waf input-rule
Use this command to configure input rules.
Input rules define whether or not parameters are required, and set their maximum allowed length, for HTTP requests matching the host and URL defined in the input rule. Each individual rule can also validate the parameter's value against a predefined data type, a custom data type, or a regular expression.
Each input rule contains one or more individual rules. This enables you to define, within one input rule, all parameter restrictions that apply to HTTP requests matching that URL and host name.
For example, one web page might have multiple inputs: a user name, password, and a preference for whether or not to remember the login. Within the input rule for that web page, you could define separate rules for each parameter in the HTTP request: one rule for the user name parameter, one rule for the password parameter, and one rule for the preference parameter.
To apply input rules, select them within a parameter validation rule. For details, see waf parameter-validation-rule.
Before you configure an input rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf input-rule
edit "<input-rule_name>"
set action {alert | alert_deny | redirect | send_403_forbidden | block-period | deny_no_log}
set block-period <seconds_int>
set host "<protected-host_name>"
set host-status {enable | disable}
set request-file "<url_str>"
set request-type {plain | regular}
set maximum-parameter-number <int>
set json-parameter-support {enable | disable}
set severity {High | Medium | Low | Info}
set trigger "<trigger-policy_name>"
config rule-list
edit <entry_index>
set is-essential {yes | no}
set max-length <int>
set type-checked {enable | disable}
set argument-type {custom-data-type | data-type | regular-expression}
set argument-name-type {plain | regular}
set argument-name "<input_name>"
set argument-expression "<regex_pattern>"
set custom-data-type "<custom-data-type_name>"
set data-type "<predefined_name>"
next
end
next
end
Variable | Description | Default
"<input-rule_name>" | Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter: edit ? | No default.
action | Select the action that the FortiWeb appliance performs when an HTTP request violates one of the rules in the entry. alert: accept the request and generate an alert email and/or log message. alert_deny: block the request (or reset the connection) and generate an alert email and/or log message. redirect: redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. send_403_forbidden: reply to the client with an HTTP 403 Forbidden response and generate an alert email and/or log message. block-period: block subsequent requests from the client for the number of seconds configured in block-period and generate an alert email and/or log message. deny_no_log: block the request without generating a log message. Caution: This setting is ignored if monitor-mode is enabled in the server policy. Note: Logging and/or alert email occur only if they are enabled and configured; for details, see log disk and log alertMail. Note: If you use an auto-learning profile with this rule, select alert; a blocking action prevents auto-learning from observing the requests it needs to learn from. | alert
block-period | Enter the number of seconds to block the source IP. The valid range is 1–3,600 seconds. This setting applies only if action is block-period. | 600
host | Enter the name of the protected host that the Host: field of an HTTP request must be in to match the input rule. This setting applies only if host-status is enable. | No default.
host-status | Enable to apply this input rule only to HTTP requests for specific web hosts. Also configure host. Disable to match the input rule based upon the other criteria, such as the URL, regardless of the Host: field. | disable
request-file | Depending on your selection in request-type, enter either the literal URL, such as /login.php, that the HTTP request must contain in order to match the input rule, or a regular expression, such as ^/login\.php, that matches all and only the URLs to which the input rule should apply. The URL must begin with a slash (/). Do not include the name of the web host; it is configured separately in host. Note: Regular expressions beginning with an exclamation point (!) are not supported. | No default.
request-type | Select whether request-file contains a literal URL (plain) or a regular expression designed to match multiple URLs (regular). | plain
maximum-parameter-number | Limit the maximum number of parameters in a request. The valid range is 0–1,024. When the value is 0, FortiWeb does not check the parameter number. | 0
json-parameter-support | Enable to also check parameters carried in JSON, whether in the URL or in the body. If enabled, the count compared against maximum-parameter-number includes JSON parameters. |
severity | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | Low
trigger | Enter the name of the trigger policy to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: set trigger ? | No default.
<entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default.
is-essential | Select yes if the parameter is required for HTTP requests to this combination of Host: field and URL. Otherwise, select no. | no
max-length | Enter the maximum allowed length of the parameter value. The valid range is 0–1,024. To disable the limit, enter 0. | 0
Location: | Specify where this parameter comes from. The parameter is checked only when it comes from the selected location. You can select both url and body. | url body
JSON: | Specify whether this parameter comes from JSON. You must also enable json-parameter-support for this option to function. | no
type-checked | Enable to use predefined or configured data types when validating the parameter value. Also configure argument-type. Disable to ignore the data type. | disable
argument-type | Specify how the parameter value is validated: data-type (a predefined data type, selected in data-type), custom-data-type (a custom data type, named in custom-data-type), or regular-expression (a regular expression, entered in argument-expression). | data-type
argument-name-type | Specify one of the following options: plain, to match the parameter name in argument-name literally; regular, to treat argument-name as a regular expression that matches one or more parameter names. | plain
argument-name | If argument-name-type is plain, enter the exact name of the parameter as it appears in the HTTP request. If argument-name-type is regular, enter a regular expression that matches the names of all parameters to which this rule applies. | No default.
argument-expression | Enter a regular expression that matches all valid values, and no invalid values, for this input. Anchor the expression (for example with ^ and $) so that a value is not accepted merely because part of it matches. The maximum length is 2,071 characters. This setting applies only if argument-type is regular-expression. Note: Regular expressions beginning with an exclamation point (!) are not supported. | No default.
custom-data-type | Enter the name of a custom data type, if any. The maximum length is 63 characters. To display the list of custom data types, enter: set custom-data-type ? This setting applies only if type-checked is enable and argument-type is custom-data-type. | No default.
data-type | Select one of the predefined data types, if the input matches one of them (available options vary by FortiGuard updates). To display available options, enter: set data-type ? For match descriptions of each option, see server-policy pattern data-type-group. This option is ignored unless type-checked is enable and argument-type is data-type. | No default.
Example
This example blocks and logs requests for login.php that do not include both a user name and a password (both are required), whose user name or password exceeds 64 characters, or whose user name does not match the predefined Email data type. The URL is matched by the regular expression ^/login\.php, and type-checked is enabled in each entry so that the data-type checks are actually applied.
config waf input-rule
edit "input_rule1"
set action alert_deny
set request-file "^/login\.php"
set request-type regular
config rule-list
edit 1
set argument-name "username"
set is-essential yes
set max-length 64
set type-checked enable
set argument-type data-type
set data-type Email
next
edit 2
set argument-name "password"
set is-essential yes
set max-length 64
set type-checked enable
set argument-type data-type
set data-type String
next
end
next
end
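The following Python model, added here as an illustration and not part of FortiWeb or this reference, walks one HTTP request through the checks an input rule's rule-list describes: URL matching by request-type, the maximum-parameter-number limit (0 meaning unchecked), is-essential, max-length (0 disabling the limit), and the type check by data-type or argument-expression, with and without json-parameter-support. The login.php rule from the example above is expressed as data, with a maximum-parameter-number of 3 added for the demonstration. The predefined data types are constructed stand-ins for FortiGuard's, the per-rule location key is an assumed name (the page describes the setting but its CLI keyword is not shown), and the regex engine uses search semantics, which is what makes an unanchored argument-expression accept a value such as abc<script>.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-ins for FortiGuard's predefined data types. Each pattern is
# anchored so that the whole value, not just a substring, must match.
DATA_TYPES = {
    "Email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
    "String": re.compile(r"^[\x20-\x7e]*$"),   # printable ASCII only
    "Integer": re.compile(r"^-?[0-9]+$"),
}

FORM = "application/x-www-form-urlencoded"


def collect_parameters(url, body, content_type, json_parameter_support):
    """Return (name, value, location) triples from the query string and the body."""
    params = [(k, v, "url") for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if content_type == FORM:
        params += [(k, v, "body") for k, v in parse_qsl(body, keep_blank_values=True)]
    elif content_type == "application/json" and json_parameter_support:
        # Assumption: only top-level members of a JSON object count as parameters.
        for k, v in json.loads(body).items():
            params.append((k, v if isinstance(v, str) else json.dumps(v), "body"))
    return params


def url_matches(input_rule, url):
    """request-type plain compares the path literally; regular treats request-file as a regex."""
    path = urlsplit(url).path
    if input_rule["request-type"] == "plain":
        return path == input_rule["request-file"]
    return re.search(input_rule["request-file"], path) is not None


def value_ok(rule, value):
    """Type check for one value; True when the rule accepts it."""
    if not rule.get("type-checked"):
        return True                      # type-checked disable: data type ignored
    if rule["argument-type"] == "data-type":
        pattern = DATA_TYPES[rule["data-type"]]
    else:                                # regular-expression: used exactly as written
        pattern = re.compile(rule["argument-expression"])
    # Search semantics: an unanchored expression accepts any value that merely
    # contains a match, so argument-expression should be anchored.
    return pattern.search(value) is not None


def evaluate(input_rule, url, body="", content_type=""):
    """Return the list of violations for one request (empty means it passes)."""
    if not url_matches(input_rule, url):
        return []
    params = collect_parameters(url, body, content_type,
                                input_rule.get("json-parameter-support", False))
    violations = []
    limit = input_rule.get("maximum-parameter-number", 0)
    if limit and len(params) > limit:          # 0 means the count is not checked
        violations.append(f"parameter count {len(params)} exceeds {limit}")
    for rule in input_rule["rule-list"]:
        name = rule["argument-name"]
        if rule.get("argument-name-type", "plain") == "plain":
            hits = [p for p in params if p[0] == name]
        else:
            hits = [p for p in params if re.fullmatch(name, p[0])]
        # "location" is an assumed key name; the page shows its default as "url body".
        hits = [p for p in hits if p[2] in rule.get("location", ("url", "body"))]
        if rule.get("is-essential") == "yes" and not hits:
            violations.append(f"{name}: required parameter missing")
        for _, value, _ in hits:
            max_len = rule.get("max-length", 0)
            if max_len and len(value) > max_len:   # 0 disables the length limit
                violations.append(f"{name}: length {len(value)} exceeds {max_len}")
            if not value_ok(rule, value):
                violations.append(f"{name}: value fails type check")
    return violations


# The page's login.php example as data, plus maximum-parameter-number 3 for the demo.
LOGIN_RULE = {
    "request-file": r"^/login\.php",
    "request-type": "regular",
    "maximum-parameter-number": 3,
    "rule-list": [
        {"argument-name": "username", "is-essential": "yes", "max-length": 64,
         "type-checked": True, "argument-type": "data-type", "data-type": "Email"},
        {"argument-name": "password", "is-essential": "yes", "max-length": 64,
         "type-checked": True, "argument-type": "data-type", "data-type": "String"},
    ],
}


def regex_rule(expression):
    """Input rule that validates the id parameter of /item with a regular expression."""
    return {"request-file": "/item", "request-type": "plain", "rule-list": [
        {"argument-name": "id", "type-checked": True,
         "argument-type": "regular-expression", "argument-expression": expression}]}


if __name__ == "__main__":
    print(evaluate(LOGIN_RULE, "/login.php", "username=alice%40example.com", FORM))
    print(evaluate(regex_rule(r"[a-z]+"), "/item?id=abc<script>"))    # unanchored: passes
    print(evaluate(regex_rule(r"^[a-z]+$"), "/item?id=abc<script>"))  # anchored: rejected
```

Two behaviours are worth noticing when running it. A JSON login body produces "required parameter missing" for both fields until json-parameter-support is enabled, because the rule never sees parameters in a body it does not parse. And the regex_rule comparison shows why the argument-expression description insists on matching no invalid values: [a-z]+ accepts abc<script>, while ^[a-z]+$ rejects it.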