Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.2.7 Administration Guide
    7.2.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Creating XML protection rules

    Creating XML protection rules

    XML protection rules define and enforce acceptable XML content, including:

    • Limits for names, values, depth, and other attributes
    • Preventing forbidden XML entities from making requests

    FortiWeb responds to rule violations of XML protection rules according to the response action specified in a rule that a request has violated. Multiple XML protection rules can be organized into policies that FortiWeb enforces. You can create up to 256 rules per policy.

    This section provides instructions to:

    • Create an XML protection rule
    • Add an XML protection rule to an XML protection policy
    To create an XML protection rule
    1. Go to XML Protection > XML Protection Rule.

      2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:

      Name

      Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters.

      Host status

      Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure Host.

      Host

      Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

      Request URL type

      Select whether the Request URL field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.
      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      Request URL

      Depending on your selection in Request URL type, enter either:

      • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
      • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in Host.

      To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

      Data Format

      Two data formats are available:

      • XML
      • SOAP

      Schema Validation

      Optionally, select an XML schema file. For details, see Importing XML schema files.

      Available only when the Data Format is XML.

      Note: If you upload an XML schema file that refers to other XML schema files, the other XML schema files must also be uploaded to FortiWeb.

      WSDL Validation

      Select the WSDL file created in XML Protection > WSDL.

      Available only when the Data Format is SOAP.

      Note: If you are to upload a WSDL file that refers to local XML schema files, the XML schema files must be uploaded to FortiWeb first.

      Override IP and Port in WSDL

      When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.

      WS-Security

      Select the WS-Security rule created in Creating WS-Security rules.

      You can also click to edit the WS-Security rule.

      Available only when the Data Format is SOAP.

      WS-I Basic Profile Check

      Click to check whether the SOAP messages adhere to the selected WSI rules.

      Available only when the Data Format is SOAP.

      Attachments in SOAP Messages

      Specify whether the SOAP message can carry attachments.

      Available only when the Data Format is SOAP.

      XML Limits

      Enable to define limits for attributes, CDATA, and elements.

      Attribute

      Enter the maximum number of attributes for each element. The valid range is 1–256. The default value is 32.

      Attribute Name Length

      Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024. The default value is 64.

      Attribute Value Length

      Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048. The default value is 1,024.

      CDATA Length

      Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096. The default value is 4,096.

      Element Depth

      Enter the maximum element depth in XML. The valid range is 1–256. The default value is 20.

      Element Name Length

      Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024. The default value is 64.

      Forbidden XML Entities

      Enable to configure limits for the below XML entities.

      External Entity

      Enable to trigger the Action if an HTTP request contains an external entity in XML.

      Entity Expansion

      Enable to trigger the Action if an HTTP request contains an XML recursive entity expansion.

      XInclude

      Enable to trigger the Action if other XML contents are included in XML.

      Schema Location

      Enable to forbid using location field to perform malicious requests.

      Exempted URL

      Select the exempted URL you have created in Configuring exempted URLsto configure allowed location URLs.

      Available only when Schema Location (page 1) is enabled.

      Action

      Select which action FortiWeb will take when it detects a violation of the rule:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

      • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
      • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

      The default value is Alert. See also Reducing false positives.

      Caution: This setting will be ignored if Monitor Mode is enabled.

      Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

      Block Period

      Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

      The valid range is 1–3,600 seconds (1 hour).

      For details about tracking blocked clients, see Blocked IPs.

      Severity

      When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

      • Low
      • Medium
      • High

      The default value is Low.

      Trigger Policy

      Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

    4. Click OK.
    To add an XML protection rule to an XML protection policy

    For details about creating an XML protection policy, see Creating XML protection policies.

    1. Go to XML Protection > XML Protection Policy.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
    2. Select the existing XML protection policy to which you want to add the XML protection rule.
    3. Click Edit.
    4. Click Create New.
    5. For Rule, select the XML protection rule that you want to include in the XML protection policy.
      Note: To view details about a selected XML protection rule, click the view icon next to the drop down list.
    6. Click OK.
    7. Repeat Steps 4-6 for as many XML protection rules as you want to add to the XML protection policy.
    Previous
    Next

    Creating XML protection rules

    Creating XML protection rules

    XML protection rules define and enforce acceptable XML content, including:

    • Limits for names, values, depth, and other attributes
    • Preventing forbidden XML entities from making requests

    FortiWeb responds to rule violations of XML protection rules according to the response action specified in a rule that a request has violated. Multiple XML protection rules can be organized into policies that FortiWeb enforces. You can create up to 256 rules per policy.

