waf xml-validation

Use this command to create XML protection rules and configure XML protection policies. You can create up to 256 rules per policy.

XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML to attack web servers. Using this command, you can configure FortiWeb to examine lcient requests for anomalies in XML. Configuring XML protection can help ensure that the content of HTTP requests containing XML does not contain any potential attacks.

XML protection is available in Reverse Proxy, True Transparent Proxy, and WCCP operating modes.

Syntax

config waf xml-validation rule

edit "<xml_rule_name>"

set action {alert | alert_deny | block-period | redirect | send_403_forbidden | deny_no_log}

set block-period <period_int>

set expansion-entity-check {enable | disable}

set external-entity-check {enable | disable}

set host "<host_name_str>"

set host-status {enable | disable}

set request-file "<file_str>"

set request-type {plain | regular}

set dtd-file <dtd_file_name>

set schema-file "<schema_file_name>"

set severity {High Low | Medium | Info}

set trigger "<trigger_policy_name>"

set xml-attributes-check {enable | disable}

set xml-limit-attr-num <limit_int>

set xml-limit-attrname-len <limit_int>

set xml-limit-attrvalue-len <limit_int>

set xml-limit-cdata-len <limit_int>

set xml-limit-check {enable | disable}

set xml-limit-element-depth <limit_int>

set xml-limit-element-name-len <limit_int>

set data-format {xml | soap}

set wsdl-ip-port-override {enable | disable}

set wsdl-file <wsdl-file_name>

set ws-security <string>

set xsw <string>

set validate-soapaction {enable | disable}

set validate-soap-headers {enable | disable}

set allow-additional-soap-headers {enable | disable}

set validate-soap-body {enable | disable}

set x-include-check {enable | disable}

set schema-location-check {enable | disable}

set schema-location-exempted-urls <schema-location-exempted-urls_str>

set soap-attachment {allow | disallow}

set ws-i-basic-profile-assertion {WSI1001 | WSI1002 | WSI1003 | WSI1004 | WSI1006 | WSI1007 | WSI1032 | WSI1033 | WSI1109 | WSI1110 | WSI1111 | WSI1201 | WSI1202 | WSI1204 | WSI1208 | WSI1301 | WSI1307 | WSI1308 | WSI1309 | WSI1318 | WSI1601 | WSI1701}

set ws-i-basic-profile-wsdl-assertion {WSI1008 | WSI1116 | WSI1211}

end

config waf xml-validation policy

edit "<xml_policy_name>"

set enable-signature-detection {enable | disable}

config input-rule-list

edit <entry_index>

set "<xml_rule_1>"

