waf HTTP-constraints-exceptions
Use set statements under this command to configure exceptions to existing HTTP protocol parameter constraints for specific hosts.
Exceptions may be useful if you know that some HTTP protocol constraints will, during normal use, cause false positives by matching an attack signature. Exceptions define HTTP constraints that will not be subject to the HTTP protocol constraint policy.
For example, if you enable max-HTTP-header-length in an HTTP protocol constraint exception for a specific host, FortiWeb ignores the HTTP header length check when executing the web protection profile for that host.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf HTTP-constraints-exceptions
  edit "<exception_name>"
    config HTTP_constraints-exception-list
      edit <entry_index>
        set request-file "<url_pattern>"
        set request-type {plain | regular}
        set host-status {enable | disable}
        set host "<host_name>"
        set block-malformed-request {enable | disable}
        set Illegal-content-length-check {enable | disable}
        set Illegal-content-type-check {enable | disable}
        set Illegal-header-name-check {enable | disable}
        set Illegal-header-value-check {enable | disable}
        set Illegal-host-name-check {enable | disable}
        set Illegal-HTTP-request-method-check {enable | disable}
        set Internal-resource-limits-check {enable | disable}
        set max-cookie-in-request {enable | disable}
        set max-header-line-request {enable | disable}
        set max-HTTP-body-length {enable | disable}
        set max-HTTP-body-parameter-length {enable | disable}
        set max-HTTP-content-length {enable | disable}
        set max-HTTP-header-length {enable | disable}
        set max-HTTP-header-line-length {enable | disable}
        set max-HTTP-header-name-length {enable | disable}
        set max-HTTP-header-value-length {enable | disable}
        set max-HTTP-parameter-length {enable | disable}
        set max-HTTP-request-filename-length {enable | disable}
        set max-HTTP-request-length {enable | disable}
        set max-url-param-name-len {enable | disable}
        set max-url-param-value-len {enable | disable}
        set max-url-parameter {enable | disable}
        set max-url-parameter-length {enable | disable}
        set number-of-ranges-in-range-header {enable | disable}
        set parameter-name-check {enable | disable}
        set parameter-value-check {enable | disable}
        set redundant-header-check {enable | disable}
        set source-ip-status {enable | disable}
        set url-param-name-check {enable | disable}
        set url-param-value-check {enable | disable}
        set duplicate-parameter-check {enable | disable}
        set null-byte-in-url-check {enable | disable}
        set Illegal-byte-in-url-check {enable | disable}
        set web-socket-protocol-check {enable | disable}
        set odd-and-even-space-attack-check {enable | disable}
        set rpc-protocol-check {enable | disable}
      next
      move "<source-exception_id>" to {before | after | up | down} "<destination-exception_id>"
    end
  next
end
Variable | Description | Default
--- | --- | ---
"<exception_name>" | Enter the name of a new or existing HTTP protocol constraint exception. The maximum length is 63 characters. To display the list of existing exceptions, enter: | No default
<entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default
request-file | Enter either: Do not include the name of the web host, such as | No default
request-type | Enter either plain or regular (for a regular expression) to match the string entered in request-file "<url_pattern>". | No default
host-status | Enable to apply this exception only to HTTP requests for specific web hosts. Also configure analyzer-policy "<fortianalyzer-policy_name>". Disable to match the exception based upon the other criteria, such as the URL, but regardless of the | disable
block-malformed-request | Enable to omit the constraint on syntax and FortiWeb parsing errors. Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary. |
Illegal-content-length-check | Enable to omit the constraint on the maximum acceptable size in bytes of the request body. | disable
Illegal-content-type-check | Enable to omit the constraint on whether the Content-Type: value uses the format <type>/<subtype>. | disable
Illegal-header-name-check | Enable to omit the constraint on whether the HTTP header name contains illegal characters. | disable
Illegal-header-value-check | Enable to omit the constraint on whether the HTTP header value contains illegal characters. | disable
Illegal-host-name-check | Enable to omit the constraint on host names with illegal characters. | disable
Illegal-HTTP-request-method-check | Enable to omit the constraint on illegal HTTP request methods. | disable
 | Enable to omit the constraint on whether the HTTP response code is a 3-digit number. | disable
Internal-resource-limits-check | Enable to omit the constraint on the maximum number of limits allowed by the HTTP parser. |
max-cookie-in-request | Enable to omit the constraint on the maximum number of cookies per request. | disable
max-header-line-request | Enable to omit the constraint on the maximum number of HTTP header lines. | disable
max-HTTP-body-length | Enable to omit the constraint on the maximum HTTP body length. | disable
max-HTTP-body-parameter-length | Enable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP POST requests. | disable
max-HTTP-content-length | Enable to omit the constraint on the maximum HTTP content length. | disable
max-HTTP-header-length | Enable to omit the constraint on the maximum HTTP header length. | disable
max-HTTP-header-line-length | Enable to omit the constraint on the maximum HTTP header line length. | disable
max-HTTP-header-name-length | Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name. | disable
max-HTTP-header-value-length | Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value. | disable
max-HTTP-request-filename-length | Enable to omit the constraint on the maximum HTTP request filename length. | disable
max-HTTP-parameter-length | Enable to omit the constraint on the maximum HTTP parameter length. | disable
max-HTTP-request-length | Enable to omit the constraint on the maximum HTTP request length. | disable
max-url-param-name-len | Enable to omit the constraint on the maximum acceptable length in bytes of the parameter name. | disable
max-url-param-value-len | Enable to omit the constraint on the maximum acceptable length in bytes of the parameter value. | disable
max-url-parameter | Enable to omit the constraint on the maximum number of parameters in the URL. | disable
max-url-parameter-length | Enable to omit the constraint on the maximum length of parameters in the URL. | disable
number-of-ranges-in-range-header | Enable to omit the constraint on the maximum acceptable number of Range: fields of an HTTP header. | disable
parameter-name-check | Enable to omit the constraint on null characters in parameter names. | disable
parameter-value-check | Enable to omit the constraint on null characters in parameter values. | disable
 | Enable to omit the constraint on whether the Content-Type: header is available. | disable
redundant-header-check | Enable to omit the constraint on redundant instances of the Content-Length, Content-Type and Host header fields. | disable
source-ip-status | Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses. | disable
 | Enter the source IP of the protected requests to which this exception applies. Only a single IPv4/IPv6 address or an IPv4/IPv6 range is acceptable. For example: Available only when source-ip-status is enable. | No default
url-param-name-check | Enable to omit the constraint on illegal characters in the parameter name. | disable
url-param-value-check | Enable to omit the constraint on illegal characters in the parameter value. | disable
duplicate-parameter-check | Enable to omit the constraint on duplicate parameter names. | disable
null-byte-in-url-check | Enable to omit the constraint on null bytes in the URL. | disable
Illegal-byte-in-url-check | Enable to omit the constraint on illegal bytes in the URL. | disable
web-socket-protocol-check | Enable to omit detecting traffic that uses the WebSocket TCP-based protocol. | disable
odd-and-even-space-attack-check | Enable to omit the constraint on detecting the Odd and Even Space Attack. | disable
rpc-protocol-check | Enable to omit detecting traffic that uses the RPC protocol. |
 | Specifies the maximum acceptable number of requests in an HTTP/2 connection. |
move | Adjust the priority of the exception entries by moving "<source-exception_id>" before, after, up or down relative to "<destination-exception_id>". |
Example
This example omits header length limits for HTTP requests to www.example.com and 192.0.2.1 for /login.asp.
config waf HTTP-constraints-exceptions
  edit "exception1"
    config HTTP_constraints-exception-list
      edit 1
        set host "www.example.com"
        set host-status enable
        set max-HTTP-header-length enable
        set request-file "/login.asp"
      next
      edit 2
        set host "192.0.2.1"
        set host-status enable
        set max-HTTP-body-length enable
        set request-file "/login.asp"
      next
    end
  next
end
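The selection rules this reference describes (a request-file pattern, plain or regular, optionally narrowed by host-status and host, and by source-ip-status) can be modelled to see which constraint checks a request would be excused from. The following is an added example written for this page, not FortiWeb's implementation or an official tool: it parses a CLI block in the form shown above into entries, computes the set of checks that matching entries switch off for a given request, and flags entries that are scoped to neither a host nor a source IP yet match every URL or omit the malformed request scan (the block-malformed-request row above advises using that only if absolutely necessary). The sample block reuses entry 1 from the example and adds two constructed entries; the source-ip keyword, the CIDR range form for it, and exact string matching for plain patterns are assumptions, not taken from the page.

```python
"""Model of FortiWeb HTTP protocol constraint exception matching (added example,
not FortiWeb code): parse a CLI block, list the checks an exception switches
off for a given request, and flag entries whose scope is very broad."""
import ipaddress
import re
import shlex
# Constructed sample: entry 1 from the page's example, plus a broad entry 3
# (regular expression, no host) and an entry 4 scoped by source IP. The
# "source-ip" keyword and CIDR range form are assumptions, not from the page.
SAMPLE_CONFIG = """
config waf HTTP-constraints-exceptions
  edit "exception1"
    config HTTP_constraints-exception-list
      edit 1
        set host "www.example.com"
        set host-status enable
        set max-HTTP-header-length enable
        set request-file "/login.asp"
      next
      edit 3
        set request-file ".*"
        set request-type regular
        set block-malformed-request enable
      next
      edit 4
        set request-file "/upload"
        set source-ip-status enable
        set source-ip "203.0.113.0/24"
        set max-HTTP-body-length enable
      next
    end
  next
end
"""
# Settings that select the request; any other setting at "enable" names a check to omit.
SELECTORS = {"request-file", "request-type", "host", "host-status",
             "source-ip", "source-ip-status"}


def parse_exceptions(text):
    """Return {exception_name: [entry dict, ...]} from a CLI block."""
    result, name, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and name is None:        # outer edit: exception name
            name, result[tokens[1]] = tokens[1], []
        elif tokens[0] == "edit":                         # inner edit: list entry
            entry = {"index": int(tokens[1]), "request-type": "plain",
                     "host-status": "disable", "source-ip-status": "disable", "skip": set()}
        elif tokens[0] == "set" and entry is not None:
            key, value = tokens[1], tokens[2]
            if key in SELECTORS:
                entry[key] = value
            elif value == "enable":
                entry["skip"].add(key)                    # constraint not enforced on matches
        elif tokens[0] == "next" and entry is not None:
            result[name].append(entry)
            entry = None
        elif tokens[0] == "next":
            name = None
    return result


def entry_matches(entry, host, path, client_ip):
    """Apply the documented selectors: URL pattern, then host, then source IP."""
    if entry["request-type"] == "regular":
        if re.fullmatch(entry["request-file"], path) is None:
            return False
    elif entry["request-file"] != path:                   # plain: exact match (assumption)
        return False
    if entry["host-status"] == "enable" and entry.get("host") != host:
        return False
    if entry["source-ip-status"] == "enable":
        allowed = ipaddress.ip_network(entry["source-ip"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False
    return True


def skipped_checks(entries, host, path, client_ip):
    """Union of the constraint checks that all matching entries switch off."""
    return set().union(*(e["skip"] for e in entries
                         if entry_matches(e, host, path, client_ip)))


def audit(entries):
    """Return (index, reason) for entries with neither host nor source IP scoping
    that also match every URL or omit the malformed request scan."""
    findings = []
    for e in entries:
        scoped = e["host-status"] == "enable" or e["source-ip-status"] == "enable"
        reasons = []
        if e["request-type"] == "regular" and e["request-file"] in (".*", ".+"):
            reasons.append("matches every URL")
        if "block-malformed-request" in e["skip"]:
            reasons.append("omits the malformed request scan")
        if not scoped and reasons:
            findings.append((e["index"], "; ".join(reasons)))
    return findings
```

Running parse_exceptions(SAMPLE_CONFIG)["exception1"] and then skipped_checks(...) for a request to www.example.com for /login.asp returns both max-HTTP-header-length (entry 1) and block-malformed-request (entry 3), while audit(...) reports only entry 3, because it is the sole entry that applies to every host and client. Running the same audit over an exported configuration is a quick way to review which exceptions widen the attack surface beyond one host and URL.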