Fortinet Document Library

config security waf http-protocol-constraint

Use this command to configure HTTP protocol checks: HTTP request parameter lengths, HTTP request method, and HTTP response code.

Table 15 describes the three predefined policies.

Table 15: Predefined HTTP protocol constraint policies

Predefined Rules        Description
High-Level-Security     Maximum URI length is 2048 characters. Action is set to deny. Severity is set to high.
Medium-Level-Security   Maximum URI length is 2048 characters. Action is set to alert. Severity is set to medium.
Alert-Only              Maximum URI length is 2048 characters. Action is set to alert. Severity is set to low.

The configurations for these rules are shown in the examples that follow. If desired, you can create user-defined rules to filter traffic with invalid HTTP request methods or drop packets with the specified server response codes.

Before you begin:

  • You must have read-write permission for security settings.

After you have created an HTTP protocol constraint policy, you can specify it in a WAF profile configuration.

Syntax

config security waf http-protocol-constraint
  edit <name>
    set constraint-method-override {enable|disable}
    set exception <datasource>
    set illegal-host-name-check {enable|disable}
    set illegal-host-name-check-action {datasource}
    set illegal-host-name-check-severity {high|medium|low}
    set illegal-http-version-check {enable|disable}
    set illegal-http-version-check-action {datasource}
    set illegal-http-version-check-severity {high|medium|low}
    set max-cookie-number-in-request <integer>
    set max-cookie-number-in-request-action {datasource}
    set max-cookie-number-in-request-severity {high|medium|low}
    set max-header-number-in-request <integer>
    set max-header-number-in-request-action {datasource}
    set max-header-number-in-request-severity {high|medium|low}
    set max-request-body-length <integer>
    set max-request-body-length-action {datasource}
    set max-request-body-length-severity {high|medium|low}
    set max-request-header-length <integer>
    set max-request-header-length-action {datasource}
    set max-request-header-length-severity {high|medium|low}
    set max-request-header-name-length <integer>
    set max-request-header-name-length-action {datasource}
    set max-request-header-name-length-severity {high|medium|low}
    set max-request-header-value-length <integer>
    set max-request-header-value-length-action {datasource}
    set max-request-header-value-length-severity {high|medium|low}
    set max-uri-length <integer>
    set max-uri-length-action {datasource}
    set max-uri-length-severity {high|medium|low}
    set max-url-parameter-name-length <integer>
    set max-url-parameter-name-length-action {datasource}
    set max-url-parameter-name-length-severity {high|medium|low}
    set max-url-parameter-value-length <integer>
    set max-url-parameter-value-length-action {datasource}
    set max-url-parameter-value-length-severity {high|medium|low}
    config request-method-rule
      edit <No.>
        set exception <datasource>
        set action {datasource}
        set severity {high|medium|low}
        set method {CONNECT DELETE GET HEAD OPTIONS OTHERS POST PUT TRACE}
      next
    end
    config response-code-rule
      edit <No.>
        set exception <datasource>
        set action {datasource}
        set severity {high|medium|low}
        set code-min <400-599>
        set code-max <400-599>
      next
    end
  next
end

constraint-method-override

Enable/disable constraint method override. When enabled, FortiADC reads the method named in the overridden-method header field of the client request and evaluates that method against the request-method-rule entries to decide whether an action applies. Default is disable.

exception

Specify an exception configuration object.

illegal-host-name-check

Enable/disable the hostname check. A domain name must consist only of ASCII letters, digits, and the hyphen. The hostname is checked against the set of characters allowed by RFC 2616. Disallowed characters, such as non-printable ASCII characters or other special characters (for example, '<' and '>'), are a symptom of an attack.

illegal-host-name-check-action

Specify a WAF action object.

illegal-host-name-check-severity

  • high
  • medium
  • low

illegal-http-version-check

Enable/disable the HTTP version check. Well-formed requests include the version of the protocol used by the client, in the form of HTTP/v where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). Malformed requests are a sign of traffic that was not sent from a normal browser and are a symptom of an attack.

illegal-http-version-check-action

Specify a WAF action object.

illegal-http-version-check-severity

  • high
  • medium
  • low

max-cookie-number-in-request

Maximum number of cookie headers in an HTTP request. The default is 16. The valid range is 1-32.

max-cookie-number-in-request-action

Specify a WAF action object.

max-cookie-number-in-request-severity

  • high
  • medium
  • low

max-header-number-in-request

Maximum number of headers in an HTTP request. The default is 50. Requests with more headers are a symptom of a buffer overflow attack or an attempt to evade detection mechanisms. The valid configuration range is 1-100.

max-header-number-in-request-action

Specify a WAF action object.

max-header-number-in-request-severity

  • high
  • medium
  • low

max-request-body-length

Maximum length of the HTTP body. The default is 67108864. The valid range is 1-67108864.

max-request-body-length-action

Specify a WAF action object.

max-request-body-length-severity

  • high
  • medium
  • low

max-request-header-length

Maximum length of the HTTP request header. The default is 8192. The valid range is 1-16384.

max-request-header-length-action

Specify a WAF action object.

max-request-header-length-severity

  • high
  • medium
  • low

max-request-header-name-length

Maximum characters in an HTTP request header name. The default is 1024. The valid range is 1-8192.

max-request-header-name-length-action

Specify a WAF action object.

max-request-header-name-length-severity

  • high
  • medium
  • low

max-request-header-value-length

Maximum characters in an HTTP request header value. The default is 4096. Longer headers might be a symptom of a buffer overflow attack. The valid configuration range is 1-8192.

max-request-header-value-length-action

Specify a WAF action object.

max-request-header-value-length-severity

  • high
  • medium
  • low

max-uri-length

Maximum characters in an HTTP request URI. The default is 2048. The valid range is 1-8192.

max-uri-length-action

Specify a WAF action object.

max-uri-length-severity

  • high
  • medium
  • low

max-url-parameter-name-length

Maximum characters in a URL parameter name. The default is 1024. The valid range is 1-2048.

max-url-parameter-name-length-action

Specify a WAF action object.

max-url-parameter-name-length-severity

  • high
  • medium
  • low

max-url-parameter-value-length

Maximum characters in a URL parameter value. The default is 4096. The valid range is 1-8192.

max-url-parameter-value-length-action

Specify a WAF action object.

max-url-parameter-value-length-severity

  • high
  • medium
  • low

config request-method-rule

exception

Specify an exception configuration object.

action

Specify a WAF action object.

severity

  • high
  • medium
  • low

method

Specify a space-separated list of methods to match in the HTTP request line:

  • CONNECT
  • DELETE
  • GET
  • HEAD
  • OPTIONS
  • POST
  • PUT
  • TRACE
  • OTHERS

Note: The first 8 methods are defined in RFC 2616. OTHERS matches the less commonly used HTTP methods defined by the Web Distributed Authoring and Versioning (WebDAV) extensions.

config response-code-rule

exception

Specify an exception configuration object.

action

Specify a WAF action object.

severity

  • high
  • medium
  • low

code-min

Lowest HTTP response status code in the range (400-599).

code-max

Highest HTTP response status code in the range (400-599).
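The following Python is an added illustration, not FortiADC code: it emulates the checks an http-protocol-constraint policy applies to a single request, using the High-Level-Security limits listed on this page, and shows how constraint-method-override changes what request-method-rule sees. Everything beyond the page's own keywords is an assumption made for the example: the request parser is a toy; the override header name X-HTTP-Method-Override is assumed (the page only says "overridden-method header field"); max-cookie-number-in-request is counted as Cookie header lines; max-request-header-length is taken as the length of the request line plus all header lines; the hostname grammar adds dots between labels and an optional port to the page's letters/digits/hyphen set. The sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Limits of the High-Level-Security predefined policy shown on this page.
HIGH_LEVEL_SECURITY = {
    "max-uri-length": 2048, "max-request-header-length": 8192,
    "max-request-header-name-length": 1024, "max-request-header-value-length": 4096,
    "max-url-parameter-name-length": 1024, "max-url-parameter-value-length": 4096,
    "max-cookie-number-in-request": 16, "max-header-number-in-request": 50,
    "max-request-body-length": 67108864,
    "illegal-http-version-check": True, "illegal-host-name-check": True,
}
RFC2616_METHODS = {"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}
# Assumed host grammar: the page's letters/digits/hyphen, plus dots between labels and an optional :port.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::[0-9]{1,5})?$")
VERSION_RE = re.compile(r"^HTTP/(?:0\.9|1\.0|1\.1)$")   # the versions the page calls well-formed


def parse_request(raw: bytes) -> dict:
    """Toy parser: split a raw request into request line, header list and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ") + ["", "", ""]          # pad so a short request line still parses
    headers = [tuple(s.strip() for s in line.partition(":")[::2]) for line in lines[1:]]
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers,
            "header_block_len": len(head), "body_len": len(body)}


def effective_method(req: dict, method_override: bool, override_header: str = "X-HTTP-Method-Override") -> str:
    """constraint-method-override: when enabled, the method named in the override header (header
    name assumed here) is what request-method-rule evaluates; non-RFC 2616 methods fold into OTHERS."""
    method = req["method"]
    if method_override:
        for name, value in req["headers"]:
            if name.lower() == override_header.lower() and value:
                method = value
                break
    return method.upper() if method.upper() in RFC2616_METHODS else "OTHERS"


def check_request(raw: bytes, policy: dict = HIGH_LEVEL_SECURITY,
                  blocked_methods=(), method_override: bool = False) -> list:
    """Return the policy keywords the request violates, in check order (empty list = clean)."""
    req, hits = parse_request(raw), []
    if len(req["target"]) > policy["max-uri-length"]:
        hits.append("max-uri-length")
    if req["header_block_len"] > policy["max-request-header-length"]:
        hits.append("max-request-header-length")
    if req["body_len"] > policy["max-request-body-length"]:
        hits.append("max-request-body-length")
    if len(req["headers"]) > policy["max-header-number-in-request"]:
        hits.append("max-header-number-in-request")
    # Counted as Cookie header lines, following the page's wording "cookie headers" (assumption).
    if sum(n.lower() == "cookie" for n, _ in req["headers"]) > policy["max-cookie-number-in-request"]:
        hits.append("max-cookie-number-in-request")
    for name, value in req["headers"]:
        if len(name) > policy["max-request-header-name-length"]:
            hits.append("max-request-header-name-length")
        if len(value) > policy["max-request-header-value-length"]:
            hits.append("max-request-header-value-length")
    for pname, pvalue in parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True):
        if len(pname) > policy["max-url-parameter-name-length"]:
            hits.append("max-url-parameter-name-length")
        if len(pvalue) > policy["max-url-parameter-value-length"]:
            hits.append("max-url-parameter-value-length")
    host = next((v for n, v in req["headers"] if n.lower() == "host"), None)
    if policy["illegal-host-name-check"] and host is not None and not HOSTNAME_RE.match(host):
        hits.append("illegal-host-name-check")
    if policy["illegal-http-version-check"] and not VERSION_RE.match(req["version"]):
        hits.append("illegal-http-version-check")
    if effective_method(req, method_override) in {m.upper() for m in blocked_methods}:
        hits.append("request-method-rule")
    return list(dict.fromkeys(hits))                     # de-duplicate, keep first-seen order


def response_code_matches(status: int, code_min: int, code_max: int) -> bool:
    """response-code-rule: a server status inside [code-min, code-max] triggers the rule's action."""
    return code_min <= status <= code_max


# Constructed sample requests (not captured traffic).
SAMPLE_OK = (b"GET /search?q=fortiadc&page=2 HTTP/1.1\r\n"
             b"Host: www.example.com\r\n"
             b"Cookie: session=abc123\r\n"
             b"User-Agent: curl/8.0\r\n\r\n")
SAMPLE_LONG_URI = b"GET /" + b"x" * 2100 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_BAD = (b"POST /upload?" + b"a" * 1100 + b"=1 HTTP/2.0\r\n"
              b"Host: www.example.com<script>\r\n"
              b"X-HTTP-Method-Override: TRACE\r\n"
              b"Content-Length: 4\r\n\r\nxxxx")

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("long-uri", SAMPLE_LONG_URI), ("bad", SAMPLE_BAD)):
        print(label, check_request(raw, blocked_methods=("TRACE",), method_override=True))
```

The returned names line up with the policy keywords, so a caller can map each hit to the matching *-action and *-severity setting (deny and high under High-Level-Security, alert under the other two predefined policies). On the appliance, the same user-defined intent is a request-method-rule entry with method TRACE and a response-code-rule entry with code-min 500 and code-max 599; note that with method_override left disabled the POST carrying an override header passes the method rule, which is the behaviour constraint-method-override exists to close.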

Example

FortiADC-docs # get security waf http-protocol-constraint High-Level-Security
max-uri-length : 2048
max-uri-length-action : deny
max-uri-length-severity : high
max-request-header-name-length: 1024
max-request-header-name-length-action: deny
max-request-header-name-length-severity: high
max-request-header-value-length: 4096
max-request-header-value-length-action: deny
max-request-header-value-length-severity: high
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: deny
max-url-parameter-name-length-severity: high
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: deny
max-url-parameter-value-length-severity: high
illegal-http-version-check : enable
illegal-http-version-check-action: deny
illegal-http-version-check-severity: high
illegal-host-name-check : enable
illegal-host-name-check-action: deny
illegal-host-name-check-severity: high
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: deny
max-cookie-number-in-request-severity: high
max-header-number-in-request : 50
max-header-number-in-request-action: deny
max-header-number-in-request-severity: high
max-request-header-length : 8192
max-request-header-length-action: deny
max-request-header-length-severity: high
max-request-body-length : 67108864
max-request-body-length-action: deny
max-request-body-length-severity: high
exception :

FortiADC-docs # get security waf http-protocol-constraint Medium-Level-Security
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : medium
max-request-header-name-length: 1024
max-request-header-name-length-action: alert
max-request-header-name-length-severity: medium
max-request-header-value-length: 4096
max-request-header-value-length-action: alert
max-request-header-value-length-severity: medium
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: alert
max-url-parameter-name-length-severity: medium
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: alert
max-url-parameter-value-length-severity: medium
illegal-http-version-check : enable
illegal-http-version-check-action: alert
illegal-http-version-check-severity: medium
illegal-host-name-check : enable
illegal-host-name-check-action: alert
illegal-host-name-check-severity: medium
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: alert
max-cookie-number-in-request-severity: medium
max-header-number-in-request : 50
max-header-number-in-request-action: alert
max-header-number-in-request-severity: medium
max-request-header-length : 8192
max-request-header-length-action: alert
max-request-header-length-severity: medium
max-request-body-length : 67108864
max-request-body-length-action: alert
max-request-body-length-severity: medium
exception :

FortiADC-docs # get security waf http-protocol-constraint Alert-Only
max-uri-length : 2048
max-uri-length-action : alert
max-uri-length-severity : low
max-request-header-name-length: 1024
max-request-header-name-length-action: alert
max-request-header-name-length-severity: low
max-request-header-value-length: 4096
max-request-header-value-length-action: alert
max-request-header-value-length-severity: low
max-url-parameter-name-length : 1024
max-url-parameter-name-length-action: alert
max-url-parameter-name-length-severity: low
max-url-parameter-value-length: 4096
max-url-parameter-value-length-action: alert
max-url-parameter-value-length-severity: low
illegal-http-version-check : enable
illegal-http-version-check-action: alert
illegal-http-version-check-severity: low
illegal-host-name-check : enable
illegal-host-name-check-action: alert
illegal-host-name-check-severity: low
max-cookie-number-in-request : 16
max-cookie-number-in-request-action: alert
max-cookie-number-in-request-severity: low
max-header-number-in-request : 50
max-header-number-in-request-action: alert
max-header-number-in-request-severity: low
max-request-header-length : 8192
max-request-header-length-action: alert
max-request-header-length-severity: low
max-request-body-length : 67108864
max-request-body-length-action: alert
max-request-body-length-severity: low
exception :

 
