Configuring a Parameter Validation rule

Define the Parameter Validation rule for Input Validation to determine whether or not parameters are required, and their maximum allowed length. Inputs are typically the <input> tags in an HTML form, where the input rules are applicable for visible inputs only, such as buttons and text areas.

The Parameter Validation rule function can do the following:

  • Check the HOST by simple string or regular expression matching.
  • Check the URL by simple string or regular expression matching.
  • Check the parameter name of input fields by simple string or regular expression matching. It also restricts the length of the name.

If the conditions are successfully matched, the rule executes the specified action.

To configure a Parameter Validation rule:
  1. Go to Web Application Firewall > Input Validation.
  2. Click the Parameter Validation tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following Parameter Validation Rule settings:

    | Setting | Description |
    |---|---|
    | Name | Enter a unique name for the Parameter Validation Rule. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed. Note: Once saved, the name of a Parameter Validation Rule cannot be changed. |
    | Host Status | Enable to require that the Host: field of the HTTP request match a protected host name's entry in order to match the URL access rule. Also configure Host. |
    | Host | The Host option is available if Host Status is enabled. Select the protected host name's entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the URL access rule. |
    | Request URL | The HTTP request URL. It must start with /, for example /login. This item must be set when configuring the rule. FortiADC matches the other items of the rule only when the request URL matches; if the match fails, FortiADC will not attempt to match the others. |
    | Action | Select the action profile that you want to apply. See Configuring WAF Action objects. The default value is Alert. |
    | Severity | When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Input Validation: Low, Medium, or High. The default value is Low. |

  5. Click Save.
    Once the Parameter Validation Rule is saved, the Parameter Validation Rule Element section can be configured.
  6. Under the Parameter Validation Rule Element section, click Create New to display the configuration editor.
  7. Configure the following Parameter Validation Rule Element settings:

    | Setting | Description |
    |---|---|
    | Name | Enter a unique name for the Parameter Validation Rule Element. It must match the name of the corresponding input in the HTML request. |
    | Max Length | The maximum length of the value of the parameter identified by Name. |
    | Use Type Check | Enable or disable data type checking. |
    | Argument Type | The Argument Type option is available if Use Type Check is enabled. Select whether to use a predefined data type or a customized regular expression. |
    | Data Type | The Data Type option is available if Use Type Check is enabled and Argument Type is Data Type. Match the string against the predefined data type. |
    | Regular Expression | The Regular Expression option is available if Use Type Check is enabled and Argument Type is Regular Expression. Match the string against the regular expression. |

  8. Click Save to save the Parameter Validation Rule Element configuration and exit from the dialog.
  9. Click Save to update the Parameter Validation Rule configuration.

After the Parameter Validation rule has been saved, you can include it in an Input Validation Policy.
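
The evaluation order described above can be dry-run against sample requests before a rule goes live. The following Python model is an added example, not FortiADC code or configuration syntax. The class and field names are hypothetical, and it assumes exact-path URL matching, checks on URL-decoded values, and a regular expression that must match the whole value.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

@dataclass
class Element:
    """Models one Parameter Validation Rule Element (hypothetical field names)."""
    name: str                    # Name: the input's name
    max_length: int              # Max Length of the value
    regex: Optional[str] = None  # set = Use Type Check with Argument Type "Regular Expression"

@dataclass
class Rule:
    """Models one Parameter Validation Rule (hypothetical field names)."""
    name: str
    request_url: str             # Request URL, must start with "/"
    host: Optional[str] = None   # None = Host Status disabled
    action: str = "Alert"        # default stated on the page
    severity: str = "Low"        # default stated on the page
    elements: List[Element] = field(default_factory=list)

def evaluate(rule, host, url, body=""):
    """Return (parameter, failed check, action, severity) tuples for one request."""
    parts = urlsplit(url)
    # The request URL is matched first; on a miss nothing else is evaluated.
    if parts.path != rule.request_url:       # assumption: simple string, exact path
        return []
    if rule.host is not None and host != rule.host:
        return []
    # Assumption: query-string and form-body values are checked after URL-decoding.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for el in rule.elements:
        for key, value in params:
            if key != el.name:
                continue
            if len(value) > el.max_length:
                hits.append((key, "max-length", rule.action, rule.severity))
            elif el.regex and not re.fullmatch(el.regex, value):  # assumption: whole value
                hits.append((key, "type-check", rule.action, rule.severity))
    return hits

# Constructed sample rule for a /login form on a constructed host name.
RULE = Rule("login-params", "/login", host="www.example.com", elements=[
    Element("username", 32, r"[A-Za-z0-9_.-]+"),
    Element("pin", 6, r"[0-9]+"),
])
```

Running planned Max Length and Regular Expression values against recorded legitimate traffic this way shows which requests would be flagged before the action is moved from Alert to something stricter.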
