waf json-validation rule
Use this command to create JSON protection rules and configure JSON protection policies.
Syntax
config waf json-validation rule
  edit "<json_rule_name>"
    set host-status {enable | disable}
    set host "<host_name_str>"
    set request-type {plain | regular}
    set request-file "<request-file_str>"
    set schema-type {single-schema | schema-group}
    set schema-file "<schema_file_name>"
    set schema-group "<schema-group>"
    set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}
    set block-period "<seconds_int>"
    set severity {High | Medium | Low | Info}
    set trigger "<trigger_policy_name>"
    set json-limits {enable | disable}
    set json-data-size "<json-data-size_int>"
    set key-size "<key-size_int>"
    set key-number "<key-number_int>"
    set value-size "<value-size_int>"
    set value-number-in-array "<value-number-in-array_int>"
    set object-depth "<object-depth_int>"
  next
end
config waf json-validation policy
  edit "<json_policy_name>"
    set enable-signature-detection {enable | disable}
    config input-rule-list
      edit "<input-rule-list_id>"
        set json_input_rule "<json_input_rule_str>"
      next
    end
  next
end
| Variable | Description | Default |
|---|---|---|
| "<json_rule_name>" | Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a JSON protection policy. | No default. |
| host-status {enable \| disable} | Enable to apply the JSON rule only to requests whose Host: field matches the protected host specified by host. | disable |
| host "<host_name_str>" | Enter the name of a protected host that the Host: field of an HTTP request must match for the rule to apply. Used only when host-status is enable. | No default. |
| request-type {plain \| regular} | Select whether request-file must contain either a literal URL (plain) or a regular expression designed to match multiple URLs (regular). | No default. |
| request-file "<request-file_str>" | Depending on your selection for request-type, enter either the literal URL, such as /index.php, or a regular expression that matches the URL. Do not include the domain name. | No default. |
| schema-type {single-schema \| schema-group} | Select whether to use a single schema file or a schema group. If a request does not match the schema, it is considered a violation. | single-schema |
| schema-file "<schema_file_name>" | Select a schema file you have uploaded through the JSON Schema tab in API Protection > JSON Protection in the GUI. Schema files cannot be uploaded through the CLI. Used only when schema-type is single-schema. | No default. |
| schema-group "<schema-group>" | Select the name of a schema group you have created. Used only when schema-type is schema-group. | No default. |
| action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} | Select one of the listed actions that FortiWeb performs when a request violates the rule. Caution: FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. | alert |
| block-period "<seconds_int>" | Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when action is block-period. The valid range is 1–3,600 seconds. | |
| severity {High \| Medium \| Low \| Info} | When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule. | Low |
| trigger "<trigger_policy_name>" | Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ? | No default. |
| json-limits {enable \| disable} | Enable to define limits on the JSON data size, the number and size of keys, the number and size of values, and the object nesting depth. | |
| json-data-size "<json-data-size_int>" | Enter the maximum total size of the JSON data in a request. The valid range is 0–10240. | |
| key-size "<key-size_int>" | Enter the maximum key size of each object. The valid range is 0–10240. | |
| key-number "<key-number_int>" | Enter the maximum total number of keys in each JSON document. The valid range is 0–2147483647. | |
| value-size "<value-size_int>" | Enter the maximum value size of each key. The valid range is 0–10240. | |
| value-number-in-array "<value-number-in-array_int>" | Enter the maximum number of values in an array. The valid range is 0–2147483647. | |
| object-depth "<object-depth_int>" | Enter the maximum number of nested objects. The valid range is 0–2147483647. | |
| "<json_policy_name>" | Enter the name of a JSON protection policy. You will use the name to select the policy in other parts of the configuration. | No default. |
| "<input-rule-list_id>" | Enter the index number of an entry to create or modify a rule for the policy. | No default. |
| enable-signature-detection {enable \| disable} | Enable to scan for matches with attack and data leak signatures in JSON data submitted by clients in HTTP requests with Content-Type: values application/json or text/json. | disable |
| json_input_rule "<json_input_rule_str>" | Enter the name of a JSON protection rule to add to the JSON protection policy. | No default. |
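The json-limits settings above bound the shape of a JSON body before it reaches the application, which is what keeps a crafted body from exhausting a parser with extreme nesting, huge keys or oversized arrays. The following Python is an added example, not FortiWeb code and not how the appliance implements the checks: it models one limit per setting (the limit values are assumptions chosen to mirror the Example section below) and reports which limit a body exceeds. Size is checked before parsing so an oversized body costs no parse time, and the walk over the parsed document is iterative so a deep document cannot overflow the checker's own stack.

```python
import json

# Constructed limits mirroring the json-limits settings of the rule;
# the values are assumptions for this example, not FortiWeb defaults.
LIMITS = {
    "json-data-size": 1030,        # bytes of the whole JSON body
    "key-size": 100,               # bytes of any single object key
    "key-number": 300,             # total keys across all objects
    "value-size": 200,             # bytes of any single scalar value
    "value-number-in-array": 50,   # elements in any single array
    "object-depth": 60,            # nesting depth of objects/arrays
}


def measure(doc):
    """Walk a parsed JSON document and collect the metrics the limits
    refer to. An explicit stack is used instead of recursion so a hostile
    nesting depth cannot overflow the walker."""
    stats = {"key-number": 0, "key-size": 0, "value-size": 0,
             "value-number-in-array": 0, "object-depth": 0}
    stack = [(doc, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            stats["object-depth"] = max(stats["object-depth"], depth)
            stats["key-number"] += len(node)
            for key, value in node.items():
                stats["key-size"] = max(stats["key-size"], len(key.encode()))
                stack.append((value, depth + 1))
        elif isinstance(node, list):
            stats["object-depth"] = max(stats["object-depth"], depth)
            stats["value-number-in-array"] = max(
                stats["value-number-in-array"], len(node))
            for value in node:
                stack.append((value, depth + 1))
        else:
            # Scalar: measure it as serialized, so quotes count like they
            # do on the wire.
            encoded = json.dumps(node).encode()
            stats["value-size"] = max(stats["value-size"], len(encoded))
    return stats


def check_json_limits(body: bytes, limits=LIMITS):
    """Return a list of (limit, observed, allowed) tuples for every limit the
    body exceeds; an empty list means the body is within all limits."""
    if len(body) > limits["json-data-size"]:
        # Reject on raw size before spending any CPU on parsing.
        return [("json-data-size", len(body), limits["json-data-size"])]
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):
        # Not valid JSON, or nested beyond what the parser itself tolerates.
        return [("malformed-json", None, None)]
    stats = measure(doc)
    return [(name, observed, limits[name])
            for name, observed in stats.items() if observed > limits[name]]


# Constructed sample bodies.
OK_BODY = (b'{"user": "alice", "roles": ["admin", "dev"], '
           b'"prefs": {"theme": "dark"}}')
DEEP_BODY = b"[" * 70 + b"]" * 70            # 70 nested arrays
LONG_KEY_BODY = b'{"' + b"k" * 120 + b'": 1}'  # one 120-byte key
BIG_BODY = b'{"blob": "' + b"A" * 1100 + b'"}'  # exceeds json-data-size

if __name__ == "__main__":
    for label, body in [("ok", OK_BODY), ("deep", DEEP_BODY),
                        ("long-key", LONG_KEY_BODY), ("big", BIG_BODY)]:
        print(label, check_json_limits(body) or "within limits")
```

The order of the returned tuples follows the order of the metrics in measure(); a body that breaks several limits reports all of them, which is convenient when tuning the thresholds against real traffic samples.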
Example
The following example creates a JSON protection rule and applies the rule to a new JSON protection policy.
config waf json-validation rule
  edit "example_rule_name_1"
    set action block-period
    set block-period 3000
    set severity Medium
    set trigger "example_trigger_policy_name"
    set host-status enable
    set host "example_host_name"
    set request-type plain
    set request-file "/index.php"
    set schema-file "example_schema_file_name"
    set json-limits enable
    set json-data-size 1030
    set key-size 100
    set key-number 300
    set value-size 200
    set object-depth 60
  next
end
config waf json-validation policy
  edit "example_policy_name"
    config input-rule-list
      edit 1
        set json_input_rule "example_rule_name_1"
      next
    end
  next
end