
CLI Reference

waf HTTP-request-flood-prevention-rule

Use this command to limit the maximum number of HTTP requests per second coming from any client to a specific URL on one of your protected servers.

The FortiWeb appliance tracks the requests using a session cookie. If the count exceeds the request limit, FortiWeb performs the specified action.

To apply this rule, include it in an application-layer DoS-prevention policy. This feature is effective only when client-management {enable | disable} is enabled in the inline protection profile that uses the parent DoS-prevention policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf HTTP-request-flood-prevention-rule
    edit "<rule_name>"
        set access-limit-in-HTTP-session <limit_int>
        set action {alert | alert_deny | block-period | deny_no_log}
        set bot-recognition {captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement | real-browser-enforcement | disable}
        set recaptcha <recaptcha_server_name>
        set max-attempt-times <attempts_int>
        set validation-timeout <seconds_int>
        set block-period <seconds_int>
        set severity {High | Medium | Low | Info}
        set trigger-policy "<trigger-policy_name>"
        set mobile-app-identification {disabled | mobile-token-validation}
        set bot-confirmation {enable | disable}
    next
end

Variable Description Default

"<rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

    edit ?

Default: No default.

access-limit-in-HTTP-session <limit_int>

Enter the maximum number of HTTP connections allowed per second from the same client. The valid range is 0–4,096. To disable the limit, enter 0.

Default: 0

action {alert | alert_deny | block-period | deny_no_log}

Select one of the following actions that the FortiWeb appliance performs when the count exceeds the limit:

  • alert: Accept the request and generate an alert email and/or log message.

  • alert_deny: Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page and HTTP status code that FortiWeb returns to the client. For details, see "system replacemsg".

  • block-period: Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, you must also define an X-header that carries the original client's IP when using this option (see waf x-forwarded-for). Otherwise every client arrives from the load balancer's address, and FortiWeb may block all connections when it detects a violation of this type.

  • deny_no_log: Deny the request without generating a log message.

Caution: This setting is ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email occur only if they are enabled and configured. For details, see log disk and log alertMail.

Note: If you use an auto-learning profile with this rule, select alert. With alert_deny, for example, the FortiWeb appliance blocks the request or resets the connection when it detects an attack, leaving the auto-learning feature with incomplete session information. For details about auto-learning requirements, see "waf web-protection-profile autolearning-profile".

Default: alert

bot-recognition {captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement | real-browser-enforcement | disable}

Select between:

  • captcha-enforcement: Requires the client to successfully fulfill a CAPTCHA request. If the client does not fulfill the request within max-attempt-times <attempts_int> attempts, or not before validation-timeout <seconds_int> elapses, FortiWeb applies the action and sends the CAPTCHA block page.

  • captcha-puzzle-enforcement: Presents an interactive image-based puzzle challenge to the user. This method is resistant to headless browsers and scripted bots, and is suitable for high-security scenarios where traditional challenges are easily bypassed. If the client does not fulfill the request within max-attempt-times <attempts_int> attempts, or not before validation-timeout <seconds_int> elapses, FortiWeb applies the action.
    When selected:
    • FortiWeb intercepts the request and serves a visual CAPTCHA that requires drag-and-drop interaction before allowing access to the backend.
    • FortiWeb caches the original backend response and delivers it only after the user successfully completes the challenge.
    • No customization of the puzzle or replacement message is currently supported.

  • recaptcha-enforcement: Requires the client to successfully fulfill a reCAPTCHA request. If the client does not fulfill the request before validation-timeout <seconds_int> elapses, FortiWeb applies the action and sends the CAPTCHA block page. FortiWeb does not present the reCAPTCHA verification again to the same user within a 10-minute timeout.

  • recaptcha-v3-enforcement: Requires the client to successfully fulfill a reCAPTCHA v3 request. If the client does not fulfill the request before validation-timeout <seconds_int> elapses, FortiWeb applies the action and sends the reCAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in the FortiWeb Administration Guide.
    You can set the reCAPTCHA v3 score threshold through the CLI (the valid range is 0 to 1):

        config system recaptcha-api
            set recaptcha-v3-score-threshold <string>
        end

  • real-browser-enforcement: Returns JavaScript to the client, when it violates the access rule, to test whether it is a web browser or an automated tool. If the client either fails the test or does not return results before the timeout specified by validation-timeout <seconds_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • disable: Apply the access rule directly, without a bot-recognition challenge.

Default: disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user.

Default: No default.

max-attempt-times <attempts_int>

If bot-recognition is captcha-enforcement or captcha-puzzle-enforcement, enter the maximum number of attempts a client may make to fulfill the CAPTCHA or puzzle CAPTCHA request. The valid range is 1–5.

Available only when captcha-enforcement or captcha-puzzle-enforcement is selected for bot-recognition.

Default: 3

validation-timeout <seconds_int>

Specify the maximum amount of time (in seconds) that FortiWeb waits for results from the client for Real Browser Enforcement. The valid range is 5–30.

Default: 20

block-period <seconds_int>

If action is block-period, enter the number of seconds for which the client is blocked.

This setting applies only if action is block-period. The valid range is 1–10,000 seconds.

Default: 600

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs.

Default: Medium

trigger-policy "<trigger-policy_name>"

Enter the name of the trigger policy to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

    set trigger ?

Default: No default.

mobile-app-identification {disabled | mobile-token-validation}

  • disabled: Do not carry out mobile token verification.

  • mobile-token-validation: Requires the client to present a mobile token for verification.

To apply mobile token validation, you must also enable Mobile App Identification in waf web-protection-profile inline-protection.

Default: disabled

bot-confirmation {enable | disable}

Enable to verify clients, using the configured bot-recognition method, when the bot-detection rules are triggered.

Default: disable
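The interaction between bot-recognition, max-attempt-times and validation-timeout described in the table above can be hard to picture from the variable descriptions alone. The following Python model is an added illustration and is not FortiWeb code: it follows the page's stated behaviour (an attempt counter only for the two CAPTCHA modes, a timeout for every mode, an immediate action when real-browser or reCAPTCHA validation fails, and no re-challenge of a user who passed reCAPTCHA within the last 10 minutes), while the per-session bookkeeping, the method names used as plain strings and the verdict labels are assumptions of the model.

```python
"""Model of the bot-recognition challenge flow attached to a flood prevention rule.

Added illustration, not FortiWeb code. Attempt limits, timeouts and the 10-minute
reCAPTCHA exemption follow the page; per-session bookkeeping is an assumption.
"""
from dataclasses import dataclass

ATTEMPT_LIMITED = {"captcha-enforcement", "captcha-puzzle-enforcement"}
TIMEOUT_ONLY = {"recaptcha-enforcement", "recaptcha-v3-enforcement", "real-browser-enforcement"}
RECAPTCHA_EXEMPT_SECONDS = 600  # page: no new reCAPTCHA challenge for the same user within 10 minutes


@dataclass
class Challenge:
    issued_at: float   # time the challenge was served to the client
    attempts: int = 0  # answers submitted so far


class BotRecognition:
    def __init__(self, method="captcha-enforcement", max_attempt_times=3, validation_timeout=20):
        if method not in ATTEMPT_LIMITED | TIMEOUT_ONLY | {"disable"}:
            raise ValueError(f"unknown bot-recognition method: {method}")
        if not 1 <= max_attempt_times <= 5:      # page: valid range 1-5
            raise ValueError("max-attempt-times must be 1-5")
        if not 5 <= validation_timeout <= 30:    # page: valid range 5-30
            raise ValueError("validation-timeout must be 5-30")
        self.method = method
        self.max_attempt_times = max_attempt_times
        self.validation_timeout = validation_timeout
        self.pending = {}    # session -> Challenge (assumed: keyed by session cookie)
        self.passed_at = {}  # session -> time the client last passed a challenge

    def on_violation(self, session, now):
        """The rule fired for this session. Returns 'action', 'challenge' or 'allow'."""
        if self.method == "disable":
            return "action"  # no challenge: the rule's action applies directly
        if self.method.startswith("recaptcha") and \
                now - self.passed_at.get(session, float("-inf")) < RECAPTCHA_EXEMPT_SECONDS:
            return "allow"   # passed reCAPTCHA recently: not challenged again
        self.pending.setdefault(session, Challenge(issued_at=now))
        return "challenge"

    def on_response(self, session, now, success):
        """The client answered its challenge. Returns 'pass', 'retry' or 'action'."""
        ch = self.pending.get(session)
        if ch is None:
            return "action"  # no outstanding challenge for this session
        if now - ch.issued_at > self.validation_timeout:
            del self.pending[session]
            return "action"  # validation-timeout elapsed before a successful answer
        ch.attempts += 1
        if success:
            del self.pending[session]
            self.passed_at[session] = now
            return "pass"
        if self.method in ATTEMPT_LIMITED and ch.attempts < self.max_attempt_times:
            return "retry"   # CAPTCHA modes allow up to max-attempt-times answers
        del self.pending[session]
        return "action"      # attempts exhausted, or a failed real-browser/reCAPTCHA test


if __name__ == "__main__":
    captcha = BotRecognition("captcha-enforcement", max_attempt_times=3, validation_timeout=20)
    captcha.on_violation("sid-A", 0.0)
    print([captcha.on_response("sid-A", t, False) for t in (1.0, 2.0, 3.0)])  # three wrong answers
    captcha.on_violation("sid-B", 0.0)
    print(captcha.on_response("sid-B", 25.0, True))  # correct, but after the 20 s timeout
```

The `on_violation` / `on_response` split mirrors the two moments at which FortiWeb decides something: when the rule fires (serve a challenge, or skip it for a recently validated reCAPTCHA user) and when the client answers (pass, retry, or fall through to the configured action).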

Example

This example illustrates a rule that imposes a two-minute blocking period on clients that exceed the set request limit.

config waf HTTP-request-flood-prevention-rule
    edit "Web Portal HTTP Request Limit"
        set access-limit-in-HTTP-session 10
        set action block-period
        set block-period 120
        set severity Medium
        set trigger-policy "Server_Policy_Trigger"
    next
end
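To make the behaviour of the rule above concrete, including the NAT load balancer caveat from the block-period description, here is an added Python model of the rule; it is an illustration written for this page, not FortiWeb code. The page says requests are counted per session cookie and that block-period blocks "the client", so the model counts per (session, one-second window) and keys the block on the client IP; the fixed one-second window, the IP-keyed block table, the `trust_x_forwarded_for` switch standing in for a configured waf x-forwarded-for header, and the constructed traffic (two browsers behind one load balancer at 10.0.0.1) are all assumptions of the model.

```python
"""Model of a FortiWeb-style HTTP request flood prevention rule.

Added illustration, not FortiWeb code. Assumed (not stated on the page): requests are
counted per session cookie in fixed one-second windows, the block-period entry is keyed
by client IP, and X-Forwarded-For is honoured only when the rule is told to trust it.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FloodRule:
    access_limit: int = 0               # requests per second; 0 disables (page: 0-4,096)
    action: str = "alert"               # alert | alert_deny | block-period | deny_no_log
    block_period: int = 600             # seconds (page: 1-10,000)
    trust_x_forwarded_for: bool = False  # stands in for a configured waf x-forwarded-for header


@dataclass
class RuleState:
    counts: dict = field(default_factory=lambda: defaultdict(int))  # (session, second) -> requests
    blocked_until: dict = field(default_factory=dict)                # client ip -> unblock time
    log: list = field(default_factory=list)                          # (time, ip, event)


def client_ip(req, rule):
    """Original client address: first X-Forwarded-For hop if trusted, else the source IP."""
    if rule.trust_x_forwarded_for and req.get("x-forwarded-for"):
        return req["x-forwarded-for"].split(",")[0].strip()
    return req["src_ip"]


def evaluate(req, rule, state):
    """Verdict for one request: 'accept', 'deny' or 'blocked' (still inside a block period)."""
    ip, now = client_ip(req, rule), req["time"]
    until = state.blocked_until.get(ip)
    if until is not None and now < until:
        return "blocked"
    if rule.access_limit == 0:
        return "accept"                  # limit disabled
    key = (req["session"], int(now))     # per session cookie, per one-second window
    state.counts[key] += 1
    if state.counts[key] <= rule.access_limit:
        return "accept"
    if rule.action == "alert":
        state.log.append((now, ip, "alert")); return "accept"
    if rule.action == "alert_deny":
        state.log.append((now, ip, "alert_deny")); return "deny"
    if rule.action == "block-period":
        state.blocked_until[ip] = now + rule.block_period
        state.log.append((now, ip, f"block-period {rule.block_period}s")); return "deny"
    if rule.action == "deny_no_log":
        return "deny"                    # denied, nothing logged
    raise ValueError(f"unknown action: {rule.action}")


def sample_traffic():
    """Constructed traffic: both browsers reach FortiWeb via a load balancer at 10.0.0.1."""
    reqs = [{"time": i * 0.05, "src_ip": "10.0.0.1", "x-forwarded-for": "203.0.113.10",
             "session": "sid-A"} for i in range(11)]          # sid-A: 11 requests in one second
    reqs.append({"time": 1.0, "src_ip": "10.0.0.1", "x-forwarded-for": "203.0.113.20",
                 "session": "sid-B"})                         # sid-B: one innocent request
    reqs.append({"time": 121.0, "src_ip": "10.0.0.1", "x-forwarded-for": "203.0.113.20",
                 "session": "sid-B"})                         # sid-B again after 120 s
    return reqs


def simulate(trust_x_forwarded_for):
    """Run the page's example rule (limit 10, block-period 120) over the sample traffic."""
    rule = FloodRule(access_limit=10, action="block-period", block_period=120,
                     trust_x_forwarded_for=trust_x_forwarded_for)
    state = RuleState()
    return [evaluate(r, rule, state) for r in sample_traffic()]


if __name__ == "__main__":
    print("no X-header:", simulate(False))   # sid-B at t=1 is 'blocked' along with the offender
    print("X-header:   ", simulate(True))    # sid-B is 'accept'ed; only 203.0.113.10 is blocked
```

Without the X-header every client shares the load balancer's 10.0.0.1, so one offending session puts every other user into the block period; with it, the block lands on the offender's real address only, which is the failure mode the page warns about.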
