Creating GraphQL protection rules

This section provides instructions to:

Create a GraphQL protection rule
Add a GraphQL protection rule to a GraphQL protection policy

To create a GraphQL protection rule

Go to API Protection > GraphQL Protection.
Select the GraphQL Protection Rule tab.
Click Create New.
Configure these settings:

Name	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a GraphQL protection policy. The maximum length is 63 characters.
Host status	Enable to compare the GraphQL rule to the `Host:` field in the HTTP header. If enabled, also configure Creating GraphQL protection rules.
Host	Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.
URL type	Select whether the URL of the GraphQL POST API request must contain either: Simple String—The field is a string that the URL must match exactly. Regular Expression—The field is a regular expression that defines a set of matching URLs.
Post URL	Depending on your selection in URL type , enter either: Simple String—Enter a literal URL, such as `/folder1/index.htm` that the POST API request must contain in order to match the rule, or use wildcards to match multiple URLs, such as `/folder1/` or `/folder1//index.htm`. The URL must begin with a slash ( `/` ). Regular Expression—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in Creating GraphQL protection rules. To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.
Payload Size	It sets a limit on the size of the HTTP request body in the POST method or the size of URL parameters in the GET method. The default value for this limit is 1024.
Value Size	It sets a maximum length on any user input value within a GraphQL query. The default value for this limit is 256. If the value is an array, each item in the array is evaluated against the specified value size. If the value is an object, only the values contained within the object are compared to the value size, not the keys themselves.
Field Number	It limits the number of terminal fields within a query, thereby limiting the number of fields within objects. The default value for this limit is 256.
Object Depth	It limits the depth of a GraphQL query, which limits how deeply nested the query can be. The default value is 32.
Alias Batching	Enable this option to allow alias batching and display the Alias Batching Number option.
Alias Batching Number	It sets a limit on the number of queries that can be found within an alias batch. The default value is 8. Only available when Alias Batching is enabled.
Array Batching	Enable this option to allow array batching and displays the Array Batching Number option.
Array Batching Number	It sets a limit on the number of queries that can be found within an array batch. The default value is 8. Only available when Array Batching is enabled.
Introspection Queries	Enable to allow introspection queries.
Enable Fragment	Enable to allow fragments.
Action	Select which action FortiWeb will take when it detects a violation of the rule: Alert—Accept the connection and generate an alert email and/or log message. Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages). Deny (no log)—Block the request (or reset the connection). Block Period —Block subsequent requests from the client for a number of seconds. Also configure Block Period . Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers. Client ID Block Period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure Period Block. Redirect—Redirect the request to the URL that you specify in the web protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason in the Redirect section in the web protection profile. Send 403 Forbidden—Reply with an HTTP `403 Access Forbidden` error message and generate an alert and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages). The default value is Alert. See also Reducing false positives. Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.
Block Period	Enter the amount of time (in seconds) that you want to block subsequent requests from a source IP or a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Block Period and Client ID Block Period. The valid range is 1–3,600 seconds (1 hour). For details about tracking blocked clients, see Blocked IPs.
Severity	When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated: Low Medium High Informative The default value is Low.
Trigger Policy	Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

Click OK.

To add a GraphQL protection rule to a GraphQL protection policy

For details about creating a GraphQL protection policy, see Creating GraphQL protection policy.

Go to API Protection > GraphQL Protection.
Select the GraphQL Protection Policy tab.
Select the existing GraphQL protection policy to which you want to add the GraphQL protection rule.
Click Edit.
Click Create New.
For Rule, select the GraphQL protection rule that you want to include in the GraphQL protection policy.
Note: To view details about a selected GraphQL protection rule, click the view icon next to the drop down list.
Click OK.
Repeat Steps 4-6 for as many GraphQL protection rules as you want to add to the GraphQL protection policy.

