Fortinet Document Library

CLI Reference

config security waf xml-validation-detection

Use this command to configure XML validation detection.

Note: This command only inspects HTTP requests whose Content-Type is application/xml or text/xml.

Predefined WAF profiles

Predefined Rules    Required settings

High-Level-Security
  • format-checks — enable
  • soap-format-checks — disable
  • schema-checks — disable
  • xss-checks — enable
  • sql-injection-checks — enable
  • severity — high
  • action — deny

Medium-Level-Security
  • format-checks — enable
  • soap-format-checks — disable
  • schema-checks — disable
  • xss-checks — enable
  • sql-injection-checks — enable
  • severity — medium
  • action — alert

Alert-Only
  • format-checks — enable
  • soap-format-checks — disable
  • schema-checks — disable
  • xss-checks — disable
  • sql-injection-checks — disable
  • severity — low
  • action — alert

Syntax

  config security waf xml-validation-detection
    edit <name>
      set format-checks enable/disable
      set soap-format-checks enable/disable
      set wsdl-checks enable/disable
      set soap_wsdl_id <datasource>
      set schema-checks enable/disable
      set xml-schema-id <datasource>
      set limit-checks enable/disable
      set limit-max-attr-num <1-256>
      set limit-max-attr-name-len <1-2048>
      set limit-max-attr-value-len <1-2048>
      set limit-max-cdata-len <1-65535>
      set limit-max-elem-child-num <1-65535>
      set limit-max-elem-depth-num <1-65535>
      set limit-max-elem-name-len <1-65535>
      set limit-max-namespace-num <0-256>
      set limit-max-namespace-url-len <0-1024>
      set xss-checks enable/disable
      set sql-injection-checks enable/disable
      set exception <datasource>
      set severity low/medium/high
      set action <datasource>
    next
  end

name

Specify the name of the XML detection profile.

format-checks

Enable or disable XML format detection.

schema-checks

Enable or disable XML schema validation detection.

Note: Before enabling XML schema checks, you must upload an XML schema file to check whether XML content is well-formed.

xml-schema-id

Select the XML schema file that you want to use.

soap-format-checks

Enable or disable SOAP format detection.

wsdl-checks

Enable or disable WSDL validation detection.

Note: Before enabling WSDL checks, you must upload a WSDL file to check whether SOAP content is well-formed.

soap_wsdl_id

Select the desired WSDL file.

limit-checks

Enable or disable XML limit checks.

Note: If enabled, you can configure the following parameters:

  • limit-max-attr-num
  • limit-max-attr-name-len
  • limit-max-attr-value-len
  • limit-max-cdata-len
  • limit-max-elem-child-num
  • limit-max-elem-depth-num
  • limit-max-elem-name-len
  • limit-max-namespace-num
  • limit-max-namespace-url-len

limit-max-attr-num

Specify the maximum number of attributes each individual element is allowed to have. The default value is 256. Valid values range from 1 to 256.

Note: This option is available only when XML limit-checks is enabled.

limit-max-attr-name-len

Specify the maximum length of each attribute name. The default value is 128. Valid values range from 1 to 2,048.

Note: This option is available only when XML limit-checks is enabled.

limit-max-attr-value-len

Specify the maximum length of each attribute value. The default value is 128. Valid values range from 1 to 2,048.

Note: This option is available only when XML limit-checks is enabled.

limit-max-cdata-len

Specify the maximum length of the CDATA for each element. The default value is 65,535. Valid values range from 1 to 65,535.

Note: This option is available only when XML limit-checks is enabled.

limit-max-elem-child-num

Specify the maximum number of children each element is allowed, including other elements and character information. The default value is 65,535. Valid values range from 1 to 65,535.

Note: This option is available only when XML limit-checks is enabled.

limit-max-elem-depth-num

Specify the maximum number of nested levels in each element. The default value is 256. Valid values range from 1 to 65,535.

Note: This option is available only when XML limit-checks is enabled.

limit-max-elem-name-len

Specify the maximum length of the name of each element. The default value is 128. Valid values range from 1 to 65,535.

Note: This option is available only when XML limit-checks is enabled.

limit-max-namespace-num

Specify the maximum number of namespace declarations in the XML document. The default value is 16. Valid values range from 0 to 256.

Note: This option is available only when XML limit-checks is enabled.

limit-max-namespace-url-len

Specify the maximum URL length for each namespace declaration. The default value is 256. Valid values range from 0 to 1,024.

Note: This option is available only when XML limit-checks is enabled.
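The limit-max-* settings above are easiest to understand by running them against a document. The following script is an added example, not FortiADC code: it approximates the limit checks (and the well-formedness test that format-checks performs) with Python's built-in expat parser, so that a candidate XML payload can be tested offline against a proposed profile before it is deployed, and it also reproduces the Content-Type rule from the note at the top of this page. The defaults are copied from the reference above; how FortiADC itself counts depth, children and namespace declarations is not spelled out on this page, so the counting rules in the comments are assumptions. The is_inspected_content_type, XmlLimits and check_xml_limits names are this example's own.

```python
"""Offline approximation of the XML limit checks in this reference (added example)."""
from dataclasses import dataclass
import xml.parsers.expat


@dataclass
class XmlLimits:
    """One field per limit-max-* setting; defaults copied from the CLI reference."""
    max_attr_num: int = 256
    max_attr_name_len: int = 128
    max_attr_value_len: int = 128
    max_cdata_len: int = 65535
    max_elem_child_num: int = 65535
    max_elem_depth_num: int = 256
    max_elem_name_len: int = 128
    max_namespace_num: int = 16
    max_namespace_url_len: int = 256


def is_inspected_content_type(header: str) -> bool:
    """True for the media types the profile inspects: application/xml and text/xml.
    Assumption: parameters such as charset are ignored and matching is case-insensitive."""
    media_type = header.split(";", 1)[0].strip().lower()
    return media_type in ("application/xml", "text/xml")


def check_xml_limits(body: bytes, limits: XmlLimits = XmlLimits()) -> list:
    """Parse body with expat and return a list of readable limit violations.

    An empty list means the document is well-formed and inside every limit.
    Assumptions: the root element is at depth 1; xmlns/xmlns:* attributes count as
    namespace declarations rather than ordinary attributes; a child is a child
    element or a run of non-whitespace character data; the CDATA limit applies
    to all character data placed directly inside an element.
    """
    violations = []
    depth = 0
    ns_count = 0
    child_counts = []    # one counter per open element
    text_lens = []       # accumulated character data per open element
    run_counted = False  # current text run already counted as a child?

    def bump_child(note):
        if child_counts:
            child_counts[-1] += 1
            if child_counts[-1] > limits.max_elem_child_num:
                violations.append(f"{note}: children {child_counts[-1]} > {limits.max_elem_child_num}")

    def start(name, attrs):
        nonlocal depth, ns_count, run_counted
        run_counted = False
        depth += 1
        if depth > limits.max_elem_depth_num:
            violations.append(f"<{name}>: depth {depth} > {limits.max_elem_depth_num}")
        if len(name) > limits.max_elem_name_len:
            violations.append(f"<{name[:16]}...>: name length {len(name)} > {limits.max_elem_name_len}")
        bump_child(f"parent of <{name}>")  # count this element in its parent before pushing
        child_counts.append(0)
        text_lens.append(0)
        ns_decls = {k: v for k, v in attrs.items() if k == "xmlns" or k.startswith("xmlns:")}
        plain = {k: v for k, v in attrs.items() if k not in ns_decls}
        ns_count += len(ns_decls)
        if ns_count > limits.max_namespace_num:
            violations.append(f"<{name}>: namespace declarations {ns_count} > {limits.max_namespace_num}")
        for k, url in ns_decls.items():
            if len(url) > limits.max_namespace_url_len:
                violations.append(f"<{name}> {k}: namespace URL length {len(url)} > {limits.max_namespace_url_len}")
        if len(plain) > limits.max_attr_num:
            violations.append(f"<{name}>: attributes {len(plain)} > {limits.max_attr_num}")
        for k, v in plain.items():
            if len(k) > limits.max_attr_name_len:
                violations.append(f"<{name}>: attribute name length {len(k)} > {limits.max_attr_name_len}")
            if len(v) > limits.max_attr_value_len:
                violations.append(f"<{name}> {k}: attribute value length {len(v)} > {limits.max_attr_value_len}")

    def chardata(data):
        nonlocal run_counted
        if not text_lens:          # expat only reports text inside the root element anyway
            return
        text_lens[-1] += len(data)
        if data.strip() and not run_counted:   # expat may split one run into several events
            run_counted = True
            bump_child("text run")

    def end(name):
        nonlocal depth, run_counted
        run_counted = False
        depth -= 1
        child_counts.pop()
        total = text_lens.pop()
        if total > limits.max_cdata_len:
            violations.append(f"<{name}>: character data length {total} > {limits.max_cdata_len}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chardata
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        violations.append(f"not well-formed: {exc}")   # the condition format-checks would flag
    return violations


if __name__ == "__main__":
    # Constructed sample request body, checked against the tight limits used in the
    # Example at the end of this reference (cdata-len 1, namespace-num 1, url-len 1).
    sample = b'<order xmlns="urn:example:shop"><item id="1">book</item></order>'
    tight = XmlLimits(max_cdata_len=1, max_namespace_num=1, max_namespace_url_len=1)
    for line in check_xml_limits(sample, tight):
        print(line)
```

Run against the page's own Example values, the constructed order document trips the namespace URL length and CDATA length limits while passing everything else, which is a useful sanity check before committing such low limits on a live profile: the limits are per element, so a single 4-character text node is enough to exceed limit-max-cdata-len 1.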

xss-checks

Enable to examine the bodies of incoming XML requests for content that might indicate a cross-site scripting attack.

Note: If the request contains a positive match, FortiADC responds with the specified action; see action, below.

sql-injection-checks

Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords, which may indicate an SQL injection attack.

Note: If the request contains a positive match, FortiADC responds with the specified action; see action, below.

exception

Optional. Select the exception profile to be applied to the XML detection profile.

severity

Set the severity level in WAF logs for potential attacks detected by the XML detection profile by selecting one of the following:

  • High
  • Medium
  • Low

action

Specify the action that FortiADC will take upon detecting a potential attack. You can choose a WAF action object.

Example

  config security waf xml-validation-detection
    edit "all"
      set format-checks enable
      set soap-format-checks enable
      set wsdl-checks enable
      unset soap_wsdl_id
      set schema-checks enable
      unset xml-schema-id
      set limit-checks enable
      set limit-max-attr-num 100
      set limit-max-attr-name-len 100
      set limit-max-attr-value-len 100
      set limit-max-cdata-len 1
      set limit-max-elem-child-num 100
      set limit-max-elem-depth-num 100
      set limit-max-elem-name-len 100
      set limit-max-namespace-num 1
      set limit-max-namespace-url-len 1
      set xss-checks enable
      set sql-injection-checks enable
      unset exception
      set severity medium
      set action alert
    next
  end