end

Variable	Description	Default
"<xml_rule_name>"	Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection policy. The maximum length is 63 characters.	No default.
action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log}	Select one of the following actions that FortiWeb performs when a request violates the rule: `alert`—Accept the request and generate an alert email and/or log message. `alert_deny`—Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg. `block-period`—Block subsequent requests from the client for a number of seconds. Also configure waf xml-validation. `redirect`—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable \| disable}. `send_403_forbidden`—Reply to the client with an HTTP `403 Access Forbidden` error message and generate an alert email and/or log message. `deny_no_log`—Deny a request. Do not generate a log message. Caution:FortiWeb ignores this setting when monitor-mode {enable \| disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.	alert
block-period <period_int>	Enter the amount of time (in seconds) that you want to block subsequent requests from a client after FortiWeb detects a rule violation. This setting is available only when waf xml-validation is `block-period`. The valid range is 1–3,600 seconds.	600
expansion-entity-check {enable \| disable}	Enable to trigger the waf xml-validation if an HTTP request contains an XML recursive entity expansion. To enable this option, you must first enable waf xml-validation.	disable
external-entity-check {enable \| disable}	Enable to trigger the waf xml-validation if an HTTP request contains an external entity in XML. To enable this option, you must first enable waf xml-validation.	disable
host "<host_name_str>"	Enter the name of a protected host that the `Host:` field of an HTTP request must match in order for the rule to apply. For details, see server-policy allow-hosts.	No default.
host-status {enable \| disable}	Enable to compare the XML rule to the Host: field in the HTTP header. If enabled, also configure waf xml-validation.	disable
request-file "<file_str>"	Depending on your selection for waf xml-validation, enter either: `plain`—The literal URL, such as `/index.php`, that the HTTP request must contain in order to match the rule. The URL must begin with a slash ( `/` ). `regular`—A regular expression, such as `^/*.php`, matching the URLs to which the rule should apply. The pattern does not require a slash ( `/` ), but it must match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in waf xml-validation.	No default.
request-type {plain \| regular}	Select whether waf xml-validation must contain either: Simple String—The field is a string that the request URL must match exactly. Regular Expression—The field is a regular expression that defines a set of matching URLs.	No default.
dtd-file <dtd_file_name>	Select the DTD file uploaded in the web UI through the XML DTD tab in Web Protection > XML Protection. Available only when the data-format is XML. Note: If you upload an XML DTD file that refers to other DTD schema files, the other DTD files must also be uploaded to FortiWeb.	No default.
schema-file "<schema_file_name>"	Select an XML schema file. To display a list of existing XML schema files, enter: set schema-file ? Note, if you select an XML schema file that references other XML schema files, the other XML schema files must also be uploaded to FortiWeb.	No default.
severity {High Low \| Medium \| Info}	When rule violations are recorded in the attack log, each log message contains a Severity Level field. Select which severity level FortiWeb will use when it logs a violation of the rule: `Low` `Medium` `High` `Info`	Low
trigger "<trigger_policy_name>"	Enter the name of the trigger, if any, to apply when the rule is violated. The maximum length is 63 characters. For details, see log trigger-policy. To display a list of existing triggers, enter: set trigger ?	No default.
xml-attributes-check {enable \| disable}	Enable to configure waf xml-validation and waf xml-validation.	disable
xml-limit-attr-num <limit_int>	Enter the maximum number of attributes for each element. The valid range is 1–256. To configure this option, you must first enable waf xml-validation.	20
xml-limit-attrname-len <limit_int>	Enter the maximum attribute name length (in bytes) of each element. The valid range is 1–1,024. To configure this option, you must first enable waf xml-validation.	64
xml-limit-attrvalue-len <limit_int>	Enter the maximum attribute value length (in bytes) of each element. The valid range is 1–2,048. To configure this option, you must first enable waf xml-validation.	1,024
xml-limit-cdata-len <limit_int>	Enter the maximum Character Data (CDATA) length (in bytes) in XML. The valid range is 1–4,096. To configure this option, you must first enable waf xml-validation.	4,096
xml-limit-check {enable \| disable}	Enable to configure XML limits.	disable
xml-limit-element-depth <limit_int>	Enter the maximum element depth in XML. The valid range is 1–256. To configure this option, you must first enable waf xml-validation.	20
xml-limit-element-name-len <limit_int>	Enter the maximum element name length (in bytes) in XML. The valid range is 1–1,024. To configure this option, you must first enable waf xml-validation.	64
"<xml_policy_name>"	Enter the name of an XML protection policy. You will use the name to select the policy in other parts of the configuration. The maximum length is 63 characters.	No default.
<entry_index>	Enter the index number of an entry to create or modify a rule for the policy. The valid range is 1–9,999,999,999,999,999,999.	No default.
"<xml_rule_1>"	Enter the sequence number of an XML protection rule to add to the XML protection policy. The maximum length is 63 characters.	No default.
data-format {xml \| soap}	Select the XML protection rule format.	No default.
wsdl-ip-port-override {enable \| disable}	When enabled, only the URL will be used to match the service in WSDL. If a URL corresponds to multiple services, the first service will be matched.	disable
wsdl-file <wsdl-file_name>	This field applies when the Data Format is SOAP. Enter a name for the WSDL file.	No default.
ws-security <string>	Select the WS-Security rule created with `config waf ws-security rule`. Available only when the `data-format` is `SOAP`.
xsw <string>	Select the XSW Detection rule created with `config waf xsw-detection rule`.	No default.
validate-soapaction {enable \| disable}	Enable to validate whether the soapAction in SOAP protocol complies with that in WSDL file.	No default.
validate-soap-headers {enable \| disable}	Enable to validate whether the header elements in SOAP protocol comply with those in WSDL file.	No default.
allow-additional-soap-headers {enable \| disable}	Enable not to validate additional header elements.	No default.
validate-soap-body {enable \| disable}	Enable to validate whether the body elements in SOAP protocol comply with those in WSDL file.	No default.
x-include-check {enable \| disable}	Enable to trigger the action {alert \| alert_deny \| block-period \| redirect \| send_403_forbidden \| deny_no_log} if other XML contents are included in XML.	No default.
schema-location-check {enable \| disable}	Enable to forbid using location field to perform malicious requests.	No default.
schema-location-exempted-urls <schema-location-exempted-urls_str>	Select the exempted URL you have created to configure allowed location URLs. Available only when schema-location-check {enable \| disable} is enabled.	No default.
enable-signature-detection {enable \| disable}	Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests.	disable
soap-attachment {allow \| disallow}	Specify whether the SOAP message can carry attachments. Available only when the data-format {xml \| soap} is SOAP.	Allow
ws-i-basic-profile-assertion {WSI1001 \| WSI1002 \| WSI1003 \| WSI1004 \| WSI1006 \| WSI1007 \| WSI1032 \| WSI1033 \| WSI1109 \| WSI1110 \| WSI1111 \| WSI1201 \| WSI1202 \| WSI1204 \| WSI1208 \| WSI1301 \| WSI1307 \| WSI1308 \| WSI1309 \| WSI1318 \| WSI1601 \| WSI1701}	Select WSI rules that SOAP messages will adhere to. Available only when the data-format {xml \| soap} is SOAP.	No default
ws-i-basic-profile-wsdl-assertion {WSI1008 \| WSI1116 \| WSI1211}	If you select these three rules, configure WSDL files first. Available only when the data-format {xml \| soap} is SOAP.	No default

Example

The below example creates an XML protection rule and applies the rule to a new XML protection policy.

config waf xml-validation rule

edit "example_rule_name_1"

set action block-period

set block-period 3000

set severity Medium

set trigger "example_trigger_policy_name"

set host-status enable

set host "example_host_name"

set request-type plain

set request-file "/index.php"

set schema-file "example_schema_file_name"

set xml-limit-check enable

set xml-limit-attr-num 64

set xml-limit-attrname-len 256

set xml-limit-attrvalue-len 1024

set xml-limit-cdata-len 2096

set xml-limit-element-depth 128

set xml-limit-element-name-len 128

set xml-entity-check enable

set expansion-entity-check enable

set external-entity-check enable

end

config waf xml-validation policy

edit "example_policy_name"

config input-rule-list

edit "example_rule_1"

set "example_rule_1"

end