CLI Reference

waf input-rule

Use this command to configure input rules.

Input rules define whether or not parameters are required, and set their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule.

Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.

For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.

To apply input rules, select them within a parameter validation rule. For details, see waf parameter-validation-rule.

Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf input-rule
    edit "<input-rule_name>"
        set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}
        set block-period <seconds_int>
        set host "<protected-host_name>"
        set host-status {enable | disable}
        set request-file "<url_str>"
        set request-type {plain | regular}
        set maximum-parameter-number <int>
        set json-parameter-support {enable | disable}
        set severity {High | Medium | Low | Info}
        set trigger "<trigger-policy_name>"
        config rule-list
            edit <entry_index>
                set type-checked {enable | disable}
                set argument-type {custom-data-type | data-type | regular-expression}
                set argument-name-type {plain | regular}
                set argument-name "<input_name>"
                set argument-expression "<regex_pattern>"
                set custom-data-type "<custom-data-type_name>"
                set data-type "<predefined_name>"
                set is-essential {yes | no}
                set max-length <limit_int>
                set location {url | body}
                set from-json {yes | no}
            next
        end
    next
end

Variable Description Default

"<input-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the input rules in the entry:

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.
  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

alert

block-period <seconds_int>

Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds.

This setting applies only if action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log} is block-period.

600

host "<protected-host_name>"

Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

This setting applies only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host "<protected-host_name>".

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

disable

request-file "<url_str>"

Depending on your selection in request-type {plain | regular}, enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a slash ( / ).
  • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern is not required to begin with a slash ( / ). However, it must at least match URLs that begin with a slash, such as /index.cfm.

Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-host_name>". The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

HTTPS://docs.fortinet.com/fortiweb/admin-guides

No default.

request-type {plain | regular}

Select whether request-file "<url_str>" will contain a literal URL (plain), or a regular expression designed to match multiple URLs (regular).

plain

maximum-parameter-number <int>

Limit the maximum number of parameters in a request.

The valid range is 0 to 1,024. When the value is 0, FortiWeb does not check the number of parameters.

0

json-parameter-support {enable | disable}

Enable to also check the parameters carried in JSON content.

The JSON data can be in either the URL or the body.

If enabled, the maximum-parameter-number count includes JSON parameters.

disable

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Low

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

is-essential {yes | no}

Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no.

no

max-length <limit_int>

Enter the maximum allowed length of the parameter value.

The valid range is 0–1,024. To disable the limit, enter 0.

0

location {url | body}

Specify where the parameter comes from. The parameter is checked only when it appears in the selected location.

You can select both url and body, for example, set location url body.

url body

from-json {yes | no}

Specify whether this parameter is from JSON.

You must also enable json-parameter-support for this option to function.

no

type-checked {enable | disable}

Enable to use predefined or configured data types when validating parameters. Also configure argument-type {custom-data-type | data-type | regular-expression}.

Disable to ignore data-type and custom-data-type settings.

disable

argument-type {custom-data-type | data-type | regular-expression}

Specify the type of argument.

data-type

argument-name-type {plain | regular}

Specify one of the following options:

  • plain—argument-name is the name attribute of the parameter’s input tag exactly as it appears in the form on the web page.
  • regular—argument-name is a regular expression designed to match the name attribute of the parameter’s input tag.

plain

argument-name "<input_name>"

If argument-name-type {plain | regular} is plain, specify the name of the input as it appears in the HTTP content, such as username. The maximum length is 63 characters.

If argument-name-type is regular, specify a regular expression designed to match the name attribute of the parameter’s input tag.

No default.

argument-expression "<regex_pattern>"

Enter a regular expression that matches all valid values, and no invalid values, for this input.

The maximum length is 2,071 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported.

custom-data-type "<custom-data-type_name>"

Enter the name of a custom data type, if any. The maximum length is 63 characters.

To display the list of custom data types, enter:

set custom-data-type ?

This setting applies only if type-checked {enable | disable} is enable.

No default.

data-type "<predefined_name>"

Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates).

To display available options, enter:

set data-type ?

For match descriptions of each option, see server-policy pattern data-type-group.

Alternatively, configure argument-type {custom-data-type | data-type | regular-expression}. If you configure argument-type, which also defines the parameters to which the input rule applies, it supersedes this option and this option is ignored.

No default.

Example

This example blocks and logs requests for the file named login.php that do not include a user name and password, both of which are required, or whose user name or password exceeds the 64-character limit.

config waf input-rule
    edit "input_rule1"
        set action alert_deny
        set request-file "/login.php?*"
        set request-type regular
        config rule-list
            edit 1
                set type-checked enable
                set argument-name "username"
                set argument-type data-type
                set data-type Email
                set is-essential yes
                set max-length 64
            next
            edit 2
                set type-checked enable
                set argument-name "password"
                set data-type String
                set is-essential yes
                set max-length 64
            next
        end
    next
end
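The evaluation that an input rule performs, modelled in Python as an added example (not FortiWeb code): it applies the rule-list semantics described above (is-essential, max-length, a regex standing in for the data type, location, maximum-parameter-number and json-parameter-support) to constructed requests for the login.php rule. The request-file regex and the Email pattern are assumptions, since the predefined data-type pattern is not shown on this page.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

@dataclass
class ParamRule:  # one rule-list entry; field names mirror the CLI keywords
    argument_name: str
    is_essential: bool = False
    max_length: int = 0                 # 0 disables the length limit
    argument_expression: str = ""       # regex the value must match; "" = no type check
    location: tuple = ("url", "body")   # the appliance default is both locations

@dataclass
class InputRule:
    request_file: str                   # regex on the path (request-type regular)
    rules: list
    maximum_parameter_number: int = 0   # 0 disables the parameter-count check
    json_parameter_support: bool = False

def collect_params(url, body, content_type, json_support):
    """Return (name, value, location) triples from the query string and the body."""
    query = urlsplit(url).query
    params = [(k, v, "url") for k, v in parse_qsl(query, keep_blank_values=True)]
    if content_type == "application/json":
        if json_support:  # JSON members count as parameters only when support is enabled
            params += [(k, str(v), "body") for k, v in json.loads(body).items()]
    elif body:
        params += [(k, v, "body") for k, v in parse_qsl(body, keep_blank_values=True)]
    return params

def evaluate(rule, url, body="", content_type="application/x-www-form-urlencoded"):
    """Return the violations for one request; an empty list means it passes."""
    if not re.search(rule.request_file, urlsplit(url).path):
        return []  # the input rule does not apply to this URL
    params = collect_params(url, body, content_type, rule.json_parameter_support)
    found = []
    if rule.maximum_parameter_number and len(params) > rule.maximum_parameter_number:
        found.append(f"parameter count {len(params)} > {rule.maximum_parameter_number}")
    for pr in rule.rules:
        values = [v for n, v, loc in params if n == pr.argument_name and loc in pr.location]
        if pr.is_essential and not values:
            found.append(f"{pr.argument_name}: required parameter missing")
        for v in values:
            if pr.max_length and len(v) > pr.max_length:
                found.append(f"{pr.argument_name}: length {len(v)} > {pr.max_length}")
            if pr.argument_expression and not re.fullmatch(pr.argument_expression, v):
                found.append(f"{pr.argument_name}: value fails type check")
    return found

# Constructed equivalent of input_rule1 above. The Email regex is a simplified stand-in
# for the predefined data type, whose real pattern is not shown on this page.
LOGIN_RULE = InputRule(
    request_file=r"^/login\.php$",
    rules=[
        ParamRule("username", is_essential=True, max_length=64,
                  argument_expression=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
        ParamRule("password", is_essential=True, max_length=64),
    ],
    maximum_parameter_number=3,
    json_parameter_support=True,
)
```

A request is accepted only when evaluate() returns an empty list; with json_parameter_support disabled, members of a JSON body are invisible to the rule, so both essential parameters would be reported missing.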
