"<signature-set_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

credit-card-detection-threshold <instances_int>

Enter the number of credit cards that triggers the credit card number detection feature.

For example, to ignore web pages with only one credit card number, but to detect when a web page containing two or more credit cards, enter 2.

The valid range is 1–128.

custom-protection-group "<group_name>"

Enter the name of the custom signature group to be used, if any. The maximum length is 63 characters.

To display the list of existing custom signature groups, enter:

set custom-protection-group ?

sensitivity-level {1|2|3|4}

Increasing the level adds additional signatures but also adds the chance of blocking legitimate traffic.

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 070000000 | 080000000 | 090000000 | 100000000 | 110000000 | 120000000}

Enter the ID of a signature class (or, for subclass overrides, the subclass ID).

To display the list of signature classes, enter:

edit ?

action {alert |alert_deny | block-period |only_erase | send_HTTP_response | alert_erase | redirect | deny_no_log}

Select which action the FortiWeb appliance will take when it detects a signature match.

Note: This is not a single setting. Available actions may vary slightly, depending on what is possible for each specific type of attack/information disclosure.

• alert—Accept the request and generate an alert email and/or log message.

  Note: Does not cloak, except for removing sensitive headers. (Sensitive information in the body remains unaltered.)

• alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

  You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

• block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

  Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

• only_erase—Hide sensitive information in replies from the web server (sometimes called “cloaking”). Block the request or remove the sensitive information, but do not generate an alert email and/or log message.

  Caution: This option is not supported in Offline Protection mode.

• send_HTTP_response—Block and reply to the client with an HTTP error message, and generate an alert email, a log message, or both

• alert_erase—Hide replies with sensitive information (sometimes called “cloaking”). Block the reply (or reset the connection) or remove the sensitive information, and generate an alert email and/or log message.

• deny_no_log—Deny a request. Do not generate a log message.

Note: This option is not fully supported in Offline Protection mode. Effects will be identical to alert; sensitive information will not be blocked or erased.

• redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

Caution: FortiWeb ignores this setting if monitor-mode {enable | disable} is enabled.

Note: Actions that generate log messages alert email actions require the features to be enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile in the policy with Offline Protection profiles that use this rule, select alert. If the action is alert_deny, the FortiWeb appliance resets the connection when it detects an attack and the session information for the auto-learning feature will be incomplete. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

block-period <seconds_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

The valid range is 1–3,600 seconds. The setting is applicable only if action is period-block.

Note: This is not a single setting. You can configure the block period separately for each signature category.

severity {Low | Medium | High | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

• Low
• Medium
• High

Note: This is not a single setting. You can configure the severity separately for each signature category.

trigger "trigger-policy_name>"

Enter the name of the trigger, if any, to apply when a protection rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing triggers, enter:

set trigger ?

Note: This is not a single setting. You can configure a different trigger for each signature category.

"<signature-id_str>"

Enter the ID of a specific signature that you want to disable.

Some signatures often cause false positives and are disabled by default. To display a list, enter:

edit ?

"<alert-only-list_signature-id_str>"

Enter the ID of a specific signature that generates logs or alert email only and does not block matching requests.

"<fpm-disable-list_signature-id_str>"

Enter the ID of a specific signature for which false positive mitigation is disabled.

The false positive mitigation feature performs additional lexical and syntax analysis after a SQL injection signature matches a request.

"<scoring-override-disable-list_signature-id_str>"

Enter the ID of a specific signature that will not be affected by the threat weight settings, if any. When traffic violates specified signature, FortiWeb takes the local action specified for that signature.

"<score-grade-list_signature-id_str>"

Enter the ID of a specific signature to configure its threat weight.

Specify the scoring-grade to set the threat weight of the specified signature.

scoring-grade {low | critical | informational | moderate | substantial | severe}

Specify the threat weight that the signature adds to the combined threat weight.

Global threat weight risk level values can be modified using server-policy pattern threat-weight.

<entry_index>

signature_id "<signature-id_str>"

match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS}

Enter the type of object that FortiWeb examines for matching values:

• HTTP_METHOD—One or more HTTP methods specified by HTTP-method {get post head options trace connect delete put others patch}.
• CLIENT_IP—The IP address or IP range specified by ip {<ipv4> | <ipv6>}.
• HOST—The Host: field value specified by value {"<value_str>" | "<value_pattern>"}.
• URI—The URL value specified by value. The value does not include parameters.
• FULL_URL—The URL value specified by value. The value includes parameters to match.
• PARAMETER—A parameter specified by name {"<name_str>" | "<name_pattern>"}. To match a specific parameter value, enable value-check {enable | disable}, and then specify value.
• COOKIE—A cookie specified by name. To match a specific cookie value, enable value-check, and then specify value.

operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}

Enter the type of values to match. The match-target value determines which types are available.

• STRING_MATCH—value is a literal value (for example, a literal host name).
• REGEXP_MATCH—value is a regular expression that matches the object the exception applies to.
• EQ—When match-target is CLIENT_IP, FortiWeb only performs a signature scan for requests with a client IP address that matches the value of ip.
• NE—When match-target is CLIENT_IP, FortiWeb does not perform a signature scan for requests with a client IP address that matches the value of ip.
• INCLUDE—When match-target is HTTP_METHOD, FortiWeb does not perform a signature scan for requests that include the HTTP methods specified by HTTP-method.
• EXCLUDE—When match-target is HTTP_METHOD, FortiWeb only performs a signature scan for requests that include the HTTP methods specified by HTTP-method.

HTTP-method {get post head options trace connect delete put others patch}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is HTTP_METHOD, specifies one or more HTTP methods to match.

ip {<ipv4> | <ipv6>}

When match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is CLIENT_IP, specifies the IP address or IP range to match.

name {"<name_str>" | "<name_pattern>"}

Enter the name of a parameter or cookie to match. Whether the value is a literal value or a regular expression is determined by the value of operator {STRING_MATCH | REGEXP_MATCH | EQ | NE| INCLUDE | EXCLUDE}.

Available when match-target {HTTP_METHOD | CLIENT_IP | HOST | URI | FULL_URL | PARAMETER | COOKIE | HTTP_HEADER | JSON_ELEMENTS} is PARAMETER or COOKIE.

value-check {enable | disable}

Enable to specify whether matching requests match a specified parameter or cookie value as well as the specified parameter or cookie name.

value {"<value_str>" | "<value_pattern>"}

Enter the value to match (for example, a Host: field value). Whether the value is a literal value or a regular expression is determined by the value of operator.

concatenate-type {AND | OR}

• AND—A matching request matches this entry in addition to other entries in the list.
• OR—A matching request matches this entry or other entries in the list.