waf graphql-validation rule

Variable	Description	Default
"<graphql_rule_name>"	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a GraphQL protection policy.	No default.
`host-status {enable \| disable}`	Enable to compare the GraphQL rule to the `Host: field` in the HTTP header. If enabled, also configure host "<host_name_str>".	disable
`host "<host_name_str>"`	Enter the name of a protected host that the `Host:` field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.	No default.
request-type {plain \| regular}	Select whether request-type {plain \| regular} must contain either: `plain`—The field is a string that the request URL must match exactly. `regular`—The field is a regular expression that defines a set of matching URLs.	No default.
request-url <string>	Depending on your selection for request-type {plain \| regular}, enter either: `plain`—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( `/` ). `regular`—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in host "<host_name_str>".	No default.
action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log}	Select one of the following actions that FortiWeb performs when a request violates the rule: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution:FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.	alert
block-period <period_int>	Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} is `block-period`. The valid range is 1–3,600 seconds.	`600`
severity {High Low \| Medium \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule: `Low` `Medium` `High` `Info`	Low
trigger "<trigger_policy_name>"	Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ?	No default.
enable-introspection {enable \| disable}	Enable to allow introspection queries.	disable
enable-fragment {enable \| disable}	Enable to allow fragments.	disable
graphql-data-size <integer>	It sets a limit on the size of the HTTP request body in the POST method or the size of URL parameters in the GET method.	1024
field-number <integer>	It limits the number of terminal fields within a query, thereby limiting the number of fields within objects.	256
value-size <integer>	It sets a maximum length on any user input value within a GraphQL query. If the value is an array, each item in the array is evaluated against the specified value size. If the value is an object, only the values contained within the object are compared to the value size, not the keys themselves.	256
object-depth <integer>	It limits the depth of a GraphQL query, which limits how deeply nested the query can be.	32
alias-batch-query {enable \| disable}	Enable this option to allow alias batching.	disable
alias-batch-query-number <integer>	It sets a limit on the number of queries that can be found within an alias batch. Only available when Alias Batching is enabled.	8
array-batch-query {enable \| disable}	Enable this option to allow array batching	disable
array-batch-query-number <integer>	It sets a limit on the number of queries that can be found within an array batch. Only available when Array Batching is enabled.	8
<graphql_policy_name>	Enter the name of a GraphQL protection policy. You will use the name to select the policy in other parts of the configuration.	No default.
<graphql-rule-list_id>	Enter the index number of an entry to create or modify a rule for the policy.	No default.
enable-signature-detection {enable \| disable}	Enable to scan for matches with signature attacks in GraphQL API requests.	disable
graphql_input_rule <graphql_input_rule_str>	Enter the sequence number of a GraphQL protection rule to add to the GraphQL protection policy.	No default.

Syntax

config waf graphql-validation rule

edit "<graphql_rule_name>"

set host-status {enable | disable}

set host "<host_name_str>"

set request-type {plain | regular}

set request-url <string>

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set severity {High Low | Medium | Info}

set trigger "<trigger_policy_name>"

set enable-introspection {enable | disable}

set enable-fragment {enable | disable}

set graphql-data-size <integer>

set field-number <integer>

set value-size <integer>

set object-depth <integer>

set alias-batch-query {enable | disable}

set alias-batch-query-number <integer>

set array-batch-query {enable | disable}

set array-batch-query-number <integer>

end

config waf graphql-validation policy

edit <graphql_policy_name>

set enable-signature-detection {enable | disable}

config input-rule-list

edit <graphql-rule-list_id>

set graphql_input_rule <graphql_input_rule_str>

end

Variable	Description	Default
"<graphql_rule_name>"	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a GraphQL protection policy.	No default.
`host-status {enable \| disable}`	Enable to compare the GraphQL rule to the `Host: field` in the HTTP header. If enabled, also configure host "<host_name_str>".	disable
`host "<host_name_str>"`	Enter the name of a protected host that the `Host:` field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.	No default.
request-type {plain \| regular}	Select whether request-type {plain \| regular} must contain either: `plain`—The field is a string that the request URL must match exactly. `regular`—The field is a regular expression that defines a set of matching URLs.	No default.
request-url <string>	Depending on your selection for request-type {plain \| regular}, enter either: `plain`—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( `/` ). `regular`—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in host "<host_name_str>".	No default.
action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log}	Select one of the following actions that FortiWeb performs when a request violates the rule: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure block-period <period_int>. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution:FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.	alert
block-period <period_int>	Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} is `block-period`. The valid range is 1–3,600 seconds.	`600`
severity {High Low \| Medium \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule: `Low` `Medium` `High` `Info`	Low
trigger "<trigger_policy_name>"	Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ?	No default.
enable-introspection {enable \| disable}	Enable to allow introspection queries.	disable
enable-fragment {enable \| disable}	Enable to allow fragments.	disable
graphql-data-size <integer>	It sets a limit on the size of the HTTP request body in the POST method or the size of URL parameters in the GET method.	1024
field-number <integer>	It limits the number of terminal fields within a query, thereby limiting the number of fields within objects.	256
value-size <integer>	It sets a maximum length on any user input value within a GraphQL query. If the value is an array, each item in the array is evaluated against the specified value size. If the value is an object, only the values contained within the object are compared to the value size, not the keys themselves.	256
object-depth <integer>	It limits the depth of a GraphQL query, which limits how deeply nested the query can be.	32
alias-batch-query {enable \| disable}	Enable this option to allow alias batching.	disable
alias-batch-query-number <integer>	It sets a limit on the number of queries that can be found within an alias batch. Only available when Alias Batching is enabled.	8
array-batch-query {enable \| disable}	Enable this option to allow array batching	disable
array-batch-query-number <integer>	It sets a limit on the number of queries that can be found within an array batch. Only available when Array Batching is enabled.	8
<graphql_policy_name>	Enter the name of a GraphQL protection policy. You will use the name to select the policy in other parts of the configuration.	No default.
<graphql-rule-list_id>	Enter the index number of an entry to create or modify a rule for the policy.	No default.
enable-signature-detection {enable \| disable}	Enable to scan for matches with signature attacks in GraphQL API requests.	disable
graphql_input_rule <graphql_input_rule_str>	Enter the sequence number of a GraphQL protection rule to add to the GraphQL protection policy.	No default.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

waf graphql-validation rule

waf graphql-validation rule

Syntax

Related topics

waf graphql-validation rule

waf graphql-validation rule

Syntax

Related topics