
end
Variable | Description | Default |
--- | --- | --- |
"<allowed-method-policy_name>" | Enter the name of a new or existing allowed methods policy. This field cannot be modified if you are editing an existing allowed method exception. To modify the name, delete the entry, then recreate it using the new name. The maximum length is 63 characters. To display a list of the existing policies, enter: | No default. |
override-header {enable \| disable} | When Override Header or Override Parameter settings are enabled, FortiWeb checks the methods named in these headers or parameters as well as the HTTP method used in the actual request. If any of these methods is not in the allowed method list, FortiWeb denies the request. | disable |
override-parameter {enable \| disable} | When Override Header or Override Parameter settings are enabled, FortiWeb checks the methods named in these headers or parameters as well as the HTTP method used in the actual request. If any of these methods is not in the allowed method list, FortiWeb denies the request. | disable |
allow-method {get post head options trace connect delete put patch webdav rpc} | Select one or more HTTP request methods that you want to allow for this specific policy. Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in analyzer-policy "<fortianalyzer-policy_name>". Note: If a WAF Auto Learning Profile is used in the server policy where the HTTP request method policy is applied (via the Web Protection Profile), you must enable the HTTP request methods that will be used by the sessions you want the FortiWeb appliance to learn about. If a method is disabled, the FortiWeb appliance resets the connection and therefore cannot learn about the session. | No default. |
severity {High \| Medium \| Low \| Info} | Select the severity level to use in logs and reports generated when a violation of the policy occurs. | High |
triggered-action "<trigger-policy_name>" | Enter the name of the trigger policy you want FortiWeb to apply when a violation of the HTTP request method policy occurs. Trigger policies determine who will be notified by email when the policy violation occurs, and whether the log message associated with the violation is recorded. The maximum length is 63 characters. To display a list of the existing policies, enter: | No default. |
allow-method-exception "<method-exception_name>" | Enter the name of an existing HTTP request method exception, if any, to apply to this policy. The maximum length is 63 characters. To display a list of the existing exceptions, enter: | No default. |
Example
This example allows the HTTP GET and POST methods and rejects others, except according to the exceptions defined in MethodExceptions1.
config waf allow-method-policy
edit "allowpolicy1"
set allow-method get post
set triggered-action "TriggerActionPolicy1"
set allow-method-exception "MethodExceptions1"
next
end
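The table above describes the decision this policy makes: the request's own method must be in the allowed list, and when override-header or override-parameter is enabled, any method named in a method-override header or parameter must be in the list too, with a host/URL exception able to extend the list. The following Python model is an added example written for this page, not FortiWeb code, so a practitioner can see why leaving the override checks disabled lets a request whose real method is POST carry a DELETE override past a GET/POST allow list. The header names (X-HTTP-Method-Override, X-Method-Override), parameter names (_method), the exception tuple layout and the sample requests are all constructed assumptions; the page does not state which headers or parameters FortiWeb inspects.

```python
from dataclasses import dataclass, field

# Assumed names of method-override carriers (constructed for this example;
# the page does not list the headers/parameters FortiWeb actually inspects).
OVERRIDE_HEADERS = ("x-http-method-override", "x-method-override")
OVERRIDE_PARAMS = ("_method", "x-http-method-override")


@dataclass
class AllowMethodPolicy:
    """Model of one waf allow-method-policy entry (hypothetical structure)."""
    allow_method: set                 # e.g. {"get", "post"}
    override_header: bool = False     # set override-header enable
    override_parameter: bool = False  # set override-parameter enable
    severity: str = "High"            # set severity
    # Exception entries modelled as (host, url_prefix, extra methods);
    # "*" as host matches any host. Constructed approximation of
    # waf allow-method-exceptions.
    exceptions: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict
    params: dict


def methods_to_check(req, policy):
    """Collect every method the policy must validate for this request."""
    methods = [req.method.lower()]
    if policy.override_header:
        for name, value in req.headers.items():
            if name.lower() in OVERRIDE_HEADERS:
                methods.append(value.strip().lower())
    if policy.override_parameter:
        for name, value in req.params.items():
            if name.lower() in OVERRIDE_PARAMS:
                methods.append(value.strip().lower())
    return methods


def allowed_for(req, policy):
    """Allowed set = policy list, extended by any matching host/URL exception."""
    allowed = set(m.lower() for m in policy.allow_method)
    for host, prefix, extra in policy.exceptions:
        host_ok = host == "*" or host.lower() == req.host.lower()
        if host_ok and req.path.startswith(prefix):
            allowed |= set(m.lower() for m in extra)
    return allowed


def evaluate(req, policy):
    """Return ("allow", None) or ("deny", offending_method)."""
    allowed = allowed_for(req, policy)
    for method in methods_to_check(req, policy):
        if method not in allowed:
            return ("deny", method)
    return ("allow", None)


def violation_log(req, policy, verdict):
    """Shape of the log record a deny would produce (constructed format)."""
    decision, method = verdict
    if decision == "allow":
        return None
    return {"severity": policy.severity, "host": req.host,
            "path": req.path, "method": method, "action": "deny"}


if __name__ == "__main__":
    # Mirrors the page's example: allow GET and POST only.
    policy = AllowMethodPolicy(allow_method={"get", "post"})
    req = Request("POST", "www.example.com", "/api/items/1",
                  {"X-HTTP-Method-Override": "DELETE"}, {})
    print("override-header disabled:", evaluate(req, policy))   # allow
    policy.override_header = True
    print("override-header enabled: ", evaluate(req, policy))   # deny delete
    policy.exceptions.append(("www.example.com", "/api/", {"delete"}))
    print("with exception:          ", evaluate(req, policy))   # allow
    print(violation_log(Request("PUT", "www.example.com", "/", {}, {}),
                        policy, evaluate(Request("PUT", "www.example.com", "/", {}, {}), policy)))
```

The exception lookup runs before the override check, so an exception that allows DELETE for /api/ on a given host also covers a DELETE carried in an override header for that path, which matches the page's statement that exceptions extend the allowed list for a host and/or URL.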