Creating GraphQL protection rules

This section provides instructions to:

Create a GraphQL protection rule
Add a GraphQL protection rule to a GraphQL protection policy

To create a GraphQL protection rule

Go to API Protection > GraphQL Protection.
Select the GraphQL Protection Rule tab.
Click Create New.
Configure these settings:

Name	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in a GraphQL protection policy. The maximum length is 63 characters.
Host status	Enable to compare the GraphQL rule to the `Host:` field in the HTTP header. If enabled, also configure Creating GraphQL protection rules.
Host	Select the IP address or FQDN of a protected host. For details, see Defining your protected/allowed HTTP “Host:” header names.
URL type	Select whether the URL of the GraphQL POST API request must contain either: Simple String—The field is a string that the URL must match exactly. Regular Expression—The field is a regular expression that defines a set of matching URLs.
Post URL	Depending on your selection in URL type , enter either: Simple String—Enter a literal URL, such as `/folder1/index.htm` that the POST API request must contain in order to match the rule, or use wildcards to match multiple URLs, such as `/folder1/` or `/folder1//index.htm`. The URL must begin with a slash ( `/` ). Regular Expression—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in Creating GraphQL protection rules. To test a regular expression, click the >> (test) icon. This icon opens the Regular Expression Validator window from which you can fine-tune the expression. For details, see Regular expression syntax and Cookbook regular expressions.
Payload Size	It sets a limit on the size of the HTTP request body in the POST method or the size of URL parameters in the GET method. The default value for this limit is 1024.
Value Size	It sets a maximum length on any user input value within a GraphQL query. The default value for this limit is 256. If the value is an array, each item in the array is evaluated against the specified value size. If the value is an object, only the values contained within the object are compared to the value size, not the keys themselves.
Field Number	It limits the number of terminal fields within a query, thereby limiting the number of fields within objects. The default value for this limit is 256.
Object Depth	It limits the depth of a GraphQL query, which limits how deeply nested the query can be. The default value is 32.
Alias Batching	Enable this option to allow alias batching and display the Alias Batching Number option.
Alias Batching Number	It sets a limit on the number of queries that can be found within an alias batch. The default value is 8. Only available when Alias Batching is enabled.
Array Batching	Enable this option to allow array batching and displays the Array Batching Number option.
Array Batching Number	It sets a limit on the number of queries that can be found within an array batch. The default value is 8. Only available when Array Batching is enabled.
Introspection Queries	Enable to allow introspection queries.
Enable Fragment	Enable to allow fragments.
Action	Select which action FortiWeb will take when it detects a violation of the rule: Alert—Accept the connection and generate an alert email and/or log message. Alert & Deny—Block the request (or reset the connection) and generate an alert and /or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages). Deny (no log)—Block the request (or reset the connection). Block Period —Block subsequent requests from the client for a number of seconds. Also configure Block Period . Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers. Client ID Block Period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure Period Block. Redirect—Redirect the request to the URL that you specify in the web protection profile and generate an alert and/or log message. Also configure Redirect URL and Redirect URL With Reason in the Redirect section in the web protection profile. Send 403 Forbidden—Reply with an HTTP `403 Access Forbidden` error message and generate an alert and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages). The default value is Alert. See also Reducing false positives. Note: Logging will occur only if enabled and configured. For details, see Logging and Alert email.
Block Period	Enter the amount of time (in seconds) that you want to block subsequent requests from a source IP or a client after FortiWeb detects a rule violation. This setting is available only when Action is set to Block Period and Client ID Block Period. The valid range is 1–3,600 seconds (1 hour). For details about tracking blocked clients, see Blocked IPs.
Severity	When FortiWeb records rule violations in the attack log, each log message contains a Severity Level field. Select the severity level that FortiWeb will record when the rule is vioated: Low Medium High Informative The default value is Low.
Trigger Policy	Select the trigger, if any, that FortiWeb carries out when it logs and/or sends an alert email about a rule violation. For details, see Viewing log messages.

Click OK.

To add a GraphQL protection rule to a GraphQL protection policy

For details about creating a GraphQL protection policy, see Creating GraphQL protection policy.

Go to API Protection > GraphQL Protection.
Select the GraphQL Protection Policy tab.
Select the existing GraphQL protection policy to which you want to add the GraphQL protection rule.
Click Edit.
Click Create New.
For Rule, select the GraphQL protection rule that you want to include in the GraphQL protection policy.
Note: To view details about a selected GraphQL protection rule, click the view icon next to the drop down list.
Click OK.
Repeat Steps 4-6 for as many GraphQL protection rules as you want to add to the GraphQL protection policy.