waf HTTP-protocol-parameter-restriction
Use this command to configure HTTP protocol constraints.
HTTP constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the content payload.
Use protocol constraints to prevent attacks such as buffer overflows in web servers that do not restrict elements of the HTTP protocol to acceptable lengths, or mishandle malformed requests. Such errors can lead to security vulnerabilities.
You can also use protocol constraints to block requests that are too large for the memory size you have configured for FortiWeb’s scan buffers. If your web applications do not require large HTTP POST requests, enable waf HTTP-protocol-parameter-restriction to harden your configuration. To configure the buffer size, see system advanced. |
You can configure each protocol parameter independently with a threat weight, action, severity, and trigger that determines how an attack on that parameter is handled. For example, you can set the action for header constraints to alert, the severity to high, and a trigger set to deliver an email each time FortiWeb detects a violation of these protocol parameters.
To apply HTTP protocol constraints, select them in an inline or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf HTTP-protocol-parameter-restriction
set <constraint_name>-check {enable | disable}
set <constraint_name>-action {alert | alert_deny | block-period | deny_no_log}
set <constraint_name>-block-period <seconds_int>
set <parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe}
set <constraint_name>-severity {High | Medium | Low | Info}
set <constraint_name>-trigger "<trigger-policy_name>"
next
end
Variable | Description | Default |
Enter the name of a new or existing HTTP protocol constraint. The maximum length is 63 characters. To display the list of existing constraints, enter:
|
No default. | |
Specify whether FortiWeb includes the specified constraint when it applies this set of constraints. | ||
<constraint_name>-action {alert | alert_deny | block-period | deny_no_log} |
Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the rules:
You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. Caution: This setting is ignored when the value of monitor-mode {enable | disable} is Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile with this rule, you should select Note: This is not a single setting. Configure the action setting for each violation type. The number of action settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting:
Note: Available actions vary depending on operating mode and protocol parameter. |
alert
|
Select the severity level to use in logs and reports generated when a violation of the rule occurs. Note: This is not a single setting. Configure the severity setting for each violation type. The number of severity settings equals the number of violation types. For example, for maximum HTTP header length violations, you might type the accompanying setting:
|
Medium
|
|
Enter the name of the trigger to apply when this rule is violated (see log trigger-policy). The maximum length is 63 characters. To display the list of existing trigger policies, enter:
Note: This is not a single setting. Configure the trigger setting for each violation type. The number of trigger settings equals the number of violation types.
|
No default. | |
If action is block-period , type the number of seconds that the connection will be blocked. |
600
|
|
<parameter_name>-threat-weight {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for an event when FortiWeb detects a violation of a parameter restriction rule. For details, see the FortiWeb Administration Guide: HTTPS://docs.fortinet.com/fortiweb/admin-guides. |
No default. |
Example
This example limits the total size of the HTTP header, including all lines, to 2,048 bytes. If the HTTP header length exceeds 2,048 bytes, the FortiWeb appliance takes an action to create a log message (alert
), identifying the violation as medium
severity, and sends an email to the administrators defined within the trigger policy email-admin
.
config waf HTTP-protocol-parameter-restriction
edit "HTTP-constraint1"
set max-HTTP-header-length 2048
set max-HTTP-header-length-action alert
set max-HTTP-header-length-severity Medium
set max-HTTP-header-length-trigger email-admin
next
end