CLI Reference

waf custom-access rule

Use this command to configure custom access rules.

What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t been infected by malware whose access rate is contributing to a DoS?

Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria:

  • Source IP
  • User
  • HTTP Session
  • Rate limit (including rate limiting for specific types of content)
  • HTTP header or response code
  • URL
  • Predefined or custom attack or data leak signature violation
  • Transaction or packet interval timeout
  • Real browser enforcement
  • CAPTCHA enforcement

In the rule, add all criteria that you require allowed traffic to match.

Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom access policy. For details, see waf custom-access policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf custom-access rule

edit "<custom-access_name>"

set action {alert | alert_deny | block-period | deny_no_log | redirect}

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

config access-limit-filter

edit <entry_index>

set access-rate-limit <rate_int>

next

end

config HTTP-header-filter

edit <entry_index>

set header-name-type {custom | predefined}

set header-field-check {enable | disable}

set predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

set pre-header-type {plain | regular}

set pre-header-rev-match {enable | disable}

set custom-header-name "<key_str>"

set cus-header-type {plain | regular}

set cus-header-name-type {plain | regular}

set cus-header-rev-match {enable | disable}

set header-value "<value_str>"

set HTTP-hline-missing-check {enable | disable}

set HTTP-hline-empty-check {enable | disable}

set basic-scheme-check {enable | disable}

set HTTP-method-check {enable | disable}

set HTTP-method-value-type {plain | regular}

set HTTP-method-value "<HTTP-method-value_str>"

set HTTP-method-rev-match {enable | disable}

next

end

config method

edit <entry_index>

set method-type {predefined|custom}

set predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}

set custom-method-type {plain |regular}

set custom-method-value <string>

set method-reverse-match {enable|disable}

next

end

config source-ip-filter

edit <entry_index>

set source-ip <ip_range>

set exclusive-match {no | yes}

next

end

config user-filter

edit <entry_index>

set reverse-match {no | yes}

set user-name "<user-name_str>"

next

end

config geo-filter

edit <entry_index>

set match-exclusive {yes | no}

set country-list <country-list_str>

next

end

config url-filter

edit <entry_index>

set request-file "<url_str>"

set reverse-match {no | yes}

next

end

config HTTP-transaction

edit <entry_index>

set HTTP-transation-timeout "<timeout_int>"

next

end

config response-code

edit <entry_index>

set <response-code_int>

set response-code-max <response-code_int>

set response-code-rev-match {enable | disable}

next

end

config content-type

edit <entry_index>

set {text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

set content-type-rev-match {enable | disable}

next

end

config packet-interval

edit <entry_index>

set packet-interval-timeout <timeout_int>

next

end

config parameter

edit <entry_index>

set name-type {plain |regular}

set name <parameter_name>

set value-check {enable | disable}

set value <value_regular_expression>

set location-check {enable | disable}

set location {URL | HTTP-body}

set parameter-rev-match {enable | disable}

next

end

config signature-class

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

set status {enable | disable}

next

end

config custom-signature

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

next

end

config occurrence

edit <entry_index>

set occurrence-num "<occurrence_int>"

set within "<within_int>"

set percentage-flag {enable | disable}

set percentage "<percentage_int>"

set traced-by {Source-IP | User | Http-Session}

next

end

next

end

Variable Description Default

"<custom-access_name>"

Enter the name of a new or existing custom access rule. The maximum length is 63 characters.

To display a list of the existing rules, enter:

edit ?

No default.

action {alert | alert_deny | block-period | deny_no_log | redirect}

Select the specific action to be taken when the request matches the signature.

  • alert—Accept the request and generate an alert email and/or log message.
    Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

  • deny_no_log—Deny a request. Do not generate a log message.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

alert

block-period <seconds_int>

Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule.

The block period is shared by all clients whose traffic originates from the source IP address.

The valid range is 1–3,600 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int>, or doesn't fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page. CAPTCHA verification is not presented again for bot confirmation to the same user within a 10-minute timeout.

  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • disable—Disable this option to simply apply the access rule.

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

mobile-app-identification {disabled | mobile-token-validation}

For mobile clients that cannot execute JavaScript or CAPTCHA, FortiWeb can verify that the request is legitimate by validating the JWT token that a mobile application carries when it accesses a web server.

Disabled

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specifies the maximum amount of time that FortiWeb waits for results from the web browser test. The valid range is 5–30.

20

config access-limit-filter

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

access-rate-limit <rate_int>

Enter the rate threshold for source IP addresses.

The valid range is 1–65535. To disable the rate limit, enter 0.

Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client.

1

config HTTP-header-filter

header-name-type {custom | predefined}

Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} or custom-header-name "<key_str>".

predefined

header-field-check {enable | disable}

Enable/disable checking the HTTP header field.

No default.

predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

Select the name (key) of the HTTP header such as Accept: that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is predefined.

host

pre-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

pre-header-rev-match {enable | disable}

Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} and header-value "<value_str>" when determining whether or not this condition has been met.

  • disable—If the header value or regular expression does match the request object, the condition is met.
  • enable—If the header value or regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

custom-header-name "<key_str>"

Enter the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed.

For example, if the specified name is test, then both atest, test1, atest1 will be considered a match.

This field appears only if header-name-type {custom | predefined} is custom.

No default.

cus-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

cus-header-name-type {plain | regular}

Indicate whether custom-header-name "<key_str>" is a literal header name (plain) or a regular expression that indicates multiple possible valid header names (regular).

plain

cus-header-rev-match {enable | disable}

Indicate how to use custom-header-name "<key_str>" and header-value "<value_str>" when determining whether or not this condition has been met.

  • disable—If the header name and value (or regular expression) do match the request object, the condition is met.
  • enable—If the header name and value (or regular expression) do not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

HTTP-hline-empty-check {enable | disable}

If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty.

The HTTP-hline-empty-check checks whether a certain header has empty value.

disable

basic-scheme-check {enable | disable}

Enable to check for a misformatted Basic authentication scheme in the Authorization header.

This field appears only when:

  • header-name-type is predefined.

  • predefined-header is authorization

  • HTTP-hline-missing-check is disable

  • HTTP-hline-empty-check is disable

disable

HTTP-method-check {enable | disable}

Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field.

disable

HTTP-method-value-type {plain | regular}

Select a plain string or regular string.

No default.

HTTP-method-value "<HTTP-method-value_str>"

To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

No default.

HTTP-method-rev-match {enable | disable}

When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.

disable

HTTP-hline-missing-check {enable | disable}

If you enable HTTP-hline-missing-check, the request matches the condition if it does not contain the specified header name.

The HTTP-hline-missing-check checks whether a certain header is missing.

HTTP-hline-empty-check and HTTP-hline-missing-check can't be enabled at the same time.

This setting does not take effect for HTTP/2 requests that lack any of the following pseudo-headers:

  • :method
  • :scheme
  • :path
  • :authority
  • :status

HTTP/2 requests without these headers are never evaluated against the HTTP-hline-missing-check setting: FortiWeb treats them as illegitimate and discards them as soon as they arrive.

disable

header-value "<value_str>"

Depending on your selection in pre-header-type {plain | regular}, either:

  • Type the literal header value that the specified HTTP header must contain in order to match the filter. Value matching is case sensitive.
    For example, if the specified name is test, then both atest, test1, atest1 will be considered a match.
    If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.
  • Type a regular expression, such as 192\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match.

For details about language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

For example, entering the value 192.0.2.1 would also match the IPs 192.0.2.10-19 and 192.0.2.100-199. This result may be unintended. The better solution would be to configure either:

  • A regular expression such as ^192\.0\.2\.1$ or
  • A source IP condition instead of an HTTP header condition
No default.
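The accidental-match pitfall described above is easy to reproduce. The following Python model is an added example, not FortiWeb code: it implements the semantics the page states for one HTTP-header-filter entry (plain value = case-sensitive substring, plain custom-header-name = substring, regular = regular expression, rev-match = inverted result, plus the missing and empty checks). Case-insensitive comparison of header names is an assumption based on HTTP, and the sample headers are constructed.

```python
import re

# Illustrative model of one HTTP-header-filter entry; assumed semantics, not FortiWeb code.
# From the page: a plain header-value is a case-sensitive substring match, a plain
# custom-header-name is also matched as a substring ('test' matches 'atest1'),
# 'regular' values are regular expressions, and rev-match inverts the result.
# Header names are compared case-insensitively here (an assumption based on HTTP).


def _matching_header_values(headers, name, name_type="plain"):
    """Return the values of all headers whose name matches `name`."""
    values = []
    for key, value in headers.items():
        if name_type == "plain":
            hit = name.lower() in key.lower()
        else:
            hit = re.search(name, key, re.IGNORECASE) is not None
        if hit:
            values.append(value)
    return values


def header_matches(headers, name, value="", value_type="plain", name_type="plain",
                   reverse=False, missing_check=False, empty_check=False):
    """Evaluate one header condition. headers: dict of header name -> value."""
    values = _matching_header_values(headers, name, name_type)
    if missing_check:                    # HTTP-hline-missing-check: header absent
        return not values
    if empty_check:                      # HTTP-hline-empty-check: header present but empty
        return any(v == "" for v in values)
    if value_type == "plain":
        matched = any(value in v for v in values)                 # case-sensitive substring
    else:
        matched = any(re.search(value, v) is not None for v in values)
    return (not matched) if reverse else matched                  # rev-match inverts


def pitfall_demo():
    """The accidental-match case from the page: the plain value 192.0.2.1 also
    matches 192.0.2.10, whereas the anchored regular expression does not.
    Sample headers are constructed for this example."""
    exact = {"X-Forwarded-For": "192.0.2.1"}
    longer = {"X-Forwarded-For": "192.0.2.10"}
    plain = (header_matches(exact, "X-Forwarded-For", "192.0.2.1"),
             header_matches(longer, "X-Forwarded-For", "192.0.2.1"))
    anchored = (header_matches(exact, "X-Forwarded-For", r"^192\.0\.2\.1$", "regular"),
                header_matches(longer, "X-Forwarded-For", r"^192\.0\.2\.1$", "regular"))
    return plain, anchored


if __name__ == "__main__":
    plain, anchored = pitfall_demo()
    print("plain substring:", plain, "anchored regex:", anchored)
```

Running it shows the plain value matching both addresses while the anchored expression matches only the exact one; the same substring behaviour applies to a plain custom-header-name, which is why the page recommends specifying as much of the value as possible or using a source IP condition instead.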

config method

method-type {predefined|custom}

Configure the HTTP methods that FortiWeb will search for in the header field.

Select whether to use the predefined method types or define custom types.

predefined

predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}

Select the methods that FortiWeb will search for in the header field.

Note that if you select only WEBDAV, some of the methods that WEBDAV includes (GET, HEAD, POST, DELETE, PUT) are not scanned by the system, and WEBDAV-related attack log entries do not contain the WEBDAV keyword; instead, they are shown as individual method violations.

No default.

custom-method-type {plain |regular}

If you have defined custom for method-type, then select whether to use plain string or regular string.

plain

custom-method-value <string>

To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

No default.

method-reverse-match {enable|disable}

Enable method-reverse-match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.

disable

config source-ip-filter

source-ip <ip_range>

Enter the IP address or IP address range that specifies the clients that FortiWeb allows.

For example:

  • 1.2.3.4
  • 2001::1
  • 1.2.3.4-1.2.3.40
  • 2001::1-2001::100

Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for), this may be the IP address that is indicated in an HTTP header rather than the IP header.

No default.
exclusive-match {no | yes}

Set whether the condition can be met when the source IP does not match.

No

config user-filter

user-name "<user-name_str>"

Enter the user name to match.

No default.

reverse-match {no | yes}

Indicate how to use user-name "<user-name_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the user name, the condition is met.
  • yes—If the regular expression does not match the user name, the condition is met.

The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

no

config url-filter

request-file "<url_str>"

Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes}.

For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {yes | no}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {yes | no}.

No default.

reverse-match {no | yes}

Indicate how to use request-file "<url_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the request URL, the condition is met.
  • yes—If the regular expression does not match the request URL, the condition is met.

    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).
no

config HTTP-transaction

HTTP-transation-timeout "<timeout_int>"

Enter a timeout value of 1–3600 seconds.

If the lifetime of a HTTP transaction exceeds this value, the transaction matches this condition.

5

config response-code

<response-code_int>

Specify the start and end code in a range of HTTP response codes.

To specify a single code, enter the same value for the start and end codes (for example, 404-404); to specify a range, enter different start and end codes (for example, 500-503).

If its HTTP response code is within this range, the HTTP transaction matches this condition.

404

response-code-max <response-code_int>

Specify the maximum start and end code in a range of HTTP response codes.

No default.

response-code-rev-match {enable | disable}

Enable it so that the response matches the condition if the code is not in the specified range.

disable

config content-type

{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

Specify a file content type to match.

Use with occurrence to detect and control web scraping (content scraping) activity.

application/soap+xml application/xml(or)text/xml text/html text/plain application/json application/octet-stream text/javascript text/css

content-type-rev-match {enable | disable}

Enable it so that the content type matches the condition if it's not the specified type.

disable

config packet-interval

packet-interval-timeout <timeout_int>

Specify the maximum number of seconds allowed between packets arriving from either the client or the server (request or response packets). Enter a value from 1 to 60.

If the interval exceeds this value, the HTTP transaction matches this condition.

1

config parameter

name-type {plain |regular}

Indicate whether the parameter name is a literal value (plain) or a regular expression that indicates multiple possible valid values (regular).

plain

name <parameter_name>

Enter either a literal value or a regular expression to match the parameter name.

No default.

value-check {enable | disable}

Enable to check the value of the specified parameters.

disable

value <value_regular_expression>

Enter a regular expression to match the parameter value.

No default.

location-check {enable | disable}

By default, the system searches for the parameters in both the URL and the HTTP body. Enable Location Check to restrict the search to either the URL or the HTTP body.

disable

location {URL | HTTP-body}

Specify whether to scan the parameters in URL or HTTP body.

No default.

parameter-rev-match {enable | disable}

Enable parameter-rev-match so that the request matches the condition if the URL or HTTP body does not contain the specified parameter names or values.

disable

config signature-class

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

Specify the ID of a signature class.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

status {enable | disable}

Specify whether the HTTP transaction matches this condition if it matches the specified signature.

disable

config custom-signature

custom-signature-enable {enable | disable}

Specify whether the current custom signature filter is enabled.

disable

{custom-signature-group | custom-signature}

Specify whether "<custom-signature-name_str>" specifies a custom signature group or an individual signature.

custom-signature-group

"<custom-signature-name_str>"

Specify the custom signature group or individual signature to match.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

config occurrence

occurrence-num "<occurrence_int>"

Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within.

Enter a value between 1–100,000.

If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

1

within "<within_int>"

Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule.

Enter a value between 1–600.

1

percentage-flag {enable | disable}

Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>".

disable

percentage "<percentage_int>"

The maximum rate of matches with other filter types in the current rule, expressed as percent of hits.

If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

No default.

traced-by {Source-IP | User | Http-Session}

Specify how FortiWeb counts matches when determining the rate at which a transaction matches other filter types in the current rule: by source client IP address, by user, or by HTTP session.

To specify user, ensure that the value of client-management {enable | disable} is enable.

source-ip

config geo-filter

<entry_index>

Enter the index number of the individual entry in the table.

No default.

match-exclusive {yes | no}

If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select.

No

country-list <country-list_str>

Enter the countries to match.

No default.

Example

This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the client does not exceed 5 requests per second.

Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the network administrator.

config waf custom-access rule

edit "combo-IP-rate-URL-rule1"

set action block-period

set severity High

set trigger "notification-servers1"

config access-limit-filter

edit 1

set access-rate-limit 5

next

end

config source-ip-filter

edit 1

set source-ip "192.0.2.5"

next

end

config url-filter

edit 1

set request-file "^/admin"

next

end

next

end

config waf custom-access policy

edit "combo-IP-rate-URL-policy1"

config rule

edit 1

set rule-name "combo-IP-rate-URL-rule1"

next

end

next

end
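To make the combined evaluation concrete, the following Python model runs the example rule above (source IP 192.0.2.5, URLs beginning with /admin, more than 5 requests per second, block-period action) over constructed traffic, and also models the occurrence filter described earlier (a count of matching transactions within a window). It is an added example, not FortiWeb code; the ANDing of filters, the 1-second sliding window for access-rate-limit, counting only transactions that matched the other filters, and per-source-IP tracing are assumptions stated in the comments.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Assumed semantics (illustrative model, not FortiWeb's implementation):
# - every configured filter must match for the rule to fire (criteria are ANDed);
# - access-rate-limit counts matching requests per source IP in a 1-second sliding window;
# - occurrence counts matching transactions per source IP in a `within`-second window;
# - a firing rule with action block-period blocks the source IP for block_period seconds.


def parse_ip_range(spec):
    """Parse the source-ip forms the page lists: '1.2.3.4', '2001::1',
    '1.2.3.4-1.2.3.40', '2001::1-2001::100'. Returns (low, high) addresses."""
    lo, _, hi = spec.strip('"').partition("-")
    lo_ip = ipaddress.ip_address(lo.strip())
    hi_ip = ipaddress.ip_address(hi.strip()) if hi else lo_ip
    if lo_ip.version != hi_ip.version or hi_ip < lo_ip:
        raise ValueError(f"invalid source-ip range: {spec}")
    return lo_ip, hi_ip


def ip_in_range(ip, rng):
    """True if ip lies inside the (low, high) range and is the same IP version."""
    addr = ipaddress.ip_address(ip)
    lo, hi = rng
    return addr.version == lo.version and lo <= addr <= hi


def _hits_in_window(history, ts, window):
    """Record a hit at ts, expire hits older than `window` seconds, return the count."""
    history.append(ts)
    while history and history[0] <= ts - window:
        history.popleft()
    return len(history)


class CustomAccessRule:
    def __init__(self, source_ip, request_file, reverse_match=False,
                 access_rate_limit=0, block_period=600, occurrence_num=0, within=1):
        self.source_range = parse_ip_range(source_ip)
        self.url_re = re.compile(request_file)      # request-file is a regular expression
        self.reverse_match = reverse_match          # url-filter reverse-match
        self.access_rate_limit = access_rate_limit  # 0 disables the rate limit, as on the page
        self.block_period = block_period            # seconds, for action block-period
        self.occurrence_num = occurrence_num        # 0 = no occurrence filter (assumed)
        self.within = within
        self.rate_hist = defaultdict(deque)
        self.occ_hist = defaultdict(deque)
        self.blocked_until = {}

    def evaluate(self, ts, src_ip, url):
        """Return 'blocked' (block period still running), 'violation' (rule fired
        on this request) or 'allow'."""
        if self.blocked_until.get(src_ip, float("-inf")) > ts:
            return "blocked"
        url_hit = self.url_re.search(url) is not None
        if self.reverse_match:
            url_hit = not url_hit
        if not (ip_in_range(src_ip, self.source_range) and url_hit):
            return "allow"          # the non-counting filters did not all match
        # counting filters only see transactions that matched the filters above
        rate_hit = True
        if self.access_rate_limit:
            rate_hit = _hits_in_window(self.rate_hist[src_ip], ts, 1.0) > self.access_rate_limit
        occ_hit = True
        if self.occurrence_num:
            occ_hit = _hits_in_window(self.occ_hist[src_ip], ts, self.within) > self.occurrence_num
        if rate_hit and occ_hit:
            self.blocked_until[src_ip] = ts + self.block_period
            return "violation"
        return "allow"


def simulate_example():
    """Run the page's example rule over constructed traffic: a burst of /admin
    requests from 192.0.2.5, one request from another IP, then requests after
    the 60-second block period used in the example."""
    rule = CustomAccessRule(source_ip="192.0.2.5", request_file="^/admin",
                            access_rate_limit=5, block_period=60)
    t = 100.0
    results = [rule.evaluate(t + i * 0.1, "192.0.2.5", "/admin/users") for i in range(7)]
    results.append(rule.evaluate(t + 0.8, "198.51.100.7", "/admin/users"))  # other source IP
    results.append(rule.evaluate(t + 30.0, "192.0.2.5", "/admin/users"))    # still blocked
    results.append(rule.evaluate(t + 61.0, "192.0.2.5", "/admin/users"))    # block expired
    results.append(rule.evaluate(t + 61.1, "192.0.2.5", "/index.html"))     # URL does not match
    return results


if __name__ == "__main__":
    for i, verdict in enumerate(simulate_example(), 1):
        print(f"request {i}: {verdict}")
```

The trace shows the first five /admin requests in the same second being allowed, the sixth firing the rule and starting the block period, later requests from the same IP being blocked until the period expires, and traffic from another source IP or to another URL never matching the rule at all, which is the ANDed-criteria behaviour the introduction describes.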

Related topics

waf custom-access rule

waf custom-access rule

Use this command to configure custom access rules.

What if you want to allow a web crawler, but only if it is not too demanding, and comes from a source IP that is known to be legitimate for that crawler? What if you want to allow only a client that is a senior manager’s IP, and only if it hasn’t been infected by malware whose access rate is contributing to a DoS?

Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria:

  • Source IP
  • User
  • HTTP Session
  • Rate limit (including rate limiting for specific types of content)
  • HTTP header or response code
  • URL
  • Predefined or custom attack or data leak signature violation
  • Transaction or packet interval timeout
  • Real browser enforcement
  • CAPTCHA enforcement

In the rule, add all criteria that you require allowed traffic to match.

Before you can apply a custom access rule, you must first group it with any others that you want to apply in a custom access policy. For details, see waf custom-access policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf custom-access rule

edit "<custom-access_name>"

set action {alert | alert_deny | block-period | deny_no_log | redirect}

set block-period <seconds_int>

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

set bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

set recaptcha <recaptcha_server_name>

set max-attempt-times <attempts_int>

set validation-timeout <seconds_int>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

config access-limit-filter

edit <entry_index>

set access-rate-limit <rate_int>

next

end

config HTTP-header-filter

edit <entry_index>

set header-name-type {custom | predefined}

set header-field-check {enable | disable}

set predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

set pre-header-type {plain | regular}

set pre-header-rev-match {enable | disable}

set custom-header-name "<key_str>"

set cus-header-type {plain | regular}

set cus-header-name-type {plain | regular}

set cus-header-rev-match {enable | disable}

set header-value "<value_str>"

set HTTP-hline-missing-check {enable | disable}

set HTTP-hline-empty-check {enable | disable}

set basic-scheme-check {enable | disable}

set HTTP-method-check {enable | disable}

set HTTP-method-value-type {plain | regular}

set HTTP-method-value "<HTTP-method-value_str>"

set HTTP-method-rev-match {enable | disable}

next

end

config method

edit <entry_index>

set method-type {predefined|custom}

set predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}

set custom-method-type {plain |regular}

set custom-method-value <string>

set method-reverse-match {enable|disable}

next

end

config source-ip-filter

edit <entry_index>

set source-ip <ip_range>

set exclusive-match {no | yes}

next

end

config user-filter

edit <entry_index>

set reverse-match {no | yes}

set user-name "<user-name_str>"

next

end

config geo-filter

edit <entry_index>

set match-exclusive {yes | no}

set country-list <country-list_str>

next

end

config url-filter

edit <entry_index>

set request-file "<url_str>"

set reverse-match {no | yes}

next

end

config HTTP-transaction

edit <entry_index>

set HTTP-transation-timeout "<timeout_int>"

next

end

config response-code

edit <entry_index>

set <response-code_int>

set response-code-max <response-code_int>

set response-code-rev-match {enable | disable}

next

end

config content-type

edit <entry_index>

set {text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

set content-type-rev-match {enable | disable}

next

end

config packet-interval

edit <entry_index>

set packet-interval-timeout <timeout_int>

next

end

config parameter

edit <entry_index>

set name-type {plain |regular}

set name <parameter_name>

set value-check {enable | disable}

set value <value_regular_expression>

set location-check {enable | disable}

set location {URL | HTTP-body}

set parameter-rev-match {enable | disable}

next

end

config signature-class

edit {010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000| 100000000 | 110000000 | 120000000}

set status {enable | disable}

next

end

config custom-signature

edit <entry_index>

set custom-signature-enable {enable | disable}

set {custom-signature-group | custom-signature}

set "<custom-signature-name_str>"

next

end

config occurrence

edit <entry_index>

set occurrence-num "<occurrence_int>"

set within "<within_int>"

set percentage-flag {enable | disable}

set percentage "<percentage_int>"

set traced-by {Source-IP | User | Http-Session}

next

end

next

end

Variable Description Default

"<custom-access_name>"

Enter the name of a new or existing custom access rule. The maximum length is 63 characters.

To display a list of the existing rule, enter:

edit ?

No default.

action {alert | alert_deny | block-period | deny_no_log | redirect}

Select the specific action to be taken when the request matches the signature.

  • alert—Accept the request and generate an alert email and/or log message.
    Note: If type {request | response} is response, it does not cloak, except for removing sensitive headers. Sensitive information in the body remains unaltered.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message. This option is applicable only if type is signature-creation.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

  • deny_no_log—Deny a request. Do not generate a log message.
    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.

alert

block-period <seconds_int>

Enter the length of time (in seconds) for which the FortiWeb appliance will block additional requests after a source IP address violates this rule.

The block period is shared by all clients whose traffic originates from the source IP address.

The valid range is 1–3,600 seconds.

600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the max-attempt-times <attempts_int>, or doesn't fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the validation-timeout <seconds_int>, FortiWeb applies the action and sends the CAPTCHA block page. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout.

  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • disable—Disable this option to simply apply the access rule.

disable

recaptcha <recaptcha_server_name>

Enter the name of the reCAPTCHA server you have created through user recaptcha-user.

No default.

mobile-app-identification {disabled | mobile-token-validation}

For mobile clients that cannot execute JavaScript or CAPTCHA, FortiWeb can verify that the request is legitimate by validating the JWT token a mobile application carries when it accesses a web server.

Disabled

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

max-attempt-times <attempts_int>

If captcha-enforcement is selected for bot-recognition {captcha-enforcement | recaptcha-enforcement | real-browser-enforcement | disable}, enter the maximum number of times a client may attempt to fulfill a CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement is selected for bot-recognition.

3

validation-timeout <seconds_int>

Specifies the maximum amount of time that FortiWeb waits for results from the web browser test. The valid range is 5–30.

20

config access-limit-filter

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

access-rate-limit <rate_int>

Enter the rate threshold for source IP addresses.

The valid range is 1–65535. To disable the rate limit, enter 0.

Note: Blocking a shared source IP address could block innocent clients that share the same source IP address with an offending client.

1

config HTTP-header-filter

header-name-type {custom | predefined}

Select whether to define the HTTP header filter by selecting a predefined HTTP header name, or by typing the name of a custom HTTP header. Also configure header-value "<value_str>" and, depending on which you indicate in this option, either:

predefined

header-field-check {enable | disable}

Enable/disable checking the HTTP header field.

No default.

predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept}

Select the name (key) of the HTTP header such as Accept: that must be present in order for the request to be allowed.

This field appears only if header-name-type {custom | predefined} is predefined.

host

pre-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

pre-header-rev-match {enable | disable}

Indicate how to use predefined-header {host | connection | authorization | x-pad | cookie | referer | user-agent | X-Forwarded-For | Accept} and header-value "<value_str>" when determining whether or not this condition has been met.

  • disable—If the regular expression does match the request object, the condition is met.
  • enable—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

custom-header-name "<key_str>"

Enter the name (key) without the trailing colon ( : ), such as X-Real-IP, of the HTTP header that must be present in order for the request to be allowed.

For example, if the specified name is test, then atest, test1, and atest1 will all be considered a match.

This field appears only if header-name-type {custom | predefined} is custom.

No default.

cus-header-type {plain | regular}

Indicate whether header-value "<value_str>" is a literal header value (plain) or a regular expression that indicates multiple possible valid header values (regular).

plain

cus-header-name-type {plain | regular}

Indicate whether custom-header-name "<key_str>" is a literal header name (plain) or a regular expression that indicates multiple possible valid header names (regular).

plain

cus-header-rev-match {enable | disable}

Indicate how to use custom-header-name "<key_str>" and header-value "<value_str>" when determining whether or not this condition has been met.

  • disable—If the regular expression does match the request object, the condition is met.
  • enable—If the regular expression does not match the request object, the condition is met.
    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

If all conditions are met, the FortiWeb appliance will allow access.

disable

HTTP-hline-empty-check {enable | disable}

If you enable Header Empty Value Check, the request matches the condition if it contains the specified header but the value of the matched header is empty.

The HTTP-hline-empty-check checks whether a certain header has empty value.

disable

basic-scheme-check {enable | disable}

Enable to check the Authorization header for a misformatted Basic authentication scheme.

This field appears only when:

  • header-name-type is predefined.

  • predefined-header is authorization

  • HTTP-hline-missing-check is disable

  • HTTP-hline-empty-check is disable

disable

HTTP-method-check {enable | disable}

Enable HTTP Method Check and configure a plain string or regular expression for the HTTP method that FortiWeb will search for in the header field.

disable

HTTP-method-value-type {plain | regular}

Select whether HTTP-method-value "<HTTP-method-value_str>" is a plain string or a regular expression.

No default.

HTTP-method-value "<HTTP-method-value_str>"

To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

No default.

HTTP-method-rev-match {enable | disable}

When you enable HTTP Method Check, you can also enable HTTP Method Reverse Match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.

disable

HTTP-hline-missing-check {enable | disable}

If you enable HTTP-hline-missing-check, the request matches the condition if it does not contain the specified header name.

The HTTP-hline-missing-check checks whether a certain header is missing.

HTTP-hline-empty-check and HTTP-hline-missing-check can't be enabled at the same time.

This setting does not take effect for HTTP2 packets without the following headers:

  • :method
  • :scheme
  • :path
  • :authority
  • :status

HTTP/2 requests that lack any of the above pseudo-headers are never evaluated against the HTTP-hline-missing-check setting: FortiWeb treats them as illegitimate and discards them as soon as they arrive.

disable

header-value "<value_str>"

Depending on your selection in pre-header-type {plain | regular}, either:

  • Type the literal header value that the specified HTTP header must contain in order to match the filter. Value matching is case sensitive.
    For example, if the specified value is test, then atest, test1, and atest1 will all be considered a match.
    If you require a filter based upon more than one HTTP header, create multiple entries in the set, one for each HTTP header.
  • Type a regular expression, such as 192\.0\.2\.*, matching all and only the header values which accepted HTTP header values must match.

For details about language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

Tip: To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

For example, entering the value 192.0.2.1 would also match the IPs 192.0.2.10-19 and 192.0.2.100-199. This result may be unintended. The better solution would be to configure either:

  • A regular expression such as ^192.0.2.1$ or
  • A source IP condition instead of an HTTP header condition

No default.
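The substring pitfall described above, together with the empty-value and missing-header checks, modelled as an added Python example (not FortiWeb's code). The function name header_value_matches and its keyword flags are my own names for the CLI options they stand in for.

```python
import re
from typing import Optional


def header_value_matches(value: Optional[str], pattern: str, *, value_type: str = "plain",
                         rev_match: bool = False, empty_check: bool = False,
                         missing_check: bool = False) -> bool:
    """Return True when the header condition is met (added model, not FortiWeb code).

    value         -- the request header's value, or None when the header is absent
    pattern       -- header-value "<value_str>"
    value_type    -- pre-header-type / cus-header-type: "plain" or "regular"
    rev_match     -- pre-header-rev-match / cus-header-rev-match
    empty_check   -- HTTP-hline-empty-check
    missing_check -- HTTP-hline-missing-check
    """
    if empty_check and missing_check:
        raise ValueError("HTTP-hline-empty-check and HTTP-hline-missing-check are exclusive")
    if missing_check:
        return value is None              # condition met only when the header is absent
    if value is None:
        return False                      # the header must be present for every other check
    if empty_check:
        return value == ""                # present, but with an empty value
    if value_type == "plain":
        hit = pattern in value            # case-sensitive substring, not an exact match
    else:
        hit = re.search(pattern, value) is not None
    return (not hit) if rev_match else hit


def substring_pitfall() -> dict:
    """Constructed X-Real-IP values checked against the page's 192.0.2.1 example."""
    samples = ["192.0.2.1", "192.0.2.10", "192.0.2.100", "192.0.2.199"]
    return {
        # plain "192.0.2.1" is a substring of all four values: three unintended matches
        "plain": [v for v in samples if header_value_matches(v, "192.0.2.1")],
        # anchored regex with escaped dots, since an unescaped "." matches any character
        "anchored": [v for v in samples
                     if header_value_matches(v, r"^192\.0\.2\.1$", value_type="regular")],
    }
```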

config method

method-type {predefined | custom}

Configure the HTTP methods that FortiWeb will search for in the header field.

Select whether to use the predefined method types or define custom types.

predefined

predefined-method-set {GET POST HEAD OPTIONS TRACE CONNECT DELETE PUT PATCH WEBDAV RPC OTHERS}

Select the methods that FortiWeb will search for in the header field.

Note that if you select only WEBDAV, some of the methods included in WEBDAV (GET, HEAD, POST, DELETE, PUT) won't be scanned by the system. The WEBDAV-related attack log won't contain the WEBDAV keyword; instead, it will show the individual method violations.

No default.

custom-method-type {plain | regular}

If you have selected custom for method-type, select whether to use a plain string or a regular expression.

plain

custom-method-value <string>

To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring.

No default.

method-reverse-match {enable | disable}

Enable method-reverse-match so that the request matches the condition if the header does not contain the HTTP method's exact value or regular expression.

disable

config source-ip-filter

source-ip <ip_range>

Enter the IP address or IP address range that specifies the clients that FortiWeb allows.

For example:

  • 1.2.3.4
  • 2001::1
  • 1.2.3.4-1.2.3.40
  • 2001::1-2001::100

Depending on your configuration of how FortiWeb will derive the client’s IP (see waf x-forwarded-for), this may be the IP address that is indicated in an HTTP header rather than the IP header.

No default.

exclusive-match {no | yes}

Set whether the condition can be met when the source IP does not match.

No

config user-filter

user-name "<user-name_str>"

Enter the user name to match.

No default.

reverse-match {no | yes}

Indicate how to use user-name "<user-name_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the user name, the condition is met.
  • yes—If the regular expression does not match the user name, the condition is met.

The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

no

config url-filter

request-file "<url_str>"

Enter a regular expression that defines either all matching or all non-matching URLs. Then, also configure reverse-match {no | yes}.

For example, for the URL access rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in reverse-match {no | yes}, select no.

The pattern is not required to begin with a slash ( / ). The maximum length is 256 characters.

Note: Regular expressions beginning with an exclamation point ( ! ) are not supported. Instead, use reverse-match {no | yes}.

No default.

reverse-match {no | yes}

Indicate how to use request-file "<url_str>" when determining whether or not this rule’s condition has been met.

  • no—If the regular expression does match the request URL, the condition is met.
  • yes—If the regular expression does not match the request URL, the condition is met.

    The effect is equivalent to preceding a regular expression with an exclamation point ( ! ).

no

config HTTP-transaction

HTTP-transation-timeout "<timeout_int>"

Enter a timeout value of 1–3600 seconds.

If the lifetime of an HTTP transaction exceeds this value, the transaction matches this condition.

5

config response-code

<response-code_int>

Specify the start and end code in a range of HTTP response codes.

To specify a single code, enter the same value for the start and end codes (for example, 404-404 or 500-503).

If its HTTP response code is within this range, the HTTP transaction matches this condition.

404

response-code-max <response-code_int>

Specify the maximum start and end code in a range of HTTP response codes.

No default.

response-code-rev-match {enable | disable}

Enable it so that the response matches the condition if the code is not in the specified range.

disable

config content-type

{text/html text/plain text/xml application/xml application/soap+xml application/json application/octet-stream text/javascript text/}

Specify a file content type to match.

Use with occurrence to detect and control web scraping (content scraping) activity.

application/soap+xml application/xml(or)text/xml text/html text/plain application/json application/octet-stream text/javascript text/css

content-type-rev-match {enable | disable}

Enable it so that the content type matches the condition if it's not the specified type.

disable

config packet-interval

packet-interval-timeout <timeout_int>

Specify the maximum number of seconds allowed between packets arriving from either the client or the server (request or response packets). Enter a value from 1 to 60.

If the interval exceeds this value, the HTTP transaction matches this condition.

1

config parameter

name-type {plain | regular}

Indicate whether the parameter name is a literal value (plain) or a regular expression that indicates multiple possible valid values (regular).

plain

name <parameter_name>

Enter either a literal value or a regular expression to match the parameter name.

No default.

value-check {enable | disable}

Enable to check the value of the specified parameters.

disable

value <value_regular_expression>

Enter a regular expression to match the parameter value.

No default.

location-check {enable | disable}

By default, the system searches for the parameters in both the URL and the HTTP body. Enable location-check to restrict the search to either the URL or the HTTP body.

disable

location {URL | HTTP-body}

Specify whether to scan the parameters in URL or HTTP body.

No default.

parameter-rev-match {enable | disable}

Enable parameter-rev-match so that the request matches the condition if the URL or HTTP body does not contain the specified parameter names or values.

disable

config signature-class

{010000000 | 020000000 | 030000000 | 040000000 | 050000000 | 060000000 | 090000000 | 100000000 | 110000000 | 120000000}

Specify the ID of a signature class.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

status {enable | disable}

Specify whether the HTTP transaction matches this condition if it matches the specified signature.

disable

config custom-signature

custom-signature-enable {enable | disable}

Specify whether the current custom signature filter is enabled.

disable

{custom-signature-group | custom-signature}

Specify whether "<custom-signature-name_str>" specifies a custom signature group or an individual signature.

custom-signature-group

"<custom-signature-name_str>"

Specify the custom signature group or individual signature to match.

Ensure the signature is enabled in signature configuration before you use it in an advanced access control rule. For details, see waf signature.

No default.

config occurrence

occurrence-num "<occurrence_int>"

Specify the maximum number of times a transaction can match other filter types in the current rule during the time period specified by within.

Enter a value between 1–100,000.

If the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

1

within "<within_int>"

Specify the time period during which FortiWeb counts the number of times transactions match other filter types in the current rule.

Enter a value between 1–600.

1

percentage-flag {enable | disable}

Specify whether the current filter matches when the rate of matches with other filter types in the current rule exceeds the percentage "<percentage_int>".

disable

percentage "<percentage_int>"

The maximum rate of matches with other filter types in the current rule, expressed as percent of hits.

If percentage-flag {enable | disable} is enabled and the number of matches exceeds this threshold, the associated HTTP source client IP address or client matches this condition.

No default.

traced-by {Source-IP | User | Http-Session}

Specify how FortiWeb determines the rate at which a transaction matches other filter types in the current rule: by counting matches per source client IP address, per user, or per HTTP session.

To specify user, ensure that the value of client-management {enable | disable} is enable.

source-ip

config geo-filter

<entry_index>

Enter the index number of the individual entry in the table.

No default.

match-exclusive {yes | no}

If you select yes, FortiWeb matches the traffic from all countries except the ones you select. If you select no, FortiWeb matches the traffic from the countries you select.

No

country-list <country-list_str>

Enter the countries to match.

No default.

Example

This example allows access to URLs beginning with “/admin”, but only if they originate from 192.0.2.5, and only if the client does not exceed 5 requests per second.

Clients that violate this rule will be blocked for 60 seconds (the default duration). The violation will be logged in the attack log using severity_level=High, and all servers configured in notification-servers1 will be used to notify the network administrator.

config waf custom-access rule

edit "combo-IP-rate-URL-rule1"

set action block-period

set severity High

set trigger "notification-servers1"

config access-limit-filter

edit 1

set access-rate-limit 5

next

end

config source-ip-filter

edit 1

set source-ip "192.0.2.5"

next

end

config url-filter

edit 1

set request-file "/admin*"

next

end

next

end

config waf custom-access policy

edit "combo-IP-rate-URL-policy1"

config rule

edit 1

set rule-name "combo-IP-rate-URL-rule1"

next

end

next

end
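The example rule above, and the occurrence filter (occurrence-num, within, traced-by) that uses the same kind of per-key counting, modelled in Python as an added example that is not FortiWeb's code. It assumes the rule fires only when every filter in it matches and that access-rate-limit is evaluated over a one-second window; SlidingWindowCounter and ComboRule are my own names.

```python
import re
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts matches per traced key (source IP, user or HTTP session) inside a window.

    threshold -- occurrence-num, or access-rate-limit when within is one second
    within    -- window length in seconds (the within "<within_int>" option)
    """

    def __init__(self, threshold: int, within: float):
        self.threshold = threshold
        self.within = within
        self.events = defaultdict(deque)  # key -> timestamps of recent matches

    def record(self, key: str, now: float) -> bool:
        """Record one match; return True when the count in the window exceeds threshold."""
        q = self.events[key]
        while q and now - q[0] >= self.within:
            q.popleft()                   # drop matches that fell out of the window
        q.append(now)
        if len(q) > self.threshold:
            q.clear()                     # start a fresh count after a violation
            return True
        return False


class ComboRule:
    """Models combo-IP-rate-URL-rule1: the rule fires only when every filter matches."""

    def __init__(self, source_ip: str, url_regex: str, rate_limit: int, block_period: int):
        self.source_ip = source_ip                     # source-ip-filter
        self.url = re.compile(url_regex)               # url-filter request-file (a regex)
        self.counter = SlidingWindowCounter(rate_limit, within=1.0)  # access-limit-filter
        self.block_period = block_period               # block-period <seconds_int>
        self.blocked_until = {}                        # source IP -> time the block expires

    def evaluate(self, ip: str, url: str, now: float) -> str:
        """Return 'blocked', 'violation' or 'allow' for one request."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "blocked"                           # still inside the block period
        if ip != self.source_ip or self.url.search(url) is None:
            return "allow"                             # a filter did not match: rule does not fire
        if self.counter.record(ip, now):
            self.blocked_until[ip] = now + self.block_period
            return "violation"                         # action block-period applied, logged High
        return "allow"


def demo() -> list:
    """Constructed traffic: seven /admin requests within one second from 192.0.2.5."""
    # "^/admin" is the anchored regex form of the example's "/admin*" (request-file is a regex)
    rule = ComboRule("192.0.2.5", r"^/admin", rate_limit=5, block_period=60)
    results = [rule.evaluate("192.0.2.5", "/admin/login", 100.0 + i * 0.1) for i in range(7)]
    results.append(rule.evaluate("192.0.2.5", "/admin/login", 161.0))     # block has expired
    results.append(rule.evaluate("198.51.100.7", "/admin/login", 100.0))  # other IP: no match
    return results
```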

Related topics