waf custom-protection-rule
Use this command to configure custom data leak and attack signatures.
Before you enter custom signatures via the CLI, first enable it.
To use your custom signatures, you must first group them so that they can be included in a rule. For details, see waf custom-protection-group.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf custom-protection-rule
  edit "<custom-protection rule_name>"
    set block-period <seconds_int>
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    config meet-condition
      edit <entry_index>
        set operator {RE | GT | LT | NE | EQ}
        set case-sensitive {enable | disable}
        set expression <regex_pattern>
      next
    end
  next
end
Variable | Description | Default |
"<custom-protection rule_name>" | Enter the name of the new or existing custom signature. The maximum length is 63 characters. To display a list of the existing rules, enter: | No default. |
type {request | response} | Specify the type of regular expression: | request |
action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log} | Select the specific action to be taken when the request matches this signature. Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. | alert |
block-period <seconds_int> | If action {alert | alert_deny | alert_erase | redirect | block-period | send_HTTP_response | only_erase | deny_no_log} is https://docs.fortinet.com/fortiweb/admin-guides The valid range is 1–3,600 seconds. | 600 |
severity {High | Medium | Low | Info} | When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule. | Medium |
trigger "<trigger-policy_name>" | Select which trigger policy, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: | No default. |
<entry_index> | Enter the index number of the individual entry in the table. The valid range is from 1–9,999,999,999,999,999,999. | No default. |
operator {RE | GT | LT | NE | EQ} | | RE |
request-target {REQUEST_FILENAME REQUEST_URI REQUEST_HEADERS_NAMES REQUEST_HEADERS REQUEST_COOKIES_NAMES REQUEST_COOKIES ARGS_NAMES ARGS_VALUE REQUEST_RAW_URI REQUEST_BODY CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH COOKIE_NUMBER ARGS_NUMBER HTTP_METHOD HTTP_METHOD} | Enter the name of one or more locations in the HTTP request to scan for a signature match. For example, | No default. |
response-target {RESPONSE_BODY RESPONSE_HEADER CONTENT_LENGTH HEADER_LENGTH BODY_LENGTH RESPONSE_CODE} | Enter the name of one or more locations in the HTTP response to scan for a signature match. | No default. |
 | Enter the value that FortiWeb compares to the target value to determine if a request or response matches. | No default. |
case-sensitive {enable | disable} | Enable to differentiate upper case and lower case letters when evaluating the web server’s response for data leaks according to expression <regex_pattern>. For example, when enabled, an HTTP reply containing the phrase C | disable |
expression <regex_pattern> | When operator {RE | GT | LT | NE | EQ} is If config waf custom-protection-rule edit "test" set type response set action alert_erase config meet-condition edit 1 set response-target RESPONSE_BODY set expression "(webattack)" next end next end To prevent false positives, it should not match anything else. The maximum length is 2,071 characters. | No default. |
Example
This example configures a signature to detect and block an LFI attack that uses directory traversal through an unsanitized controller parameter in older versions of Joomla. Each time it detects an attack, the trigger policy named notification-servers1 sends an alert email and attack log messages whose severity level is High.
config waf custom-protection-rule
  edit "Joomla_controller_LFI"
    set type request
    set action alert_deny
    set severity High
    set trigger "notification-servers1"
    config meet-condition
      edit 1
        set request-target REQUEST_RAW_URI
        set expression "^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"
      next
    end
  next
end
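Before a signature like the one above is deployed, its expression can be checked offline against labelled sample URIs to find false positives and missed requests. The following Python harness is an added example, not part of the FortiWeb documentation: it assumes Python's re module behaves like the appliance's regex engine for this expression, the function names are hypothetical, and every sample URI is constructed.

```python
import re

# Expression copied verbatim from the example rule on this page.
EXPRESSION = r"^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?"

# Constructed sample REQUEST_RAW_URI values: (uri, should the rule fire?).
SAMPLES = [
    ("/index.php?option=com_ckforms&controller=../../placeholder", True),
    ("/index.php?option=com_ckforms&controller=ckforms", False),
    ("/index.php?option=com_content&view=article&id=1", False),
    ("/INDEX.PHP?option=COM_CKFORMS&controller=../placeholder", True),
    # Constructed case: the same component served from a subdirectory.
    ("/blog/index.php?option=com_ckforms&controller=../placeholder", True),
]


def compile_condition(expression, case_sensitive=False):
    """Compile an RE-operator expression. case_sensitive mirrors the CLI
    setting of the same name, whose default on this page is disable."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile(expression, flags)


def evaluate(expression, samples, case_sensitive=False):
    """Return (missed, false_positives) for labelled sample targets."""
    pattern = compile_condition(expression, case_sensitive)
    missed, false_positives = [], []
    for target, should_match in samples:
        matched = pattern.search(target) is not None
        if should_match and not matched:
            missed.append(target)
        elif matched and not should_match:
            false_positives.append(target)
    return missed, false_positives


if __name__ == "__main__":
    for mode in (False, True):
        missed, fps = evaluate(EXPRESSION, SAMPLES, case_sensitive=mode)
        print(f"case-sensitive={mode}: missed={missed} false_positives={fps}")
```

With case-sensitive left at disable, the only missed sample is the subdirectory URI, because the expression is anchored with ^ to /index.php. With case-sensitive enabled, the upper-case URI is missed as well.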