    This section provides instructions to:

    • Create an XML protection rule
    • Add an XML protection rule to an XML protection policy
    To create an XML protection rule
    1. Go to XML Protection > XML Protection Rule.

      2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:

      Name

      Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters.

      Host status

      Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure Host.

      Host

      Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.

      Request URL type

      Select whether the Request URL field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.
      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      Request URL

      Depending on your selection in Request URL type, enter either:

      • Simple String—Enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
      • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in Host.

      To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.

      Data Format

      Two data formats are available:

      • XML
      • SOAP

      Schema Validation

      Optionally, select an XML schema file. For details, see Importing XML schema files.

      Available only when the Data Format is XML.

      Note: If you upload an XML schema file that refers to other XML schema files, the other XML schema files must also be uploaded to FortiWeb.

      WSDL Validation

      Select the WSDL file created in XML Protection > WSDL.

      Available only when the Data Format is SOAP.

      Note: If you are to upload a WSDL file that refers to local XML schema files, the XML schema files must be uploaded to FortiWeb first.

      Override IP and Port in WSDL

      When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.

      WS-Security

      Select the WS-Security rule created in Creating WS-Security rules.

      You can also click to edit the WS-Security rule.

      Available only when the Data Format is SOAP.

      WS-I Basic Profile Check

      Click to check whether the SOAP messages adhere to the selected WSI rules.

      Available only when the Data Format is SOAP.

      Attachments in SOAP Messages

      Specify whether the SOAP message can carry attachments.

      Available only when the Data Format is SOAP.

      XML Limits

      Enable to define limits for attributes, CDATA, and elements.

      Attribute

      Enter the maximum number of attributes for each element. The valid range is 1–256. The default value is 32.

      Attribute Name Length

      Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024. The default value is 64.

      Attribute Value Length

      Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048. The default value is 1,024.

      CDATA Length

      Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096. The default value is 4,096.

      Element Depth

      Enter the maximum element depth in XML. The valid range is 1–256. The default value is 20.

      Element Name Length

      Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024. The default value is 64.

      Forbidden XML Entities

      Enable to configure limits for the below XML entities.

      External Entity

      Enable to trigger the Action if an HTTP request contains an external entity in XML.

      Entity Expansion

      Enable to trigger the Action if an HTTP request contains an XML recursive entity expansion.

      XInclude

      Enable to trigger the Action if other XML contents are included in XML.

      Schema Location

      Enable to forbid using location field to perform malicious requests.

      Exempted URL

      Select the exempted URL you have created in Configuring exempted URLsto configure allowed location URLs.

      Available only when Schema Location (page 1) is enabled.

      Action

      Select which action FortiWeb will take when it detects a violation of the rule:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

      • Redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason.
      • Send 403 Forbidden—Reply with an HTTP 403 Access Forbidden error message and generate an alert and/or log message.

      The default value is Alert. See also Reducing false positives.

      Caution: This setting will be ignored if Monitor Mode is enabled.

      Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.

      Block Period

      Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Period Block.

      The valid range is 1–3,600 seconds (1 hour).

      For details about tracking blocked clients, see Blocked IPs.

      Severity

      When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is violated:

      • Low
      • Medium
      • High

      The default value is Low.

      Trigger Policy

      Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

    4. Click OK.
    To add an XML protection rule to an XML protection policy

    For details about creating an XML protection policy, see Creating XML protection policies.

    1. Go to XML Protection > XML Protection Policy.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
    2. Select the existing XML protection policy to which you want to add the XML protection rule.
    3. Click Edit.
    4. Click Create New.
    5. For Rule, select the XML protection rule that you want to include in the XML protection policy.
      Note: To view details about a selected XML protection rule, click the view icon next to the drop down list.
    6. Click OK.
    7. Repeat Steps 4-6 for as many XML protection rules as you want to add to the XML protection policy.
    Previous
    Next